diff --git a/CHANGELOG.md b/CHANGELOG.md index cc3b8a7b..92fdbc49 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,43 @@ +# 2023-03-07 + +## Sliding Sync Proxy (Element X) support + +Thanks to [Benjamin Kampmann](https://github.com/gnunicorn) for [getting it started](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515), [FSG-Cat](https://github.com/FSG-Cat) for fixing it up and me ([Slavi](https://github.com/spantaleev)) for polishing it up, the playbook can now install and configure the [sliding-sync proxy](https://github.com/matrix-org/sliding-sync). + +The upcoming Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. **These clients are still in beta** (especially Element X Android, which requires manual compilation to get it working with a non-`matrix.org` homeseserver). Playbook users can now easily give these clients a try and help test them thanks to us having `sliding-sync` support. + +To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playbook-sliding-sync-proxy.md) documentation page. + + +# 2023-03-02 + +## The matrix-etherpad role lives independently now + +**TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact. + +You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not. 
+ +If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file: + +- Rename `matrix_etherpad_public_endpoint` to `etherpad_path_prefix` + +- Replace `matrix_etherpad_mode: dimension` with: + - for `matrix-nginx-proxy` users: + - `etherpad_nginx_proxy_dimension_integration_enabled: true` + - `etherpad_hostname: "{{ matrix_server_fqn_dimension }}"` + - for Traefik users: + - define your own `etherpad_hostname` and `etherpad_path_prefix` as you see fit + +- Rename all other variables: + - `matrix_etherpad_docker_image_` -> `matrix_etherpad_container_image_` + - `matrix_etherpad_` -> `etherpad_` + +Along with this relocation, the new role also: + +- supports [self-building](docs/self-building.md), so it should work on `arm32` and `arm64` architectures +- has native Traefik reverse-proxy support (Etherpad requests no longer go through `matrix-nginx-proxy` when using Traefik) + + # 2023-02-26 ## Traefik is the default reverse-proxy now @@ -57,7 +97,7 @@ At some point in the **near** future (days, or even weeks at most), we hope to c ### How do I keep using my own other reverse-proxy? -We recommend that you follow the guide for [Fronting the integraed reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). +We recommend that you follow the guide for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). # 2023-02-25 
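Review bot: Two typos in the added changelog lines: `homeseserver` should be `homeserver` (Element X paragraph; the same misspelling recurs in the new sliding-sync doc later in this patch), and `update you roles` should be `update your roles`. In the Etherpad migration list, the two renames under "Rename all other variables" only give the intended result (`etherpad_container_image_`) when applied in the listed order; saying "apply in this order" or stating the final name avoids a reader ending up with `matrix_etherpad_container_image_`, which the new role will not read.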
@@ -194,9 +234,9 @@ devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed. -Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/devture-traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble. +Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/matrix/traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble. -**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/devture-traefik`), so you may run into a Let's Encrypt rate limit if you do it often. +**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/matrix/traefik`), so you may run into a Let's Encrypt rate limit if you do it often. Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time. 
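Review bot: The `acme.json` path moves from `/devture-traefik/ssl/acme.json` to `/matrix/traefik/ssl/acme.json`, but the hunk does not say whether an existing `acme.json` is migrated or whether certificates are requested again on upgrade; given that the next paragraph warns about Let's Encrypt rate limits, state which it is. The unchanged context line "Treafik directly reverse-proxies" has a typo (Traefik) that could be fixed while this hunk is touching the surrounding lines.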
@@ -483,11 +523,11 @@ Various services (like Dimension, etc.) still talk to Synapse via `matrix-nginx- Until now, [Etherpad](https://etherpad.org/) (which [the playbook could install for you](docs/configuring-playbook-etherpad.md)) required the [Dimension integration manager](docs/configuring-playbook-dimension.md) to also be installed, because Etherpad was hosted on the Dimension domain (at `dimension.DOMAIN/etherpad`). -From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`matrix_etherpad_mode: standalone`). +From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`etherpad_mode: standalone`). If you've already got both Etherpad and Dimension in use you could: -- **either** keep hosting Etherpad under the Dimension domain by adding `matrix_etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary. +- **either** keep hosting Etherpad under the Dimension domain by adding `etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary. - **or**, you could change to hosting Etherpad separately on `etherpad.DOMAIN`. You will need to [configure a DNS record](docs/configuring-dns.md) for this new domain. You will also need to reconfigure Dimension to use the new pad URLs (`https://etherpad.DOMAIN/...`) going forward (refer to our [configuring Etherpad documentation](docs/configuring-playbook-etherpad.md)). All your existing room widgets (which still use `https://dimension.DOMAIN/etherpad/...`) will break as Etherpad is not hosted there anymore. 
You will need to re-add them or to consider not using `standalone` mode diff --git a/README.md b/README.md index bd37d23e..185c4085 100644 --- a/README.md +++ b/README.md @@ -162,6 +162,7 @@ Various services that don't fit any other category. | Name | Default? | Description | Documentation | | ---- | -------- | ----------- | ------------- | +| [sliding-sync](https://github.com/matrix-org/sliding-sync)| x | Sliding Sync support for clients which require it (e.g. Element X) | [Link](docs/configuring-playbook-sliding-sync-proxy.md) | | [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | x | A spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) | | [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | x | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) | | [Etherpad](https://etherpad.org) | x | An open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) | diff --git a/docs/ansible.md b/docs/ansible.md index 60be6164..dcda338a 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -65,7 +65,7 @@ docker run -it --rm \ -w /work \ -v `pwd`:/work \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0-1 +docker.io/devture/ansible:2.13.6-r0-2 ``` Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index 6ec2056c..77351de2 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md 
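Review bot: In the README table row `| [sliding-sync](https://github.com/matrix-org/sliding-sync)| x |` there is no space before the second pipe; match the other rows. The ansible.md bump to `docker.io/devture/ansible:2.13.6-r0-2` has no accompanying changelog line in this patch saying what changed in the image, so a reader cannot tell whether the bump is required for the new roles or just housekeeping.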
@@ -24,6 +24,31 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb Once the user is created you can [obtain an access token](obtaining-access-tokens.md). +## Decide on a domain and path + +By default, Go-NEB is configured to use its own dedicated domain (`goneb.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Go-NEB. +matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /go-neb subpath +matrix_bot_go_neb_path_prefix: /go-neb +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_go_neb` (e.g. `matrix_server_fqn_go_neb: "mybot.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Go-NEB domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): @@ -193,9 +218,7 @@ matrix_bot_go_neb_services: ## Installing -Don't forget to add `goneb.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. - -After configuring the playbook, run the [installation](installing.md) command again: +After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start 
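Review bot: The example sets `matrix_bot_go_neb_path_prefix: /go-neb` directly above a NOTE saying the path prefix cannot be overridden with `matrix-nginx-proxy`; say up front that the override block is for Traefik only, so an nginx user does not copy a setting that is silently ignored. The new "Adjusting DNS records" section says "you may need to adjust your DNS records" but gives no pointer; the removed "Installing" line linked to configuring-dns.md, and that link should survive in the new section.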
diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index e201785a..4472e103 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md 
@@ -6,14 +6,29 @@ If you're just installing Matrix services for the first time, please continue wi **Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). -## Prerequisites +## Decide on a domain and path -The `dimension.` DNS record must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. +By default, Dimension is configured to use its own dedicated domain (`dimension.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to another hostname compared to the default (`dimension.{{ matrix_domain }}`) +matrix_dimension_hostname: "integrations.{{ matrix_domain }}" + +``` + +While there is a `matrix_dimension_path_prefix` variable for changing the path where Dimension is served, overriding it is not possible right now due to [this Dimension issue](https://github.com/turt2live/matrix-dimension/issues/510). You must serve Dimension at a dedicated subdomain until this issue is solved. + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Dimension domain to the Matrix server. ## Enable -[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. 
You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): +To enable Dimension, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml matrix_dimension_enabled: true @@ -54,7 +69,7 @@ For more information on how to acquire an access token, visit [https://t2bot.io/ ## Installation -After these variables have been set, please run the following command to re-run setup and to restart Dimension: +After these variables have been set and you have potentially [adjusted your DNS records](#adjusting-dns-records), please run the following command to re-run setup and to restart Dimension: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index 22c782f4..76ad2f59 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md 
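Review bot: The "Adjusting DNS records" section opens with "Once you've decided on the domain and path", but the paragraph right above it says the path cannot be changed until the linked Dimension issue is solved, so "domain" alone is accurate. The yaml example carries an empty `+` line before the closing fence; drop it. The removed Prerequisites line linked to configuring-dns.md; keep that link in the new DNS section. The unchanged note about the `openid` endpoints being exposed on port `8448` applies regardless of which hostname is chosen, so it is worth restating next to the new `matrix_dimension_hostname` example rather than leaving it only in the intro.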
@@ -1,19 +1,41 @@ # Setting up Etherpad (optional) -[Etherpad](https://etherpad.org) is is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app. +[Etherpad](https://etherpad.org) is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app. When enabled together with the Jitsi audio/video conferencing system (see [our docs on Jitsi](configuring-playbook-jitsi.md)), it will be made available as an option during the conferences. -## Prerequisites +## Decide on a domain and path -Etherpad can be installed in 2 modes: +By default, Etherpad is configured to use its own dedicated domain (`etherpad.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). -- (default) `standalone` mode (`matrix_etherpad_mode: standalone`) - Etherpad will be hosted on `etherpad.` (`matrix_server_fqn_etherpad`), so the DNS record for this domian must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up the `etherpad` DNS record correctly +You can override the domain and path like this: -- `dimension` mode (`matrix_etherpad_mode: dimension`) - Etherpad will be hosted on `dimension./etherpad` (`matrix_server_fqn_dimension`). This requires that you **first** configure the **Dimension integrations manager** as described in [the playbook documentation](configuring-playbook-dimension.md) +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Etherpad. +etherpad_hostname: "{{ matrix_server_fqn_matrix }}" -We recomend that you go with the default (`standalone`) mode, which makes Etherpad independent and allows it to be used with or without Dimension. 
+# Expose under the /etherpad subpath +etherpad_path_prefix: /etherpad +``` + +**NOTE**: When using the old `matrix-nginx-proxy` reverse-proxy instead of Traefik, you have only 2 choices: + +- serving Etherpad at its own dedicated domain: + - you need to set the domain using the `matrix_server_fqn_etherpad` variable (not `etherpad_hostname`) + - you must use `etherpad_path_prefix: /` +- serving Etherpad at the [Dimension](configuring-playbook-dimension.md) integration manager's domain (`matrix_server_fqn_dimension`) + - you need to have Dimension enabled + - you need to add `etherpad_path_prefix: /etherpad` or another prefix (different than `/`) + - you need to add `etherpad_nginx_proxy_dimension_integration_enabled: true` to enable this integration + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Etherpad domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. ## Installing 
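Review bot: The `matrix-nginx-proxy` NOTE loses two things the removed text had: the requirement that Dimension be configured **first** before serving Etherpad on its domain (the new bullet only says "you need to have Dimension enabled"), and the link to configuring-dns.md for the dedicated-domain case (the new "Adjusting DNS records" section has no link). Both are cheap to restore. It would also help to say that `etherpad_nginx_proxy_dimension_integration_enabled` is an nginx-only switch and has no effect under Traefik, consistent with the CHANGELOG hunk earlier in this patch.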
@@ -21,48 +43,51 @@ We recomend that you go with the default (`standalone`) mode, which makes Etherp [Etherpad](https://etherpad.org) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_etherpad_enabled: true - -# Uncomment below if you'd like to install Etherpad on the Dimension domain (not recommended) -# matrix_etherpad_mode: dimension +etherpad_enabled: true # Uncomment below to enable the admin web UI -# matrix_etherpad_admin_username: admin -# matrix_etherpad_admin_password: some-password +# etherpad_admin_username: admin +# etherpad_admin_password: some-password ``` -If enabled, the admin web-UI should then be available on `https://etherpad./admin` (or `https://dimension./etherpad/admin`, if `matrix_etherpad_mode: dimension`) +Then, [run the installation process](installing.md) again (e.g. `just install-all`). -## Managing / Deleting old pads +## Usage + +The Etherpad UI should be available at `https://etherpad.`, while the admin UI (if enabled) should then be available at `https://etherpad./admin`. + +If you've [decided on another hostname or path-prefix](#decide-on-a-domain-and-path) (e.g. `https://matrix.DOMAIN/etherpad`), adjust these URLs accordingly before usage. + + +### Managing / Deleting old pads If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above. -Then from the plugin manager page (`https://etherpad./admin/plugins` or `https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. +Then from the plugin manager page (`https://etherpad./admin/plugins`, install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. 
-## How to use Etherpad widgets without an Integration Manager (like Dimension) +### How to use Etherpad widgets without an Integration Manager (like Dimension) This is how it works in Element, it might work quite similar with other clients: To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN`. When the pad opens, copy the URL and send a command like this to the room: `/addwidget URL`. You will then find your integrated Etherpad within the right sidebar in the `Widgets` section. -## Set Dimension default to the self-hosted Etherpad (optional) +### Set Dimension default to the self-hosted Etherpad (optional) If you decided to install [Dimension integration manager](configuring-playbook-dimension.md) alongside Etherpad, the Dimension administrator users can configure the default URL template. The Dimension configuration menu can be accessed with the sprocket icon as you begin to add a widget to a room in Element. There you will find the Etherpad Widget Configuration action beneath the _Widgets_ tab. -### Removing the integrated Etherpad chat +#### Removing the integrated Etherpad chat -If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Examples: -- `https://etherpad./p/$roomId_$padName?showChat=false` (for the default - `matrix_etherpad_mode: standalone`) +If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. -- `https://dimension./etherpad/p/$roomId_$padName?showChat=false` (for `matrix_etherpad_mode: dimension`) +Example: `https://etherpad./p/$roomId_$padName?showChat=false` -### Known issues +## Known issues If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. `$roomId_$padName` can end up being longer than 50 characters. 
You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`. diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 3b9d822d..affb565f 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -123,7 +123,7 @@ You can disable such behavior and make the integrated reverse-proxy webserver on This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it. -**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: +To front Traefik with another reverse-proxy, you would need some configuration like this: ```yaml matrix_playbook_reverse_proxy_type: playbook-managed-traefik 
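Review bot: Unbalanced parenthesis in the added line "Then from the plugin manager page (`https://etherpad./admin/plugins`, install the `adminpads2` plugin"; the closing `)` went away with the Dimension URL. Since the Usage paragraph says the admin UI is at `https://etherpad./admin` on the public hostname and the configuration example above it shows `etherpad_admin_password: some-password`, add a sentence that this password should be strong and unique (the page does not say that the playbook restricts access to `/admin` in any other way). The unchanged context line "you will first need to able Admin access" is missing "en" (enable) and could be fixed in passing.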
@@ -134,42 +134,33 @@ matrix_playbook_ssl_enabled: true # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval devture_traefik_config_entrypoint_web_secure_enabled: false +# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81` devture_traefik_container_web_host_bind_port: '127.0.0.1:81' +# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from +# a reverse-proxy running on the local machine is safe enough. +devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true + +# Or, if you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interfaces: +# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition above +# - uncomment and adjust the line below +# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] + +# Likewise (to `devture_traefik_container_web_host_bind_port` above), +# if your reverse-proxy runs on another machine, consider changing the `host_bind_port` setting below. 
devture_traefik_additional_entrypoints_auto: - name: matrix-federation - port: "{{ matrix_federation_public_port }}" - host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}" + port: 8449 + host_bind_port: '127.0.0.1:8449' config: {} + # If your reverse-proxy runs on another machine, remove the config above and use this config instead: + # config: + # forwardedHeaders: + # insecure: true + # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] ``` -(Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: - -```yaml -matrix_playbook_reverse_proxy_type: playbook-managed-nginx - -# Ensure that public urls use https -matrix_playbook_ssl_enabled: true - -# Disable SSL certificate retrieval -matrix_ssl_retrieval_method: none - -# Given that we won't be obtaining SSL certificates here, disable HTTPS -matrix_nginx_proxy_https_enabled: false - -# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' - -# Likewise, expose the Matrix Federation port on the loopback interface. -# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -# -# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap). -matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' -``` - -If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface. 
+For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). ### Using no reverse-proxy on the Matrix side at all @@ -232,4 +223,4 @@ Some of these services are configured with certain default expecations with rega For each new playbook service that you enable, you'll need special handling. -The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, etc. +The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, Nginx, etc. diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md index 2510ecc1..9ea3c60e 100644 --- a/docs/configuring-playbook-postgres-backup.md +++ b/docs/configuring-playbook-postgres-backup.md @@ -23,8 +23,8 @@ Refer to the table below for additional configuration variables and their defaul |`devture_postgres_backup_keep_days`|`7`|Number of daily backups to keep| |`devture_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep| |`devture_postgres_backup_keep_months`|`12`|Number of monthly backups to keep| -|`devture_postgres_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_data_path` | -|`devture_postgres_data_path` | `"{{ devture_postgres_base_path }}/data"` | Storage path for postgres-backup database backups | +|`devture_postgres_backup_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_backup_data_path` | +|`devture_postgres_backup_data_path` | `"{{ devture_postgres_backup_base_path }}/data"` | Storage path for postgres-backup database backups | ## Installing 
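Review bot: The comment on `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true` justifies it with the `127.0.0.1:81` bind, but the comment two lines above invites changing that bind to `0.0.0.0:81`; these two settings are coupled, so make the pairing a rule in prose rather than a comment: whenever the bind is anything other than loopback, `forwardedHeaders_insecure` must be removed and `forwardedHeaders_trustedIPs` set, because with `insecure: true` any host that can reach port 81 can supply its own `X-Forwarded-*` headers and the proxied services will see a spoofed client address and scheme. The same applies to the `matrix-federation` entrypoint, where the commented alternative lists `insecure: true` first and keeps `trustedIPs` commented out; reverse that order so `trustedIPs` is the default suggestion. Separately, `port: 8449` / `host_bind_port: '127.0.0.1:8449'` replaces `{{ matrix_federation_public_port }}`, and the removed nginx block's explanation ("You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap)") should be carried over, otherwise a reader may publish 8449 as the federation port.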
diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md new file mode 100644 index 00000000..49e0483a --- /dev/null +++ b/docs/configuring-playbook-sliding-sync-proxy.md 
@@ -0,0 +1,51 @@ +# Setting up Sliding Sync Proxy (optional) + +The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you. + +Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (**still beta**) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)). + +See the project's [documentation](https://github.com/matrix-org/sliding-sync) to learn more. + +Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi). + +Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version. + +**NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. + + +## Decide on a domain and path + +By default, the Sliding Sync proxy is configured to be served on the Matrix domain (`matrix.DOMAIN`, controlled by `matrix_server_fqn_matrix`), under the `/sliding-sync` path. + +This makes it easy to set it up, **without** having to [adjust your DNS records](#adjusting-dns-records). + +If you'd like to run the Sliding Sync proxy on another hostname or path, use the `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` variables. + + +## Adjusting DNS records + +If you've changed the default hostame, **you may need to adjust your DNS** records. 
+ + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_sliding_sync_enabled: true +``` + + +## Installing + +After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: `just install-all`. + + +## Usage + +You **don't need to do anything special** to make use of the Sliding Sync Proxy. +Simply open your client which supports Sliding Sync (like Element X) and log in. + +When the Sliding Sync proxy is [installed](#installing), your `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc3575.proxy` section and `url` property are added there and made to point to your Sliding Sync proxy's base URL (e.g. `https://matrix.DOMAIN/sliding-sync`). + +This allows clients which support Sliding Sync to detect the Sliding Sync Proxy's URL and make use of it. diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 60d5b135..9fa9f84b 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
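Review bot: Typos in the new file: `homeseserver` should be `homeserver` and `hostame` should be `hostname`. The doc names `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` but, unlike the other docs in this patch, shows no yaml example with their defaults (`matrix_server_fqn_matrix` and `/sliding-sync` per the text); adding one keeps the "Decide on a domain and path" sections consistent. The "Adjusting DNS records" section could reuse the sentence the Etherpad and Go-NEB docs in this patch use ("If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration").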
@@ -29,6 +29,72 @@ devture_traefik_config_entrypoint_web_secure_enabled: false ## Using self-signed SSL certificates -Using self-signed certificates with Traefik is a somewhat involved processes, where you need to manually mount the files into the container and adjust the "static" configuration to refer to them. +If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) from [Let's Encrypt](https://letsencrypt.org/)): -Feel free to research this approach on your own and improve this guide! +- generate your self-signed certificate files +- follow the [Using your own SSL certificates](#using-your-own-ssl-certificates) documentation below + + +## Using your own SSL certificates + +To use your own SSL certificates with Traefik, you need to: + +- disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support +- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually +- register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/) +- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually + +```yaml +# Disable ACME / Let's Encrypt support. +devture_traefik_config_certificatesResolvers_acme_enabled: false + +# Disabling ACME support (above) automatically disables the creation of the SSL directory. +# Force-enable it here, because we'll add our certificate files there. +devture_traefik_ssl_dir_enabled: true + +# Tell Traefik to load our custom configuration file (certificates.yml). +# The file is created below, in `matrix_aux_file_definitions`. 
+# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it! +devture_traefik_configuration_extension_yaml: | + providers: + file: + filename: /config/certificates.yml + watch: true + +# Use the matrix-aux role to create our custom files on the server. +# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable. +matrix_aux_file_definitions: + # Create the privkey.pem file on the server by + # uploading a file from the computer where Ansible is running. + - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" + src: /path/on/your/Ansible/computer/to/privkey.pem + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE + + # Create the cert.pem file on the server + # uploading a file from the computer where Ansible is running. + - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem" + src: /path/on/your/Ansible/computer/to/cert.pem + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE + + # Create the custom Traefik configuration. + # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them! + - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml" + content: | + tls: + certificates: + - certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem + stores: + default: + defaultCertificate: + certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem +``` diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md index 4f6a7335..0485742d 100644 --- a/docs/configuring-playbook-traefik.md +++ b/docs/configuring-playbook-traefik.md 
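Review bot: The private key handling needs a caveat: `privkey.pem` is placed under `devture_traefik_ssl_dir_path` via `matrix_aux_file_definitions` using either `src:` or inline `content:`, but the doc says nothing about the owner or file mode the key ends up with on the server, and the inline `content:` variant puts the key in plaintext in `vars.yml`; state the resulting permissions (or how to restrict them, if the role supports that) and recommend Ansible Vault for inline key material. Since `devture_traefik_config_certificatesResolvers_acme_enabled: false` turns off ACME, no renewal happens for these files, so expiry tracking becomes the operator's job and that is worth one sentence. Wording: "you remove this" should be "you can remove this"; "Create the cert.pem file on the server uploading" is missing "by"; and the backtick in "(/`matrix/traefik/ssl/..`)" is misplaced (`/matrix/traefik/ssl/..`).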
@@ -35,6 +35,8 @@ devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE ``` +**WARNING**: enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts. + ## Additional configuration Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b4bae786..68a2658a 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -195,6 +195,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Other specialized services +- [Setting up the Sliding Sync Proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like Element X) (optional) + - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional) diff --git a/docs/faq.md b/docs/faq.md index 25d02e7c..48c658d1 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -125,7 +125,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place -- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) +- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up [Traefik](https://doc.traefik.io/traefik/) for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) - this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](container-images.md)) @@ -322,7 +322,7 @@ matrix_playbook_docker_installation_enabled: false ### I run another webserver on the same server where I wish to install Matrix. What now? -By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md). +By default, we install a webserver for you ([Traefik](https://doc.traefik.io/traefik/)), but you can also use [your own webserver](configuring-playbook-own-webserver.md). ### How is the effective configuration determined? 
@@ -336,12 +336,14 @@ Configuration variables are defined in multiple places in this playbook and are ### What configuration variables are available? -You can discover the variables you can override in each role (`role/matrix*/defaults/main.yml`). +You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`). As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`. Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features). +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). + ### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it? The playbook doesn't aim to expose all configuration settings for all services using variables. @@ -352,7 +354,9 @@ See [What configuration variables are available?](#what-configuration-variables- Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration. -Check each role's `role/matrix*/defaults/main.yml` for the corresponding variable and an example for how use it. +Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it. + +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). ## Installation 
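Review bot: both added `**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles`` lines in `docs/faq.md` have a typo, "after your run" should be "after you run". Since the same sentence is added under two headings, the second could simply link to the first.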
@@ -461,15 +465,8 @@ After verifying that everything still works after the Postgres upgrade, you can ### How do I debug or force SSL certificate renewal? -SSL certificate renewal normally happens automatically via [systemd timers](https://wiki.archlinux.org/index.php/Systemd/Timers). +SSL certificates are managed automatically by the [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server. -If you're having trouble with SSL certificate renewal, you can inspect the renewal logs using: +If you're having trouble with SSL certificate renewal, check the Traefik logs (`journalctl -fu matrix-traefik`). -- `journalctl -fu matrix-ssl-lets-encrypt-certificates-renew.service` -- *or* by looking at the log files in `/matrix/ssl/log/` - -To trigger renewal, run: `systemctl start matrix-ssl-lets-encrypt-certificates-renew.service`. You can then take a look at the logs again. - -If you're using the integrated webserver (`matrix-nginx-proxy`), you can reload it manually like this: `systemctl reload matrix-nginx-proxy`. Reloading also happens periodically via a systemd timer. - -If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (`matrix-nginx-proxy`) you may also need to reload/restart it, to make it pick up the renewed SSL certificate files. +If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (Traefik), you should investigate in another way. diff --git a/examples/nginx/README.md b/examples/nginx/README.md new file mode 100644 index 00000000..f9be21fd --- /dev/null +++ b/examples/nginx/README.md 
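Review bot: the heading left in place still reads "How do I debug or force SSL certificate renewal?", but the rewritten answer only covers debugging; either drop "or force" from the heading or state that Traefik renews on its own and there is no manual trigger exposed by the playbook. The unit name in `journalctl -fu matrix-traefik` must match what `devture_traefik_identifier + '.service'` evaluates to in `group_vars/matrix_servers` (this same change switches the services list to that variable), so it is worth double-checking. The closing "you should investigate in another way" is vague; "check your own webserver's logs and certificate tooling" says what the reader should actually do.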
@@ -0,0 +1,17 @@ +# Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy + +This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy. + + +## Prerequisite configuration + +To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + + +## Using the nginx configuration + +Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`). + +This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host. + +Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../docs/configuring-playbook-dimension.md) integration manager. diff --git a/examples/nginx/matrix.conf b/examples/nginx/matrix.conf new file mode 100644 index 00000000..366a8a8e --- /dev/null +++ b/examples/nginx/matrix.conf 
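Review bot: the path `inventory/host_vars/matrix./vars.yml` in `examples/nginx/README.md` looks truncated (elsewhere the docs write `inventory/host_vars/matrix.DOMAIN/vars.yml`). Typos in the same file: "shows you how use the" (how to use), "include it your nginx configuration" (include it in your), "For your setup, may wish to change this" (you may wish), and "if you don't use [Element](...) web client" (the Element web client).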
@@ -0,0 +1,96 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # TODO: add/remove services and their subdomains if you use/don't use them + # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com + # if you don't use those, you can remove them + # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list + server_name example.com matrix.example.com element.example.com; + + location / { + # note: do not add a path (even a single /) after the port in `proxy_pass`, + # otherwise, nginx will canonicalise the URI and cause signature verification + # errors. + proxy_pass http://localhost:81; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + access_log /var/log/nginx/matrix.access.log; + error_log /var/log/nginx/matrix.error.log; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +# settings for matrix federation +server { + # For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + server_name matrix.example.com; + + location / { + proxy_pass http://localhost:8449; + proxy_set_header 
X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + + access_log /var/log/nginx/matrix.access.log; + error_log /var/log/nginx/matrix.error.log; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +# ensure using https +# TODO: remove server blocks that you don't use / add server blocks for domains you do use +server { + if ($host = example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name example.com; + listen 80; + return 404; # managed by Certbot +} + +server { + if ($host = matrix.example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name matrix.example.com; + listen 80; + return 404; # managed by Certbot +} + +server { + if ($host = element.example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name element.example.com; + listen 80; + return 404; # managed by Certbot +} \ No newline at end of file diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 359c6e3f..85fbfd2a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
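Review bot: `proxy_pass http://localhost:81;` and `proxy_pass http://localhost:8449;` in `examples/nginx/matrix.conf` will fail with a connection error on hosts where `localhost` resolves to `::1` first and Traefik only binds `127.0.0.1`; use `127.0.0.1:81` / `127.0.0.1:8449` explicitly (or whatever interface the fronting guide tells the reader to bind). The federation `server` block also drops the `X-Real-IP` header that the client block sets; keep the two consistent. The `# managed by Certbot` markers on hand-written lines are misleading, since `certbot --nginx` will add its own on top of them, and the file is missing a trailing newline.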
@@ -19,31 +19,15 @@ # Also see `devture_docker_sdk_for_python_installation_enabled`. matrix_playbook_docker_installation_enabled: true -# Controls whether to run the Traefik role or not -# See the `com.devture.ansible.role.traefik` section below for role configuration. -# -# There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. -# `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc. -# `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all. -# -# Sometimes, you're installing Traefik via a different (related playbook) which uses the same role. -# In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). -# If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here -# try to delete Traefik data (`/devture-traefik`) installed by the other playbook. -matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type != 'other-traefik-container' }}" - # Controls whether to attach Traefik labels to services. -# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, -# because you may wish to disable Traefik installation by the playbook, yet still use Traefik -# installed in another way. +# This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook, +# yet still use Traefik installed in another way. 
matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" -matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" - # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" -matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}" +matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_certs_dumper_enabled else matrix_ssl_retrieval_method }}" matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}" @@ -306,7 +290,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-email2matrix.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'email2matrix']}] if matrix_email2matrix_enabled else []) + - ([{'name': 'matrix-etherpad.service', 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if matrix_etherpad_enabled else []) + ([{'name': (etherpad_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if etherpad_enabled else []) + ([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else []) + 
@@ -346,6 +330,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration']}] if matrix_registration_enabled else []) + + ([{'name': 'matrix-sliding-sync.service', 'priority': 4000, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) + + ([{'name': 'matrix-sygnal.service', 'priority': 800, 'groups': ['matrix', 'sygnal']}] if matrix_sygnal_enabled else []) + ([{'name': 'matrix-goofys.service', 'priority': 800, 'groups': ['matrix', 'goofys']}] if matrix_s3_media_store_enabled else []) @@ -358,9 +344,11 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else []) + - ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else []) + - ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if matrix_playbook_traefik_certs_dumper_role_enabled else []) + ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + + + ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else []) }} ######################################################################## 
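Review bot: removing `matrix_playbook_traefik_role_enabled` in the `@@ -19,31 +19,15 @@` hunk also removes the guard that the deleted comment describes: with a Traefik installed by another playbook using the same role and `devture_traefik_enabled: false`, the role would now run its uninstall tasks against `/devture-traefik`. If that case is handled elsewhere in this change, the explanation should survive there; if not, the `other-traefik-container` mode needs an equivalent safeguard before this lands.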
@@ -435,6 +423,15 @@ matrix_homeserver_container_federation_url: |- }[matrix_homeserver_implementation] }} +matrix_homeserver_container_network: |- + {{ + matrix_nginx_proxy_container_network if matrix_nginx_proxy_enabled else { + 'synapse': matrix_synapse_container_network, + 'dendrite': matrix_dendrite_container_network, + 'conduit': matrix_conduit_container_network, + }[matrix_homeserver_implementation] + }} + matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" @@ -1698,12 +1695,15 @@ matrix_bot_buscarron_container_additional_networks: | ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_buscarron_container_network else []) ) | unique }} matrix_bot_buscarron_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_bot_buscarron_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_buscarron_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # 
@@ -1777,7 +1777,7 @@ matrix_bot_postmoogle_systemd_required_services_list: | + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + - (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled else []) }} # Postgres is the default, except if not using internal Postgres server 
@@ -1819,17 +1819,41 @@ matrix_bot_chatgpt_container_image_self_build: "{{ matrix_architecture not in [' # We don't enable bots by default. matrix_bot_go_neb_enabled: false +matrix_bot_go_neb_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" + +matrix_bot_go_neb_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-go-neb' }}" + +matrix_bot_go_neb_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_bot_go_neb_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_go_neb_container_network else []) + ) | unique + }} + +matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_bot_go_neb_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_bot_go_neb_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_go_neb_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + matrix_bot_go_neb_systemd_required_services_list: | {{ ['docker.service'] + ['matrix-' + matrix_homeserver_implementation + '.service'] + + ([devture_postgres_identifier + '.service'] if devture_postgres_enabled else []) + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_bot_go_neb_container_http_host_bind_port: "{{ 
(matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" - ###################################################################### # # /matrix-bot-go-neb @@ -2040,6 +2064,7 @@ matrix_rageshake_container_http_host_bind_port: "{{ (matrix_playbook_service_hos matrix_rageshake_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_rageshake_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -2118,7 +2143,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privatekey.key', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [] ) }} 
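Review bot: in the `@@ -1819,17 +1819,41 @@` hunk, `matrix_bot_go_neb_systemd_required_services_list` now depends on `devture_postgres_identifier + '.service'` (and joins the Postgres network) whenever the playbook's Postgres is enabled, regardless of whether Go-NEB is configured to use it; other components in this file gate that on a `database_engine == 'postgres'` check. If Go-NEB always uses Postgres here, a comment saying so would prevent the question coming up again; otherwise add the same guard.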
@@ -2126,7 +2151,7 @@ matrix_coturn_systemd_required_services_list: | {{ ['docker.service'] + - ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else []) + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []) }} ###################################################################### 
@@ -2145,12 +2170,33 @@ matrix_dimension_enabled: false matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the Dimension HTTP port to the local host. +matrix_dimension_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_dimension_hostname: "{{ matrix_server_fqn_dimension }}" + +matrix_dimension_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-dimension' }}" + +matrix_dimension_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_dimension_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_dimension_container_network else []) + ) | unique + }} + matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_dimension_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_dimension_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_dimension_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_dimension_homeserver_clientServerUrl: "{{ matrix_homeserver_container_url }}" matrix_dimension_homeserver_federationUrl: "{{ 
matrix_homeserver_container_federation_url }}" +matrix_dimension_homeserver_mediaUrl: "https://{{ matrix_server_fqn_matrix }}" matrix_dimension_systemd_required_services_list: | {{ 
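Review bot: `matrix_dimension_homeserver_mediaUrl: "https://{{ matrix_server_fqn_matrix }}"` hardcodes `https://` while `matrix_dimension_scheme`, added in the same hunk, keys off `matrix_playbook_ssl_enabled`; with SSL disabled the media URL points at a scheme nothing is serving. Derive the scheme the same way. Also, the deleted comment explaining when to expose the Dimension HTTP port on the host is still accurate for the `matrix_dimension_container_http_host_bind_port` line that remains; keep a version of it.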
@@ -2176,29 +2222,57 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_ ###################################################################### # -# matrix-etherpad +# etke/etherpad # ###################################################################### -matrix_etherpad_enabled: false +etherpad_enabled: false -matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +etherpad_identifier: matrix-etherpad -matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}" +etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" -matrix_etherpad_systemd_required_services_list: | +etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" + +etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}" + +etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" + +etherpad_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +etherpad_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else etherpad_identifier }}" + +etherpad_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != etherpad_container_network else []) + ) | unique + }} + +etherpad_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 
'other-traefik-container'] }}" +etherpad_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +etherpad_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +etherpad_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +etherpad_systemd_required_services_list: | {{ ['docker.service'] + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) }} -matrix_etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" -matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" +etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +etherpad_database_name: matrix_etherpad +etherpad_database_username: matrix_etherpad +etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}" ###################################################################### # -# /matrix-etherpad +# /etke/etherpad # ###################################################################### 
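Review bot: `etherpad_container_labels_traefik_enabled` spells out `matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container']` inline, whereas every other component touched by this change (Go-NEB, Dimension, Buscarron, rageshake) uses the shared `matrix_playbook_traefik_labels_enabled`, which evaluates to the same list; use the shared variable so a future change to the proxy types is made in one place. `etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}"` is the right call (iframe embedding only when an integration needs it), and a short comment saying that is why would help readers who see it as a clickjacking knob.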
@@ -2266,9 +2340,9 @@ matrix_jitsi_web_stun_servers: | # If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences, # unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false. # Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true, -# while also setting `matrix_etherpad_enabled` to false. -matrix_jitsi_etherpad_enabled: "{{ matrix_etherpad_enabled }}" -matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" +# while also setting `etherpad_enabled` to false. +matrix_jitsi_etherpad_enabled: "{{ etherpad_enabled }}" +matrix_jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" # Allow verification using JWT and matrix-UVS matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" 
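Review bot: `matrix_jitsi_etherpad_base` now references `etherpad_base_url`, but the playbook-level definition (`matrix_etherpad_base_url`) was removed in the etherpad hunk above and nothing in this diff defines the new name; the same goes for `etherpad_nginx_proxy_dimension_integration_enabled` and `etherpad_database_engine` used further down. Confirm the external `etke.cc/roles/etherpad` role provides defaults for all three, otherwise these expressions raise undefined-variable errors once `etherpad_enabled` is true.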
@@ -2434,10 +2508,10 @@ matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" -matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" +matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" +matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" 
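Review bot: `matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"` is left without the `matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container']` condition that the neighbouring Dimension, Etherpad and Go-NEB lines gain in this hunk. If Jitsi is intentionally still served only through `matrix-nginx-proxy` under Traefik, a comment saying so would stop the next reader from "fixing" it; if not, it should get the same gate.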
@@ -2449,11 +2523,9 @@ matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reve matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" @@ -2542,9 +2614,11 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + + (['matrix-sliding-sync-proxy.service'] if matrix_sliding_sync_enabled else []) + + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + - (['matrix-etherpad.service'] if matrix_etherpad_enabled else []) + ([etherpad_identifier + '.service'] if etherpad_enabled else []) + (['matrix-hookshot.service'] if matrix_hookshot_enabled else []) }} 
@@ -2565,7 +2639,7 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + - ([matrix_server_fqn_etherpad] if (matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone') else []) + ([matrix_server_fqn_etherpad] if (etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled) else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) + @@ -2675,6 +2749,12 @@ devture_postgres_managed_databases_auto: | 'password': matrix_dendrite_database_password, }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ + 'name': matrix_sliding_sync_database_name, + 'username': matrix_sliding_sync_database_username, + 'password': matrix_sliding_sync_database_password, + }] if (matrix_sliding_sync_enabled) else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, @@ -2856,10 +2936,10 @@ devture_postgres_managed_databases_auto: | }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == devture_postgres_connection_hostname) else []) + ([{ - 'name': matrix_etherpad_database_name, - 'username': matrix_etherpad_database_username, - 'password': matrix_etherpad_database_password, - }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == devture_postgres_connection_hostname) else []) + 'name': etherpad_database_name, + 'username': etherpad_database_username, + 'password': etherpad_database_password, + }] if (etherpad_enabled and etherpad_database_engine == 'postgres' and etherpad_database_hostname == devture_postgres_connection_hostname) else []) + ([{ 'name': prometheus_postgres_exporter_database_name, 
@@ -2941,6 +3021,7 @@ matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_b matrix_sygnal_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_sygnal_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_sygnal_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -2974,6 +3055,7 @@ ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_inter ntfy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" ntfy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" ntfy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +ntfy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: | {{ @@ -3031,6 +3113,7 @@ matrix_client_element_container_additional_networks: "{{ [matrix_playbook_revers matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_element_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" 
@@ -3084,6 +3167,7 @@ matrix_client_hydrogen_container_additional_networks: "{{ [matrix_playbook_rever matrix_client_hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_hydrogen_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" @@ -3117,6 +3201,7 @@ matrix_client_cinny_container_additional_networks: "{{ [matrix_playbook_reverse_ matrix_client_cinny_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_client_cinny_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_cinny_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" 
@@ -3296,6 +3381,7 @@ matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse matrix_synapse_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_synapse_admin_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -3327,6 +3413,7 @@ prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_rev prometheus_node_exporter_container_labels_traefik_enabled: false prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # 
@@ -3358,6 +3445,7 @@ prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook prometheus_postgres_exporter_container_labels_traefik_enabled: false prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter @@ -3461,6 +3549,7 @@ grafana_container_additional_networks: | grafana_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" grafana_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" grafana_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose 
@@ -3560,6 +3649,63 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener ###################################################################### + +###################################################################### +# +# matrix-sliding-sync +# +###################################################################### + +# We don't enable the sliding sync proxy by default. +matrix_sliding_sync_enabled: false + +matrix_sliding_sync_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_sliding_sync_hostname: "{{ matrix_server_fqn_matrix }}" + +matrix_sliding_sync_path_prefix: /sliding-sync + +matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +matrix_sliding_sync_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_sliding_sync_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_sliding_sync_container_network else []) + ) | unique + }} + +matrix_sliding_sync_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_sliding_sync_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_sliding_sync_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_sliding_sync_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if 
devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_sliding_sync_environment_variable_syncv3_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.secret', rounds=655555) | to_uuid }}" + +matrix_sliding_sync_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_sliding_sync_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.db', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-sliding-sync +# +###################################################################### + + ###################################################################### # # matrix-dendrite 
@@ -3730,16 +3876,43 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese ###################################################################### +######################################################################## +# # +# com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + +devture_container_socket_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" + +devture_container_socket_proxy_identifier: matrix-container-socket-proxy + +devture_container_socket_proxy_base_path: "{{ matrix_base_data_path }}/container-socket-proxy" + +devture_container_socket_proxy_uid: "{{ matrix_user_uid }}" +devture_container_socket_proxy_gid: "{{ matrix_user_gid }}" + +# Traefik requires read access to the containers APIs to do its job +devture_container_socket_proxy_api_containers_enabled: true + +######################################################################## +# # +# /com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + + ######################################################################## # # # com.devture.ansible.role.traefik # # # ######################################################################## -# To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`. -# See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" +devture_traefik_identifier: matrix-traefik + +devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik" + devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" 
@@ -3751,6 +3924,20 @@ devture_traefik_additional_entrypoints_auto: devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" +devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}" + +devture_traefik_container_additional_networks: | + {{ + ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else []) + }} + +devture_traefik_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else []) + }} + ######################################################################## # # # /com.devture.ansible.role.traefik # @@ -3764,9 +3951,7 @@ devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_ad # # ######################################################################## -# To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`. -# See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`. -devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled }}" +devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled and devture_traefik_config_certificatesResolvers_acme_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index a425cd88..a2b7f2b8 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml 
@@ -103,7 +103,9 @@ - custom/matrix-ldap-registration-proxy - custom/matrix-ma1sd - custom/matrix-dimension - - custom/matrix-etherpad + - galaxy/etherpad + - custom/etherpad-proxy-connect + - custom/matrix-sliding-sync - custom/matrix-email2matrix - custom/matrix-sygnal - galaxy/ntfy @@ -118,11 +120,11 @@ - custom/matrix-user-creator - custom/matrix-common-after - - when: matrix_playbook_traefik_role_enabled | bool - role: galaxy/com.devture.ansible.role.traefik + - role: galaxy/com.devture.ansible.role.container_socket_proxy - - when: matrix_playbook_traefik_certs_dumper_role_enabled | bool - role: galaxy/com.devture.ansible.role.traefik_certs_dumper + - role: galaxy/com.devture.ansible.role.traefik + + - role: galaxy/com.devture.ansible.role.traefik_certs_dumper - when: devture_systemd_service_manager_enabled | bool role: galaxy/com.devture.ansible.role.systemd_service_manager diff --git a/requirements.yml b/requirements.yml index 56fa7701..013a6c53 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: 6.1.0 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git - version: 54d6d1831f063e4a99b66c722f49053d59f8ee60 + version: 129c8590e106b83e6f4c259649a613c6279e937a - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f @@ -22,7 +22,7 @@ version: a1bb78d194434b38005f3a9e623bfa4b2c06c7bc - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git - version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b + version: 8e9ec48a09284c84704d7a2dce17da35f181574d - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096 
@@ -37,19 +37,25 @@ version: v0.11.1-2 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.3-1.7.7-1 + version: v1.2.3-1.7.8-0 - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.3.6-2 + version: v9.4.3-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.1.0-0 + version: v2.1.2-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git - version: v7.0.7-0 + version: v7.0.9-0 + +- src: git+https://gitlab.com/etke.cc/roles/etherpad.git + version: v1.8.18-2 + +- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git + version: v0.1.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 5e3248cd4d17db9ff3ba90904e7330150dab599e + version: v2.9.8-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git - version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 + version: v2.8.1-0 diff --git a/roles/custom/etherpad-proxy-connect/defaults/main.yml b/roles/custom/etherpad-proxy-connect/defaults/main.yml new file mode 100644 index 00000000..83df826f --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/defaults/main.yml @@ -0,0 +1,11 @@ +--- + +# etherpad-proxy-connect is a compatibility role connecting the new Etherpad role with matrix-nginx-proxy. +# It adds back support for serving Etherpad under the Dimension domain (`matrix_server_fqn_dimension`). + +# Controls whether Etherpad will be hosted under the Dimension domain when matrix-nginx-proxy is used (depending on matrix_playbook_reverse_proxy_type). +# If you're not using matrix-nginx-proxy, then this value has no effect. +etherpad_nginx_proxy_dimension_integration_enabled: false + +# Controls the path at which Etherpad will be exposed on the Dimension domain. +etherpad_nginx_proxy_dimension_integration_path_prefix: "{{ etherpad_path_prefix }}" 
diff --git a/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml similarity index 81% rename from roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml rename to roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml index e32cdf96..6252dba1 100644 --- a/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml +++ b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml @@ -11,14 +11,14 @@ - name: Generate Etherpad proxying configuration for matrix-nginx-proxy ansible.builtin.set_fact: - matrix_etherpad_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; + etherpad_matrix_nginx_proxy_configuration: | + rewrite ^{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ permanent; - location {{ matrix_etherpad_public_endpoint }}/ { + location {{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ { {% if matrix_nginx_proxy_enabled | default(False) %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - proxy_pass http://matrix-etherpad:9001/; + proxy_pass http://{{ etherpad_identifier }}:9001/; {# These are proxy directives needed specifically by Etherpad #} proxy_buffering off; proxy_http_version 1.1; # recommended with keepalive connections @@ -42,5 +42,5 @@ {{ matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([]) + - [matrix_etherpad_matrix_nginx_proxy_configuration] + [etherpad_matrix_nginx_proxy_configuration] }} 
diff --git a/roles/custom/etherpad-proxy-connect/tasks/main.yml b/roles/custom/etherpad-proxy-connect/tasks/main.yml new file mode 100644 index 00000000..630ab87f --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/tasks/main.yml @@ -0,0 +1,12 @@ +--- + +- when: etherpad_enabled | bool and etherpad_nginx_proxy_dimension_integration_enabled | bool + tags: + - install-all + - setup-all + - install-nginx-proxy + - setup-nginx-proxy + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" diff --git a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml new file mode 100644 index 00000000..51a672ee --- /dev/null +++ b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml 
@@ -0,0 +1,32 @@ +--- + +- name: Fail if reverse-proxy is not nginx + when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container'] + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using matrix-nginx-proxy. + `matrix_playbook_reverse_proxy_type` ({{ matrix_playbook_reverse_proxy_type }}) indicates that you're using another reverse-proxy. + If you're using Traefik, you should configure `etherpad_hostname` and `etherpad_path_prefix` instead. + +- name: Fail if Dimension not enabled + when: not matrix_dimension_enabled + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using Dimension. + Looks like Dimension is not enabled in your configuration (judging by `matrix_dimension_enabled`). + Consider configuring `etherpad_hostname` and `etherpad_path_prefix` instead. + +- name: Fail if Etherpad hostname does not match Dimension hostname + when: etherpad_hostname != matrix_server_fqn_dimension + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server requires that you set `etherpad_hostname` to `matrix_server_fqn_dimension`. + Consider adding this to your configuration: `{% raw %}etherpad_hostname: "{{ matrix_server_fqn_dimension }}"{% endraw %}` + +- name: Fail if / path prefix used for Etherpad + when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/' + ansible.builtin.fail: + msg: > + Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using a non-`/` path for Etherpad. + You've chosen a path prefix of `/` in `etherpad_nginx_proxy_dimension_integration_path_prefix`. + The `/` path must go to Dimension itself, so you need to pick a different prefix (e.g. `/etherpad`). 
diff --git a/roles/custom/matrix-aux/tasks/main.yml b/roles/custom/matrix-aux/tasks/main.yml index 57db0965..3ae8d179 100644 --- a/roles/custom/matrix-aux/tasks/main.yml +++ b/roles/custom/matrix-aux/tasks/main.yml @@ -1,9 +1,9 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" - tags: +- tags: - setup-all - setup-aux-files - install-all - install-aux-files + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 403af983..5e743925 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -72,7 +72,7 @@ matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}" # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" -# This is where you access the etherpad (if enabled via matrix_etherpad_enabled; disabled by default). +# This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default). matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}" # For use with Go-NEB! (github callback url for example) @@ -284,7 +284,7 @@ matrix_homeserver_app_service_config_files_auto: [] # Valid options and a description of their behavior: # # - `playbook-managed-traefik` -# - the playbook will install devture-traefik +# - the playbook will run a managed Traefik instance (matrix-traefik) # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) # - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email` # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working 
diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index c67e2090..13ef11d5 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml @@ -1,30 +1,28 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - tags: +- tags: - setup-all - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" - tags: +- tags: - always - setup-system-user - common + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" - tags: +- tags: - setup-all - install-all - common + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" - tags: +- tags: - setup-all - setup-ma1sd - setup-synapse @@ -37,3 +35,5 @@ - install-dendrite - install-conduit - install-nginx-proxy + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" diff --git a/roles/custom/matrix-base/templates/bin/remove-all.j2 b/roles/custom/matrix-base/templates/bin/remove-all.j2 index 5dd862ae..2733ad78 100644 --- a/roles/custom/matrix-base/templates/bin/remove-all.j2 +++ b/roles/custom/matrix-base/templates/bin/remove-all.j2 
@@ -25,8 +25,12 @@ else echo "Remove unused Docker images and resources" docker system prune -af + echo "Remove Docker matrix network (should be gone already, but ..)" docker network rm {{ matrix_docker_network }} + + echo "This playbook creates a lot of matrix-* networks. Consider removing them manually ('docker network ls', followed by 'docker network rm NETWORK_NAME')" + echo "Remove {{ matrix_base_data_path }} directory" rm -fr "{{ matrix_base_data_path }}" exit 0 diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index 45fc9b66..45c3ea2a 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -26,6 +26,11 @@ "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} } {% endif %} + {% if matrix_sliding_sync_enabled %}, + "org.matrix.msc3575.proxy": { + "url": "{{ matrix_sliding_sync_base_url }}" + } + {% endif %} {% if matrix_client_element_location_sharing_enabled %}, "m.tile_server": { "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json" diff --git a/roles/custom/matrix-bot-buscarron/tasks/main.yml b/roles/custom/matrix-bot-buscarron/tasks/main.yml index b4a58e91..fbf5c96a 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/main.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-buscarron + - install-all + - install-bot-buscarron + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - tags: + +- tags: - setup-all - setup-bot-buscarron - - install-all - - install-bot-buscarron - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool" - tags: - - setup-all - - setup-bot-buscarron diff --git a/roles/custom/matrix-bot-chatgpt/tasks/main.yml b/roles/custom/matrix-bot-chatgpt/tasks/main.yml index c5487fb8..1086a62d 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/main.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/main.yml @@ -1,20 +1,21 @@ --- -- block: - - when: matrix_bot_chatgpt_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_bot_chatgpt_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" +- tags: - setup-all - setup-bot-chatgpt - install-all - install-bot-chatgpt + block: + - when: matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- block: - - when: not matrix_bot_chatgpt_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: + - when: matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: - setup-all - setup-bot-chatgpt + block: + - when: not matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" 
diff --git a/roles/custom/matrix-bot-draupnir/tasks/main.yml b/roles/custom/matrix-bot-draupnir/tasks/main.yml index 686fe298..66c7cd06 100644 --- a/roles/custom/matrix-bot-draupnir/tasks/main.yml +++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-draupnir + - install-all + - install-bot-draupnir + block: - when: matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-draupnir - - install-all - - install-bot-draupnir - -- block: + block: - when: not matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-draupnir diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index 2dbff886..95acbd35 100644 --- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 @@ -36,7 +36,7 @@ autojoinOnlyIfManager: true # If `autojoinOnlyIfManager` is false, only the members in this space can invite # the bot to new rooms. -acceptInvitesFromSpace: "!example:example.org" +#acceptInvitesFromSpace: "!example:example.org" # Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). recordIgnoredInvites: false 
@@ -49,11 +49,11 @@ recordIgnoredInvites: false # # Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room. # (see verboseLogging to adjust this a bit.) -managementRoom: "#moderators:example.org" +managementRoom: "{{ matrix_bot_draupnir_management_room }}" # Whether Draupnir should log a lot more messages in the room, # mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room. -verboseLogging: true +verboseLogging: false # The log level of terminal (or container) output, # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. @@ -130,7 +130,7 @@ admin: # (with enough permissions) to "make" a user an admin. # # This only works if a local user with enough admin permissions is present in the room. - enableMakeRoomAdminCommand: true + enableMakeRoomAdminCommand: false # Misc options for command handling and commands commands: @@ -146,6 +146,7 @@ commands: # Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`. additionalPrefixes: - "draupnir-bot" + - "draupnir_bot" - "draupnir" # Whether or not commands with a wildcard (*) will require an additional `--force` argument diff --git a/roles/custom/matrix-bot-go-neb/defaults/main.yml b/roles/custom/matrix-bot-go-neb/defaults/main.yml index 61c5d54d..39b97b08 100644 --- a/roles/custom/matrix-bot-go-neb/defaults/main.yml +++ b/roles/custom/matrix-bot-go-neb/defaults/main.yml 
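Review bot: In the `production.yaml.j2` hunk at line 49, `managementRoom: "{{ matrix_bot_draupnir_management_room }}"` interpolates the variable inside YAML double quotes, so a value containing a `"` or a backslash yields a broken rendered config. Emitting it as `managementRoom: {{ matrix_bot_draupnir_management_room | to_json }}` produces a correctly quoted scalar, which is the convention this same change uses for `tls` in `labels.j2`. The `verboseLogging: false` and `enableMakeRoomAdminCommand: false` defaults in the following hunks are the right direction: the command that grants room admin stays off unless an operator deliberately enables it.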
@@ -1,11 +1,22 @@ --- + # Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. # Project source code URL: https://github.com/matrix-org/go-neb matrix_bot_go_neb_enabled: true + matrix_bot_go_neb_version: latest -matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}" -matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}" + +matrix_bot_go_neb_scheme: https + +# The hostname at which Go-NEB is served. +matrix_bot_go_neb_hostname: '' + +# The path at which Go-NEB is exposed. +# This value must either be `/` or not end with a slash (e.g. `/go-neb`). +matrix_bot_go_neb_path_prefix: / + +matrix_bot_go_neb_base_url: "{{ matrix_bot_go_neb_scheme }}://{{ matrix_bot_go_neb_hostname }}{{ matrix_bot_go_neb_path_prefix }}{{ '' if matrix_bot_go_neb_path_prefix == '/' else '/' }}" matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb" matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config" 
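Review bot: In the `defaults/main.yml` hunk at line 1, `matrix_bot_go_neb_hostname` defaults to `''`, yet `matrix_bot_go_neb_base_url` is built from it unconditionally and renders as `https:///` when nothing sets it; that value later lands in the `env` file as `BASE_URL` (see `env.j2` below) and replaces the previous `https://{{ matrix_server_fqn_bot_go_neb }}` in the systemd unit. No hunk here touches `validate_config.yml`, so add a check there that fails when `matrix_bot_go_neb_hostname` is empty while the role is enabled, and mention the `matrix_server_fqn_bot_go_neb` to `matrix_bot_go_neb_hostname` move in the CHANGELOG, since for existing installs this is effectively a rename.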
@@ -13,11 +24,63 @@ matrix_bot_go_neb_config_path_in_container: "/config/config.yaml" matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data" matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store" +matrix_bot_go_neb_container_image: "{{ matrix_bot_go_neb_container_image_registry_prefix }}matrixdotorg/go-neb:{{ matrix_bot_go_neb_container_image_tag }}" +matrix_bot_go_neb_container_image_tag: "{{ matrix_bot_go_neb_version }}" +matrix_bot_go_neb_container_image_force_pull: "{{ matrix_bot_go_neb_container_image.endswith(':latest') }}" +matrix_bot_go_neb_container_image_registry_prefix: docker.io/ + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_bot_go_neb_container_network: matrix-bot-go-neb + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_bot_go_neb_container_additional_networks: [] + # Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:4050"), or empty string to not expose. matrix_bot_go_neb_container_http_host_bind_port: '' +# matrix_bot_go_neb_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_bot_go_neb_container_labels_additional_labels`. +matrix_bot_go_neb_container_labels_traefik_enabled: true +matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_bot_go_neb_container_network }}" +matrix_bot_go_neb_container_labels_traefik_hostname: "{{ matrix_bot_go_neb_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/go-neb`). 
+matrix_bot_go_neb_container_labels_traefik_path_prefix: "{{ matrix_bot_go_neb_path_prefix }}" +matrix_bot_go_neb_container_labels_traefik_rule: "Host(`{{ matrix_bot_go_neb_container_labels_traefik_hostname }}`){% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_go_neb_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_bot_go_neb_container_labels_traefik_priority: 0 +matrix_bot_go_neb_container_labels_traefik_entrypoints: web-secure +matrix_bot_go_neb_container_labels_traefik_tls: "{{ matrix_bot_go_neb_container_labels_traefik_entrypoints != 'web' }}" +matrix_bot_go_neb_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom` +matrix_bot_go_neb_container_labels_traefik_additional_response_headers: "{{ matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom) }}" +matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_bot_go_neb_http_header_xss_protection} if matrix_bot_go_neb_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_bot_go_neb_http_header_frame_options} if matrix_bot_go_neb_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_bot_go_neb_http_header_content_type_options} if matrix_bot_go_neb_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_bot_go_neb_http_header_content_security_policy} if matrix_bot_go_neb_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {}) + | combine 
({'Strict-Transport-Security': matrix_bot_go_neb_http_header_strict_transport_security} if matrix_bot_go_neb_http_header_strict_transport_security and matrix_bot_go_neb_container_labels_traefik_tls else {}) + }} +matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_bot_go_neb_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_bot_go_neb_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_bot_go_neb_container_labels_additional_labels: '' + # A list of extra arguments to pass to the container matrix_bot_go_neb_container_extra_arguments: [] 
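Review bot: In the `defaults/main.yml` hunk at line 13, the `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto` map uses the key `'Permission-Policy'`, but the real header name is `Permissions-Policy` (the comment on `matrix_bot_go_neb_floc_optout_enabled` further down spells it correctly); with the singular name browsers ignore the header entirely and the FLoC opt-out is silently not applied. Rename the key to `'Permissions-Policy'` and fix the same spelling in the `matrix_bot_go_neb_http_header_content_permission_policy` comment and MDN link. Separately, `matrix_bot_go_neb_container_image_registry_prefix: docker.io/` is hard-coded while `matrix-appservice-irc` in this same changeset derives its prefix from `matrix_container_global_registry_prefix`; defaulting to the global variable keeps registry-mirror overrides working for this role too.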
@@ -27,6 +90,57 @@ matrix_bot_go_neb_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-bot-go-neb.service wants matrix_bot_go_neb_systemd_wanted_services_list: [] +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_bot_go_neb_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_bot_go_neb_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_bot_go_neb_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_bot_go_neb_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_bot_go_neb_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_bot_go_neb_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_bot_go_neb_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_bot_go_neb_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_bot_go_neb_content_permission_policy` +matrix_bot_go_neb_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_bot_go_neb_http_header_strict_transport_security` +matrix_bot_go_neb_hsts_preload_enabled: false + # Database-related configuration fields. # # MUST be "sqlite3". No other type is supported. diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml b/roles/custom/matrix-bot-go-neb/tasks/install.yml similarity index 63% rename from roles/custom/matrix-bot-go-neb/tasks/setup_install.yml rename to roles/custom/matrix-bot-go-neb/tasks/install.yml index 1db16b91..9cb85db3 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/install.yml 
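Review bot: In the `defaults/main.yml` hunk at line 27, the comment on `matrix_bot_go_neb_floc_optout_enabled` says `See: matrix_bot_go_neb_content_permission_policy`, which is not a variable defined in this file; the actual name is `matrix_bot_go_neb_http_header_content_permission_policy`. Also, `X-XSS-Protection: "1; mode=block"` is a deprecated header: current browsers have removed the XSS auditor it controlled, and where the header is still sent the recommended value is `0`, with `Content-Security-Policy` carrying the real protection. Keeping the variable for parity with other roles is fine, but the comment should not describe it as stopping reflected XSS.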
@@ -1,8 +1,5 @@ --- -- ansible.builtin.set_fact: - matrix_bot_go_neb_requires_restart: false - - name: Ensure go-neb paths exist ansible.builtin.file: path: "{{ item.path }}" @@ -16,17 +13,6 @@ - {path: "{{ matrix_bot_go_neb_data_store_path }}", when: true} when: "item.when | bool" -- name: Ensure go-neb image is pulled - community.docker.docker_image: - name: "{{ matrix_bot_go_neb_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - - name: Ensure go-neb config installed ansible.builtin.copy: content: "{{ matrix_bot_go_neb_configuration | to_nice_yaml(indent=2, width=999999) }}" 
@@ -35,16 +21,35 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure go-neb support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_bot_go_neb_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure go-neb container network is created + community.general.docker_network: + name: "{{ matrix_bot_go_neb_container_network }}" + driver: bridge + +- name: Ensure go-neb container image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_go_neb_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_go_neb_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_container_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + - name: Ensure matrix-bot-go-neb.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service" mode: 0644 - register: matrix_bot_go_neb_systemd_service_result - -- name: Ensure matrix-bot-go-neb.service restarted, if necessary - ansible.builtin.service: - name: "matrix-bot-go-neb.service" - state: restarted - daemon_reload: true - when: "matrix_bot_go_neb_requires_restart | bool" diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml index 126f6ae0..9367419d 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/main.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml 
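Review bot: In the `install.yml` hunk at line 21, `Ensure go-neb container network is created` uses `community.general.docker_network` while the image pull task just below uses `community.docker.docker_image`; the Docker modules live in `community.docker` (the `community.general` name is only a deprecated redirect), so use `community.docker.docker_network` for consistency. This hunk also drops `register: matrix_bot_go_neb_systemd_service_result` and the `Ensure matrix-bot-go-neb.service restarted, if necessary` task without a replacement in this file; if restart-on-change is now expected from a shared systemd role, say so in the commit message, otherwise edits to the new `env` and `labels` files will not reach the running container until its next restart.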
@@ -1,20 +1,20 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - tags: +- tags: - setup-all - setup-bot-go-neb - install-all - install-bot-go-neb + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" - tags: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" + +- tags: - setup-all - setup-bot-go-neb + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-go-neb/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml rename to roles/custom/matrix-bot-go-neb/tasks/uninstall.yml diff --git a/roles/custom/matrix-bot-go-neb/templates/env.j2 b/roles/custom/matrix-bot-go-neb/templates/env.j2 new file mode 100644 index 00000000..22e605e5 --- /dev/null +++ b/roles/custom/matrix-bot-go-neb/templates/env.j2 @@ -0,0 +1,8 @@ +BIND_ADDRESS=:4050 + +DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }} +DATABASE_URL={{ matrix_bot_go_neb_storage_database }} + +BASE_URL={{ matrix_bot_go_neb_base_url }} + +CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }} diff --git a/roles/custom/matrix-bot-go-neb/templates/labels.j2 b/roles/custom/matrix-bot-go-neb/templates/labels.j2 new file mode 100644 index 00000000..54aa2583 --- /dev/null 
+++ b/roles/custom/matrix-bot-go-neb/templates/labels.j2 
@@ -0,0 +1,45 @@ +{% if matrix_bot_go_neb_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_bot_go_neb_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-bot-go-neb-slashless-redirect'] %} +{% endif %} + +{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-bot-go-neb-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-bot-go-neb-strip-prefix'] %} +{% endif %} + +{% if matrix_bot_go_neb_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_bot_go_neb_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-bot-go-neb-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-bot-go-neb-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-bot-go-neb.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }} +{% if matrix_bot_go_neb_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-bot-go-neb.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-bot-go-neb.service=matrix-bot-go-neb +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-bot-go-neb.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-bot-go-neb.entrypoints={{ 
matrix_bot_go_neb_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-go-neb.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }} +{% if matrix_bot_go_neb_container_labels_traefik_tls %} +traefik.http.routers.matrix-bot-go-neb.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-bot-go-neb.loadbalancer.server.port=4050 +{% endif %} + +{{ matrix_bot_go_neb_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index a57df57e..150cd665 100644 --- a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 
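Review bot: In the `labels.j2` hunk, `redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$` uses `quote`, which is Ansible's shell-quoting filter and does not escape regex metacharacters; a prefix such as `/go-neb` works, but one containing `.` or `+` would match more than intended. `regex_escape` is the filter meant for this. The `customresponseheaders.{{ name }}={{ value }}` loop also writes values unescaped into the label file, which is fine for the fixed defaults but deserves a comment because `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom` is operator-supplied.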
@@ -16,31 +16,37 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-go-neb \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-go-neb \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_go_neb_container_network }} \ {% if matrix_bot_go_neb_container_http_host_bind_port %} -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ {% endif %} - -e 'BIND_ADDRESS=:4050' \ - -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ - -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ - -e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \ - -e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \ + --env-file={{ matrix_bot_go_neb_base_path }}/env \ + --label-file={{ matrix_bot_go_neb_base_path }}/labels \ --mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \ --mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \ --entrypoint=/bin/sh \ {% for arg in matrix_bot_go_neb_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_bot_go_neb_docker_image }} \ + {{ matrix_bot_go_neb_container_image }} \ -c "go-neb /config/config.yaml" +{% for network in matrix_bot_go_neb_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-go-neb +{% endfor %} + +ExecStart={{ 
devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-go-neb + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-go-neb diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index e880df4f..42f76682 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.16 +matrix_bot_honoroit_version: v0.9.17 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-bot-honoroit/tasks/main.yml b/roles/custom/matrix-bot-honoroit/tasks/main.yml index d4dcbce4..9b4e2908 100644 --- a/roles/custom/matrix-bot-honoroit/tasks/main.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/main.yml 
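Review bot: In the `matrix-bot-go-neb.service.j2` hunk at line 16, the container now joins `matrix_bot_go_neb_container_network` (default `matrix-bot-go-neb`) instead of `matrix_docker_network`, and `matrix_bot_go_neb_container_additional_networks` defaults to `[]`, so unless the playbook's group vars append the homeserver's network the bot can no longer reach the homeserver by container name; please confirm that wiring exists or list it in the CHANGELOG as a breaking change. Moving `DATABASE_URL` and the other `-e` values out of the unit into `--env-file={{ matrix_bot_go_neb_base_path }}/env` (mode 0640) is a good change: credentials no longer appear in the unit file or in `systemctl cat` output.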
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-honoroit + - install-all + - install-bot-honoroit + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - tags: + +- tags: - setup-all - setup-bot-honoroit - - install-all - - install-bot-honoroit - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool" - tags: - - setup-all - - setup-bot-honoroit diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml index 90ee56cc..83291fb6 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-matrix-registration-bot + - install-all + - install-bot-matrix-registration-bot + block: - when: matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-matrix-registration-bot - - install-all - - install-bot-matrix-registration-bot - -- block: + block: - when: not matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-matrix-registration-bot diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml index 22c014de..f475afc0 100644 
--- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-matrix-reminder-bot + - install-all + - install-bot-matrix-reminder-bot + block: - when: matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-matrix-reminder-bot - - install-all - - install-bot-matrix-reminder-bot - -- block: + block: - when: not matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-matrix-reminder-bot diff --git a/roles/custom/matrix-bot-maubot/tasks/main.yml b/roles/custom/matrix-bot-maubot/tasks/main.yml index 95fad19e..3241795b 100644 --- a/roles/custom/matrix-bot-maubot/tasks/main.yml +++ b/roles/custom/matrix-bot-maubot/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_bot_maubot_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-bot-maubot + - install-all + - install-bot-maubot + block: - when: matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-maubot - - install-all - - install-bot-maubot - -- block: + block: - when: not matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-maubot diff --git a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml index 97f189c4..60b87861 100644 --- a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml @@ -53,7 +53,7 @@ name: "{{ matrix_bot_maubot_docker_image }}" source: build force_source: "{{ matrix_bot_maubot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_maubot_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_bot_maubot_docker_src_files_path }}" diff --git a/roles/custom/matrix-bot-mjolnir/tasks/main.yml b/roles/custom/matrix-bot-mjolnir/tasks/main.yml index def5c9f0..03f5ba90 100644 
--- a/roles/custom/matrix-bot-mjolnir/tasks/main.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-mjolnir + - install-all + - install-bot-mjolnir + block: - when: matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-mjolnir - - install-all - - install-bot-mjolnir - -- block: + block: - when: not matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-mjolnir diff --git a/roles/custom/matrix-bot-postmoogle/tasks/main.yml b/roles/custom/matrix-bot-postmoogle/tasks/main.yml index a6bc76a3..b7704039 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/main.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-postmoogle + - install-all + - install-bot-postmoogle + block: - when: matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-postmoogle - - install-all - - install-bot-postmoogle - -- block: + block: - when: not matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-postmoogle diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml index 926fe367..88a77220 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-discord + - install-all + - install-appservice-discord + block: - when: matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-discord - - install-all - - install-appservice-discord - -- block: + block: - when: not matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-discord diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml index 4a6419ed..632948bc 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -65,7 +65,10 @@ when: "matrix_appservice_discord_stat_db.stat.exists" - name: (Data relocation) Move AppService Discord discord.db file to ./data directory - ansible.builtin.command: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}" + ansible.builtin.command: + cmd: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}" + creates: "{{ matrix_appservice_discord_data_path }}/{{ item }}" + removes: "{{ matrix_appservice_discord_base_path }}/{{ item }}" with_items: - discord.db - user-store.db diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index 5e8c1191..ce39bc56 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml 
@@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_irc_version: 0.36.0 +matrix_appservice_irc_version: 0.37.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml index 1cc6b35c..d4669848 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-irc + - install-all + - install-appservice-irc + block: - when: matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-irc - - install-all - - install-appservice-irc - -- block: + block: - when: not matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-irc diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index a5fdacde..69a9aa4c 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml 
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -108,16 +108,12 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Check if Appservice IRC passkey exists - ansible.builtin.stat: - path: "{{ matrix_appservice_irc_data_path }}/passkey.pem" - register: irc_passkey_file - - name: Generate Appservice IRC passkey if it doesn't exist - ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" + ansible.builtin.shell: + cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" + creates: "{{ matrix_appservice_irc_data_path }}/passkey.pem" become: true become_user: "{{ matrix_user_username }}" - when: "not irc_passkey_file.stat.exists" # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay. # Fix it. diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml index 14a30e65..7a360024 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-kakaotalk + - install-all + - install-appservice-kakaotalk + block: - when: matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-kakaotalk - - install-all - - install-appservice-kakaotalk - -- block: + block: - when: not matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-kakaotalk diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml index 41e2679e..6fb8ac7c 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_appservice_slack_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-appservice-slack + - install-all + - install-appservice-slack + block: - when: matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-slack - - install-all - - install-appservice-slack - -- block: + block: - when: not matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-slack diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml index ae36cf70..a40d66dd 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_appservice_webhooks_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-appservice-webhooks + - install-all + - install-appservice-webhooks + block: - when: matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-webhooks - - install-all - - install-appservice-webhooks - -- block: + block: - when: not matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-webhooks diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml index 50228042..56eb91e5 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-beeper-linkedin + - install-all + - install-beeper-linkedin + block: - when: matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-beeper-linkedin - - install-all - - install-beeper-linkedin - -- block: + block: - when: not matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-beeper-linkedin diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml index 5bf9236b..7ba91421 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-go-skype-bridge + - install-all + - install-go-skype-bridge + block: - when: matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-go-skype-bridge - - install-all - - install-go-skype-bridge - -- block: + block: - when: not matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-go-skype-bridge diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml index 6146637f..7d8ccd8d 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml 
@@ -97,11 +97,17 @@ when: "matrix_go_skype_bridge_stat_database.stat.exists" - name: (Data relocation) Move go-skype-bridge database file to ./data directory - ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + ansible.builtin.command: + cmd: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + creates: "{{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + removes: "{{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db" when: "matrix_go_skype_bridge_stat_database.stat.exists" - name: (Data relocation) Move go-skype-bridge mx-state file to ./data directory - ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json" + ansible.builtin.command: + cmd: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json" + creates: "{{ matrix_go_skype_bridge_data_path }}/mx-state.json" + removes: "{{ matrix_go_skype_bridge_base_path }}/mx-state.json" when: "matrix_go_skype_bridge_stat_mx_state.stat.exists" - name: Ensure go-skype-bridge config.yaml installed diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml index 0d8354cf..5b92520d 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml 
@@ -1,17 +1,17 @@ --- -- block: - - when: matrix_heisenbridge_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-heisenbridge - install-all - install-heisenbridge + block: + - when: matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_heisenbridge_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-heisenbridge + block: + - when: not matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index aa4ae45c..3b65b92a 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -122,15 +122,15 @@ matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matr # No need to change these matrix_hookshot_generic_enabled: true -matrix_hookshot_generic_enableHttpGet: false +matrix_hookshot_generic_enableHttpGet: false # noqa var-naming # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks" matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}" # urlprefix gets updated with protocol & port in group_vars/matrix_servers -matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" +matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" # noqa var-naming # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap -matrix_hookshot_generic_userIdPrefix: '_webhooks_' -matrix_hookshot_generic_allowJsTransformationFunctions: false -matrix_hookshot_generic_waitForComplete: false +matrix_hookshot_generic_userIdPrefix: '_webhooks_' # noqa var-naming +matrix_hookshot_generic_allowJsTransformationFunctions: false # noqa var-naming +matrix_hookshot_generic_waitForComplete: false # noqa var-naming matrix_hookshot_feeds_enabled: true diff --git a/roles/custom/matrix-bridge-hookshot/tasks/main.yml b/roles/custom/matrix-bridge-hookshot/tasks/main.yml index c7ffc304..e2fa9936 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_hookshot_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-hookshot + - install-all + - install-hookshot + block: - when: matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-hookshot - - install-all - - install-hookshot - -- block: + block: - when: not matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-hookshot diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index e9b277ce..f0e8c1c6 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -57,7 +57,9 @@ register: hookshot_passkey_file - name: Generate hookshot passkey if it doesn't exist - ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096" + ansible.builtin.shell: + cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096" + creates: "{{ matrix_hookshot_base_path }}/passkey.pem" become: true become_user: "{{ matrix_user_username }}" when: "not hookshot_passkey_file.stat.exists" 
diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml index cc90f2fa..19698f9f 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mautrix-discord + - install-all + - install-mautrix-discord + block: - when: matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-discord - - install-all - - install-mautrix-discord - -- block: + block: - when: not matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-discord diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml index fa7cec7d..11034668 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-facebook + - install-all + - install-mautrix-facebook + block: - when: matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-facebook - - install-all - - install-mautrix-facebook - -- block: + block: - when: not matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-facebook diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 758a5fed..fac1d1d2 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_facebook_stat_database.stat.exists" - name: (Data relocation) Move mautrix-facebook database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + creates: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + removes: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" when: "matrix_mautrix_facebook_stat_database.stat.exists" - name: Ensure mautrix-facebook config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml index 917ba7a9..a23923b5 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_googlechat_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-googlechat + - install-all + - install-mautrix-googlechat + block: - when: matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-googlechat - - install-all - - install-mautrix-googlechat - -- block: + block: - when: not matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-googlechat diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml index c1258471..c1ae8cf5 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_googlechat_stat_database.stat.exists" - name: (Data relocation) Move mautrix-googlechat database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + creates: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + removes: "{{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db" when: "matrix_mautrix_googlechat_stat_database.stat.exists" - name: Ensure mautrix-googlechat config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml index e9d8048c..e7881567 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_hangouts_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-hangouts + - install-all + - install-mautrix-hangouts + block: - when: matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-hangouts - - install-all - - install-mautrix-hangouts - -- block: + block: - when: not matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-hangouts diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index f8fdb023..0fa54994 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_hangouts_stat_database.stat.exists" - name: (Data relocation) Move mautrix-hangouts database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + creates: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + removes: "{{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db" when: "matrix_mautrix_hangouts_stat_database.stat.exists" - name: Ensure mautrix-hangouts config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml index 0b3a722d..834dec0c 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-instagram + - install-all + - install-mautrix-instagram + block: - when: matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-instagram - - install-all - - install-mautrix-instagram - -- block: + block: - when: not matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-instagram diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml index 9473344b..f5d769e5 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-signal + - install-all + - install-mautrix-signal + block: - when: matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-signal - - install-all - - install-mautrix-signal - -- block: + block: - when: not matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-signal diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml index bff90549..b7a2199d 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mautrix-slack + - install-all + - install-mautrix-slack + block: - when: matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-slack - - install-all - - install-mautrix-slack - -- block: + block: - when: not matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-slack diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 1221da84..4d040161 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.12.2 +matrix_mautrix_telegram_version: v0.13.0 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml index 3c8e6d04..212848b6 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml 
+++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml @@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-telegram + - install-all + - install-mautrix-telegram + block: - when: matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-telegram - - install-all - - install-mautrix-telegram - -- block: + block: - when: not matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-telegram diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 383d4827..ddf11d8d 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml 
@@ -116,7 +116,10 @@ when: "matrix_mautrix_telegram_stat_database.stat.exists" - name: (Data relocation) Move mautrix-telegram database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + creates: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + removes: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db" when: "matrix_mautrix_telegram_stat_database.stat.exists" - name: Ensure mautrix-telegram config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml index 9eb444a7..655e52fb 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-twitter + - install-all + - install-mautrix-twitter + block: - when: matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-twitter - - install-all - - install-mautrix-twitter - -- block: + block: - when: not matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-twitter diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml index b49a1300..cb4e8dea 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-whatsapp + - install-all + - install-mautrix-whatsapp + block: - when: matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-whatsapp - - install-all - - install-mautrix-whatsapp - -- block: + block: - when: not matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-whatsapp diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 1cf883c5..e41fe9c3 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml 
@@ -97,11 +97,17 @@ when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - name: (Data relocation) Move mautrix-whatsapp database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + creates: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + removes: "{{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db" when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - name: (Data relocation) Move mautrix-whatsapp mx-state file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + creates: "{{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + removes: "{{ matrix_mautrix_whatsapp_base_path }}/mx-state.json" when: "matrix_mautrix_whatsapp_stat_mx_state.stat.exists" - name: Ensure mautrix-whatsapp config.yaml installed diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml index c1403dfa..c0300b51 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-discord + - install-all + - install-mx-puppet-discord + block: - when: matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-discord - - install-all - - install-mx-puppet-discord - -- block: + block: - when: not matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-discord diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml index ab5b0d44..de225e71 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-groupme + - install-all + - install-mx-puppet-groupme + block: - when: matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-groupme - - install-all - - install-mx-puppet-groupme - -- block: + block: - when: not matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-groupme diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 9db25e86..0ba1e699 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml 
@@ -29,7 +29,10 @@ when: "matrix_mx_puppet_groupme_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-groupme database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_groupme_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_groupme_base_path }}/database.db" when: "matrix_mx_puppet_groupme_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml index 3cf02773..0d46532c 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-instagram + - install-all + - install-mx-puppet-instagram + block: - when: matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-instagram - - install-all - - install-mx-puppet-instagram - -- block: + block: - when: not matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-instagram diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml index 3d6e722b..63e07405 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mx_puppet_slack_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mx-puppet-slack + - install-all + - install-mx-puppet-slack + block: - when: matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-slack - - install-all - - install-mx-puppet-slack - -- block: + block: - when: not matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-slack diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index e75d47e5..bba2d25c 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mx_puppet_slack_enabled | bool and matrix_mx_puppet_slack_container_image_self_build" - name: (Data relocation) Move mx-puppet-slack database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_slack_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_slack_base_path }}/database.db" when: "matrix_mx_puppet_slack_stat_database.stat.exists" - name: Ensure mx-puppet-slack config.yaml installed diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml index 6eacc6fc..66d2980d 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-steam + - install-all + - install-mx-puppet-steam + block: - when: matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-steam - - install-all - - install-mx-puppet-steam - -- block: + block: - when: not matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-steam diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index ca2de448..f2ccea59 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml 
@@ -29,7 +29,10 @@ when: "matrix_mx_puppet_steam_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-steam database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_steam_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_steam_base_path }}/database.db" when: "matrix_mx_puppet_steam_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml index 85c06f04..d6d68103 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mx_puppet_twitter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mx-puppet-twitter + - install-all + - install-mx-puppet-twitter + block: - when: matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-twitter - - install-all - - install-mx-puppet-twitter - -- block: + block: - when: not matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-twitter diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index a8450205..9224e956 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml 
@@ -29,7 +29,10 @@ when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-twitter database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_twitter_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_twitter_base_path }}/database.db" when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-sms/tasks/main.yml b/roles/custom/matrix-bridge-sms/tasks/main.yml index f9bd502c..57d51727 100644 --- a/roles/custom/matrix-bridge-sms/tasks/main.yml +++ b/roles/custom/matrix-bridge-sms/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-matrix-sms-bridge + - install-all + - install-matrix-sms-bridge + block: - when: matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-sms-bridge - - install-all - - install-matrix-sms-bridge - -- block: + block: - when: not matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-sms-bridge diff --git a/roles/custom/matrix-cactus-comments/tasks/main.yml b/roles/custom/matrix-cactus-comments/tasks/main.yml index c6108e91..c1a08d32 100644 --- a/roles/custom/matrix-cactus-comments/tasks/main.yml +++ b/roles/custom/matrix-cactus-comments/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-cactus-comments + - install-all + - install-cactus-comments + block: - when: matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-cactus-comments - - install-all - - install-cactus-comments - -- block: + block: - when: not matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-cactus-comments diff --git a/roles/custom/matrix-client-cinny/tasks/main.yml b/roles/custom/matrix-client-cinny/tasks/main.yml index 1e6d4759..40c6514b 100644 --- a/roles/custom/matrix-client-cinny/tasks/main.yml +++ b/roles/custom/matrix-client-cinny/tasks/main.yml 
@@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-client-cinny + - install-all + - install-client-cinny + block: - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-cinny - - install-all - - install-client-cinny - -- block: + block: - when: not matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-cinny -- block: +- tags: + - self-check + block: - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 60b52d60..8e24ca66 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.11.23 +matrix_client_element_version: v1.11.24 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" 
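Review bot: in `roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml`, the two relocation tasks now carry `creates:` for the destination and `removes:` for the source, which makes the retained `when: "matrix_mautrix_whatsapp_stat_database.stat.exists"` and `when: "matrix_mautrix_whatsapp_stat_mx_state.stat.exists"` guards redundant; either drop the `when:` lines (and the `stat` tasks they depend on) or drop `removes:`, but keeping both mechanisms just hides which one is doing the work. More importantly, `creates:` skips the `mv` silently when both the old and the new file exist, so a half-finished earlier migration leaves a stale `mautrix-whatsapp.db` (bridge state and WhatsApp session data) in `{{ matrix_mautrix_whatsapp_base_path }}` with nothing reporting it; consider an `ansible.builtin.fail` (or at least a `debug` warning) for the both-exist case instead of doing nothing.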
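Review bot: the same `creates:`/`removes:` pattern is applied to the `database.db` relocation in the mx-puppet-groupme, mx-puppet-slack, mx-puppet-steam and mx-puppet-twitter `setup_install.yml` hunks, with the same two consequences: the `when: "..._stat_database.stat.exists"` guard is now redundant with `removes:`, and when both `{{ ..._base_path }}/database.db` and `{{ ..._data_path }}/database.db` exist the move is skipped without any message, leaving a stale copy of the bridge database behind. Pick one mechanism and surface the both-exist case rather than silently doing nothing; a shared include for the relocation step would also stop this from drifting across the four roles.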
diff --git a/roles/custom/matrix-client-element/tasks/main.yml b/roles/custom/matrix-client-element/tasks/main.yml index 89e50ba7..77020067 100644 --- a/roles/custom/matrix-client-element/tasks/main.yml +++ b/roles/custom/matrix-client-element/tasks/main.yml @@ -1,6 +1,11 @@ --- -- block: +- tags: + - setup-all + - setup-client-element + - install-all + - install-client-element + block: - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" @@ -9,21 +14,16 @@ - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-element - - install-all - - install-client-element - -- block: + block: - when: not matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-element -- block: +- tags: + - self-check + block: - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml index fc0532db..50d6370f 100644 --- a/roles/custom/matrix-client-element/tasks/setup_install.yml +++ b/roles/custom/matrix-client-element/tasks/setup_install.yml @@ -56,6 +56,7 @@ --tag={{ matrix_client_element_docker_image }} --file={{ matrix_client_element_docker_src_files_path }}/Dockerfile {{ matrix_client_element_docker_src_files_path }} + changed_when: true when: matrix_client_element_container_image_self_build | bool - name: Ensure Element configuration installed diff --git a/roles/custom/matrix-client-hydrogen/tasks/main.yml b/roles/custom/matrix-client-hydrogen/tasks/main.yml index 9bb8bc08..9e7445c0 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/main.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/main.yml 
@@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-client-hydrogen + - install-all + - install-client-hydrogen + block: - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-hydrogen - - install-all - - install-client-hydrogen - -- block: + block: - when: not matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-hydrogen -- block: +- tags: + - self-check + block: - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-common-after/tasks/main.yml b/roles/custom/matrix-common-after/tasks/main.yml index fe23e467..5e4dc76b 100644 --- a/roles/custom/matrix-common-after/tasks/main.yml +++ b/roles/custom/matrix-common-after/tasks/main.yml @@ -1,6 +1,6 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" - tags: +- tags: - run-docker-prune + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index bbab5cde..7673a7d2 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml 
@@ -23,6 +23,14 @@ matrix_conduit_systemd_required_services_list: ["docker.service"] # List of systemd services that matrix-conduit.service wants matrix_conduit_systemd_wanted_services_list: [] +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_conduit_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_conduit_container_additional_networks: [] + # Extra arguments for the Docker container matrix_conduit_container_extra_arguments: [] diff --git a/roles/custom/matrix-conduit/tasks/main.yml b/roles/custom/matrix-conduit/tasks/main.yml index d733ac08..f48e385e 100644 --- a/roles/custom/matrix-conduit/tasks/main.yml +++ b/roles/custom/matrix-conduit/tasks/main.yml @@ -1,17 +1,17 @@ --- -- block: - - when: matrix_conduit_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-conduit - install-all - install-conduit + block: + - when: matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_conduit_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-conduit + block: + - when: not matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-conduit/tasks/setup_install.yml b/roles/custom/matrix-conduit/tasks/setup_install.yml index ef47c620..ecccbb32 100644 --- a/roles/custom/matrix-conduit/tasks/setup_install.yml +++ b/roles/custom/matrix-conduit/tasks/setup_install.yml 
@@ -1,14 +1,4 @@ --- -- name: Ensure Conduit Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_conduit_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - name: Ensure Conduit config path exists ansible.builtin.file: @@ -34,6 +24,22 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Conduit container network is created + community.general.docker_network: + name: "{{ matrix_conduit_container_network }}" + driver: bridge + +- name: Ensure Conduit container image is pulled + community.docker.docker_image: + name: "{{ matrix_conduit_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + - name: Ensure matrix-conduit.service installed ansible.builtin.template: src: "{{ role_path }}/templates/conduit/systemd/matrix-conduit.service.j2" diff --git a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 index cdaead01..91c1e915 100644 
--- a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 +++ b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 @@ -12,13 +12,15 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-conduit \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-conduit \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduit_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_conduit_container_network }} \ --env CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml \ --mount type=bind,src={{ matrix_conduit_data_path }},dst=/var/lib/matrix-conduit \ --mount type=bind,src={{ matrix_conduit_config_path }},dst=/etc/matrix-conduit,ro \ 
@@ -27,6 +29,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_conduit_docker_image }} +{% for network in matrix_conduit_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduit +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduit + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduit /bin/sh -c 'kill -HUP 1' diff --git a/roles/custom/matrix-corporal/tasks/main.yml b/roles/custom/matrix-corporal/tasks/main.yml index c4c7b7fc..e8f3b785 100644 --- a/roles/custom/matrix-corporal/tasks/main.yml +++ b/roles/custom/matrix-corporal/tasks/main.yml @@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-corporal + - install-all + - install-corporal + block: - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-corporal - - install-all - - install-corporal - -- block: + block: - when: not matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-corporal -- block: +- tags: + - self-check + block: - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check 
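Review bot: in `roles/custom/matrix-client-element/tasks/setup_install.yml`, `changed_when: true` on the `docker build` command satisfies ansible-lint but makes the self-build task report a change on every run, including runs where every layer came from cache, so the play summary can no longer distinguish a rebuild from a no-op. That is acceptable if a cache hit is considered uninteresting; otherwise register the result and derive `changed_when` from the build output.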
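Review bot: in `roles/custom/matrix-conduit/tasks/setup_install.yml`, the new network task uses `community.general.docker_network` while the coturn hunk in this same patch uses `community.docker.docker_network`, and the image pull right below it uses `community.docker.docker_image`. The docker modules live in the `community.docker` collection and the `community.general.` name only resolves through a collection redirect, so use `community.docker.docker_network` here for consistency. Moving the image pull after the config and network tasks is fine; nothing between them depends on the image.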
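Review bot: in `matrix-conduit.service.j2`, the `docker network connect {{ network }} matrix-conduit` lines are emitted as plain `ExecStartPre=` without the `-` prefix, so a network listed in `matrix_conduit_container_additional_networks` that does not exist fails the unit instead of silently starting a homeserver the reverse proxy cannot reach; that matches the defaults comment ("The role does not create these networks") and should stay that way. Worth adding to that defaults comment: every extra network gives the Conduit container layer-3 reachability to all other containers on it and vice versa, so the list should contain only the reverse proxy's network. The `docker create --rm` plus `docker start --attach` split keeps the old auto-removal behaviour, so the trailing `ExecStop` `rm` remains a harmless fallback.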
diff --git a/roles/custom/matrix-coturn/tasks/main.yml b/roles/custom/matrix-coturn/tasks/main.yml index 45ce9fd9..1b1332fb 100644 --- a/roles/custom/matrix-coturn/tasks/main.yml +++ b/roles/custom/matrix-coturn/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-coturn + - install-all + - install-coturn + block: - when: matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-coturn - - install-all - - install-coturn - -- block: + block: - when: not matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-coturn diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index 44325f46..1cb8bd69 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml @@ -62,8 +62,8 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- when: matrix_coturn_docker_network not in ['', 'host'] - name: Ensure Coturn network is created in Docker +- name: Ensure Coturn network is created in Docker + when: matrix_coturn_docker_network not in ['', 'host'] community.docker.docker_network: name: "{{ matrix_coturn_docker_network }}" driver: bridge diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 525f4854..8c2dded4 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -33,6 +33,14 @@ matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port | s # This is passed as an `-https-bind-address` flag to the Dendrite server in the container matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port | string) if matrix_dendrite_https_bind_port else '' }}" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_dendrite_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_dendrite_container_additional_networks: [] + # Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml index 0e88ec51..78d81524 100644 --- a/roles/custom/matrix-dendrite/tasks/main.yml +++ b/roles/custom/matrix-dendrite/tasks/main.yml 
@@ -1,35 +1,35 @@ --- -- block: +- tags: + - setup-all + - setup-dendrite + - install-all + - install-dendrite + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dendrite - - install-all - - install-dendrite - -- block: + block: - when: not matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dendrite -- block: +- tags: + - self-check + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - tags: - - self-check -- block: +- tags: + - register-user + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" - tags: - - register-user diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index c516c5b7..283e8b01 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml 
@@ -42,24 +42,20 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -- name: Check if a Dendrite signing key exists - ansible.builtin.stat: - path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" - register: matrix_dendrite_signing_key_stat - # We do this so that the signing key would get generated. # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent version, which is not available for a lot of people yet. - name: Generate Dendrite signing key - ansible.builtin.command: | - docker run - --rm - --name=matrix-dendrite-config - --entrypoint=generate-keys - --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data - {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem - generate - when: "not matrix_dendrite_signing_key_stat.stat.exists" + ansible.builtin.command: + cmd: | + docker run + --rm + --name=matrix-dendrite-config + --entrypoint=generate-keys + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data + {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem + generate + creates: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" - name: Ensure Dendrite server key exists ansible.builtin.file: @@ -76,6 +72,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Dendrite container network is created + community.general.docker_network: + name: "{{ matrix_dendrite_container_network }}" + driver: bridge + - name: Ensure matrix-dendrite.service installed ansible.builtin.template: src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" 
diff --git a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 4649c3a3..378cf596 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -22,13 +22,15 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre={{ matrix_host_command_sleep }} 5 {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-dendrite \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-dendrite \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_dendrite_container_network }} \ {% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %} -p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \ {% endif %} 
@@ -54,6 +56,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name -https-bind-address {{ matrix_dendrite_https_bind_address }} {% endif %} +{% for network in matrix_dendrite_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dendrite +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dendrite + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dendrite 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' diff --git a/roles/custom/matrix-dimension/defaults/main.yml b/roles/custom/matrix-dimension/defaults/main.yml index 4be76fd1..e66f9009 100644 --- a/roles/custom/matrix-dimension/defaults/main.yml +++ b/roles/custom/matrix-dimension/defaults/main.yml @@ -3,6 +3,15 @@ matrix_dimension_enabled: false +matrix_dimension_scheme: https + +# The hostname at which Dimension is served. +matrix_dimension_hostname: '' + +# The path at which Dimension is exposed. +# This value must either be `/` or not end with a slash (e.g. `/dimension`). +matrix_dimension_path_prefix: / + # You are required to specify an access token for Dimension to work. # For information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens matrix_dimension_access_token: "" 
@@ -35,21 +44,129 @@ matrix_dimension_systemd_wanted_services_list: [] matrix_dimension_user_uid: '1000' matrix_dimension_user_gid: '1000' +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_dimension_container_network: matrix-dimension + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_dimension_container_additional_networks: [] + # Controls whether the matrix-dimension container exposes its HTTP port (tcp/8184 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8184"), or empty string to not expose. matrix_dimension_container_http_host_bind_port: '' + +# matrix_dimension_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_dimension_container_labels_additional_labels`. +matrix_dimension_container_labels_traefik_enabled: true +matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_dimension_container_network }}" +matrix_dimension_container_labels_traefik_hostname: "{{ matrix_dimension_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/dimension`). 
+matrix_dimension_container_labels_traefik_path_prefix: "{{ matrix_dimension_path_prefix }}" +matrix_dimension_container_labels_traefik_rule: "Host(`{{ matrix_dimension_container_labels_traefik_hostname }}`){% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_dimension_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_dimension_container_labels_traefik_priority: 0 +matrix_dimension_container_labels_traefik_entrypoints: web-secure +matrix_dimension_container_labels_traefik_tls: "{{ matrix_dimension_container_labels_traefik_entrypoints != 'web' }}" +matrix_dimension_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_dimension_container_labels_traefik_additional_response_headers_custom` +matrix_dimension_container_labels_traefik_additional_response_headers: "{{ matrix_dimension_container_labels_traefik_additional_response_headers_auto | combine(matrix_dimension_container_labels_traefik_additional_response_headers_custom) }}" +matrix_dimension_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_dimension_http_header_xss_protection} if matrix_dimension_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_dimension_http_header_frame_options} if matrix_dimension_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_dimension_http_header_content_type_options} if matrix_dimension_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_dimension_http_header_content_security_policy} if matrix_dimension_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_dimension_http_header_content_permission_policy} if matrix_dimension_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': 
matrix_dimension_http_header_strict_transport_security} if matrix_dimension_http_header_strict_transport_security and matrix_dimension_container_labels_traefik_tls else {}) + }} +matrix_dimension_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_dimension_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_dimension_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_dimension_container_labels_additional_labels: '' + + # A list of extra arguments to pass to the container matrix_dimension_container_extra_arguments: [] -matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element" -matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" -matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] -matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" +# Public facing base URL of the Dimension service. +# It should not end with a slash. 
+matrix_dimension_base_url: "{{ matrix_dimension_scheme }}://{{ matrix_dimension_hostname }}{{ '' if matrix_dimension_path_prefix == '/' else matrix_dimension_path_prefix }}" -matrix_dimension_homeserver_federationUrl: "" # noqa var-naming +matrix_dimension_integrations_ui_url: "{{ matrix_dimension_base_url }}/element" +matrix_dimension_integrations_rest_url: "{{ matrix_dimension_base_url }}/api/v1/scalar" +matrix_dimension_integrations_widgets_urls: ["{{ matrix_dimension_base_url }}/widgets"] +matrix_dimension_integrations_jitsi_widget_url: "{{ matrix_dimension_base_url }}/widgets/jitsi" +matrix_dimension_homeserver_clientServerUrl: '' # noqa var-naming +matrix_dimension_homeserver_federationUrl: '' # noqa var-naming +matrix_dimension_homeserver_mediaUrl: '' # noqa var-naming + +# Controls the dimension.publicUrl configuration option +matrix_dimension_dimension_publicUrl: "{{ matrix_dimension_base_url }}" # noqa var-naming + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_dimension_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_dimension_http_header_frame_options: '' + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_dimension_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_dimension_http_header_content_security_policy: '' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_dimension_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_dimension_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_dimension_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_dimension_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_dimension_content_permission_policy` +matrix_dimension_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_dimension_http_header_strict_transport_security` +matrix_dimension_hsts_preload_enabled: false # Database-related configuration fields. # 
diff --git a/roles/custom/matrix-dimension/tasks/main.yml b/roles/custom/matrix-dimension/tasks/main.yml index efd0f8d4..1e949d3f 100644 --- a/roles/custom/matrix-dimension/tasks/main.yml +++ b/roles/custom/matrix-dimension/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-dimension + - install-all + - install-dimension + block: - when: matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dimension - - install-all - - install-dimension - -- block: + block: - when: not matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dimension diff --git a/roles/custom/matrix-dimension/tasks/setup_install.yml b/roles/custom/matrix-dimension/tasks/setup_install.yml index 26617f7a..b1f0c242 100644 --- a/roles/custom/matrix-dimension/tasks/setup_install.yml +++ b/roles/custom/matrix-dimension/tasks/setup_install.yml @@ -85,6 +85,14 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_dimension_user_gid }}" +- name: Ensure Dimension labels installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_dimension_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + - name: Ensure Dimension image is pulled community.docker.docker_image: name: "{{ matrix_dimension_docker_image }}" @@ -120,6 +128,11 @@ pull: true when: "matrix_dimension_container_image_self_build | bool" +- name: Ensure Dimension container network is created + community.general.docker_network: + name: "{{ matrix_dimension_container_network }}" + driver: bridge + - name: Ensure matrix-dimension.service installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2" 
diff --git a/roles/custom/matrix-dimension/tasks/validate_config.yml b/roles/custom/matrix-dimension/tasks/validate_config.yml index 8f681e08..b001ceed 100644 --- a/roles/custom/matrix-dimension/tasks/validate_config.yml +++ b/roles/custom/matrix-dimension/tasks/validate_config.yml @@ -6,7 +6,12 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: + - {'name': 'matrix_dimension_hostname', when: true} + - {'name': 'matrix_dimension_container_network', when: true} - {'name': 'matrix_dimension_access_token', when: true} + - {'name': 'matrix_dimension_homeserver_clientServerUrl', when: true} + - {'name': 'matrix_dimension_homeserver_federationUrl', when: true} + - {'name': 'matrix_dimension_homeserver_mediaUrl', when: true} - {'name': 'matrix_dimension_database_hostname', when: "{{ matrix_dimension_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed Dimension variables 
@@ -17,3 +22,31 @@ when: "item.old in vars" with_items: - {'old': 'matrix_dimension_container_expose_port', 'new': ''} + +- when: matrix_dimension_container_labels_traefik_enabled | bool + block: + - name: Fail if required Dimension Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_dimension_container_labels_traefik_hostname + - matrix_dimension_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_dimension_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_dimension_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/dimension`). + when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'" + + - name: Fail if matrix_dimension_container_labels_traefik_path_prefix is not / + ansible.builtin.fail: + msg: >- + matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must currently be set to `/`. + Other values are not supported. + See: https://github.com/turt2live/matrix-dimension/issues/510 + when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-dimension/templates/config.yaml.j2 b/roles/custom/matrix-dimension/templates/config.yaml.j2 index 592c65ac..c387c91b 100644 --- a/roles/custom/matrix-dimension/templates/config.yaml.j2 
+++ b/roles/custom/matrix-dimension/templates/config.yaml.j2 
@@ -9,30 +9,30 @@ web: homeserver: # The domain name of the homeserver. This is used in many places, such as with go-neb # setups, to identify the homeserver. - name: "{{ matrix_domain }}" + name: {{ matrix_domain | to_json }} # The URL that Dimension, go-neb, and other services provisioned by Dimension should # use to access the homeserver with. - clientServerUrl: "{{ matrix_homeserver_container_url }}" + clientServerUrl: {{ matrix_dimension_homeserver_clientServerUrl | to_json }} # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" + federationUrl: {{ matrix_dimension_homeserver_federationUrl | to_json }} # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - mediaUrl: "https://{{ matrix_server_fqn_matrix }}" + mediaUrl: {{ matrix_dimension_homeserver_mediaUrl | to_json }} # The access token Dimension should use for miscellaneous access to the homeserver. This # should be for a user on the configured homeserver: any user will do, however it is # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on # how to acquire an access token, visit https://t2bot.io/docs/access_tokens - accessToken: "{{ matrix_dimension_access_token }}" + accessToken: {{ matrix_dimension_access_token | to_json }} # These users can modify the integrations this Dimension supports. # To access the admin interface, open Dimension in Element and click the settings icon. -admins: {{ matrix_dimension_admins|to_json }} +admins: {{ matrix_dimension_admins | to_json }} # IPs and CIDR ranges listed here will be blocked from being widgets. 
# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. @@ -72,4 +72,4 @@ goneb: dimension: # This is where Dimension is accessible from clients. Be sure to set this # to your own Dimension instance. - publicUrl: "https://{{ matrix_server_fqn_dimension }}" + publicUrl: {{ matrix_dimension_dimension_publicUrl | to_json }} diff --git a/roles/custom/matrix-dimension/templates/labels.j2 b/roles/custom/matrix-dimension/templates/labels.j2 new file mode 100644 index 00000000..24b570cb --- /dev/null +++ b/roles/custom/matrix-dimension/templates/labels.j2 
@@ -0,0 +1,45 @@ +{% if matrix_dimension_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_dimension_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_dimension_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.regex=({{ matrix_dimension_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-dimension-slashless-redirect'] %} +{% endif %} + +{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-dimension-strip-prefix.stripprefix.prefixes={{ matrix_dimension_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-dimension-strip-prefix'] %} +{% endif %} + +{% if matrix_dimension_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_dimension_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-dimension-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-dimension-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-dimension.rule={{ matrix_dimension_container_labels_traefik_rule }} +{% if matrix_dimension_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dimension.priority={{ matrix_dimension_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-dimension.service=matrix-dimension +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-dimension.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-dimension.entrypoints={{ 
matrix_dimension_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-dimension.tls={{ matrix_dimension_container_labels_traefik_tls | to_json }} +{% if matrix_dimension_container_labels_traefik_tls %} +traefik.http.routers.matrix-dimension.tls.certResolver={{ matrix_dimension_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-dimension.loadbalancer.server.port=8184 +{% endif %} + +{{ matrix_dimension_container_labels_additional_labels }} diff --git a/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 07428ffa..0b14a117 100644 --- a/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 
@@ -21,25 +21,35 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_sqlite_database_path_local }} {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-dimension \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_dimension_container_network }} \ {% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %} -e NODE_TLS_REJECT_UNAUTHORIZED=0 \ {% endif %} {% if matrix_dimension_container_http_host_bind_port %} -p {{ matrix_dimension_container_http_host_bind_port }}:8184 \ {% endif %} + --label-file={{ matrix_dimension_base_path }}/labels \ --mount type=bind,src={{ matrix_dimension_base_path }},dst=/data \ {% for arg in matrix_dimension_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_dimension_docker_image }} +{% for network in matrix_dimension_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dimension +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dimension + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dimension 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dimension 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension 
diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 4ec034a9..08cf023c 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls110 +matrix_dynamic_dns_version: v3.10.0-ls111 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" diff --git a/roles/custom/matrix-dynamic-dns/tasks/main.yml b/roles/custom/matrix-dynamic-dns/tasks/main.yml index ae7503b7..8327a84a 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/main.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-dynamic-dns + - install-all + - install-dynamic-dns + block: - when: matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dynamic-dns - - install-all - - install-dynamic-dns - -- block: + block: - when: not matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dynamic-dns diff --git a/roles/custom/matrix-email2matrix/tasks/main.yml b/roles/custom/matrix-email2matrix/tasks/main.yml index 8fac77ce..acd2c9c1 100644 --- a/roles/custom/matrix-email2matrix/tasks/main.yml +++ b/roles/custom/matrix-email2matrix/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-email2matrix + - install-all + - install-email2matrix + block: - when: matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-email2matrix - - install-all - - install-email2matrix - -- block: + block: - when: not matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-email2matrix diff --git a/roles/custom/matrix-etherpad/defaults/main.yml b/roles/custom/matrix-etherpad/defaults/main.yml deleted file mode 100644 index 874e9a30..00000000 --- a/roles/custom/matrix-etherpad/defaults/main.yml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -# Project source code URL: https://github.com/ether/etherpad-lite - -matrix_etherpad_enabled: false - -# standalone = etherpad installed on subdomain (etherpad.DOMAIN) and can be used as-is -# dimension = etherpad installed in subdir of dimension (dimension.DOMAIN/etherpad) and can be used with dimension -matrix_etherpad_mode: standalone - -matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" - -matrix_etherpad_version: 1.8.18 -matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" -matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" - -# List of systemd services that matrix-etherpad.service depends on. -matrix_etherpad_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-etherpad.service wants -matrix_etherpad_systemd_wanted_services_list: [] - -# Container user has to be able to write to the source file directories until this bug is fixed: -# https://github.com/ether/etherpad-lite/issues/2683 -matrix_etherpad_user_uid: '5001' -matrix_etherpad_user_gid: '5001' - -# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose. -matrix_etherpad_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_etherpad_container_extra_arguments: [] - -# Used only when `matrix_etherpad_mode: dimension` -matrix_etherpad_public_endpoint: '/etherpad' - -# By default, the Etherpad app can be accessed on etherpad subdomain -matrix_etherpad_base_url: "https://{{ matrix_server_fqn_etherpad }}/" - -# Database-related configuration fields. 
-# -# Etherpad requires a dedicated database -matrix_etherpad_database_engine: 'postgres' - -matrix_etherpad_database_username: 'matrix_etherpad' -matrix_etherpad_database_password: 'some-password' -matrix_etherpad_database_hostname: '' -matrix_etherpad_database_port: 5432 -matrix_etherpad_database_name: 'matrix_etherpad' - -# If a admin username and password is set, the /admin web page will be -# available. -matrix_etherpad_admin_username: '' -matrix_etherpad_admin_password: '' - -matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' - -# Variables configuring the etherpad -matrix_etherpad_title: 'Etherpad' -matrix_etherpad_abiword: null -matrix_etherpad_soffice: null -matrix_etherpad_default_pad_text: | - Welcome to Etherpad! - - This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! - - Get involved with Etherpad at https://etherpad.org - -# Default Etherpad configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_etherpad_configuration_extension_json`) -# or completely replace this variable with your own template. -matrix_etherpad_configuration_default: "{{ lookup('template', 'templates/settings.json.j2') }}" - -# Your custom JSON configuration for Etherpad goes here. -# This configuration extends the default starting configuration (`matrix_etherpad_configuration_json`). -# -# You can override individual variables from the default configuration, or introduce new ones. -# -# If you need something more special, you can take full control by -# completely redefining `matrix_etherpad_configuration_json`. 
-# -# Example configuration extension follows: -# -# matrix_etherpad_configuration_extension_json: | -# { -# "loadTest": true, -# "commitRateLimiting": { -# "duration": 1, -# "points": 10 -# } -# } -# -matrix_etherpad_configuration_extension_json: '{}' - -matrix_etherpad_configuration_extension: "{{ matrix_etherpad_configuration_extension_json | from_json if matrix_etherpad_configuration_extension_json | from_json is mapping else {} }}" - -# Holds the final Etherpad configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_etherpad_configuration_json`. -matrix_etherpad_configuration: "{{ matrix_etherpad_configuration_default | combine(matrix_etherpad_configuration_extension, recursive=True) }}" diff --git a/roles/custom/matrix-etherpad/tasks/main.yml b/roles/custom/matrix-etherpad/tasks/main.yml deleted file mode 100644 index eaafd98a..00000000 --- a/roles/custom/matrix-etherpad/tasks/main.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- - -- block: - - when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: - - setup-all - - setup-nginx-proxy - - install-all - - install-nginx-proxy - -- block: - - when: matrix_etherpad_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_etherpad_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-etherpad - - install-all - - install-etherpad - -- block: - - when: not matrix_etherpad_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-etherpad diff --git a/roles/custom/matrix-etherpad/tasks/setup_install.yml b/roles/custom/matrix-etherpad/tasks/setup_install.yml deleted file mode 100644 index d4e2952e..00000000 
--- a/roles/custom/matrix-etherpad/tasks/setup_install.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- - -- name: Ensure Etherpad base path exists - ansible.builtin.file: - path: "{{ matrix_etherpad_base_path }}" - state: directory - mode: 0770 - owner: "{{ matrix_etherpad_user_uid }}" - group: "{{ matrix_etherpad_user_gid }}" - -- name: Ensure Etherpad config installed - ansible.builtin.copy: - content: "{{ matrix_etherpad_configuration | to_nice_json }}" - dest: "{{ matrix_etherpad_base_path }}/settings.json" - mode: 0640 - owner: "{{ matrix_etherpad_user_uid }}" - group: "{{ matrix_etherpad_user_gid }}" - -- name: Ensure Etherpad image is pulled - community.docker.docker_image: - name: "{{ matrix_etherpad_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_etherpad_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_etherpad_docker_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-etherpad.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - mode: 0644 diff --git a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml b/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml deleted file mode 100644 index e0382984..00000000 --- a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- - -- name: Check existence of matrix-etherpad service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - register: matrix_etherpad_service_stat - -- when: matrix_etherpad_service_stat.stat.exists | bool - block: - - name: Ensure matrix-etherpad is stopped - ansible.builtin.service: - name: matrix-etherpad - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-etherpad.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service" - state: absent - - - name: Ensure Etherpad base directory doesn't exist - ansible.builtin.file: - path: "{{ matrix_etherpad_base_path }}" - state: absent diff --git a/roles/custom/matrix-etherpad/tasks/validate_config.yml b/roles/custom/matrix-etherpad/tasks/validate_config.yml deleted file mode 100644 index 2bc773a6..00000000 --- a/roles/custom/matrix-etherpad/tasks/validate_config.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- - -- name: Fail if required Etherpad settings not defined - ansible.builtin.fail: - msg: > - You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] == ''" - with_items: - - {'name': 'matrix_etherpad_database_hostname', when: true} - -- name: Fail if wrong mode selected - ansible.builtin.fail: - msg: >- - You're using Etherpad in 'dimension' mode (`matrix_etherpad_serving_mode: dimension`), which tries to host Etherpad at the Dimension subdomain - `{{ matrix_server_fqn_dimension }}`. However, this isn't possible because Dimension is not enabled. To resolve the problem, either enable Dimension (`matrix_dimension_enabled: true`) or switch Etherpad to standalone mode (`matrix_etherpad_mode: standalone`) and have it served on its own domain (`{{ matrix_server_fqn_etherpad }}`). - when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' and not matrix_dimension_enabled | default(False) | bool diff --git a/roles/custom/matrix-etherpad/templates/settings.json.j2 b/roles/custom/matrix-etherpad/templates/settings.json.j2 deleted file mode 100644 index cc45d190..00000000 --- a/roles/custom/matrix-etherpad/templates/settings.json.j2 +++ /dev/null 
@@ -1,116 +0,0 @@ -{ - "title": {{ matrix_etherpad_title|to_json }}, - "favicon": "favicon.ico", - "skinName": "colibris", - "skinVariants": "super-light-toolbar super-light-editor light-background", - "ip": "::", - "port": 9001, - "showSettingsInAdminPage": true, - "dbType": {{ matrix_etherpad_database_engine|to_json }}, - "dbSettings": { - "database": {{ matrix_etherpad_database_name|to_json }}, - "host": {{ matrix_etherpad_database_hostname|to_json }}, - "password": {{ matrix_etherpad_database_password|to_json }}, - "port": {{ matrix_etherpad_database_port|to_json }}, - "user": {{ matrix_etherpad_database_username|to_json }} - }, - "defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }}, - "suppressErrorsInPadText": false, - "requireSession": false, - "editOnly": false, - "minify": true, - "maxAge": 21600, - "abiword": {{ matrix_etherpad_abiword|to_json }}, - "soffice": {{ matrix_etherpad_soffice|to_json }}, - "tidyHtml": null, - "allowUnknownFileEnds": true, - "requireAuthentication": false, - "requireAuthorization": false, - "trustProxy": true, - "cookie": { - "sameSite": "Lax" - }, - "disableIPlogging": true, - "automaticReconnectionTimeout": 0, - "scrollWhenFocusLineIsOutOfViewport": { - "percentage": { - "editionAboveViewport": 0, - "editionBelowViewport": 0 - }, - "duration": 0, - "scrollWhenCaretIsInTheLastLineOfViewport": false, - "percentageToScrollWhenUserPressesArrowUp": 0 - }, - "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], - "socketIo": { - "maxHttpBufferSize": 10000 - }, - "loadTest": false, - "dumpOnUncleanExit": false, - "indentationOnNewLine": false, - "importExportRateLimiting": { - "windowMs": 90000, - "max": 10 - }, - "importMaxFileSize": 52428800, - "commitRateLimiting": { - "duration": 1, - "points": 10 - }, - "exposeVersion": false, - "padOptions": { - "noColors": false, - "showControls": true, - "showChat": false, - "showLineNumbers": true, - "useMonospaceFont": false, - "userName": false, - 
"userColor": false, - "rtl": false, - "alwaysShowChat": false, - "chatAndUsers": false, - "lang": "en-gb" - }, -{% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %} - "users": { - {{ matrix_etherpad_admin_username|to_json }}: { - "password": {{ matrix_etherpad_admin_password|to_json }}, - "is_admin": true - } - }, -{% endif %} - "padShortcutEnabled" : { - "altF9": true, - "altC": true, - "cmdShift2": true, - "delete": true, - "return": true, - "esc": true, - "cmdS": true, - "tab": true, - "cmdZ": true, - "cmdY": true, - "cmdI": true, - "cmdB": true, - "cmdU": true, - "cmd5": true, - "cmdShiftL": true, - "cmdShiftN": true, - "cmdShift1": true, - "cmdShiftC": true, - "cmdH": true, - "ctrlHome": true, - "pageUp": true, - "pageDown": true - }, - "loglevel": "WARN", - "logconfig" : - { "appenders": [ - { "type": "console", - "layout": {"type": "messagePassThrough"} - } - ] - }, - "customLocaleStrings": {}, - "enableAdminUITests": false -} diff --git a/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 deleted file mode 100644 index e0a10481..00000000 --- a/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ /dev/null 
@@ -1,44 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Etherpad -{% for service in matrix_etherpad_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_etherpad_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-etherpad -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-etherpad - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-etherpad \ - --log-driver=none \ - --user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - {% if matrix_etherpad_container_http_host_bind_port %} - -p {{ matrix_etherpad_container_http_host_bind_port }}:9001 \ - {% endif %} - --mount type=bind,src={{ matrix_etherpad_base_path }},dst=/data \ - {% for arg in matrix_etherpad_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_etherpad_docker_image }} \ - node --experimental-worker src/node/server.js \ - --settings /data/settings.json --credentials /data/credentials.json \ - --sessionkey /data/sessionkey.json --apikey /data/apijey.json - - -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-etherpad -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-etherpad - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index cc24d356..ef4cf100 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml 
@@ -91,7 +91,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-8252 +matrix_jitsi_version: stable-8319 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml index b35c2c34..0ebf3ad6 100644 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ b/roles/custom/matrix-jitsi/tasks/main.yml @@ -1,27 +1,32 @@ --- -- block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" - tags: +- tags: - setup-additional-jitsi-jvb - install-additional-jitsi-jvb - -- block: + block: - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" - tags: +- tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb - install-all - install-jitsi - install-additional-jitsi-jvb + block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" + +- tags: + - setup-all + - setup-jitsi + - install-all + - install-jitsi + block: - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_install.yml" 
@@ -30,13 +35,11 @@ - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_install.yml" - tags: + +- tags: - setup-all - setup-jitsi - - install-all - - install-jitsi - -- block: + block: - when: not matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml" @@ -45,31 +48,28 @@ - when: not matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_uninstall.yml" - tags: - - setup-all - - setup-jitsi -- block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" - tags: +- tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb - install-all - install-jitsi - install-additional-jitsi-jvb + block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" -- block: - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" - tags: +- tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb + block: + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" -- block: +- tags: + - self-check + block: - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml" - tags: - - self-check diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml index f1d9ff21..4aa67a31 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml 
@@ -5,11 +5,16 @@ repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}" dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}" version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}" + become: true + become_user: "{{ matrix_user_username }}" - name: Install Prosody Auth Matrix User Verification Plugin ansible.builtin.copy: remote_src: true src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}" dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}" when: item.when | bool diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml index 9309113f..cc71ae82 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_ldap_registration_proxy_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-matrix-ldap-registration-proxy + - install-all + - install-matrix-ldap-registration-proxy + block: - when: matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-ldap-registration-proxy - - install-all - - install-matrix-ldap-registration-proxy - -- block: + block: - when: not matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-ldap-registration-proxy diff --git a/roles/custom/matrix-ma1sd/tasks/main.yml b/roles/custom/matrix-ma1sd/tasks/main.yml index a65cf371..a9c4ec8b 100644 --- a/roles/custom/matrix-ma1sd/tasks/main.yml +++ b/roles/custom/matrix-ma1sd/tasks/main.yml 
@@ -1,25 +1,25 @@ --- -- block: +- tags: + - setup-all + - setup-ma1sd + - install-all + - install-ma1sd + block: - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-ma1sd - - install-all - - install-ma1sd -- block: +- tags: + - setup-ma1sd + block: - when: not matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-ma1sd -- block: +- tags: + - self-check + block: - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml index 6fe20342..5800b45a 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml @@ -89,6 +89,7 @@ chdir: "{{ matrix_ma1sd_docker_src_files_path }}" environment: DOCKER_BUILDKIT: 1 + changed_when: true when: matrix_ma1sd_git_pull_results.changed - name: Ensure ma1sd Docker image is tagged correctly diff --git a/roles/custom/matrix-mailer/tasks/main.yml b/roles/custom/matrix-mailer/tasks/main.yml index b269f63e..00fa0884 100644 --- a/roles/custom/matrix-mailer/tasks/main.yml +++ b/roles/custom/matrix-mailer/tasks/main.yml 
@@ -1,17 +1,17 @@ --- -- block: - - when: matrix_mailer_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-mailer - install-all - install-mailer + block: + - when: matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_mailer_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-mailer + block: + - when: not matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index a098a098..f7f214f3 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -55,27 +55,14 @@ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls: "{{ matrix_ng matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname }}`)" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname }}`)" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname }}`)" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ 
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)" - -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)" - -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/tasks/main.yml b/roles/custom/matrix-nginx-proxy/tasks/main.yml index 39cec7e5..7a702fb3 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/main.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/main.yml 
@@ -29,13 +29,13 @@ - install-all - install-nginx-proxy -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - tags: +- tags: - self-check + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - name: Mark matrix-nginx-proxy role as executed - ansible.builtin.set_fact: - matrix_nginx_proxy_role_executed: true tags: - always + ansible.builtin.set_fact: + matrix_nginx_proxy_role_executed: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index b10791a7..a175b831 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -51,6 +51,7 @@ --agree-tos --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} + changed_when: true when: domain_name_needs_cert | bool register: result_certbot_direct ignore_errors: true @@ -81,6 +82,7 @@ --agree-tos --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} + changed_when: true when: "domain_name_needs_cert and result_certbot_direct.failed" register: result_certbot_proxy ignore_errors: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index d0b254a2..c0f19519 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml 
@@ -28,16 +28,19 @@ # # We'll do it in a more manual way. - name: Generate SSL certificate - ansible.builtin.command: | - openssl req -x509 \ - -sha256 \ - -newkey rsa:4096 \ - -nodes \ - -subj "/CN={{ domain_name }}" \ - -keyout {{ matrix_ssl_certificate_cert_key_path }} \ - -out {{ matrix_ssl_certificate_cert_path }} \ - -days 3650 when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + ansible.builtin.command: + cmd: | + openssl req -x509 \ + -sha256 \ + -newkey rsa:4096 \ + -nodes \ + -subj "/CN={{ domain_name }}" \ + -keyout {{ matrix_ssl_certificate_cert_key_path }} \ + -out {{ matrix_ssl_certificate_cert_path }} \ + -days 3650 + # Well, this creates 2 files, but Ansible can only check 1. + creates: "{{ matrix_ssl_certificate_cert_path }}" - name: Adjust SSL certificate file ownership ansible.builtin.file: diff --git a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml index f7d18c9e..8d63876a 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml @@ -14,6 +14,8 @@ - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'} - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''} - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''} + - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule', 'new': ''} + - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname', 'new': ''} - name: Fail on unknown matrix_ssl_retrieval_method ansible.builtin.fail: diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 6afa6029..4fb567da 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -20,7 +20,7 @@ traefik.http.routers.matrix-nginx-proxy-base-domain.entrypoints={{ matrix_nginx_ {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %} # Matrix Client -traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }} +traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule }} traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }} {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %} @@ -29,7 +29,7 @@ traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} # Matrix Federation -traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule }} traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }} {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %} 
@@ -39,42 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_ {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %} -# Dimension -traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }} -traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %} -traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - -{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} -# Etherpad -traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} -traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %} -traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - -{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %} -# Go NEB bot -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }} 
-traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %} -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %} # Jitsi traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }} diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml index b205dec3..ad047460 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_prometheus_nginxlog_exporter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-prometheus-nginxlog-exporter - install-all - install-prometheus-nginxlog-exporter + block: + - when: matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-prometheus-nginxlog-exporter + - install-all + - install-prometheus-nginxlog-exporter + block: - when: matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-prometheus-nginxlog-exporter - - install-all - - install-prometheus-nginxlog-exporter - -- block: + block: - when: not matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-prometheus-nginxlog-exporter diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml index e5654688..ea067bdb 100644 --- a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml 
@@ -1,28 +1,28 @@ --- - name: Fail if matrix-nginx-proxy role executed before matrix-prometheus-services-proxy-connect + when: matrix_nginx_proxy_role_executed | default(False) | bool ansible.builtin.fail: msg: >- Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-prometheus-services-proxy-connect role. - when: matrix_nginx_proxy_role_executed | default(False) | bool -- block: +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml" - tags: + +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy - -- block: + block: - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml" - tags: - - setup-all - - setup-nginx-proxy - - install-all - - install-nginx-proxy diff --git a/roles/custom/matrix-prometheus/tasks/main.yml b/roles/custom/matrix-prometheus/tasks/main.yml index 59371d4d..bbd82001 100644 --- a/roles/custom/matrix-prometheus/tasks/main.yml +++ b/roles/custom/matrix-prometheus/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-prometheus + - install-all + - install-prometheus + block: - when: matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-prometheus - - install-all - - install-prometheus - -- block: + block: - when: not matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-prometheus diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index f9461680..a1db9a87 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -62,6 +62,7 @@ --tag={{ matrix_rageshake_container_image }} --file={{ matrix_rageshake_container_src_files_path }}/Dockerfile {{ matrix_rageshake_container_src_files_path }} + changed_when: true when: matrix_rageshake_container_image_self_build | bool - name: Ensure rageshake container network is created diff --git a/roles/custom/matrix-rageshake/tasks/main.yml b/roles/custom/matrix-rageshake/tasks/main.yml index c330964a..a211296d 100644 --- a/roles/custom/matrix-rageshake/tasks/main.yml +++ b/roles/custom/matrix-rageshake/tasks/main.yml 
@@ -1,19 +1,20 @@ --- -- block: + +- tags: + - setup-all + - setup-rageshake + - install-all + - install-rageshake + block: - when: matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-rageshake - - install-all - - install-rageshake - -- block: + block: - when: not matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-rageshake diff --git a/roles/custom/matrix-registration/tasks/main.yml b/roles/custom/matrix-registration/tasks/main.yml index bebcebc0..64843dee 100644 --- a/roles/custom/matrix-registration/tasks/main.yml +++ b/roles/custom/matrix-registration/tasks/main.yml 
@@ -1,41 +1,41 @@ --- -- block: - - when: matrix_registration_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-matrix-registration + - install-all + - install-matrix-registration + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-registration - - install-all - - install-matrix-registration - -- block: + block: - when: not matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-registration -- block: +- tags: + - generate-matrix-registration-token + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/generate_token.yml" - tags: - - generate-matrix-registration-token -- block: +- tags: + - list-matrix-registration-tokens + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/list_tokens.yml" - tags: - - list-matrix-registration-tokens diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml new file mode 100644 index 00000000..f66b3b61 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml 
@@ -0,0 +1,91 @@ +--- + +# Sliding Sync Proxy is an implementation of MSC3575 for the new sliding sync + +matrix_sliding_sync_enabled: true + +matrix_sliding_sync_version: v0.99.1 + +matrix_sliding_sync_scheme: https + +# The hostname at which sliding-sync is served. +matrix_sliding_sync_hostname: '' + +# The path at which sliding-sync is served. +# This value must either be `/` or not end with a slash (e.g. `/sliding-sync`). +matrix_sliding_sync_path_prefix: / + +matrix_sliding_sync_base_path: "{{ matrix_base_data_path }}/sliding-sync" + +matrix_sliding_sync_container_image_self_build: false +matrix_sliding_sync_container_image_self_build_repo: https://github.com/matrix-org/sliding-sync +matrix_sliding_sync_container_image_self_build_repo_version: "{{ 'main' if matrix_sliding_sync_version == 'main' else matrix_sliding_sync_version }}" +matrix_sliding_sync_container_src_path: "{{ matrix_sliding_sync_base_path }}/container-src" + +matrix_sliding_sync_container_image: "{{ matrix_sliding_sync_container_image_name_prefix }}matrix-org/sliding-sync:{{ matrix_sliding_sync_container_image_tag }}" +matrix_sliding_sync_container_image_name_prefix: "{{ 'localhost/' if matrix_sliding_sync_container_image_self_build else matrix_sliding_sync_container_image_registry_prefix }}" +matrix_sliding_sync_container_image_tag: "{{ matrix_sliding_sync_version }}" +matrix_sliding_sync_container_image_force_pull: "{{ matrix_sliding_sync_container_image.endswith(':main') }}" +matrix_sliding_sync_container_image_registry_prefix: ghcr.io/ + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_sliding_sync_container_network: matrix-sliding-sync + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. 
+matrix_sliding_sync_container_additional_networks: [] + +# matrix_sliding_sync_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_sliding_sync_container_labels_additional_labels`. +matrix_sliding_sync_container_labels_traefik_enabled: true +matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_sliding_sync_container_network }}" +matrix_sliding_sync_container_labels_traefik_hostname: "{{ matrix_sliding_sync_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/sliding-sync`). +matrix_sliding_sync_container_labels_traefik_path_prefix: "{{ matrix_sliding_sync_path_prefix }}" +matrix_sliding_sync_container_labels_traefik_rule: "Host(`{{ matrix_sliding_sync_container_labels_traefik_hostname }}`){% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_sliding_sync_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_sliding_sync_container_labels_traefik_priority: 0 +matrix_sliding_sync_container_labels_traefik_entrypoints: web-secure +matrix_sliding_sync_container_labels_traefik_tls: "{{ matrix_sliding_sync_container_labels_traefik_entrypoints != 'web' }}" +matrix_sliding_sync_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom` +matrix_sliding_sync_container_labels_traefik_additional_response_headers: "{{ matrix_sliding_sync_container_labels_traefik_additional_response_headers_auto | combine(matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom) }}" +matrix_sliding_sync_container_labels_traefik_additional_response_headers_auto: {} +matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_sliding_sync_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_sliding_sync_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_sliding_sync_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_sliding_sync_container_extra_arguments: [] + +# List of systemd services that matrix-sliding-sync-proxy.service depends on +matrix_sliding_sync_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-sliding-sync-proxy.service wants +matrix_sliding_sync_systemd_wanted_services_list: [] + +# Controls the SYNCV3_SERVER environment variable +matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_container_url }}" + +# Controls the SYNCV3_SECRET environment variable +matrix_sliding_sync_environment_variable_syncv3_secret: '' + +# Controls the SYNCV3_DB environment variable +matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode=disable' + +matrix_sliding_sync_database_username: 'matrix_sliding_sync' 
+matrix_sliding_sync_database_password: '' +matrix_sliding_sync_database_hostname: '' +matrix_sliding_sync_database_port: 5432 +matrix_sliding_sync_database_name: 'matrix_sliding_sync' diff --git a/roles/custom/matrix-sliding-sync/tasks/install.yml b/roles/custom/matrix-sliding-sync/tasks/install.yml new file mode 100644 index 00000000..cb41cec0 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/install.yml 
@@ -0,0 +1,70 @@ +--- + +- name: Ensure matrix-sliding-sync paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_sliding_sync_base_path }}" + when: true + - path: "{{ matrix_sliding_sync_container_src_path }}" + when: "{{ matrix_sliding_sync_container_image_self_build }}" + when: item.when | bool + +- name: Ensure matrix-sliding-sync support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_sliding_sync_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure matrix-sliding-sync container image is pulled + community.docker.docker_image: + name: "{{ matrix_sliding_sync_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sliding_sync_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sliding_sync_container_image_force_pull }}" + when: "not matrix_sliding_sync_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: matrix_sliding_sync_container_image_self_build | bool + block: + - name: Ensure matrix-sliding-sync repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_sliding_sync_container_image_self_build_repo }}" + version: "{{ matrix_sliding_sync_container_image_self_build_repo_version }}" + dest: "{{ matrix_sliding_sync_container_src_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: 
matrix_sliding_sync_git_pull_results + + - name: Ensure matrix-sliding-sync container image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_sliding_sync_container_image }} + --file={{ matrix_sliding_sync_container_src_path }}/Dockerfile + {{ matrix_sliding_sync_container_src_path }} + changed_when: true + +- name: Ensure matrix-sliding-sync container network is created + community.general.docker_network: + name: "{{ matrix_sliding_sync_container_network }}" + driver: bridge + +- name: Ensure matrix-sliding-sync.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-sliding-sync.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + mode: 0644 diff --git a/roles/custom/matrix-sliding-sync/tasks/main.yml b/roles/custom/matrix-sliding-sync/tasks/main.yml new file mode 100644 index 00000000..521f16fe --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- tags: + - setup-all + - setup-sliding-sync + - install-all + - install-sliding-sync + block: + - when: matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-sliding-sync + block: + - when: not matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-sliding-sync/tasks/uninstall.yml b/roles/custom/matrix-sliding-sync/tasks/uninstall.yml new file mode 100644 index 00000000..8a559cac --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/uninstall.yml 
@@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-sliding-sync service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + register: matrix_sliding_sync_service_stat + +- when: matrix_sliding_sync_service_stat.stat.exists | bool + block: + - name: Ensure matrix-sliding-sync is stopped + ansible.builtin.service: + name: matrix-sliding-sync + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-sliding-sync.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + state: absent + + - name: Ensure matrix-sliding-sync paths don't exist + ansible.builtin.file: + path: "{{ matrix_sliding_sync_base_path }}" + state: absent diff --git a/roles/custom/matrix-sliding-sync/tasks/validate_config.yml b/roles/custom/matrix-sliding-sync/tasks/validate_config.yml new file mode 100644 index 00000000..5d36403c --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/validate_config.yml @@ -0,0 +1,11 @@ +--- +- name: Fail if required matrix-sliding-sync settings not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "vars[item] == ''" + with_items: + - matrix_sliding_sync_hostname + - matrix_sliding_sync_path_prefix + - matrix_sliding_sync_database_hostname + - matrix_sliding_sync_environment_variable_syncv3_secret diff --git a/roles/custom/matrix-sliding-sync/templates/env.j2 b/roles/custom/matrix-sliding-sync/templates/env.j2 new file mode 100644 index 00000000..1269bd2a --- /dev/null +++ b/roles/custom/matrix-sliding-sync/templates/env.j2 @@ -0,0 +1,4 @@ +SYNCV3_SERVER={{ matrix_sliding_sync_environment_variable_syncv3_server }} +SYNCV3_SECRET={{ matrix_sliding_sync_environment_variable_syncv3_secret }} +SYNCV3_BINDADDR=:8008 +SYNCV3_DB={{ matrix_sliding_sync_environment_variable_syncv3_db }} 
diff --git a/roles/custom/matrix-sliding-sync/templates/labels.j2 b/roles/custom/matrix-sliding-sync/templates/labels.j2 new file mode 100644 index 00000000..66549249 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/templates/labels.j2 
@@ -0,0 +1,45 @@ +{% if matrix_sliding_sync_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_sliding_sync_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_sliding_sync_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.regex=({{ matrix_sliding_sync_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-sliding-sync-slashless-redirect'] %} +{% endif %} + +{% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-sliding-sync-strip-prefix.stripprefix.prefixes={{ matrix_sliding_sync_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-sliding-sync-strip-prefix'] %} +{% endif %} + +{% if matrix_sliding_sync_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_sliding_sync_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-sliding-sync-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-sliding-sync-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-sliding-sync.rule={{ matrix_sliding_sync_container_labels_traefik_rule }} +{% if matrix_sliding_sync_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-sliding-sync.priority={{ matrix_sliding_sync_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-sliding-sync.service=matrix-sliding-sync +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-sliding-sync.middlewares={{ middlewares | join(',') }} +{% endif %} 
+traefik.http.routers.matrix-sliding-sync.entrypoints={{ matrix_sliding_sync_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-sliding-sync.tls={{ matrix_sliding_sync_container_labels_traefik_tls | to_json }} +{% if matrix_sliding_sync_container_labels_traefik_tls %} +traefik.http.routers.matrix-sliding-sync.tls.certResolver={{ matrix_sliding_sync_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-sliding-sync.loadbalancer.server.port=8008 +{% endif %} + +{{ matrix_sliding_sync_container_labels_additional_labels }} diff --git a/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 b/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 new file mode 100644 index 00000000..ac8d2ffb --- /dev/null +++ b/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 
@@ -0,0 +1,49 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-sliding-sync +{% for service in matrix_sliding_sync_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sliding_sync_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sliding-sync 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sliding-sync 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-sliding-sync \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs /tmp \ + --network={{ matrix_sliding_sync_container_network }} \ + --env-file={{ matrix_sliding_sync_base_path }}/env \ + --label-file={{ matrix_sliding_sync_base_path }}/labels \ + {% for arg in matrix_sliding_sync_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_sliding_sync_container_image }} + +{% for network in matrix_sliding_sync_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-sliding-sync +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-sliding-sync + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sliding-sync 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sliding-sync 2>/dev/null || true' + 
+Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sliding-sync + +[Install] +WantedBy=multi-user.target diff --git a/roles/custom/matrix-sliding-sync/vars/main.yml b/roles/custom/matrix-sliding-sync/vars/main.yml new file mode 100644 index 00000000..8ec69c08 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Public facing base URL of the Sliding Sync service. +# It should not end with a slash. +matrix_sliding_sync_base_url: "{{ matrix_sliding_sync_scheme }}://{{ matrix_sliding_sync_hostname }}{{ '' if matrix_sliding_sync_path_prefix == '/' else matrix_sliding_sync_path_prefix }}" diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml index ba4cb876..a586cbd0 100644 --- a/roles/custom/matrix-sygnal/tasks/main.yml +++ b/roles/custom/matrix-sygnal/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-sygnal + - install-all + - install-sygnal + block: - when: matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-sygnal - - install-all - - install-sygnal - -- block: + block: - when: not matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-sygnal diff --git a/roles/custom/matrix-synapse-admin/tasks/main.yml b/roles/custom/matrix-synapse-admin/tasks/main.yml index f38f1d5e..da9bdb18 100644 --- a/roles/custom/matrix-synapse-admin/tasks/main.yml +++ b/roles/custom/matrix-synapse-admin/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_synapse_admin_enabled | bool and matrix_synapse_admin_nginx_proxy_integration_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_synapse_admin_enabled | bool and matrix_synapse_admin_nginx_proxy_integration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-synapse-admin + - install-all + - install-synapse-admin + block: - when: matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse-admin - - install-all - - install-synapse-admin - -- block: + block: - when: not matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse-admin diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml index 0dba0b9c..68060267 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: - - when: matrix_synapse_reverse_proxy_companion_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse-reverse-proxy-companion - setup-synapse - install-all - install-synapse-reverse-proxy-companion - install-synapse + block: + - when: matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_synapse_reverse_proxy_companion_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse-reverse-proxy-companion - setup-synapse + block: + - when: not matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index dd69facd..41ad0bc4 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,6 +4,8 @@ matrix_synapse_enabled: true +matrix_synapse_version: v1.78.0 + matrix_synapse_username: '' matrix_synapse_uid: '' matrix_synapse_gid: '' @@ -69,7 +71,6 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.77.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml index a2413803..0d887939 100644 
--- a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml 
@@ -1,60 +1,60 @@ --- # encryption-disabler -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_encryption_disabler_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" - tags: - - setup-all - - setup-synapse # rest-auth -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" - tags: - - setup-all - - setup-synapse # shared-secret-auth -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" - tags: - - setup-all - - setup-synapse # ldap-auth -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_password_provider_ldap_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup_install.yml" - tags: - - setup-all - - setup-synapse # synapse-simple-antispam -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" - tags: - - setup-all - - setup-synapse # mjolnir-antispam -- block: - - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" # s3-storage-provider -- block: +- tags: + - setup-all + - setup-synapse + block: - when: 
matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_install.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml index cca6c1b8..f584f584 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml 
@@ -1,52 +1,52 @@ --- # encryption-disabler -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_ext_encryption_disabler_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse # rest-auth -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_ext_password_provider_rest_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse # shared-secret-auth -- block: - - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" # ldap-auth has no uninstall tasks # synapse-simple-antispam -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse # mjolnir-antispam -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse # s3-storage-provider -- block: - - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not 
matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index d00c1808..88a54afc 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -1,9 +1,6 @@ --- -- block: - - when: matrix_synapse_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/init.yml" - tags: +- tags: - setup-all - setup-synapse - install-all 
@@ -19,55 +16,58 @@ - stop - stop-all - stop-group + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/init.yml" -- block: +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - - install-all - - install-synapse - -- block: + block: - when: not matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse -- block: +- tags: + - import-synapse-media-store + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/import_media_store.yml" - tags: - - import-synapse-media-store -- block: +- tags: + - register-user + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" - tags: - - register-user -- block: +- tags: + - update-user-password + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/update_user_password.yml" - tags: - - update-user-password -- block: +- tags: + - rust-synapse-compress-state + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" - tags: - - rust-synapse-compress-state -- block: +- tags: + - self-check + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - tags: - - self-check 
diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index c8b191ec..378a0dee 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -23,33 +23,33 @@ # trying to chown/chmod it here will cause trouble. when: item.when | bool -- block: +- tags: + - setup-all + - setup-synapse + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_install.yml" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: matrix_synapse_workers_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: not matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml index 72b64c87..7ce5e13d 100644 --- a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml 
@@ -1,27 +1,27 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_workers_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: not matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 4a62d88d..169be60b 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml @@ -48,6 +48,7 @@ . environment: DOCKER_BUILDKIT: 1 + changed_when: true when: "matrix_synapse_git_pull_results.changed | bool or matrix_synapse_docker_image_check_result.stdout == ''" - name: Ensure Synapse Docker image is pulled @@ -82,11 +83,6 @@ path: "{{ matrix_synapse_customized_docker_src_files_path }}" nocache: "{{ matrix_synapse_docker_image_customized_build_nocache }}" -- name: Check if a Synapse signing key exists - ansible.builtin.stat: - path: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" - register: matrix_synapse_signing_key_stat - # We do this so that the signing key would get generated. # # This will also generate a default homeserver.yaml configuration file and a log configuration file. 
@@ -95,19 +91,20 @@ # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent docker-py version, which is not available for a lot of people yet. - name: Generate initial Synapse config and signing key - ansible.builtin.command: | - docker run - --rm - --name=matrix-config - --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} - --cap-drop=ALL - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data - -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml - -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} - -e SYNAPSE_REPORT_STATS=no - {{ matrix_synapse_docker_image }} - generate - when: "not matrix_synapse_signing_key_stat.stat.exists" + ansible.builtin.command: + cmd: | + docker run + --rm + --name=matrix-config + --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} + --cap-drop=ALL + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} + -e SYNAPSE_REPORT_STATS=no + {{ matrix_synapse_docker_image }} + generate + creates: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" - name: Ensure Synapse homeserver config installed ansible.builtin.copy: diff --git a/roles/custom/matrix-user-creator/tasks/main.yml b/roles/custom/matrix-user-creator/tasks/main.yml index 2198b3eb..ff93a463 100644 --- a/roles/custom/matrix-user-creator/tasks/main.yml +++ b/roles/custom/matrix-user-creator/tasks/main.yml 
@@ -1,10 +1,10 @@ --- -- block: - - when: matrix_user_creator_users | length > 0 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" - tags: +- tags: # This role intentionally doesn't do work on a `setup-all` tag. # If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data, # which would make importing a database dump problematic. - ensure-matrix-users-created + block: + - when: matrix_user_creator_users | length > 0 + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml index 6eaaaf23..1b65f86a 100644 --- a/roles/custom/matrix-user-verification-service/tasks/main.yml +++ b/roles/custom/matrix-user-verification-service/tasks/main.yml 
@@ -1,19 +1,19 @@ --- -- block: - - when: run_setup | bool and matrix_user_verification_service_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - when: run_setup | bool and matrix_user_verification_service_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-user-verification-service - install-all - install-user-verification-service + block: + - when: run_setup | bool and matrix_user_verification_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + - when: run_setup | bool and matrix_user_verification_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: run_setup | bool and not matrix_user_verification_service_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-user-verification-service + block: + - when: run_setup | bool and not matrix_user_verification_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index 514125ec..dbc3b3b8 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml @@ -17,3 +17,6 @@ matrix_playbook_migration_matrix_ntfy_migration_validation_enabled: true # Controls if (`matrix_redis` -> `redis`) validation will run. matrix_playbook_migration_matrix_redis_migration_validation_enabled: true + +# Controls if (`matrix_etherpad` -> `etherpad`) validation will run. +matrix_playbook_migration_matrix_etherpad_migration_validation_enabled: true 
diff --git a/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml new file mode 100644 index 00000000..f192cf01 --- /dev/null +++ b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml @@ -0,0 +1,35 @@ +--- + +# This migrates Traefik from the old path (`/devture-traefik`) to the new path (`/matrix/traefik`, controlled by `devture_traefik_base_path`), +# and from the old hardcoded systemd service name (`devture-traefik.service`) to the new one (`matrix-traefik.service`, controlled by `devture_traefik_identifier`). +# +# Here, we merely disable (and stop) the old systemd service and relocate the data (`/devture-traefik` directory). +# The Traefik role itself (running later) will then ensure this data is up-to-date and will set up the new systemd service. + +# It only makes sense to migrate if the identifier or path are different than the default (what we were using before). +- when: "devture_traefik_identifier != 'devture-postgres' or devture_traefik_base_path != '/devture-traefik'" + block: + - name: Check existence of devture-traefik.service systemd service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service" + register: devture_traefik_service_stat + + - when: devture_traefik_service_stat.stat.exists | bool + block: + - name: Ensure devture-traefik.service systemd service is stopped + ansible.builtin.systemd: + name: devture-traefik + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure Traefik directory relocated + ansible.builtin.command: + cmd: "mv /devture-traefik {{ devture_traefik_base_path }}" + creates: "{{ devture_traefik_base_path }}" + removes: "/devture-traefik" + + - name: Ensure Traefik systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service" + state: absent 
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml index 96b68b60..4dbd3554 100644 --- a/roles/custom/matrix_playbook_migration/tasks/main.yml +++ b/roles/custom/matrix_playbook_migration/tasks/main.yml @@ -1,13 +1,22 @@ --- -- block: +- tags: + - setup-all + - install-all + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - tags: - - setup-all - - install-all -- block: +- tags: + - setup-all + - install-all + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml" + +- when: devture_traefik_enabled | bool tags: - setup-all - install-all + - setup-traefik + - install-traefik + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 7afd2154..d8fe1683 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -36,6 +36,8 @@ - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'} - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled'} - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled'} + - {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'devture_traefik_certs_dumper_enabled'} + - {'old': 'matrix_playbook_traefik_role_enabled', 'new': 'devture_traefik_enabled'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: 
@@ -140,3 +142,18 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_redis_` -> `redis_`). We found usage of the following variables: {{ matrix_playbook_migration_redis_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_redis_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_etherpad_migration_validation_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_etherpad_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_etherpad_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_etherpad variables + ansible.builtin.fail: + msg: >- + The matrix-etherpad role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/etherpad. + The new role is compatible with the old one, but uses different names for its variables. + Please change your configuration (vars.yml) to rename all variables (`matrix_etherpad_` -> `etherpad_`). + We found usage of the following variables: {{ matrix_playbook_migration_etherpad_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_etherpad_migration_vars | length > 0"
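Review bot: In the `roles/custom/matrix-synapse/tasks/synapse/setup_install.yml` hunk (`@@ -95,19 +91,20 @@`), swapping the removed `stat` task for `creates: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key"` is the better idempotency mechanism and also makes the `generate` step behave under `--check` (`ansible.builtin.command` only supports check mode when `creates`/`removes` is given), but please confirm that `matrix_synapse_signing_key_stat` is not referenced anywhere else in the role now that the registering task is gone. The container hardening (`--cap-drop=ALL`, `--user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}`) is preserved, which matters because this step writes the homeserver signing key.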
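Review bot: In the `roles/custom/matrix-synapse/tasks/setup_uninstall.yml` hunk (`@@ -1,27 +1,27 @@`), the workers cleanup is still gated on `when: not matrix_synapse_workers_enabled | bool`, so a full Synapse uninstall with workers still enabled in `vars.yml` skips `synapse/workers/setup_uninstall.yml`; if that is intended, a short comment explaining why would help, otherwise consider dropping the condition in the uninstall path since the restructuring touches these lines anyway.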
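Review bot: In the new `roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml`, the guard `when: "devture_traefik_identifier != 'devture-postgres' or devture_traefik_base_path != '/devture-traefik'"` compares the Traefik identifier against `'devture-postgres'`, which looks like a copy-paste slip; the header comment says the old service name was `devture-traefik`, so this should read `devture_traefik_identifier != 'devture-traefik'`. As written the first operand is always true and the block runs unconditionally (harmless only because the `stat` check follows). Two smaller points: the `mv` uses `creates: "{{ devture_traefik_base_path }}"`, so if the new directory already exists the old `/devture-traefik` (including any ACME certificate state) is silently left in place rather than merged or reported, and the final `ansible.builtin.file: state: absent` on the unit file is not followed by a `daemon_reload`, leaving systemd with a stale view of the removed unit.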
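Review bot: In the `roles/custom/matrix_playbook_migration/tasks/main.yml` hunk (`@@ -1,13 +1,22 @@`), the new include is gated on `when: devture_traefik_enabled | bool`; a user who previously ran the old `devture-traefik.service` and has since disabled Traefik in favour of their own reverse proxy will therefore never have the old unit stopped or removed, and it may keep holding ports 80/443. Consider running the migration (or at least the stop/disable part) regardless of `devture_traefik_enabled`, since the task file already checks for the old unit's existence before acting.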