From 7852d5eb26457b828fe8dc76327bb0639c36e3c7 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 26 Feb 2023 15:58:10 +0000 Subject: [PATCH 01/71] update mautrix-telegram 0.12.2 -> 0.13.0 --- roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml index 1221da84..4d040161 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.12.2 +matrix_mautrix_telegram_version: v0.13.0 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}" From ffff236167e8b228e6fe0a3fe2332057937fc9c7 Mon Sep 17 00:00:00 2001 From: Jan <31133207+Jaffex@users.noreply.github.com> Date: Sun, 26 Feb 2023 17:21:08 +0100 Subject: [PATCH 02/71] Update configuring-playbook-own-webserver.md Change documentation for host bind port when fronting traefik with another reverse proxy --- docs/configuring-playbook-own-webserver.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 3b9d822d..ff9d2c93 100644 
--- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -138,8 +138,8 @@ devture_traefik_container_web_host_bind_port: '127.0.0.1:81' devture_traefik_additional_entrypoints_auto: - name: matrix-federation - port: "{{ matrix_federation_public_port }}" - host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}" + port: 8449 + host_bind_port: '127.0.0.1:8449' config: {} ``` From 05b3f6565b4affa08fa71204088b27e288beb9d2 Mon Sep 17 00:00:00 2001 From: Jan <31133207+Jaffex@users.noreply.github.com> Date: Sun, 26 Feb 2023 17:21:59 +0100 Subject: [PATCH 03/71] Update CHANGELOG.md Fix typo in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cf821f3..cd592337 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -57,7 +57,7 @@ At some point in the **near** future (days, or even weeks at most), we hope to c ### How do I keep using my own other reverse-proxy? -We recommend that you follow the guide for [Fronting the integraed reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). +We recommend that you follow the guide for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy). # 2023-02-25 From 7c622bd249821b1e4ddfb9fdd85c7cf43d74d45d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 19:12:10 +0200 Subject: [PATCH 04/71] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 56fa7701..f3ab0272 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -49,7 +49,7 @@
 version: v7.0.7-0
 
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
- version: 5e3248cd4d17db9ff3ba90904e7330150dab599e
+ version: 2c949e88261c4398533ad16017475a1c75391487
 
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
 version: e7563caa814e634d2f8deec4a41e970caa1c0ae4
From 31857ea9bb332463720bc638cb49d47fff96a223 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 26 Feb 2023 19:49:01 +0200
Subject: [PATCH 05/71] Upgrade com.devture.ansible.role.traefik_certs_dumper
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index f3ab0272..fe0d85b5 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -52,4 +52,4 @@
 version: 2c949e88261c4398533ad16017475a1c75391487
 
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
- version: e7563caa814e634d2f8deec4a41e970caa1c0ae4
+ version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27
@@ -33,6 +33,14 @@ matrix_dendrite_http_bind_address: "{{ (':' + matrix_dendrite_http_bind_port | s # This is passed as an `-https-bind-address` flag to the Dendrite server in the container matrix_dendrite_https_bind_address: "{{ (':' + matrix_dendrite_https_bind_port | string) if matrix_dendrite_https_bind_port else '' }}" +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_dendrite_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_dendrite_container_additional_networks: [] + # Controls whether the matrix-dendrite container exposes the HTTP port (tcp/{{ matrix_dendrite_http_bind_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index c516c5b7..3b8cbd9b 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml +++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml @@ -76,6 +76,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure Dendrite container network is created + community.general.docker_network: + name: "{{ matrix_dendrite_container_network }}" + driver: bridge + - name: Ensure matrix-dendrite.service installed ansible.builtin.template: src: "{{ role_path }}/templates/dendrite/systemd/matrix-dendrite.service.j2" diff --git a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 index 4649c3a3..378cf596 100644 
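Review bot: The new `Ensure Dendrite container network is created` task uses `community.general.docker_network`, whereas the image-pull task of the sibling matrix-conduit role in this series is spelled `community.docker.docker_image`; as far as I know the Docker modules live in the `community.docker` collection and are only reachable under `community.general` through a deprecated redirect, so `community.docker.docker_network:` is the consistent form. The same module name appears in the matrix-conduit and matrix-dimension setup_install hunks of this series and would need the same change.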
--- a/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/systemd/matrix-dendrite.service.j2 @@ -22,13 +22,15 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre={{ matrix_host_command_sleep }} 5 {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-dendrite \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-dendrite \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_dendrite_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_dendrite_container_network }} \ {% if matrix_dendrite_container_http_host_bind_address and matrix_dendrite_http_bind_port %} -p {{ matrix_dendrite_container_http_host_bind_address }}:{{ matrix_dendrite_http_bind_port }} \ {% endif %} @@ -54,6 +56,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name -https-bind-address {{ matrix_dendrite_https_bind_address }} {% endif %} +{% for network in matrix_dendrite_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dendrite +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dendrite + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dendrite 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-dendrite /bin/sh -c 'kill -HUP 1' 
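Review bot: The `docker network connect` lines run as `ExecStartPre=` without the `-` prefix, so when one of `matrix_dendrite_container_additional_networks` is missing (the defaults hunk says the role does not create them) the start aborts after `docker create` has already produced a `matrix-dendrite` container; `--rm` only takes effect when a container exits, and systemd runs `ExecStop=` only for units that started successfully, so the leftover is presumably cleared only by the `kill`/`rm` ExecStartPre lines of the next attempt. Adding `ExecStopPost=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true'` would clean up after a failed start as well. The `create` command this loop follows begins in the earlier hunk; the matrix-conduit unit hunks in this series have the same shape.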
From cdd23aafc6931aa9f6902a03f40fe0dc8e09d264 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 22:08:08 +0200 Subject: [PATCH 07/71] Add matrix_conduit_container_network/matrix_conduit_container_additional_networks --- roles/custom/matrix-conduit/defaults/main.yml | 8 ++++++ .../matrix-conduit/tasks/setup_install.yml | 26 ++++++++++++------- .../conduit/systemd/matrix-conduit.service.j2 | 12 +++++++-- 3 files changed, 34 insertions(+), 12 deletions(-) diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index bbab5cde..7673a7d2 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml @@ -23,6 +23,14 @@ matrix_conduit_systemd_required_services_list: ["docker.service"] # List of systemd services that matrix-conduit.service wants matrix_conduit_systemd_wanted_services_list: [] +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_conduit_container_network: "{{ matrix_docker_network }}" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_conduit_container_additional_networks: [] + # Extra arguments for the Docker container matrix_conduit_container_extra_arguments: [] diff --git a/roles/custom/matrix-conduit/tasks/setup_install.yml b/roles/custom/matrix-conduit/tasks/setup_install.yml index ef47c620..ecccbb32 100644 --- a/roles/custom/matrix-conduit/tasks/setup_install.yml +++ b/roles/custom/matrix-conduit/tasks/setup_install.yml 
@@ -1,14 +1,4 @@
 ---
-- name: Ensure Conduit Docker image is pulled
- community.docker.docker_image:
- name: "{{ matrix_conduit_docker_image }}"
- source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
- force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
- force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}"
- register: result
- retries: "{{ devture_playbook_help_container_retries_count }}"
- delay: "{{ devture_playbook_help_container_retries_delay }}"
- until: result is not failed
 
 - name: Ensure Conduit config path exists
 ansible.builtin.file:
@@ -34,6 +24,22 @@
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
 
+- name: Ensure Conduit container network is created
+ community.general.docker_network:
+ name: "{{ matrix_conduit_container_network }}"
+ driver: bridge
+
+- name: Ensure Conduit container image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_conduit_docker_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}"
+ register: result
+ retries: "{{ devture_playbook_help_container_retries_count }}"
+ delay: "{{ devture_playbook_help_container_retries_delay }}"
+ until: result is not failed
+
 - name: Ensure matrix-conduit.service installed
 ansible.builtin.template:
 src: "{{ role_path }}/templates/conduit/systemd/matrix-conduit.service.j2"
diff --git a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2
index cdaead01..91c1e915 100644
--- a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 +++ b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2 @@ -12,13 +12,15 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-conduit \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-conduit \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduit_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_conduit_container_network }} \ --env CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml \ --mount type=bind,src={{ matrix_conduit_data_path }},dst=/var/lib/matrix-conduit \ --mount type=bind,src={{ matrix_conduit_config_path }},dst=/etc/matrix-conduit,ro \ 
@@ -27,6 +29,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endfor %} {{ matrix_conduit_docker_image }} +{% for network in matrix_conduit_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduit +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduit + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true' ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduit /bin/sh -c 'kill -HUP 1' From b84f25309b6b0351b5b24b5be2ca49c4c12195a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 22:09:37 +0200 Subject: [PATCH 08/71] Add matrix_homeserver_container_network --- group_vars/matrix_servers | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 359c6e3f..75076bbc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -435,6 +435,15 @@ matrix_homeserver_container_federation_url: |- }[matrix_homeserver_implementation] }} +matrix_homeserver_container_network: |- + {{ + matrix_nginx_proxy_container_network if matrix_nginx_proxy_enabled else { + 'synapse': matrix_synapse_container_network, + 'dendrite': matrix_dendrite_container_network, + 'conduit': matrix_conduit_container_network, + }[matrix_homeserver_implementation] + }} + matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" 
From 058a54fd0593994b25b421ede595e8a6d07b8183 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Feb 2023 23:06:36 +0200 Subject: [PATCH 09/71] Add native Traefik support to Dimension --- docs/configuring-playbook-dimension.md | 23 +++- group_vars/matrix_servers | 29 +++- .../custom/matrix-dimension/defaults/main.yml | 127 +++++++++++++++++- .../matrix-dimension/tasks/setup_install.yml | 13 ++ .../tasks/validate_config.yml | 33 +++++ .../matrix-dimension/templates/config.yaml.j2 | 14 +- .../matrix-dimension/templates/labels.j2 | 45 +++++++ .../systemd/matrix-dimension.service.j2 | 14 +- .../matrix-nginx-proxy/defaults/main.yml | 5 - .../matrix-nginx-proxy/templates/labels.j2 | 12 -- 10 files changed, 275 insertions(+), 40 deletions(-) create mode 100644 roles/custom/matrix-dimension/templates/labels.j2 diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index e201785a..4472e103 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md 
@@ -6,14 +6,29 @@ If you're just installing Matrix services for the first time, please continue wi **Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). -## Prerequisites +## Decide on a domain and path -The `dimension.` DNS record must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. +By default, Dimension is configured to use its own dedicated domain (`dimension.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to another hostname compared to the default (`dimension.{{ matrix_domain }}`) +matrix_dimension_hostname: "integrations.{{ matrix_domain }}" + +``` + +While there is a `matrix_dimension_path_prefix` variable for changing the path where Dimension is served, overriding it is not possible right now due to [this Dimension issue](https://github.com/turt2live/matrix-dimension/issues/510). You must serve Dimension at a dedicated subdomain until this issue is solved. + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Dimension domain to the Matrix server. ## Enable -[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. 
You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): +To enable Dimension, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml matrix_dimension_enabled: true @@ -54,7 +69,7 @@ For more information on how to acquire an access token, visit [https://t2bot.io/ ## Installation -After these variables have been set, please run the following command to re-run setup and to restart Dimension: +After these variables have been set and you have potentially [adjusted your DNS records](#adjusting-dns-records), please run the following command to re-run setup and to restart Dimension: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 75076bbc..e9d244d2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2154,12 +2154,32 @@ matrix_dimension_enabled: false matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the Dimension HTTP port to the local host. +matrix_dimension_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_dimension_hostname: "{{ matrix_server_fqn_dimension }}" + +matrix_dimension_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-dimension' }}" + +matrix_dimension_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_dimension_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_dimension_container_network else []) + ) | unique + }} + matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_dimension_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_dimension_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" + +matrix_dimension_homeserver_clientServerUrl: "{{ matrix_homeserver_container_url }}" matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" +matrix_dimension_homeserver_mediaUrl: "https://{{ matrix_server_fqn_matrix }}" 
matrix_dimension_systemd_required_services_list: | {{ @@ -2443,7 +2463,7 @@ matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" 
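Review bot: `matrix_dimension_homeserver_mediaUrl` is set to a fixed `https://{{ matrix_server_fqn_matrix }}` while, a few lines up in the same hunk, `matrix_dimension_scheme` is derived from `matrix_playbook_ssl_enabled`; with SSL disabled, Dimension would be pointed at an https media endpoint the playbook is not serving. Deriving the scheme the same way, e.g. `matrix_dimension_homeserver_mediaUrl: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_matrix }}"`, keeps the two consistent (whether a shared homeserver-URL variable already exists for this is not visible in the patch). The `matrix_dimension_container_additional_networks` expression also joins the container to the Postgres network whenever Postgres is enabled; that looks required for the role's database settings, but a one-line comment stating why would document the extra reachability.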
@@ -2460,7 +2480,6 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" diff --git a/roles/custom/matrix-dimension/defaults/main.yml b/roles/custom/matrix-dimension/defaults/main.yml index 4be76fd1..e66f9009 100644 --- a/roles/custom/matrix-dimension/defaults/main.yml +++ b/roles/custom/matrix-dimension/defaults/main.yml @@ -3,6 +3,15 @@ matrix_dimension_enabled: false +matrix_dimension_scheme: https + +# The hostname at which Dimension is served. +matrix_dimension_hostname: '' + +# The path at which Dimension is exposed. +# This value must either be `/` or not end with a slash (e.g. `/dimension`). +matrix_dimension_path_prefix: / + # You are required to specify an access token for Dimension to work. # For information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens matrix_dimension_access_token: "" 
@@ -35,21 +44,129 @@ matrix_dimension_systemd_wanted_services_list: [] matrix_dimension_user_uid: '1000' matrix_dimension_user_gid: '1000' +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_dimension_container_network: matrix-dimension + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_dimension_container_additional_networks: [] + # Controls whether the matrix-dimension container exposes its HTTP port (tcp/8184 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8184"), or empty string to not expose. matrix_dimension_container_http_host_bind_port: '' + +# matrix_dimension_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_dimension_container_labels_additional_labels`. +matrix_dimension_container_labels_traefik_enabled: true +matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_dimension_container_network }}" +matrix_dimension_container_labels_traefik_hostname: "{{ matrix_dimension_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/dimension`). 
+matrix_dimension_container_labels_traefik_path_prefix: "{{ matrix_dimension_path_prefix }}" +matrix_dimension_container_labels_traefik_rule: "Host(`{{ matrix_dimension_container_labels_traefik_hostname }}`){% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_dimension_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_dimension_container_labels_traefik_priority: 0 +matrix_dimension_container_labels_traefik_entrypoints: web-secure +matrix_dimension_container_labels_traefik_tls: "{{ matrix_dimension_container_labels_traefik_entrypoints != 'web' }}" +matrix_dimension_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_dimension_container_labels_traefik_additional_response_headers_custom` +matrix_dimension_container_labels_traefik_additional_response_headers: "{{ matrix_dimension_container_labels_traefik_additional_response_headers_auto | combine(matrix_dimension_container_labels_traefik_additional_response_headers_custom) }}" +matrix_dimension_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_dimension_http_header_xss_protection} if matrix_dimension_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_dimension_http_header_frame_options} if matrix_dimension_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_dimension_http_header_content_type_options} if matrix_dimension_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_dimension_http_header_content_security_policy} if matrix_dimension_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_dimension_http_header_content_permission_policy} if matrix_dimension_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': 
matrix_dimension_http_header_strict_transport_security} if matrix_dimension_http_header_strict_transport_security and matrix_dimension_container_labels_traefik_tls else {}) + }} +matrix_dimension_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_dimension_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_dimension_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_dimension_container_labels_additional_labels: '' + + # A list of extra arguments to pass to the container matrix_dimension_container_extra_arguments: [] -matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element" -matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" -matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] -matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" +# Public facing base URL of the Dimension service. +# It should not end with a slash. 
+matrix_dimension_base_url: "{{ matrix_dimension_scheme }}://{{ matrix_dimension_hostname }}{{ '' if matrix_dimension_path_prefix == '/' else matrix_dimension_path_prefix }}" -matrix_dimension_homeserver_federationUrl: "" # noqa var-naming +matrix_dimension_integrations_ui_url: "{{ matrix_dimension_base_url }}/element" +matrix_dimension_integrations_rest_url: "{{ matrix_dimension_base_url }}/api/v1/scalar" +matrix_dimension_integrations_widgets_urls: ["{{ matrix_dimension_base_url }}/widgets"] +matrix_dimension_integrations_jitsi_widget_url: "{{ matrix_dimension_base_url }}/widgets/jitsi" +matrix_dimension_homeserver_clientServerUrl: '' # noqa var-naming +matrix_dimension_homeserver_federationUrl: '' # noqa var-naming +matrix_dimension_homeserver_mediaUrl: '' # noqa var-naming + +# Controls the dimension.publicUrl configuration option +matrix_dimension_dimension_publicUrl: "{{ matrix_dimension_base_url }}" # noqa var-naming + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_dimension_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_dimension_http_header_frame_options: '' + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_dimension_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_dimension_http_header_content_security_policy: '' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_dimension_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_dimension_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_dimension_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_dimension_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_dimension_content_permission_policy` +matrix_dimension_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_dimension_http_header_strict_transport_security` +matrix_dimension_hsts_preload_enabled: false # Database-related configuration fields. # 
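Review bot: The response-header map in `matrix_dimension_container_labels_traefik_additional_response_headers_auto` emits the key `'Permission-Policy'`, but the standard header is `Permissions-Policy` (the later comment in this hunk, "Controls whether to send a "Permissions-Policy interest-cohort=();" header", spells it correctly), so browsers ignore the FLoC opt-out that `matrix_dimension_floc_optout_enabled` is meant to deliver; change that combine line to `| combine ({'Permissions-Policy': matrix_dimension_http_header_content_permission_policy} if matrix_dimension_http_header_content_permission_policy else {})` and the `# Specifies the value of the `Permission-Policy` header.` comment to match. The `See: `matrix_dimension_content_permission_policy`` line under the FLoC comment references a variable that does not exist in this hunk; it should read `matrix_dimension_http_header_content_permission_policy`. If other roles in the playbook carry the same header name they would need the same correction, which I cannot confirm from this patch.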
diff --git a/roles/custom/matrix-dimension/tasks/setup_install.yml b/roles/custom/matrix-dimension/tasks/setup_install.yml
index 26617f7a..b1f0c242 100644
--- a/roles/custom/matrix-dimension/tasks/setup_install.yml
+++ b/roles/custom/matrix-dimension/tasks/setup_install.yml
@@ -85,6 +85,14 @@
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_dimension_user_gid }}"
 
+- name: Ensure Dimension labels installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/labels.j2"
+ dest: "{{ matrix_dimension_base_path }}/labels"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
 - name: Ensure Dimension image is pulled
 community.docker.docker_image:
 name: "{{ matrix_dimension_docker_image }}"
@@ -120,6 +128,11 @@
 pull: true
 when: "matrix_dimension_container_image_self_build | bool"
 
+- name: Ensure Dimension container network is created
+ community.general.docker_network:
+ name: "{{ matrix_dimension_container_network }}"
+ driver: bridge
+
 - name: Ensure matrix-dimension.service installed
 ansible.builtin.template:
 src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2"
diff --git a/roles/custom/matrix-dimension/tasks/validate_config.yml b/roles/custom/matrix-dimension/tasks/validate_config.yml
index 8f681e08..b001ceed 100644
--- a/roles/custom/matrix-dimension/tasks/validate_config.yml
+++ b/roles/custom/matrix-dimension/tasks/validate_config.yml
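Review bot: `mode: 0640` in the new `Ensure Dimension labels installed` task is a plain YAML scalar; a YAML 1.1 parser such as PyYAML reads the leading-zero number as octal (decimal 416) and Ansible turns that integer back into the intended bits, so it works today, but a YAML 1.2 parser would read the same token as decimal 640. Writing `mode: "0640"` states the permission unambiguously. The restrictive mode itself is fine for a file that holds only the rendered Traefik labels.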
@@ -6,7 +6,12 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: + - {'name': 'matrix_dimension_hostname', when: true} + - {'name': 'matrix_dimension_container_network', when: true} - {'name': 'matrix_dimension_access_token', when: true} + - {'name': 'matrix_dimension_homeserver_clientServerUrl', when: true} + - {'name': 'matrix_dimension_homeserver_federationUrl', when: true} + - {'name': 'matrix_dimension_homeserver_mediaUrl', when: true} - {'name': 'matrix_dimension_database_hostname', when: "{{ matrix_dimension_database_engine == 'postgres' }}"} - name: (Deprecation) Catch and report renamed Dimension variables 
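Review bot: Adding `matrix_dimension_homeserver_federationUrl` and `matrix_dimension_homeserver_mediaUrl` to the required-non-empty list conflicts with the behaviour the config template documents for those keys, where an empty `federationUrl` means "resolve through normal federation" and an empty `mediaUrl` means "fall back to clientServerUrl". If those fallbacks are meant to remain available, drop the two entries from `with_items`; if always supplying a value is intentional, the template comments should say the playbook does so. The enclosing task's `name` and `fail` lines start above this hunk.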
@@ -17,3 +22,31 @@ when: "item.old in vars" with_items: - {'old': 'matrix_dimension_container_expose_port', 'new': ''} + +- when: matrix_dimension_container_labels_traefik_enabled | bool + block: + - name: Fail if required Dimension Traefik settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - matrix_dimension_container_labels_traefik_hostname + - matrix_dimension_container_labels_traefik_path_prefix + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_dimension_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_dimension_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/dimension`). + when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'" + + - name: Fail if matrix_dimension_container_labels_traefik_path_prefix is not / + ansible.builtin.fail: + msg: >- + matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must currently be set to `/`. + Other values are not supported. + See: https://github.com/turt2live/matrix-dimension/issues/510 + when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-dimension/templates/config.yaml.j2 b/roles/custom/matrix-dimension/templates/config.yaml.j2 index 592c65ac..c387c91b 100644 --- a/roles/custom/matrix-dimension/templates/config.yaml.j2 
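Review bot: The `when` on the last task, "Fail if matrix_dimension_container_labels_traefik_path_prefix is not /", is a copy of the previous task's condition (`!= '/' and ...[-1] == '/'`), so a prefix such as `/dimension` — exactly the value the message declares unsupported — passes validation and reaches the labels template. It should read `when: "matrix_dimension_container_labels_traefik_path_prefix != '/'"`. With that fix the preceding trailing-slash check becomes redundant, since every non-`/` value is already rejected; keep it only if other prefixes are expected to become supported later.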
+++ b/roles/custom/matrix-dimension/templates/config.yaml.j2 
@@ -9,30 +9,30 @@ web: homeserver: # The domain name of the homeserver. This is used in many places, such as with go-neb # setups, to identify the homeserver. - name: "{{ matrix_domain }}" + name: {{ matrix_domain | to_json }} # The URL that Dimension, go-neb, and other services provisioned by Dimension should # use to access the homeserver with. - clientServerUrl: "{{ matrix_homeserver_container_url }}" + clientServerUrl: {{ matrix_dimension_homeserver_clientServerUrl | to_json }} # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" + federationUrl: {{ matrix_dimension_homeserver_federationUrl | to_json }} # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - mediaUrl: "https://{{ matrix_server_fqn_matrix }}" + mediaUrl: {{ matrix_dimension_homeserver_mediaUrl | to_json }} # The access token Dimension should use for miscellaneous access to the homeserver. This # should be for a user on the configured homeserver: any user will do, however it is # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on # how to acquire an access token, visit https://t2bot.io/docs/access_tokens - accessToken: "{{ matrix_dimension_access_token }}" + accessToken: {{ matrix_dimension_access_token | to_json }} # These users can modify the integrations this Dimension supports. # To access the admin interface, open Dimension in Element and click the settings icon. -admins: {{ matrix_dimension_admins|to_json }} +admins: {{ matrix_dimension_admins | to_json }} # IPs and CIDR ranges listed here will be blocked from being widgets. 
# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. @@ -72,4 +72,4 @@ goneb: dimension: # This is where Dimension is accessible from clients. Be sure to set this # to your own Dimension instance. - publicUrl: "https://{{ matrix_server_fqn_dimension }}" + publicUrl: {{ matrix_dimension_dimension_publicUrl | to_json }} diff --git a/roles/custom/matrix-dimension/templates/labels.j2 b/roles/custom/matrix-dimension/templates/labels.j2 new file mode 100644 index 00000000..24b570cb --- /dev/null +++ b/roles/custom/matrix-dimension/templates/labels.j2 
@@ -0,0 +1,45 @@ +{% if matrix_dimension_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_dimension_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_dimension_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.regex=({{ matrix_dimension_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-dimension-slashless-redirect'] %} +{% endif %} + +{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-dimension-strip-prefix.stripprefix.prefixes={{ matrix_dimension_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-dimension-strip-prefix'] %} +{% endif %} + +{% if matrix_dimension_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_dimension_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-dimension-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-dimension-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-dimension.rule={{ matrix_dimension_container_labels_traefik_rule }} +{% if matrix_dimension_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dimension.priority={{ matrix_dimension_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-dimension.service=matrix-dimension +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-dimension.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-dimension.entrypoints={{ 
matrix_dimension_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-dimension.tls={{ matrix_dimension_container_labels_traefik_tls | to_json }} +{% if matrix_dimension_container_labels_traefik_tls %} +traefik.http.routers.matrix-dimension.tls.certResolver={{ matrix_dimension_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.matrix-dimension.loadbalancer.server.port=8184 +{% endif %} + +{{ matrix_dimension_container_labels_additional_labels }} diff --git a/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 07428ffa..0b14a117 100644 --- a/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2 
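Review bot: The `redirectregex.regex` label builds a regular expression from `matrix_dimension_container_labels_traefik_path_prefix` passed through `quote`, which is shell quoting rather than regex escaping; a prefix containing regex metacharacters is interpreted instead of matched literally, and one that needs shell quoting would gain literal `'` characters. If the intent is a verbatim match, `regex_escape` is the matching filter: `traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.regex=({{ matrix_dimension_container_labels_traefik_path_prefix | regex_escape }})$`. The slashless-redirect and strip-prefix blocks share the same `!= '/'` condition and could be merged into one `{% if %}`.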
@@ -21,25 +21,35 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_sqlite_database_path_local }} {% endif %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-dimension \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_dimension_container_network }} \ {% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %} -e NODE_TLS_REJECT_UNAUTHORIZED=0 \ {% endif %} {% if matrix_dimension_container_http_host_bind_port %} -p {{ matrix_dimension_container_http_host_bind_port }}:8184 \ {% endif %} + --label-file={{ matrix_dimension_base_path }}/labels \ --mount type=bind,src={{ matrix_dimension_base_path }},dst=/data \ {% for arg in matrix_dimension_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_dimension_docker_image }} +{% for network in matrix_dimension_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dimension +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dimension + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-dimension 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dimension 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension 
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index a098a098..f04f19f4 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -61,11 +61,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 6afa6029..b4c68471 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -39,18 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_ {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %} -# Dimension -traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }} -traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %} -traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} # Etherpad traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} From d5910d0421f8debb1939c2246916271e0d91b27d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 08:27:41 +0200 Subject: [PATCH 10/71] Upgrade com.devture.ansible.role.docker_sdk_for_python Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2522 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index fe0d85b5..d38383dc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: 6.1.0 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git - version: 54d6d1831f063e4a99b66c722f49053d59f8ee60 + version: 129c8590e106b83e6f4c259649a613c6279e937a - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f 
From d544f746e8f2da3d01c9e00d699ec8e255b5bc9c Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Mon, 27 Feb 2023 13:40:23 +0100 Subject: [PATCH 11/71] Update irc appservice --- roles/custom/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index 5e8c1191..ce39bc56 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml @@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. -matrix_appservice_irc_version: 0.36.0 +matrix_appservice_irc_version: 0.37.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 724373b12358664dd226a658ed2ff4c7f9d21d6c Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Mon, 27 Feb 2023 14:59:36 +0100 Subject: [PATCH 12/71] add nginx to list of own webserver example configs --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index ff9d2c93..35c22b35 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -232,4 +232,4 @@ Some of these services are configured with certain default expecations with rega For each new playbook service that you enable, you'll need special handling. -The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, etc. +The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, Nginx, etc. From e6ba7cc2c915d4f0674da72aa911e140a9390e4c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 16:32:37 +0200 Subject: [PATCH 13/71] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d38383dc..c882aee9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.7-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 2c949e88261c4398533ad16017475a1c75391487 + version: acc49a8059206743f1921f94891ebc177bf79bd2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 From 8dacdb038b67dc41711bf72648f749a106c550e6 Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Mon, 27 Feb 2023 15:34:37 +0100 Subject: [PATCH 14/71] add: nginx example conf + readme for fronting playbooks traefik with own nginx --- examples/nginx/README.md | 32 +++++++++++++ examples/nginx/matrix.conf | 96 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 examples/nginx/README.md create mode 100644 examples/nginx/matrix.conf diff --git a/examples/nginx/README.md b/examples/nginx/README.md new file mode 100644 index 00000000..d2d2a6ce --- /dev/null +++ b/examples/nginx/README.md 
@@ -0,0 +1,32 @@ +# Nginx reverse-proxy fronting playbook's Traefik + +This directory contains a sample config that show you how to do reverse-proxying using Nginx and the playbook's internal traefik container. + +This is for when you wish to front the playbook's integrated traefik container with a self-managed Nginx reverse-proxy running on the same server. +See the [Using your own webserver, instead of this playbook's nginx proxy & Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation page and follow the instructions for the playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + +That is this part: +**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + +# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval +devture_traefik_config_entrypoint_web_secure_enabled: false + +devture_traefik_container_web_host_bind_port: '127.0.0.1:81' + +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: 8449 + host_bind_port: '127.0.0.1:8449' + config: {} +``` + +**NOTE**: +- that this also disables SSL certificate retrieval, which then has to be done manually (e.g. by using certbot and setting the appropriate path as found in [the example nginx configuration file](./matrix.conf)). For the example nginx config one certificate is used that contains all the used subdomains. +- that [the example nginx configuration file](./matrix.conf) has to be adapted to whatever services you are using. For example, remove element.domain.com from the `server_name` list if you don't use Element web client or add dimension.domain.com to it if you do use Dimension. 
+- that this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration). diff --git a/examples/nginx/matrix.conf b/examples/nginx/matrix.conf new file mode 100644 index 00000000..366a8a8e --- /dev/null +++ b/examples/nginx/matrix.conf 
@@ -0,0 +1,96 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # TODO: add/remove services and their subdomains if you use/don't use them + # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com + # if you don't use those, you can remove them + # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list + server_name example.com matrix.example.com element.example.com; + + location / { + # note: do not add a path (even a single /) after the port in `proxy_pass`, + # otherwise, nginx will canonicalise the URI and cause signature verification + # errors. + proxy_pass http://localhost:81; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + access_log /var/log/nginx/matrix.access.log; + error_log /var/log/nginx/matrix.error.log; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +# settings for matrix federation +server { + # For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + server_name matrix.example.com; + + location / { + proxy_pass http://localhost:8449; + proxy_set_header 
X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + + access_log /var/log/nginx/matrix.access.log; + error_log /var/log/nginx/matrix.error.log; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +# ensure using https +# TODO: remove server blocks that you don't use / add server blocks for domains you do use +server { + if ($host = example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name example.com; + listen 80; + return 404; # managed by Certbot +} + +server { + if ($host = matrix.example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name matrix.example.com; + listen 80; + return 404; # managed by Certbot +} + +server { + if ($host = element.example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name element.example.com; + listen 80; + return 404; # managed by Certbot +} \ No newline at end of file From 89b9fca85cbe88673cf9ff63bce5656be6393ca6 Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Mon, 27 Feb 2023 15:51:04 +0100 Subject: [PATCH 15/71] remove duplicate of playbook config instructions --- examples/nginx/README.md | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/examples/nginx/README.md b/examples/nginx/README.md index d2d2a6ce..038b060e 100644 
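Review bot: Both `proxy_pass http://localhost:81;` and `proxy_pass http://localhost:8449;` name the upstream as `localhost`, while the accompanying README binds Traefik to `127.0.0.1:81` and `127.0.0.1:8449`; on a host where `localhost` also resolves to `::1`, nginx spreads connections over both addresses and the IPv6 attempts are refused, which typically surfaces as intermittent 502s. Use the literal address so the upstream matches the bind: `proxy_pass http://127.0.0.1:81;` and `proxy_pass http://127.0.0.1:8449;`. Deriving `X-Forwarded-For` from `$remote_addr` rather than `$proxy_add_x_forwarded_for` is the right choice here, as it keeps client-supplied forwarding headers from reaching the homeserver; a short comment to that effect would prevent a later "fix".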
--- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -5,27 +5,6 @@ This directory contains a sample config that show you how to do reverse-proxying This is for when you wish to front the playbook's integrated traefik container with a self-managed Nginx reverse-proxy running on the same server. See the [Using your own webserver, instead of this playbook's nginx proxy & Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation page and follow the instructions for the playbook's configuration (`inventory/host_vars/matrix./vars.yml`). -That is this part: -**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: - -```yaml -matrix_playbook_reverse_proxy_type: playbook-managed-traefik - -# Ensure that public urls use https -matrix_playbook_ssl_enabled: true - -# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval -devture_traefik_config_entrypoint_web_secure_enabled: false - -devture_traefik_container_web_host_bind_port: '127.0.0.1:81' - -devture_traefik_additional_entrypoints_auto: - - name: matrix-federation - port: 8449 - host_bind_port: '127.0.0.1:8449' - config: {} -``` - **NOTE**: - that this also disables SSL certificate retrieval, which then has to be done manually (e.g. by using certbot and setting the appropriate path as found in [the example nginx configuration file](./matrix.conf)). For the example nginx config one certificate is used that contains all the used subdomains. - that [the example nginx configuration file](./matrix.conf) has to be adapted to whatever services you are using. For example, remove element.domain.com from the `server_name` list if you don't use Element web client or add dimension.domain.com to it if you do use Dimension. From 84e6677bc0fcbde82a91db920b9a0af84b0566c8 Mon Sep 17 00:00:00 2001 
From: Jost Alemann Date: Mon, 27 Feb 2023 15:56:34 +0100 Subject: [PATCH 16/71] in own webserver doc link to nginx fronting traefik example --- docs/configuring-playbook-own-webserver.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 35c22b35..cae1486e 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -143,6 +143,8 @@ devture_traefik_additional_entrypoints_auto: config: {} ``` +For an example where the playbook's traefik is fronted by Nginx running on the same server, see [Nginx reverse-proxy fronting playbook's Traefik](../examples/nginx/README.md). + (Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: ```yaml From 9e7415afa269d84dbfab98f7ff16eed371a56d63 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:07:44 +0200 Subject: [PATCH 17/71] Ensure Buscarron is part of the Postgres network --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e9d244d2..40daa42e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1707,6 +1707,8 @@ matrix_bot_buscarron_container_additional_networks: | ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_buscarron_container_network else []) ) | unique }} From b388a01ab7df38da612e9fceaa23ba8b23289b38 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 27 Feb 2023 17:09:19 +0200 Subject: [PATCH 18/71] Wire all certResolver variables to devture_traefik_certResolver_primary This allows people wishing to change or unset the resolver, to have a single variable which they can toggle. Unsetting the resolver is useful for using your own certificates (not coming from a certificate resolver). --- group_vars/matrix_servers | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 40daa42e..4827a3c2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1715,6 +1715,7 @@ matrix_bot_buscarron_container_additional_networks: | matrix_bot_buscarron_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_bot_buscarron_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_bot_buscarron_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -2051,6 +2052,7 @@ matrix_rageshake_container_http_host_bind_port: "{{ (matrix_playbook_service_hos matrix_rageshake_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_rageshake_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # 
@@ -2178,6 +2180,7 @@ matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_hos matrix_dimension_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_dimension_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_dimension_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_dimension_homeserver_clientServerUrl: "{{ matrix_homeserver_container_url }}" matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" @@ -2480,6 +2483,7 @@ matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reve matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" 
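Review bot: The commit message presents unsetting `devture_traefik_certResolver_primary` as a supported way to use your own certificates, but the Dimension labels template added earlier in this series emits `traefik.http.routers.matrix-dimension.tls.certResolver={{ matrix_dimension_container_labels_traefik_tls_certResolver }}` unconditionally whenever TLS is on, so an empty resolver yields an empty-valued label; whether Traefik reads that as "no resolver" or rejects the router is not visible here. Wrapping that line in `labels.j2` with `{% if matrix_dimension_container_labels_traefik_tls_certResolver %}` / `{% endif %}` would make the documented unset case explicit. The other `*_tls_certResolver` hunks in this patch follow the same pattern and their templates are not shown, so they may need the same guard.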
@@ -2971,6 +2975,7 @@ matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_b matrix_sygnal_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_sygnal_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_sygnal_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ###################################################################### # @@ -3004,6 +3009,7 @@ ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_inter ntfy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" ntfy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" ntfy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +ntfy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: | {{ @@ -3061,6 +3067,7 @@ matrix_client_element_container_additional_networks: "{{ [matrix_playbook_revers matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_client_element_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" 
@@ -3114,6 +3121,7 @@ matrix_client_hydrogen_container_additional_networks: "{{ [matrix_playbook_rever
 matrix_client_hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_client_hydrogen_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 
 matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}"
 
@@ -3147,6 +3155,7 @@ matrix_client_cinny_container_additional_networks: "{{ [matrix_playbook_reverse_
 matrix_client_cinny_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_client_cinny_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_client_cinny_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 
 matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}"
 
@@ -3326,6 +3335,7 @@ matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse
 matrix_synapse_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_synapse_admin_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 
 ######################################################################
 #
@@ -3357,6 +3367,7 @@ prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_rev
 prometheus_node_exporter_container_labels_traefik_enabled: false
 prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 
 ######################################################################
 #
@@ -3388,6 +3399,7 @@ prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook
 prometheus_postgres_exporter_container_labels_traefik_enabled: false
 prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 
 prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter
@@ -3491,6 +3503,7 @@ grafana_container_additional_networks: |
 grafana_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 grafana_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 grafana_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 
 # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose

From 7716c306f1d9a99fd3302fb04ac535d643be2e60 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 27 Feb 2023 17:26:22 +0200
Subject: [PATCH 19/71] Split Traefik rules for Matrix Client and Matrix Federation APIs

This helps people who run federation on another domain (etc.). They should now easily be able to add a custom rule for federation traffic.
---
 roles/custom/matrix-nginx-proxy/defaults/main.yml | 5 ++++-
 roles/custom/matrix-nginx-proxy/tasks/validate_config.yml | 2 ++
 roles/custom/matrix-nginx-proxy/templates/labels.j2 | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index f04f19f4..6565e1b9 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -57,7 +57,10 @@ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ ma
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname }}`)"
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)"
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname }}`)"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}"
 
diff --git a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml
index f7d18c9e..8d63876a 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml
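Review bot: The default for `matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname` survives this hunk as a context line, yet the same commit's `validate_config.yml` lists that exact name as a removed setting. If the deprecation task tests membership in `vars` (the surrounding entries suggest that, but the task's `when:` is outside the hunk), a name the role itself still defines will trip the check on every run, not just for users who set it, and it is dead anyway now that the rule reads `_client_hostname`. Make the second context line a removal in this commit, i.e. `-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"`, so the migration entry only fires on user-supplied configuration. A short comment above the two new hostname pairs, stating that federation may legitimately be served from a different host than the client API, would also explain why the split exists.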
@@ -14,6 +14,8 @@
     - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'}
     - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''}
     - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''}
+    - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule', 'new': ''}
+    - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname', 'new': ''}
 
 - name: Fail on unknown matrix_ssl_retrieval_method
   ansible.builtin.fail:
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2
index b4c68471..0aff6a05 100644
--- a/roles/custom/matrix-nginx-proxy/templates/labels.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2
@@ -20,7 +20,7 @@ traefik.http.routers.matrix-nginx-proxy-base-domain.entrypoints={{ matrix_nginx_
 
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %}
 # Matrix Client
-traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }}
+traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule }}
 traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web
 traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
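Review bot: Both new migration entries use `'new': ''`, which (judging by the neighbouring cron entries) is the form reserved for settings with no successor, yet `_proxy_matrix_rule` does have successors: a user who customised it must now set both `_proxy_matrix_client_rule` and `_proxy_matrix_federation_rule`, and the failure message will not tell them that. Consider `{'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule', 'new': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule'}` and likewise pointing `_matrix_hostname` at `_matrix_client_hostname`, with a comment that the federation counterpart needs setting too if the rule was split on purpose. The task that owns this list (its `name:`, `fail:` and `when:`) starts before the hunk, so I cannot confirm how `new` is rendered in the message.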
@@ -29,7 +29,7 @@ traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix
 traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
 
 # Matrix Federation
-traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }}
+traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule }}
 traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation
 traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}

From 91660f7433867b0ea4d1165c53d76b05e4d4387a Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 27 Feb 2023 17:45:28 +0200
Subject: [PATCH 20/71] Improve wordng in examples/nginx/README.md

---
 examples/nginx/README.md | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/examples/nginx/README.md b/examples/nginx/README.md
index 038b060e..f9be21fd 100644
--- a/examples/nginx/README.md
+++ b/examples/nginx/README.md
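Review bot: The federation router now gets its own rule, but its `.tls=` line and the `{% if %}` guard below it still read `matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls`, which the defaults in this series derive from the *client* entrypoints (`matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web'`), not from `..._proxy_matrix_federation_entrypoints`. Once the two routers can diverge in host and entrypoint, a setup that terminates TLS for federation elsewhere (the own-webserver docs in this series bind a separate `matrix-federation` entrypoint to `127.0.0.1:8449`) would still be labelled `tls=true` on the federation router, which presumably is not what the split intends. A dedicated flag keeps the routers independent: `matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_tls: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints != 'web' }}"` in defaults, used on this router's `.tls=` and `{% if %}` lines instead of the client flag. The closing `{% endif %}` lines of both routers are outside the hunk, so I have not checked the rest of the federation block.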
@@ -1,11 +1,17 @@
-# Nginx reverse-proxy fronting playbook's Traefik
+# Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy
 
-This directory contains a sample config that show you how to do reverse-proxying using Nginx and the playbook's internal traefik container.
+This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
 
-This is for when you wish to front the playbook's integrated traefik container with a self-managed Nginx reverse-proxy running on the same server.
-See the [Using your own webserver, instead of this playbook's nginx proxy & Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation page and follow the instructions for the playbook's configuration (`inventory/host_vars/matrix./vars.yml`).
 
-**NOTE**:
-- that this also disables SSL certificate retrieval, which then has to be done manually (e.g. by using certbot and setting the appropriate path as found in [the example nginx configuration file](./matrix.conf)). For the example nginx config one certificate is used that contains all the used subdomains.
-- that [the example nginx configuration file](./matrix.conf) has to be adapted to whatever services you are using. For example, remove element.domain.com from the `server_name` list if you don't use Element web client or add dimension.domain.com to it if you do use Dimension.
-- that this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
+## Prerequisite configuration
+
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`).
+
+
+## Using the nginx configuration
+
+Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`).
+
+This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host.
+
+Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../docs/configuring-playbook-dimension.md) integration manager.

From faa074f7af4ca4b5fa86122a38a303ab50e3cf57 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 27 Feb 2023 17:47:19 +0200
Subject: [PATCH 21/71] Improve wording

---
 docs/configuring-playbook-own-webserver.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md
index cae1486e..81b154e2 100644
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -143,7 +143,7 @@ devture_traefik_additional_entrypoints_auto:
   config: {}
 ```
 
-For an example where the playbook's traefik is fronted by Nginx running on the same server, see [Nginx reverse-proxy fronting playbook's Traefik](../examples/nginx/README.md).
+For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
 
 (Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this:
 

From 73f09d4bb0aa4bf6006267f3af62cf1c1ea255d7 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 27 Feb 2023 17:48:35 +0200
Subject: [PATCH 22/71] Remove fronting matrix-nginx-proxy example

We don't need this anymore. No one should be using matrix-nginx-proxy anymore.
---
 docs/configuring-playbook-own-webserver.md | 32 ++--------------------
 1 file changed, 3 insertions(+), 29 deletions(-)

diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md
index 81b154e2..12c969d2 100644
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -123,7 +123,7 @@ You can disable such behavior and make the integrated reverse-proxy webserver on
 
 This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it.
 
-**For Traefik** fronted by another reverse-proxy, you would need some configuration like this:
+To front Traefik with another reverse-proxy, you would need some configuration like this:
 
 ```yaml
 matrix_playbook_reverse_proxy_type: playbook-managed-traefik
@@ -143,36 +143,10 @@ devture_traefik_additional_entrypoints_auto: config: {} ``` -For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). - -(Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this: - -```yaml -matrix_playbook_reverse_proxy_type: playbook-managed-nginx - -# Ensure that public urls use https -matrix_playbook_ssl_enabled: true - -# Disable SSL certificate retrieval -matrix_ssl_retrieval_method: none - -# Given that we won't be obtaining SSL certificates here, disable HTTPS -matrix_nginx_proxy_https_enabled: false - -# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' - -# Likewise, expose the Matrix Federation port on the loopback interface. -# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic. -# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. -# -# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap). -matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' -``` - If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface. +For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). 
+
 ### Using no reverse-proxy on the Matrix side at all

From bb9053687486bc320b31fb735b3ab6abab7673d5 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 27 Feb 2023 17:57:33 +0200
Subject: [PATCH 23/71] Fix variable name typos in docs/configuring-playbook-postgres-backup.md

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2524
---
 docs/configuring-playbook-postgres-backup.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md
index 2510ecc1..9ea3c60e 100644
--- a/docs/configuring-playbook-postgres-backup.md
+++ b/docs/configuring-playbook-postgres-backup.md
@@ -23,8 +23,8 @@ Refer to the table below for additional configuration variables and their defaul
 |`devture_postgres_backup_keep_days`|`7`|Number of daily backups to keep|
 |`devture_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep|
 |`devture_postgres_backup_keep_months`|`12`|Number of monthly backups to keep|
-|`devture_postgres_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_data_path` |
-|`devture_postgres_data_path` | `"{{ devture_postgres_base_path }}/data"` | Storage path for postgres-backup database backups |
+|`devture_postgres_backup_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_backup_data_path` |
+|`devture_postgres_backup_data_path` | `"{{ devture_postgres_backup_base_path }}/data"` | Storage path for postgres-backup database backups |
 
 ## Installing
 

From 6fe739a2cb790add5a307bd35255c13edbc8096d Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 27 Feb 2023 18:32:22 +0200
Subject: [PATCH 24/71] Remove unnecessary variable

---
 roles/custom/matrix-nginx-proxy/defaults/main.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index 6565e1b9..27978cae 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -55,7 +55,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls: "{{ matrix_ng
 matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname }}`)"
 
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)"

From 0aede060f30a35f0c789701dc96b04cb9eff6ae8 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Tue, 28 Feb 2023 13:18:21 +0000
Subject: [PATCH 25/71] Update grafana 9.3.6 -> 9.4.1

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index c882aee9..e638955e 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
   version: v1.2.3-1.7.7-1
 
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v9.3.6-2
+  version: v9.4.1-0
 
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
   version: v2.1.0-0

From 0fe1d1f9ece89025ee5952a4730e03e83fcd2654 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Tue, 28 Feb 2023 13:18:59 +0000
Subject: [PATCH 26/71] Update element 1.11.23 -> 1.11.24

---
 roles/custom/matrix-client-element/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml
index 60b52d60..8e24ca66 100644
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
-matrix_client_element_version: v1.11.23
+matrix_client_element_version: v1.11.24
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

From 32e700f0767f8893fe2a0f5fd0b65fdd4b96a7b6 Mon Sep 17 00:00:00 2001
From: plui29989
Date: Tue, 28 Feb 2023 21:07:16 +0100
Subject: [PATCH 27/71] Add doc for self-signed certificates

---
 docs/configuring-playbook-ssl-certificates.md | 43 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 2 deletions(-)

diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md
index 60d5b135..a2fab7c3 100644
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@@ -29,6 +29,45 @@ devture_traefik_config_entrypoint_web_secure_enabled: false
 
 ## Using self-signed SSL certificates
 
-Using self-signed certificates with Traefik is a somewhat involved processes, where you need to manually mount the files into the container and adjust the "static" configuration to refer to them.
+To use self-signed SSL certificates, you need to disable the certResolvers and the traefik-certs-dumper tool.
+You also need to override the providers.file setting in the Traefik configs.
+Create a file 'certificates.yml' in /devture-traefik/config/ with the following content:
 
-Feel free to research this approach on your own and improve this guide!
+```yaml
+tls:
+  certificates:
+    - certFile: /ssl/cert.pem
+      keyFile: /ssl/privkey.pem
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /ssl/cert.pem
+        keyFile: /ssl/privkey.pem
+```
+
+Place the key and your certificate in /devture-traefik/ssl/
+You can use the matrix-aux role for this:
+
+```yaml
+matrix_aux_file_definitions:
+  - dest: /devture-traefik/ssl/privkey.pem
+    src: /path/to/privkey.pem
+  - dest: /devture-traefik/ssl/cert.pem
+    src: /path/to/cert.pem
+  - dest: /devture-traefik/config/certificates.yml
+    src: /path/to/certificates.yml
+```
+
+Then add the following to your vars.yml:
+
+```yaml
+devture_traefik_config_certificatesResolvers_acme_enabled: false
+devture_traefik_certResolver_primary: ''
+devture_traefik_ssl_dir_enabled: true
+devture_traefik_configuration_extension_yaml: |
+  providers:
+    file:
+      filename: /config/certificates.yml
+      watch: true
+matrix_playbook_traefik_certs_dumper_role_enabled: false
+```

From 4b17a1e73a5a3560f6b2bb25ec8ac6ac26c52924 Mon Sep 17 00:00:00 2001
From: plui29989
Date: Tue, 28 Feb 2023 21:09:37 +0100
Subject: [PATCH 28/71] formatting

---
 docs/configuring-playbook-ssl-certificates.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md
index a2fab7c3..859885dd 100644
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@@ -31,6 +31,7 @@ devture_traefik_config_entrypoint_web_secure_enabled: false
 
 To use self-signed SSL certificates, you need to disable the certResolvers and the traefik-certs-dumper tool.
 You also need to override the providers.file setting in the Traefik configs.
+
 Create a file 'certificates.yml' in /devture-traefik/config/ with the following content:
 
 ```yaml
@@ -46,6 +47,7 @@ tls:
 ```
 
 Place the key and your certificate in /devture-traefik/ssl/
+
 You can use the matrix-aux role for this:
 
 ```yaml

From c3900aaf1b7c755519857f315da56ac3e304bbf5 Mon Sep 17 00:00:00 2001
From: array-in-a-matrix
Date: Tue, 28 Feb 2023 18:06:46 -0500
Subject: [PATCH 29/71] remove devture services

---
 roles/custom/matrix-base/templates/bin/remove-all.j2 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/custom/matrix-base/templates/bin/remove-all.j2 b/roles/custom/matrix-base/templates/bin/remove-all.j2
index 5dd862ae..46e1f757 100644
--- a/roles/custom/matrix-base/templates/bin/remove-all.j2
+++ b/roles/custom/matrix-base/templates/bin/remove-all.j2
@@ -21,6 +21,13 @@ else
         rm -f {{ devture_systemd_docker_base_systemd_path }}/$s
     done
 
+    echo "Stop and remove devture services"
+
+    for s in $(find {{ devture_systemd_docker_base_systemd_path }}/ -type f -name "devture-*" -printf "%f\n"); do
+        systemctl disable --now $s
+        rm -f {{ devture_systemd_docker_base_systemd_path }}/$s
+    done
+
     systemctl daemon-reload
 
     echo "Remove unused Docker images and resources"

From f7149103e457eaf1067824360ecd95c59ec69c6f Mon Sep 17 00:00:00 2001
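Review bot: The new `devture-*` loop removes every unit with that prefix from the systemd directory, and the later commit message in this series (PATCH 30) says the `devture-*` Traefik component is shared by "various related playbooks" on the same host; a blanket `find -name "devture-*"` in a matrix-specific remove-all script may therefore disable and delete units another playbook owns. If that sharing is real, the loop should be restricted to the unit names this playbook actually installs (the service-manager list in `group_vars` is the authoritative source) or at least carry a comment warning that co-installed devture-based playbooks will lose their services, e.g. `# NOTE: also removes devture-* units installed by other playbooks sharing this host`. Separately, `$s` is unquoted on the `systemctl disable --now $s` and `rm -f .../$s` lines; unit names do not normally contain whitespace, but quoting (`"$s"`) costs nothing and matches what shellcheck expects. The script's `if/else` that this branch belongs to starts outside the hunk.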
From: Slavi Pantaleev
Date: Wed, 1 Mar 2023 09:29:14 +0200
Subject: [PATCH 30/71] Remove matrix_playbook_traefik_certs_dumper_role_enabled in favor of just devture_traefik_certs_dumper_enabled

We don't need these 2 roughly-the-same settings related to the traefik-certs-dumper role. For Traefik, it makes sense, because it's a component used by the various related playbooks and they could step onto each other's toes if the role is enabled, but Traefik is disabled (in that case, uninstall tasks will run). As for Traefik certs dumper, the other related playbooks don't have it, so there's no conflict. Even if they used it, each one would use its own instance (different `devture_traefik_certs_dumper_identifier`), so there wouldn't be a conflict and uninstall tasks can run without any danger.
---
 group_vars/matrix_servers | 16 ++++++----------
 playbooks/matrix.yml | 3 +--
 .../tasks/validate_config.yml | 1 +
 3 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 4827a3c2..4195aa52 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -38,12 +38,10 @@ matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type !=
 # installed in another way.
 matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 
-matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}"
-
 # Controls the additional network that reverse-proxyable services will be connected to.
 matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}"
 
-matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}"
+matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_certs_dumper_enabled else matrix_ssl_retrieval_method }}"
 
 matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}"
 
@@ -360,7 +358,7 @@ devture_systemd_service_manager_services_list_auto: |
   +
   ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
   +
-  ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if matrix_playbook_traefik_certs_dumper_role_enabled else [])
+  ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else [])
   }}
 
 ########################################################################
@@ -1789,7 +1787,7 @@ matrix_bot_postmoogle_systemd_required_services_list: |
   +
   (['matrix-synapse.service'] if matrix_synapse_enabled else [])
   +
-  (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [])
+  (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled else [])
   }}
 
 # Postgres is the default, except if not using internal Postgres server
@@ -2131,7 +2129,7 @@ matrix_coturn_container_additional_volumes: |
       'dst': '/privatekey.key',
       'options': 'ro',
     },
-  ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else []
+  ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
   )
   }}
 
@@ -2139,7 +2137,7 @@ matrix_coturn_systemd_required_services_list: |
   {{
   ['docker.service']
   +
-  ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else [])
+  ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
   }}
 
 ######################################################################
@@ -3807,9 +3805,7 @@ devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_ad
 #
 ########################################################################
 
-# To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`.
-# See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`.
-devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled }}"
+devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}"
 
 devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper
 
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index a425cd88..6a8987bf 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -121,8 +121,7 @@
     - when: matrix_playbook_traefik_role_enabled | bool
       role: galaxy/com.devture.ansible.role.traefik
 
-    - when: matrix_playbook_traefik_certs_dumper_role_enabled | bool
-      role: galaxy/com.devture.ansible.role.traefik_certs_dumper
+    - role: galaxy/com.devture.ansible.role.traefik_certs_dumper
 
     - when: devture_systemd_service_manager_enabled | bool
       role: galaxy/com.devture.ansible.role.systemd_service_manager
diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
index 7afd2154..2241d502 100644
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@@ -36,6 +36,7 @@ - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'} - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled'} - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled'} + - {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'devture_traefik_certs_dumper_enabled'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: From b0845984b3ea9e73e78f020ae3690db74363da49 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 09:44:54 +0200 Subject: [PATCH 31/71] Only enable Traefik certs dumper if the ACME certificate resolver for Traefik is enabled If someone disables ACME, then they're using their own certificates somehow. There's nothing to dump from an `acme.json` file. --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4195aa52..6e40aba7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3805,7 +3805,7 @@ devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_ad # # ######################################################################## -devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" +devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled and devture_traefik_config_certificatesResolvers_acme_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper From 7331d314c422ec9b113ea3d09135355d89610824 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 09:45:54 +0200 Subject: [PATCH 32/71] Improve wording --- docs/configuring-playbook-ssl-certificates.md | 74 +++++++++++-------- 1 file changed, 42 insertions(+), 32 deletions(-) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 859885dd..bde425bd 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
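Review bot: The new `devture_traefik_config_certificatesResolvers_acme_enabled` condition is applied only to the `playbook-managed-traefik` branch; for `matrix_playbook_reverse_proxy_type == 'other-traefik-container'` the dumper is still enabled unconditionally, although the commit message's reasoning (nothing to dump from `acme.json` when ACME is off) applies just as well to an externally managed Traefik that serves its own certificates. Because the dumper's `-wait-for-domain@` units are pulled into `matrix_coturn_systemd_required_services_list` and the Postmoogle waiter list whenever this flag is true, such a setup would have coturn and Postmoogle block on a certificate dump that never arrives. Unless the external-Traefik path has its own ACME flag elsewhere (not visible here), either gate that branch too or document the expectation, e.g. `# NOTE: with other-traefik-container the dumper is always on; override this to false if that Traefik does not use ACME.`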
@@ -29,47 +29,57 @@ devture_traefik_config_entrypoint_web_secure_enabled: false ## Using self-signed SSL certificates -To use self-signed SSL certificates, you need to disable the certResolvers and the traefik-certs-dumper tool. -You also need to override the providers.file setting in the Traefik configs. +To use self-signed SSL certificates, you need to: -Create a file 'certificates.yml' in /devture-traefik/config/ with the following content: - -```yaml -tls: - certificates: - - certFile: /ssl/cert.pem - keyFile: /ssl/privkey.pem - stores: - default: - defaultCertificate: - certFile: /ssl/cert.pem - keyFile: /ssl/privkey.pem -``` - -Place the key and your certificate in /devture-traefik/ssl/ - -You can use the matrix-aux role for this: - -```yaml -matrix_aux_file_definitions: - - dest: /devture-traefik/ssl/privkey.pem - src: /path/to/privkey.pem - - dest: /devture-traefik/ssl/cert.pem - src: /path/to/cert.pem - - dest: /devture-traefik/config/certificates.yml - src: /path/to/certificates.yml -``` - -Then add the following to your vars.yml: +- disable `certResolvers` in Traefik, so it won't attempt to retrieve SSL certificates using the default certificate resolver (using [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/)) +- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually +- register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/) +- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually ```yaml +# Disable ACME / Let's Encrypt support devture_traefik_config_certificatesResolvers_acme_enabled: false + +# Unset the default certificate resolver devture_traefik_certResolver_primary: '' + +# Keep the SSL directory normally used for ACME / Let's Encrypt certificates. 
+# We need to explicitly enable this, because disabling ACME support (above) automatically disables it otherwise. devture_traefik_ssl_dir_enabled: true + +# Tell Traefik to load our custom configuration file (certificates.yml). +# The file is created below. See `matrix_aux_file_definitions`. +# The `/config/..` path is an in-container path, not a path on the host. Do not change it! devture_traefik_configuration_extension_yaml: | providers: file: filename: /config/certificates.yml watch: true -matrix_playbook_traefik_certs_dumper_role_enabled: false + +# Use the matrix-aux role to create our custom files on the server. +# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable. +matrix_aux_file_definitions: + # Create the privkey.pem file on the server by + # uploading a file from the computer where Ansible is running. + - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" + src: /path/on/your/Ansible/computer/to/privkey.pem + + # Create the cert.pem file on the server + # uploading a file from the computer where Ansible is running. + - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem" + src: /path/on/your/Ansible/computer/to/cert.pem + + # Create the custom Traefik configuration. + # The `/ssl/..` paths below are in-container paths, not paths on the host. Do not change them! + - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml" + content: | + tls: + certificates: + - certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem + stores: + default: + defaultCertificate: + certFile: /ssl/cert.pem + keyFile: /ssl/privkey.pem ``` From ba2a3caaf383fa7b576d156acfd8c87584ff850b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 09:54:23 +0200 Subject: [PATCH 33/71] Minor improvements to docs/configuring-playbook-ssl-certificates.md --- docs/configuring-playbook-ssl-certificates.md | 37 +++++++++++++------ 1 file changed, 26 insertions(+), 11 deletions(-) 
diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index bde425bd..13d5f609 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -29,27 +29,32 @@ devture_traefik_config_entrypoint_web_secure_enabled: false ## Using self-signed SSL certificates -To use self-signed SSL certificates, you need to: +If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) from [Let's Encrypt](https://letsencrypt.org/)): -- disable `certResolvers` in Traefik, so it won't attempt to retrieve SSL certificates using the default certificate resolver (using [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/)) +- generate your self-signed certificate files +- follow the [Using your own SSL certificates](#using-your-own-ssl-certificates) documentation below + + +## Using your own SSL certificates + +To use your own SSL certificates with Traefik, you need to: + +- disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support - put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually - register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/) - put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually ```yaml -# Disable ACME / Let's Encrypt support +# Disable ACME / Let's Encrypt support. devture_traefik_config_certificatesResolvers_acme_enabled: false -# Unset the default certificate resolver -devture_traefik_certResolver_primary: '' - -# Keep the SSL directory normally used for ACME / Let's Encrypt certificates. -# We need to explicitly enable this, because disabling ACME support (above) automatically disables it otherwise. 
+# Disabling ACME support (above) automatically disables the creation of the SSL directory. +# Force-enable it here, because we'll add our certificate files there. devture_traefik_ssl_dir_enabled: true # Tell Traefik to load our custom configuration file (certificates.yml). -# The file is created below. See `matrix_aux_file_definitions`. -# The `/config/..` path is an in-container path, not a path on the host. Do not change it! +# The file is created below, in `matrix_aux_file_definitions`. +# The `/config/..` path is an in-container path, not a path on the host (like `/devture-traefik/config`). Do not change it! devture_traefik_configuration_extension_yaml: | providers: file: @@ -63,14 +68,24 @@ matrix_aux_file_definitions: # uploading a file from the computer where Ansible is running. - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem" src: /path/on/your/Ansible/computer/to/privkey.pem + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE # Create the cert.pem file on the server # uploading a file from the computer where Ansible is running. - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem" src: /path/on/your/Ansible/computer/to/cert.pem + # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline. + # Note the indentation level. + # content: | + # FILE CONTENT + # HERE # Create the custom Traefik configuration. - # The `/ssl/..` paths below are in-container paths, not paths on the host. Do not change them! + # The `/ssl/..` paths below are in-container paths, not paths on the host (/`devture-traefik/ssl/..`). Do not change them! - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml" content: | tls: From 468bed653e06ad632cdbdaf9c6c1cb66a44b0eee Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 1 Mar 2023 10:30:09 +0200 Subject: [PATCH 34/71] Upgrade Redis (v7.0.7-0 -> v7.0.9-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e638955e..fc39323a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -46,7 +46,7 @@ version: v2.1.0-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git - version: v7.0.7-0 + version: v7.0.9-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: acc49a8059206743f1921f94891ebc177bf79bd2 From d6371a07816bf0861d653c70188049b21eb5175b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 10:32:49 +0200 Subject: [PATCH 35/71] Upgrade ddclient (v3.10.0-ls110 -> v3.10.0-ls111) --- roles/custom/matrix-dynamic-dns/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dynamic-dns/defaults/main.yml b/roles/custom/matrix-dynamic-dns/defaults/main.yml index 4ec034a9..08cf023c 100644 --- a/roles/custom/matrix-dynamic-dns/defaults/main.yml +++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml @@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -matrix_dynamic_dns_version: v3.10.0-ls110 +matrix_dynamic_dns_version: v3.10.0-ls111 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" From 8db2c0498a20aaf74a59a3f8bfcdd2eef7f30c02 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 11:07:25 +0200 Subject: [PATCH 36/71] Upgrade Synapse (v1.77.0 -> v1.78.0) --- roles/custom/matrix-synapse/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index dd69facd..41ad0bc4 100644 
--- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -4,6 +4,8 @@ matrix_synapse_enabled: true +matrix_synapse_version: v1.78.0 + matrix_synapse_username: '' matrix_synapse_uid: '' matrix_synapse_gid: '' @@ -69,7 +71,6 @@ matrix_synapse_container_image_customizations_dockerfile_body_custom: '' matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_version: v1.77.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From a4b401c4da53ada67f25dd131144bce880ac5593 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 12:31:46 +0200 Subject: [PATCH 37/71] Upgrade com.devture.ansible.role.traefik and improve front-Traefik-with-another-proxy docs Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2532 --- docs/configuring-playbook-own-webserver.md | 19 +++++++++++++++++-- requirements.yml | 2 +- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 12c969d2..affb565f 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -134,17 +134,32 @@ matrix_playbook_ssl_enabled: true # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval devture_traefik_config_entrypoint_web_secure_enabled: false +# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81` devture_traefik_container_web_host_bind_port: '127.0.0.1:81' +# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from +# a reverse-proxy running on the local machine is safe enough. +devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true + +# Or, if you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interfaces: +# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition above +# - uncomment and adjust the line below +# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] + +# Likewise (to `devture_traefik_container_web_host_bind_port` above), +# if your reverse-proxy runs on another machine, consider changing the `host_bind_port` setting below. devture_traefik_additional_entrypoints_auto: - name: matrix-federation port: 8449 host_bind_port: '127.0.0.1:8449' config: {} + # If your reverse-proxy runs on another machine, remove the config above and use this config instead: + # config: + # forwardedHeaders: + # insecure: true + # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY'] ``` -If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface. - For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md). 
diff --git a/requirements.yml b/requirements.yml index fc39323a..1c3b8e76 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.9-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: acc49a8059206743f1921f94891ebc177bf79bd2 + version: ed9f59753468556b363f90798be23c600d16ef5f - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 From adc18251a9e9a34ba51b49e9c6eb91dca01a4f22 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 12:47:55 +0200 Subject: [PATCH 38/71] Upgrade com.devture.ansible.role.traefik (2.9.6 -> 2.9.8) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 1c3b8e76..410dc446 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v7.0.9-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: ed9f59753468556b363f90798be23c600d16ef5f + version: 4ec9187017cb7832f521fc273fabd0a873ca2736 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 From 4cd9e65d6dc47166b8584870ac88f84ebedb439d Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Wed, 1 Mar 2023 20:09:54 +0000 Subject: [PATCH 39/71] update ntfy 2.1.0 -> 2.1.1 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 410dc446..c8d6ed7d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: v9.4.1-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.1.0-0 + version: v2.1.1-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.9-0 From 227d9d820900d15fd2a3dbf06283c805b721928d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 1 Mar 2023 23:14:40 +0200 Subject: [PATCH 40/71] Fix variable name typo --- roles/custom/matrix-bot-maubot/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml index 97f189c4..60b87861 100644 --- a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml +++ b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml @@ -53,7 +53,7 @@ name: "{{ matrix_bot_maubot_docker_image }}" source: build force_source: "{{ matrix_bot_maubot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_maubot_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_bot_maubot_docker_src_files_path }}" From 4ccd3f79de54d3c86a1cebb0ea4ec8c33ddde8d4 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 2 Mar 2023 03:58:03 +0100 Subject: [PATCH 41/71] Fix Draupnir config Config was accidently changed when importing upstream changes. --- .../matrix-bot-draupnir/templates/production.yaml.j2 | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index 2dbff886..95acbd35 100644 --- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 
@@ -36,7 +36,7 @@ autojoinOnlyIfManager: true # If `autojoinOnlyIfManager` is false, only the members in this space can invite # the bot to new rooms. -acceptInvitesFromSpace: "!example:example.org" +#acceptInvitesFromSpace: "!example:example.org" # Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). recordIgnoredInvites: false @@ -49,11 +49,11 @@ recordIgnoredInvites: false # # Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room. # (see verboseLogging to adjust this a bit.) -managementRoom: "#moderators:example.org" +managementRoom: "{{ matrix_bot_draupnir_management_room }}" # Whether Draupnir should log a lot more messages in the room, # mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room. -verboseLogging: true +verboseLogging: false # The log level of terminal (or container) output, # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. @@ -130,7 +130,7 @@ admin: # (with enough permissions) to "make" a user an admin. # # This only works if a local user with enough admin permissions is present in the room. - enableMakeRoomAdminCommand: true + enableMakeRoomAdminCommand: false # Misc options for command handling and commands commands: @@ -146,6 +146,7 @@ commands: # Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`. additionalPrefixes: - "draupnir-bot" + - "draupnir_bot" - "draupnir" # Whether or not commands with a wildcard (*) will require an additional `--force` argument From 4f74d21ba8d53f6b9c7651ddf3e6568f49bd705b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 2 Mar 2023 10:31:23 +0200 Subject: [PATCH 42/71] Upgrade devture/ansible (2.13.6-r0-1 -> 2.13.6-r0-2) The new version includes the `passlib` Python module. --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
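Review bot: `managementRoom: "{{ matrix_bot_draupnir_management_room }}"` interpolates the variable inside a YAML double-quoted scalar, so a value containing `"` or `\` would either break the rendered config or be silently altered by the YAML parser's escape handling. Rendering it with `to_json` yields a correctly quoted scalar for any value: `managementRoom: {{ matrix_bot_draupnir_management_room | to_json }}`. Room IDs and aliases normally contain neither character, so this is a hardening/style point rather than a live defect; the `enableMakeRoomAdminCommand: false` and `verboseLogging: false` defaults restored in the same file are the safer choices.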
diff --git a/docs/ansible.md b/docs/ansible.md index 60be6164..dcda338a 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -65,7 +65,7 @@ docker run -it --rm \ -w /work \ -v `pwd`:/work \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.13.6-r0-1 +docker.io/devture/ansible:2.13.6-r0-2 ``` Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. From ae76db4d77d3ee52e69c7d254122747f31a010da Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 2 Mar 2023 16:06:01 +0200 Subject: [PATCH 43/71] Upgrade com.devture.ansible.role.traefik_certs_dumper for wait time increase (60 -> 180 sec.) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c8d6ed7d..3fc359f7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -52,4 +52,4 @@ version: 4ec9187017cb7832f521fc273fabd0a873ca2736 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git - version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27 + version: 55051deb663f7a30bf01637df7dd6b6bc2a7ce00 From 124fbeda045857233880478da814cb99444860ef Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 2 Mar 2023 22:50:13 +0200 Subject: [PATCH 44/71] Switch to using an external Etherpad role This new role also adds native Traefik support and support for other (non-`amd64`) architectures via self-building. --- CHANGELOG.md | 33 ++++- docs/configuring-playbook-etherpad.md | 69 +++++++---- group_vars/matrix_servers | 65 +++++++--- playbooks/matrix.yml | 3 +- requirements.yml | 3 + .../etherpad-proxy-connect/defaults/main.yml | 11 ++ .../tasks/inject_into_nginx_proxy.yml | 10 +- .../etherpad-proxy-connect/tasks/main.yml | 12 ++ .../tasks/validate_config.yml | 32 +++++ roles/custom/matrix-base/defaults/main.yml | 2 +- .../custom/matrix-etherpad/defaults/main.yml | 102 --------------- roles/custom/matrix-etherpad/tasks/main.yml | 29 ----- .../matrix-etherpad/tasks/setup_install.yml | 34 ----- .../matrix-etherpad/tasks/setup_uninstall.yml | 25 ---- .../matrix-etherpad/tasks/validate_config.yml | 15 --- .../templates/settings.json.j2 | 116 ------------------ .../systemd/matrix-etherpad.service.j2 | 44 ------- .../matrix-nginx-proxy/defaults/main.yml | 5 - .../matrix-nginx-proxy/templates/labels.j2 | 12 -- 19 files changed, 189 insertions(+), 433 deletions(-) create mode 100644 roles/custom/etherpad-proxy-connect/defaults/main.yml rename roles/custom/{matrix-etherpad => etherpad-proxy-connect}/tasks/inject_into_nginx_proxy.yml (81%) create mode 100644 roles/custom/etherpad-proxy-connect/tasks/main.yml create mode 100644 roles/custom/etherpad-proxy-connect/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-etherpad/defaults/main.yml delete mode 100644 roles/custom/matrix-etherpad/tasks/main.yml delete mode 100644 roles/custom/matrix-etherpad/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-etherpad/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-etherpad/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-etherpad/templates/settings.json.j2 delete mode 100644 
roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index cd592337..790406f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,32 @@ +# 2023-03-02 + +## The matrix-etherpad role lives independently now + +**TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact. + +You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not. + +If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file: + +- Rename `matrix_etherpad_public_endpoint` to `etherpad_path_prefix` + +- Replace `matrix_etherpad_mode: dimension` with: + - for `matrix-nginx-proxy` users: + - `etherpad_nginx_proxy_dimension_integration_enabled: true` + - `etherpad_hostname: "{{ matrix_server_fqn_dimension }}"` + - for Traefik users: + - define your own `etherpad_hostname` and `etherpad_path_prefix` as you see fit + +- Rename all other variables: + - `matrix_etherpad_docker_image_` -> `matrix_etherpad_container_image_` + - `matrix_etherpad_` -> `etherpad_` + +Along with this relocation, the new role also: + +- supports [self-building](docs/self-building.md), so it should work on `arm32` and `arm64` architectures +- has native Traefik reverse-proxy support (Etherpad requests no longer go through `matrix-nginx-proxy` when using Traefik) + + # 2023-02-26 ## Traefik is the default reverse-proxy now 
@@ -483,11 +512,11 @@ Various services (like Dimension, etc.) still talk to Synapse via `matrix-nginx- Until now, [Etherpad](https://etherpad.org/) (which [the playbook could install for you](docs/configuring-playbook-etherpad.md)) required the [Dimension integration manager](docs/configuring-playbook-dimension.md) to also be installed, because Etherpad was hosted on the Dimension domain (at `dimension.DOMAIN/etherpad`). -From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`matrix_etherpad_mode: standalone`). +From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`etherpad_mode: standalone`). If you've already got both Etherpad and Dimension in use you could: -- **either** keep hosting Etherpad under the Dimension domain by adding `matrix_etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary. +- **either** keep hosting Etherpad under the Dimension domain by adding `etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary. - **or**, you could change to hosting Etherpad separately on `etherpad.DOMAIN`. You will need to [configure a DNS record](docs/configuring-dns.md) for this new domain. You will also need to reconfigure Dimension to use the new pad URLs (`https://etherpad.DOMAIN/...`) going forward (refer to our [configuring Etherpad documentation](docs/configuring-playbook-etherpad.md)). All your existing room widgets (which still use `https://dimension.DOMAIN/etherpad/...`) will break as Etherpad is not hosted there anymore. 
You will need to re-add them or to consider not using `standalone` mode diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index 22c782f4..76ad2f59 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md 
@@ -1,19 +1,41 @@ # Setting up Etherpad (optional) -[Etherpad](https://etherpad.org) is is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app. +[Etherpad](https://etherpad.org) is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app. When enabled together with the Jitsi audio/video conferencing system (see [our docs on Jitsi](configuring-playbook-jitsi.md)), it will be made available as an option during the conferences. -## Prerequisites +## Decide on a domain and path -Etherpad can be installed in 2 modes: +By default, Etherpad is configured to use its own dedicated domain (`etherpad.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). -- (default) `standalone` mode (`matrix_etherpad_mode: standalone`) - Etherpad will be hosted on `etherpad.` (`matrix_server_fqn_etherpad`), so the DNS record for this domian must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up the `etherpad` DNS record correctly +You can override the domain and path like this: -- `dimension` mode (`matrix_etherpad_mode: dimension`) - Etherpad will be hosted on `dimension./etherpad` (`matrix_server_fqn_dimension`). This requires that you **first** configure the **Dimension integrations manager** as described in [the playbook documentation](configuring-playbook-dimension.md) +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Etherpad. +etherpad_hostname: "{{ matrix_server_fqn_matrix }}" -We recomend that you go with the default (`standalone`) mode, which makes Etherpad independent and allows it to be used with or without Dimension. 
+# Expose under the /etherpad subpath +etherpad_path_prefix: /etherpad +``` + +**NOTE**: When using the old `matrix-nginx-proxy` reverse-proxy instead of Traefik, you have only 2 choices: + +- serving Etherpad at its own dedicated domain: + - you need to set the domain using the `matrix_server_fqn_etherpad` variable (not `etherpad_hostname`) + - you must use `etherpad_path_prefix: /` +- serving Etherpad at the [Dimension](configuring-playbook-dimension.md) integration manager's domain (`matrix_server_fqn_dimension`) + - you need to have Dimension enabled + - you need to add `etherpad_path_prefix: /etherpad` or another prefix (different than `/`) + - you need to add `etherpad_nginx_proxy_dimension_integration_enabled: true` to enable this integration + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Etherpad domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. ## Installing 
@@ -21,48 +43,51 @@ We recomend that you go with the default (`standalone`) mode, which makes Etherp [Etherpad](https://etherpad.org) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_etherpad_enabled: true - -# Uncomment below if you'd like to install Etherpad on the Dimension domain (not recommended) -# matrix_etherpad_mode: dimension +etherpad_enabled: true # Uncomment below to enable the admin web UI -# matrix_etherpad_admin_username: admin -# matrix_etherpad_admin_password: some-password +# etherpad_admin_username: admin +# etherpad_admin_password: some-password ``` -If enabled, the admin web-UI should then be available on `https://etherpad./admin` (or `https://dimension./etherpad/admin`, if `matrix_etherpad_mode: dimension`) +Then, [run the installation process](installing.md) again (e.g. `just install-all`). -## Managing / Deleting old pads +## Usage + +The Etherpad UI should be available at `https://etherpad.`, while the admin UI (if enabled) should then be available at `https://etherpad./admin`. + +If you've [decided on another hostname or path-prefix](#decide-on-a-domain-and-path) (e.g. `https://matrix.DOMAIN/etherpad`), adjust these URLs accordingly before usage. + + +### Managing / Deleting old pads If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above. -Then from the plugin manager page (`https://etherpad./admin/plugins` or `https://dimension./etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. +Then from the plugin manager page (`https://etherpad./admin/plugins`, install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI. 
-## How to use Etherpad widgets without an Integration Manager (like Dimension) +### How to use Etherpad widgets without an Integration Manager (like Dimension) This is how it works in Element, it might work quite similar with other clients: To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN`. When the pad opens, copy the URL and send a command like this to the room: `/addwidget URL`. You will then find your integrated Etherpad within the right sidebar in the `Widgets` section. -## Set Dimension default to the self-hosted Etherpad (optional) +### Set Dimension default to the self-hosted Etherpad (optional) If you decided to install [Dimension integration manager](configuring-playbook-dimension.md) alongside Etherpad, the Dimension administrator users can configure the default URL template. The Dimension configuration menu can be accessed with the sprocket icon as you begin to add a widget to a room in Element. There you will find the Etherpad Widget Configuration action beneath the _Widgets_ tab. -### Removing the integrated Etherpad chat +#### Removing the integrated Etherpad chat -If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Examples: -- `https://etherpad./p/$roomId_$padName?showChat=false` (for the default - `matrix_etherpad_mode: standalone`) +If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. -- `https://dimension./etherpad/p/$roomId_$padName?showChat=false` (for `matrix_etherpad_mode: dimension`) +Example: `https://etherpad./p/$roomId_$padName?showChat=false` -### Known issues +## Known issues If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. `$roomId_$padName` can end up being longer than 50 characters. 
You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`.
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 6e40aba7..6acc7dde 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -304,7 +304,7 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-email2matrix.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'email2matrix']}] if matrix_email2matrix_enabled else [])
+
- ([{'name': 'matrix-etherpad.service', 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if matrix_etherpad_enabled else [])
+ ([{'name': (etherpad_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if etherpad_enabled else [])
+
([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else [])
+
@@ -2208,29 +2208,55 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_
######################################################################
#
-# matrix-etherpad
+# etke/etherpad
#
######################################################################
-matrix_etherpad_enabled: false
+etherpad_enabled: false
-matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+etherpad_identifier: matrix-etherpad
-matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}"
+etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
-matrix_etherpad_systemd_required_services_list: |
+etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
+
+etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}"
+
+etherpad_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
+
+etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+
+etherpad_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else etherpad_identifier }}"
+
+etherpad_container_additional_networks: |
+ {{
+ (
+ ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+ +
+ ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != etherpad_container_network else [])
+ ) | unique
+ }}
+
+etherpad_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+etherpad_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+etherpad_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+etherpad_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+etherpad_systemd_required_services_list: |
{{
['docker.service']
+
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
}}
-matrix_etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
-matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}"
+etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
+etherpad_database_name: matrix_etherpad
+etherpad_database_username: matrix_etherpad
+etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}"
######################################################################
#
-# /matrix-etherpad
+# /etke/etherpad
#
######################################################################
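Review bot: The Etherpad settings these new `etherpad_*` variables feed are now rendered by the external etke.cc `etherpad` role, while the deleted `roles/custom/matrix-etherpad/templates/settings.json.j2` later in this patch carried explicit hardening (`"exposeVersion": false`, `"disableIPlogging": true`, `"trustProxy": true`, a `Lax` session cookie and the `importExportRateLimiting`/`commitRateLimiting` limits) that is no longer visible anywhere in this repository; confirm the new role's defaults keep those settings, or pin them here through whatever override variable it exposes. `etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}"` at the top of the hunk also deserves a why-comment, since framing presumably relaxes the role's frame-ancestors/X-Frame-Options protection, e.g. `# Allow Etherpad to be embedded by Dimension widgets and Jitsi conferences; stays off when neither is enabled`.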
@@ -2298,9 +2324,9 @@ matrix_jitsi_web_stun_servers: |
# If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences,
# unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false.
# Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true,
-# while also setting `matrix_etherpad_enabled` to false.
-matrix_jitsi_etherpad_enabled: "{{ matrix_etherpad_enabled }}"
-matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
+# while also setting `etherpad_enabled` to false.
+matrix_jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
+matrix_jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
# Allow verification using JWT and matrix-UVS
matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
@@ -2468,7 +2494,7 @@ matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matr
matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
-matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
+matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
@@ -2484,7 +2510,6 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent
matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
-matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
@@ -2576,7 +2601,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
+
(['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else [])
+
- (['matrix-etherpad.service'] if matrix_etherpad_enabled else [])
+ ([etherpad_identifier + '.service'] if etherpad_enabled else [])
+
(['matrix-hookshot.service'] if matrix_hookshot_enabled else [])
}}
@@ -2597,7 +2622,7 @@ matrix_ssl_domains_to_obtain_certificates_for: |
+
([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
+
- ([matrix_server_fqn_etherpad] if (matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone') else [])
+ ([matrix_server_fqn_etherpad] if (etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled) else [])
+
([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
+
@@ -2888,10 +2913,10 @@ devture_postgres_managed_databases_auto: |
}] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == devture_postgres_connection_hostname) else [])
+
([{
- 'name': matrix_etherpad_database_name,
- 'username': matrix_etherpad_database_username,
- 'password': matrix_etherpad_database_password,
- }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == devture_postgres_connection_hostname) else [])
+ 'name': etherpad_database_name,
+ 'username': etherpad_database_username,
+ 'password': etherpad_database_password,
+ }] if (etherpad_enabled and etherpad_database_engine == 'postgres' and etherpad_database_hostname == devture_postgres_connection_hostname) else [])
+
([{
'name': prometheus_postgres_exporter_database_name,
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index 6a8987bf..6a66dc58 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
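Review bot: In the `matrix_ssl_domains_to_obtain_certificates_for` hunk the certificate is still requested for `matrix_server_fqn_etherpad`, whereas the new role serves whatever `etherpad_hostname` is set to; the docs hunk earlier in this patch tells matrix-nginx-proxy users to set `matrix_server_fqn_etherpad` rather than `etherpad_hostname`, but nothing in this diff enforces that the two agree. Unless `etherpad_hostname` is derived from `matrix_server_fqn_etherpad` somewhere outside this diff, a user who sets only `etherpad_hostname` under matrix-nginx-proxy ends up with a certificate for the wrong name; consider `([etherpad_hostname] if (etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled) else [])` here, or a validate_config check that the two variables match. The enclosing list expression starts and ends outside the hunk.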
@@ -103,7 +103,8 @@
- custom/matrix-ldap-registration-proxy
- custom/matrix-ma1sd
- custom/matrix-dimension
- - custom/matrix-etherpad
+ - galaxy/etherpad
+ - custom/etherpad-proxy-connect
- custom/matrix-email2matrix
- custom/matrix-sygnal
- galaxy/ntfy
diff --git a/requirements.yml b/requirements.yml
index 3fc359f7..89d26802 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -48,6 +48,9 @@
- src: git+https://gitlab.com/etke.cc/roles/redis.git
version: v7.0.9-0
+- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
+ version: v1.8.18-0
+
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: 4ec9187017cb7832f521fc273fabd0a873ca2736
diff --git a/roles/custom/etherpad-proxy-connect/defaults/main.yml b/roles/custom/etherpad-proxy-connect/defaults/main.yml
new file mode 100644
index 00000000..83df826f
--- /dev/null
+++ b/roles/custom/etherpad-proxy-connect/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+
+# etherpad-proxy-connect is a compatibility role connecting the new Etherpad role with matrix-nginx-proxy.
+# It adds back support for serving Etherpad under the Dimension domain (`matrix_server_fqn_dimension`).
+
+# Controls whether Etherpad will be hosted under the Dimension domain when matrix-nginx-proxy is used (depending on matrix_playbook_reverse_proxy_type).
+# If you're not using matrix-nginx-proxy, then this value has no effect.
+etherpad_nginx_proxy_dimension_integration_enabled: false
+
+# Controls the path at which Etherpad will be exposed on the Dimension domain.
+etherpad_nginx_proxy_dimension_integration_path_prefix: "{{ etherpad_path_prefix }}"
diff --git a/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml
similarity index 81%
rename from roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml
rename to roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml
index e32cdf96..6252dba1 100644
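Review bot: In the requirements.yml hunk the new `etke.cc/roles/etherpad` dependency is pinned to the git tag `v1.8.18-0`, which the remote repository owner can move, while the `com.devture.ansible.role.traefik` entry two lines below is pinned to an immutable commit hash. Since this role now renders Etherpad's settings and systemd unit for every deployment, pinning it by commit (`version: <commit-hash of the v1.8.18-0 tag>`) keeps installs reproducible and makes an unexpected upstream change visible as a diff here. If tags are the deliberate convention for etke.cc roles (the `redis` entry above uses one too), a one-line comment recording that trust decision would help future reviewers.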
--- a/roles/custom/matrix-etherpad/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml
@@ -11,14 +11,14 @@
- name: Generate Etherpad proxying configuration for matrix-nginx-proxy
ansible.builtin.set_fact:
- matrix_etherpad_matrix_nginx_proxy_configuration: |
- rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
+ etherpad_matrix_nginx_proxy_configuration: |
+ rewrite ^{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ permanent;
- location {{ matrix_etherpad_public_endpoint }}/ {
+ location {{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
- proxy_pass http://matrix-etherpad:9001/;
+ proxy_pass http://{{ etherpad_identifier }}:9001/;
{# These are proxy directives needed specifically by Etherpad #}
proxy_buffering off;
proxy_http_version 1.1; # recommended with keepalive connections
@@ -42,5 +42,5 @@
{{
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([])
+
- [matrix_etherpad_matrix_nginx_proxy_configuration]
+ [etherpad_matrix_nginx_proxy_configuration]
}}
diff --git a/roles/custom/etherpad-proxy-connect/tasks/main.yml b/roles/custom/etherpad-proxy-connect/tasks/main.yml
new file mode 100644
index 00000000..67bf7d0e
--- /dev/null
+++ b/roles/custom/etherpad-proxy-connect/tasks/main.yml
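Review bot: `proxy_pass http://{{ etherpad_identifier }}:9001/;` in the first hunk depends on nginx resolving the Etherpad container by name, which the group_vars hunk in this patch arranges by putting the container on `matrix_nginx_proxy_container_network` only when `matrix_playbook_reverse_proxy_type` is `playbook-managed-nginx`; the template itself does not say so, and the hardcoded `9001` is the container-internal port rather than `etherpad_container_http_host_bind_port`. Add `{# {{ etherpad_identifier }} resolves here only because group_vars joins the Etherpad container to the matrix-nginx-proxy network for playbook-managed-nginx; 9001 is the container-internal port #}` above the `resolver` line. The rest of the generated block, including any `{% else %}` branch for the non-container nginx case, lies outside the hunk.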
@@ -0,0 +1,12 @@
+---
+
+- when: etherpad_enabled | bool and etherpad_nginx_proxy_dimension_integration_enabled | bool
+ block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
+ tags:
+ - install-all
+ - setup-all
+ - install-nginx-proxy
+ - setup-nginx-proxy
diff --git a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml
new file mode 100644
index 00000000..2127ce1a
--- /dev/null
+++ b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml
@@ -0,0 +1,32 @@
+---
+
+- when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container']
+ name: Fail if reverse-proxy is not nginx
+ ansible.builtin.fail:
+ msg: >
+ Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using matrix-nginx-proxy.
+ `matrix_playbook_reverse_proxy_type` ({{ matrix_playbook_reverse_proxy_type }}) indicates that you're using another reverse-proxy.
+ If you're using Traefik, you should configure `etherpad_hostname` and `etherpad_path_prefix` instead.
+
+- when: not matrix_dimension_enabled
+ name: Fail if Dimension not enabled
+ ansible.builtin.fail:
+ msg: >
+ Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using Dimension.
+ Looks like Dimension is not enabled in your configuration (judging by `matrix_dimension_enabled`).
+ Consider configuring `etherpad_hostname` and `etherpad_path_prefix` instead.
+
+- when: etherpad_hostname != matrix_server_fqn_dimension
+ name: Fail if Etherpad hostname does not match Dimension hostname
+ ansible.builtin.fail:
+ msg: >
+ Etherpad's integration into matrix-nginx-proxy's Dimension server requires that you set `etherpad_hostname` to `matrix_server_fqn_dimension`.
+ Consider adding this to your configuration: `{% raw %}etherpad_hostname: "{{ matrix_server_fqn_dimension }}"{% endraw %}`
+
+- when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/'
+ name: Fail if / path prefix used for Etherpad
+ ansible.builtin.fail:
+ msg: >
+ Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using a non-`/` path for Etherpad.
+ You've chosen a path prefix of `/` in `etherpad_nginx_proxy_dimension_integration_path_prefix`.
+ The `/` path must go to Dimension itself, so you need to pick a different prefix (e.g. `/etherpad`).
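Review bot: The last task only rejects a prefix equal to the literal `/`, but `etherpad_nginx_proxy_dimension_integration_path_prefix` is inserted verbatim into the `rewrite ^…$` regex and the `location …/` directive in the inject_into_nginx_proxy.yml hunk earlier in this patch, so a value without a leading slash never matches and a value with a trailing slash renders `//` paths (and regex metacharacters in the prefix change the pattern). Adding a format check next to the existing task keeps the failure at validation time instead of surfacing as a broken nginx configuration; the check below subsumes the `== '/'` case, so the two could be merged.

```yaml
- when: not etherpad_nginx_proxy_dimension_integration_path_prefix.startswith('/') or etherpad_nginx_proxy_dimension_integration_path_prefix.endswith('/')
  name: Fail if Etherpad path prefix is malformed
  ansible.builtin.fail:
    msg: >
      `etherpad_nginx_proxy_dimension_integration_path_prefix` must start with `/` and must not end with `/`,
      because it is inserted verbatim into the `rewrite` and `location` directives generated for matrix-nginx-proxy.
```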
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index 403af983..98a2167e 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -72,7 +72,7 @@ matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}"
# This is where you access the Dimension.
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
-# This is where you access the etherpad (if enabled via matrix_etherpad_enabled; disabled by default).
+# This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default).
matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}"
# For use with Go-NEB! (github callback url for example)
diff --git a/roles/custom/matrix-etherpad/defaults/main.yml b/roles/custom/matrix-etherpad/defaults/main.yml
deleted file mode 100644
index 874e9a30..00000000
--- a/roles/custom/matrix-etherpad/defaults/main.yml
+++ /dev/null
@@ -1,102 +0,0 @@
----
-# Project source code URL: https://github.com/ether/etherpad-lite
-
-matrix_etherpad_enabled: false
-
-# standalone = etherpad installed on subdomain (etherpad.DOMAIN) and can be used as-is
-# dimension = etherpad installed in subdir of dimension (dimension.DOMAIN/etherpad) and can be used with dimension
-matrix_etherpad_mode: standalone
-
-matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
-
-matrix_etherpad_version: 1.8.18
-matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}"
-matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}"
-
-# List of systemd services that matrix-etherpad.service depends on.
-matrix_etherpad_systemd_required_services_list: ['docker.service']
-
-# List of systemd services that matrix-etherpad.service wants
-matrix_etherpad_systemd_wanted_services_list: []
-
-# Container user has to be able to write to the source file directories until this bug is fixed:
-# https://github.com/ether/etherpad-lite/issues/2683
-matrix_etherpad_user_uid: '5001'
-matrix_etherpad_user_gid: '5001'
-
-# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container).
-#
-# Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose.
-matrix_etherpad_container_http_host_bind_port: ''
-
-# A list of extra arguments to pass to the container
-matrix_etherpad_container_extra_arguments: []
-
-# Used only when `matrix_etherpad_mode: dimension`
-matrix_etherpad_public_endpoint: '/etherpad'
-
-# By default, the Etherpad app can be accessed on etherpad subdomain
-matrix_etherpad_base_url: "https://{{ matrix_server_fqn_etherpad }}/"
-
-# Database-related configuration fields.
-#
-# Etherpad requires a dedicated database
-matrix_etherpad_database_engine: 'postgres'
-
-matrix_etherpad_database_username: 'matrix_etherpad'
-matrix_etherpad_database_password: 'some-password'
-matrix_etherpad_database_hostname: ''
-matrix_etherpad_database_port: 5432
-matrix_etherpad_database_name: 'matrix_etherpad'
-
-# If a admin username and password is set, the /admin web page will be
-# available.
-matrix_etherpad_admin_username: ''
-matrix_etherpad_admin_password: ''
-
-matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}'
-
-# Variables configuring the etherpad
-matrix_etherpad_title: 'Etherpad'
-matrix_etherpad_abiword: null
-matrix_etherpad_soffice: null
-matrix_etherpad_default_pad_text: |
- Welcome to Etherpad!
-
- This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!
-
- Get involved with Etherpad at https://etherpad.org
-
-# Default Etherpad configuration template which covers the generic use case.
-# You can customize it by controlling the various variables inside it.
-#
-# For a more advanced customization, you can extend the default (see `matrix_etherpad_configuration_extension_json`)
-# or completely replace this variable with your own template.
-matrix_etherpad_configuration_default: "{{ lookup('template', 'templates/settings.json.j2') }}"
-
-# Your custom JSON configuration for Etherpad goes here.
-# This configuration extends the default starting configuration (`matrix_etherpad_configuration_json`).
-#
-# You can override individual variables from the default configuration, or introduce new ones.
-#
-# If you need something more special, you can take full control by
-# completely redefining `matrix_etherpad_configuration_json`.
-#
-# Example configuration extension follows:
-#
-# matrix_etherpad_configuration_extension_json: |
-# {
-# "loadTest": true,
-# "commitRateLimiting": {
-# "duration": 1,
-# "points": 10
-# }
-# }
-#
-matrix_etherpad_configuration_extension_json: '{}'
-
-matrix_etherpad_configuration_extension: "{{ matrix_etherpad_configuration_extension_json | from_json if matrix_etherpad_configuration_extension_json | from_json is mapping else {} }}"
-
-# Holds the final Etherpad configuration (a combination of the default and its extension).
-# You most likely don't need to touch this variable. Instead, see `matrix_etherpad_configuration_json`.
-matrix_etherpad_configuration: "{{ matrix_etherpad_configuration_default | combine(matrix_etherpad_configuration_extension, recursive=True) }}"
diff --git a/roles/custom/matrix-etherpad/tasks/main.yml b/roles/custom/matrix-etherpad/tasks/main.yml
deleted file mode 100644
index eaafd98a..00000000
--- a/roles/custom/matrix-etherpad/tasks/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-
-- block:
- - when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension'
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- tags:
- - setup-all
- - setup-nginx-proxy
- - install-all
- - install-nginx-proxy
-
-- block:
- - when: matrix_etherpad_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
-
- - when: matrix_etherpad_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- - setup-all
- - setup-etherpad
- - install-all
- - install-etherpad
-
-- block:
- - when: not matrix_etherpad_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
- tags:
- - setup-all
- - setup-etherpad
diff --git a/roles/custom/matrix-etherpad/tasks/setup_install.yml b/roles/custom/matrix-etherpad/tasks/setup_install.yml
deleted file mode 100644
index d4e2952e..00000000
--- a/roles/custom/matrix-etherpad/tasks/setup_install.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-
-- name: Ensure Etherpad base path exists
- ansible.builtin.file:
- path: "{{ matrix_etherpad_base_path }}"
- state: directory
- mode: 0770
- owner: "{{ matrix_etherpad_user_uid }}"
- group: "{{ matrix_etherpad_user_gid }}"
-
-- name: Ensure Etherpad config installed
- ansible.builtin.copy:
- content: "{{ matrix_etherpad_configuration | to_nice_json }}"
- dest: "{{ matrix_etherpad_base_path }}/settings.json"
- mode: 0640
- owner: "{{ matrix_etherpad_user_uid }}"
- group: "{{ matrix_etherpad_user_gid }}"
-
-- name: Ensure Etherpad image is pulled
- community.docker.docker_image:
- name: "{{ matrix_etherpad_docker_image }}"
- source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
- force_source: "{{ matrix_etherpad_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
- force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_etherpad_docker_image_force_pull }}"
- register: result
- retries: "{{ devture_playbook_help_container_retries_count }}"
- delay: "{{ devture_playbook_help_container_retries_delay }}"
- until: result is not failed
-
-- name: Ensure matrix-etherpad.service installed
- ansible.builtin.template:
- src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2"
- dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service"
- mode: 0644
diff --git a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml b/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml
deleted file mode 100644
index e0382984..00000000
--- a/roles/custom/matrix-etherpad/tasks/setup_uninstall.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-
-- name: Check existence of matrix-etherpad service
- ansible.builtin.stat:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service"
- register: matrix_etherpad_service_stat
-
-- when: matrix_etherpad_service_stat.stat.exists | bool
- block:
- - name: Ensure matrix-etherpad is stopped
- ansible.builtin.service:
- name: matrix-etherpad
- state: stopped
- enabled: false
- daemon_reload: true
-
- - name: Ensure matrix-etherpad.service doesn't exist
- ansible.builtin.file:
- path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-etherpad.service"
- state: absent
-
- - name: Ensure Etherpad base directory doesn't exist
- ansible.builtin.file:
- path: "{{ matrix_etherpad_base_path }}"
- state: absent
diff --git a/roles/custom/matrix-etherpad/tasks/validate_config.yml b/roles/custom/matrix-etherpad/tasks/validate_config.yml
deleted file mode 100644
index 2bc773a6..00000000
--- a/roles/custom/matrix-etherpad/tasks/validate_config.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-- name: Fail if required Etherpad settings not defined
- ansible.builtin.fail:
- msg: >
- You need to define a required configuration setting (`{{ item.name }}`).
- when: "item.when | bool and vars[item.name] == ''"
- with_items:
- - {'name': 'matrix_etherpad_database_hostname', when: true}
-
-- name: Fail if wrong mode selected
- ansible.builtin.fail:
- msg: >-
- You're using Etherpad in 'dimension' mode (`matrix_etherpad_serving_mode: dimension`), which tries to host Etherpad at the Dimension subdomain - `{{ matrix_server_fqn_dimension }}`. However, this isn't possible because Dimension is not enabled. To resolve the problem, either enable Dimension (`matrix_dimension_enabled: true`) or switch Etherpad to standalone mode (`matrix_etherpad_mode: standalone`) and have it served on its own domain (`{{ matrix_server_fqn_etherpad }}`).
- when: matrix_etherpad_enabled | bool and matrix_etherpad_mode == 'dimension' and not matrix_dimension_enabled | default(False) | bool
diff --git a/roles/custom/matrix-etherpad/templates/settings.json.j2 b/roles/custom/matrix-etherpad/templates/settings.json.j2
deleted file mode 100644
index cc45d190..00000000
--- a/roles/custom/matrix-etherpad/templates/settings.json.j2
+++ /dev/null
@@ -1,116 +0,0 @@
-{
- "title": {{ matrix_etherpad_title|to_json }},
- "favicon": "favicon.ico",
- "skinName": "colibris",
- "skinVariants": "super-light-toolbar super-light-editor light-background",
- "ip": "::",
- "port": 9001,
- "showSettingsInAdminPage": true,
- "dbType": {{ matrix_etherpad_database_engine|to_json }},
- "dbSettings": {
- "database": {{ matrix_etherpad_database_name|to_json }},
- "host": {{ matrix_etherpad_database_hostname|to_json }},
- "password": {{ matrix_etherpad_database_password|to_json }},
- "port": {{ matrix_etherpad_database_port|to_json }},
- "user": {{ matrix_etherpad_database_username|to_json }}
- },
- "defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }},
- "suppressErrorsInPadText": false,
- "requireSession": false,
- "editOnly": false,
- "minify": true,
- "maxAge": 21600,
- "abiword": {{ matrix_etherpad_abiword|to_json }},
- "soffice": {{ matrix_etherpad_soffice|to_json }},
- "tidyHtml": null,
- "allowUnknownFileEnds": true,
- "requireAuthentication": false,
- "requireAuthorization": false,
- "trustProxy": true,
- "cookie": {
- "sameSite": "Lax"
- },
- "disableIPlogging": true,
- "automaticReconnectionTimeout": 0,
- "scrollWhenFocusLineIsOutOfViewport": {
- "percentage": {
- "editionAboveViewport": 0,
- "editionBelowViewport": 0
- },
- "duration": 0,
- "scrollWhenCaretIsInTheLastLineOfViewport": false,
- "percentageToScrollWhenUserPressesArrowUp": 0
- },
- "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
- "socketIo": {
- "maxHttpBufferSize": 10000
- },
- "loadTest": false,
- "dumpOnUncleanExit": false,
- "indentationOnNewLine": false,
- "importExportRateLimiting": {
- "windowMs": 90000,
- "max": 10
- },
- "importMaxFileSize": 52428800,
- "commitRateLimiting": {
- "duration": 1,
- "points": 10
- },
- "exposeVersion": false,
- "padOptions": {
- "noColors": false,
- "showControls": true,
- "showChat": false,
- "showLineNumbers": true,
- "useMonospaceFont": false,
- "userName": false,
- "userColor": false,
- "rtl": false,
- "alwaysShowChat": false,
- "chatAndUsers": false,
- "lang": "en-gb"
- },
-{% if matrix_etherpad_admin_username != "" and matrix_etherpad_admin_password != "" %}
- "users": {
- {{ matrix_etherpad_admin_username|to_json }}: {
- "password": {{ matrix_etherpad_admin_password|to_json }},
- "is_admin": true
- }
- },
-{% endif %}
- "padShortcutEnabled" : {
- "altF9": true,
- "altC": true,
- "cmdShift2": true,
- "delete": true,
- "return": true,
- "esc": true,
- "cmdS": true,
- "tab": true,
- "cmdZ": true,
- "cmdY": true,
- "cmdI": true,
- "cmdB": true,
- "cmdU": true,
- "cmd5": true,
- "cmdShiftL": true,
- "cmdShiftN": true,
- "cmdShift1": true,
- "cmdShiftC": true,
- "cmdH": true,
- "ctrlHome": true,
- "pageUp": true,
- "pageDown": true
- },
- "loglevel": "WARN",
- "logconfig" :
- { "appenders": [
- { "type": "console",
- "layout": {"type": "messagePassThrough"}
- }
- ]
- },
- "customLocaleStrings": {},
- "enableAdminUITests": false
-}
diff --git a/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2
deleted file mode 100644
index e0a10481..00000000
--- a/roles/custom/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2
+++ /dev/null
@@ -1,44 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Etherpad -{% for service in matrix_etherpad_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_etherpad_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-etherpad -ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-etherpad - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-etherpad \ - --log-driver=none \ - --user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - {% if matrix_etherpad_container_http_host_bind_port %} - -p {{ matrix_etherpad_container_http_host_bind_port }}:9001 \ - {% endif %} - --mount type=bind,src={{ matrix_etherpad_base_path }},dst=/data \ - {% for arg in matrix_etherpad_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_etherpad_docker_image }} \ - node --experimental-worker src/node/server.js \ - --settings /data/settings.json --credentials /data/credentials.json \ - --sessionkey /data/sessionkey.json --apikey /data/apijey.json - - -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-etherpad -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-etherpad - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 27978cae..daabcdb9 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -63,11 +63,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false
-matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)"
-
 matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false
 matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2
index 0aff6a05..4cf78b2e 100644
--- a/roles/custom/matrix-nginx-proxy/templates/labels.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2
@@ -39,18 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_
 {% endif %}
-{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %}
-# Etherpad
-traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }}
-traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web
-traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }}
-{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %}
-traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
-{% endif %}
-traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
-{% endif %}
-
-
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %}
 # Go NEB bot
 traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }}
From 795c3353958a9877616faf0c49c0bd09ee96ff9e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 2 Mar 2023 22:58:45 +0200
Subject: [PATCH 45/71] Upgrade Etherpad role (v1.8.18-0 -> v1.8.18-1)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 89d26802..d3fdefff 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -49,7 +49,7 @@
 version: v7.0.9-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
- version: v1.8.18-0
+ version: v1.8.18-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
 version: 4ec9187017cb7832f521fc273fabd0a873ca2736
From 849248b165b2e1b8a35babe9f49f5ebf05935a71 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 2 Mar 2023 23:00:18 +0200
Subject: [PATCH 46/71] Upgrade Etherpad role (v1.8.18-1 -> v1.8.18-2)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index d3fdefff..dc1c9d56 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -49,7 +49,7 @@
 version: v7.0.9-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
- version: v1.8.18-1
+ version: v1.8.18-2
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
 version: 4ec9187017cb7832f521fc273fabd0a873ca2736
From 47cfec726f1e640fe28dbb28f12ef7c34e01af23 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Fri, 3 Mar 2023 06:18:52 +0000
Subject: [PATCH 47/71] update grafana 9.4.1 -> 9.4.2
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index dc1c9d56..025c285c 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
 version: v1.2.3-1.7.7-1
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
- version: v9.4.1-0
+ version: v9.4.2-0
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
 version: v2.1.1-0
From bb19de4a5f63e47fadd46aba65802338b69b6fd9 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Fri, 3 Mar 2023 06:21:26 +0000
Subject: [PATCH 48/71] update borgmatic 1.7.7 -> 1.7.8
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index dc1c9d56..4ffbce13 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -37,7 +37,7 @@
 version: v0.11.1-2
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
- version: v1.2.3-1.7.7-1
+ version: v1.2.3-1.7.8-0
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
 version: v9.4.1-0
From 49b7d805ee3d03893a3208f0bef9b9d4fc8452a2 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 3 Mar 2023 08:58:23 +0200
Subject: [PATCH 49/71] Upgrade com.devture.ansible.role.traefik
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 025c285c..edb58785 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -52,7 +52,7 @@
 version: v1.8.18-2
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
- version: 4ec9187017cb7832f521fc273fabd0a873ca2736
+ version: v2.9.8-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
 version: 55051deb663f7a30bf01637df7dd6b6bc2a7ce00
From 0dcfc74fc83b947ad2f841940ed7b31e86c2ba9e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 3 Mar 2023 08:59:57 +0200
Subject: [PATCH 50/71] Upgrade com.devture.ansible.role.traefik_certs_dumper
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index edb58785..dbe3ded9 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -55,4 +55,4 @@
 version: v2.9.8-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
- version: 55051deb663f7a30bf01637df7dd6b6bc2a7ce00
+ version: v2.8.1-0
From 70b67b12bcf60d89efc19ea7cce4f7c63d3df955 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 3 Mar 2023 09:04:13 +0200
Subject: [PATCH 51/71] Upgrade com.devture.ansible.role.postgres_backup
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index dbe3ded9..b2fd25ec 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -22,7 +22,7 @@
 version: a1bb78d194434b38005f3a9e623bfa4b2c06c7bc
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
- version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b
+ version: 8e9ec48a09284c84704d7a2dce17da35f181574d
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
 version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096
From f8966cd8da533516aa1466fb2838045c4c1200cc Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 3 Mar 2023 09:47:05 +0200
Subject: [PATCH 52/71] Default etherpad_hostname to matrix_server_fqn_etherpad for backward compatibility
---
 group_vars/matrix_servers | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 6acc7dde..7f1a729f 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -2222,6 +2222,8 @@ etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
 etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}"
+etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
+
 etherpad_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
 etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
From e588f5eaec2329c1217b54a709cfdf5385067638 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Fri, 3 Mar 2023 07:47:47 +0000
Subject: [PATCH 53/71] update grafana 9.4.2 -> 9.4.3
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 5154cc73..3dd08913 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -40,7 +40,7 @@
 version: v1.2.3-1.7.8-0
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
- version: v9.4.2-0
+ version: v9.4.3-0
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
 version: v2.1.1-0
From 6085e3a8163cb497ed27e1002d5cd02438a736fe Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 3 Mar 2023 10:37:51 +0200
Subject: [PATCH 54/71] Add validation tasks for Etherpad migration (matrix_etherpad -> etherpad)
---
 .../matrix_playbook_migration/defaults/main.yml | 3 +++
 .../tasks/validate_config.yml | 15 +++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml
index 514125ec..dbc3b3b8 100644
--- a/roles/custom/matrix_playbook_migration/defaults/main.yml
+++ b/roles/custom/matrix_playbook_migration/defaults/main.yml
@@ -17,3 +17,6 @@ matrix_playbook_migration_matrix_ntfy_migration_validation_enabled: true
 # Controls if (`matrix_redis` -> `redis`) validation will run.
 matrix_playbook_migration_matrix_redis_migration_validation_enabled: true
+
+# Controls if (`matrix_etherpad` -> `etherpad`) validation will run.
+matrix_playbook_migration_matrix_etherpad_migration_validation_enabled: true
diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
index 2241d502..296f2daf 100644
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@@ -141,3 +141,18 @@
 Please change your configuration (vars.yml) to rename all variables (`matrix_redis_` -> `redis_`).
 We found usage of the following variables: {{ matrix_playbook_migration_redis_migration_vars.keys() | join(', ') }}
 when: "matrix_playbook_migration_redis_migration_vars | length > 0"
+
+- when: matrix_playbook_migration_matrix_etherpad_migration_validation_enabled | bool
+ block:
+ - ansible.builtin.set_fact:
+ matrix_playbook_migration_etherpad_migration_vars: |-
+ {{ vars | dict2items | selectattr('key', 'match', 'matrix_etherpad_.*') | list | items2dict }}
+
+ - name: (Deprecation) Catch and report matrix_etherpad variables
+ ansible.builtin.fail:
+ msg: >-
+ The matrix-etherpad role that used to be part of this playbook has been replaced by https://gitlab.com/etke.cc/roles/etherpad.
+ The new role is compatible with the old one, but uses different names for its variables.
+ Please change your configuration (vars.yml) to rename all variables (`matrix_etherpad_` -> `etherpad_`).
+ We found usage of the following variables: {{ matrix_playbook_migration_etherpad_migration_vars.keys() | join(', ') }}
+ when: "matrix_playbook_migration_etherpad_migration_vars | length > 0"
From 10b53503704d192d29008745f7d9c28e38f58e25 Mon Sep 17 00:00:00 2001
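Review bot: The `ansible.builtin.set_fact` task in the new block has no `name:`, so it shows up in play output only by module name; a one-liner such as `- name: Collect matrix_etherpad_* variables for the deprecation check` would match the named `fail` task beneath it. The `.*` in `selectattr('key', 'match', 'matrix_etherpad_.*')` is also redundant, since `match` anchors at the start of the key and does not require a full-string match, so `'matrix_etherpad_'` is equivalent and reads as the prefix it is. If the unnamed `set_fact` mirrors the redis and ntfy blocks above it (only the tail of the redis block is visible here), the first point applies to those as well.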
From: Slavi Pantaleev Date: Fri, 3 Mar 2023 10:38:38 +0200 Subject: [PATCH 55/71] Add Traefik support to Go-NEB bot Completely untested. --- docs/configuring-playbook-bot-go-neb.md | 29 ++++- group_vars/matrix_servers | 31 ++++- .../matrix-bot-go-neb/defaults/main.yml | 118 +++++++++++++++++- .../tasks/{setup_install.yml => install.yml} | 49 ++++---- roles/custom/matrix-bot-go-neb/tasks/main.yml | 4 +- .../{setup_uninstall.yml => uninstall.yml} | 0 .../custom/matrix-bot-go-neb/templates/env.j2 | 8 ++ .../matrix-bot-go-neb/templates/labels.j2 | 45 +++++++ .../systemd/matrix-bot-go-neb.service.j2 | 22 ++-- .../matrix-nginx-proxy/defaults/main.yml | 5 - .../matrix-nginx-proxy/templates/labels.j2 | 12 -- 11 files changed, 265 insertions(+), 58 deletions(-) rename roles/custom/matrix-bot-go-neb/tasks/{setup_install.yml => install.yml} (63%) rename roles/custom/matrix-bot-go-neb/tasks/{setup_uninstall.yml => uninstall.yml} (100%) create mode 100644 roles/custom/matrix-bot-go-neb/templates/env.j2 create mode 100644 roles/custom/matrix-bot-go-neb/templates/labels.j2 diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index 6ec2056c..77351de2 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md 
@@ -24,6 +24,31 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb Once the user is created you can [obtain an access token](obtaining-access-tokens.md). +## Decide on a domain and path + +By default, Go-NEB is configured to use its own dedicated domain (`goneb.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records). + +You can override the domain and path like this: + +```yaml +# Switch to the domain used for Matrix services (`matrix.DOMAIN`), +# so we won't need to add additional DNS records for Go-NEB. +matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_matrix }}" + +# Expose under the /go-neb subpath +matrix_bot_go_neb_path_prefix: /go-neb +``` + +**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_go_neb` (e.g. `matrix_server_fqn_go_neb: "mybot.{{ matrix_domain }}"`). + + +## Adjusting DNS records + +Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Go-NEB domain to the Matrix server. + +If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration. + + ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): @@ -193,9 +218,7 @@ matrix_bot_go_neb_services: ## Installing -Don't forget to add `goneb.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. - -After configuring the playbook, run the [installation](installing.md) command again: +After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 7f1a729f..0a3ff00b 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1829,17 +1829,41 @@ matrix_bot_chatgpt_container_image_self_build: "{{ matrix_architecture not in ['
 # We don't enable bots by default.
 matrix_bot_go_neb_enabled: false
+matrix_bot_go_neb_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+
+matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
+
+matrix_bot_go_neb_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-go-neb' }}"
+
+matrix_bot_go_neb_container_additional_networks: |
+ {{
+ (
+ ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+ +
+ ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_bot_go_neb_container_network else [])
+ +
+ ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_go_neb_container_network else [])
+ ) | unique
+ }}
+
+matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+
+matrix_bot_go_neb_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
+matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_bot_go_neb_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_bot_go_neb_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
 matrix_bot_go_neb_systemd_required_services_list: |
 {{
 ['docker.service']
 +
 ['matrix-' + matrix_homeserver_implementation + '.service']
 +
+ ([devture_postgres_identifier + '.service'] if devture_postgres_enabled else [])
+ +
 (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
 }}
-matrix_bot_go_neb_container_http_host_bind_port: "{{ 
(matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
-
 ######################################################################
 #
 # /matrix-bot-go-neb
@@ -2497,7 +2521,7 @@ matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and
 matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
-matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
+matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}"
@@ -2512,7 +2536,6 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent
 matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
-matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
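Review bot: `matrix_bot_go_neb_container_additional_networks` attaches the bot container to `devture_postgres_container_network`, and `matrix_bot_go_neb_systemd_required_services_list` now orders it after the Postgres unit, yet the role's own defaults further down in this commit still state that the database `MUST be "sqlite3". No other type is supported.` Unless Postgres support for Go-NEB is being added elsewhere, both terms give the container network reach to a database it cannot use and make its startup depend on a service it does not need; I would drop the `([devture_postgres_container_network] if ...)` and `([devture_postgres_identifier + '.service'] if ...)` terms, or leave a comment saying why they are there. The homeserver and reverse-proxy network terms are the ones the bot actually needs to reach anything.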
diff --git a/roles/custom/matrix-bot-go-neb/defaults/main.yml b/roles/custom/matrix-bot-go-neb/defaults/main.yml
index 61c5d54d..39b97b08 100644
--- a/roles/custom/matrix-bot-go-neb/defaults/main.yml
+++ b/roles/custom/matrix-bot-go-neb/defaults/main.yml
@@ -1,11 +1,22 @@
 ---
+
 # Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python.
 # Project source code URL: https://github.com/matrix-org/go-neb
 matrix_bot_go_neb_enabled: true
+
 matrix_bot_go_neb_version: latest
-matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}"
-matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}"
+
+matrix_bot_go_neb_scheme: https
+
+# The hostname at which Go-NEB is served.
+matrix_bot_go_neb_hostname: ''
+
+# The path at which Go-NEB is exposed.
+# This value must either be `/` or not end with a slash (e.g. `/go-neb`).
+matrix_bot_go_neb_path_prefix: /
+
+matrix_bot_go_neb_base_url: "{{ matrix_bot_go_neb_scheme }}://{{ matrix_bot_go_neb_hostname }}{{ matrix_bot_go_neb_path_prefix }}{{ '' if matrix_bot_go_neb_path_prefix == '/' else '/' }}"
 matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb"
 matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config"
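Review bot: `matrix_bot_go_neb_hostname` defaults to `''`, and `matrix_bot_go_neb_base_url` here (as well as the Traefik `Host(...)` rule in the next hunk) interpolates it unconditionally, so an inventory that forgets to set it renders `https:///` and an empty host matcher instead of failing early. The role's `validate_config.yml` is not part of this diff; if it does not already cover this, a guard such as `- name: Fail if matrix_bot_go_neb_hostname is not set` / `ansible.builtin.fail:` / `when: matrix_bot_go_neb_hostname == ''` would catch it at setup time. Minor wording: `# The path at which Go-NEB is exposed.` would read better as `# The path prefix at which Go-NEB is exposed.` to match the variable name it documents.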
@@ -13,11 +24,63 @@ matrix_bot_go_neb_config_path_in_container: "/config/config.yaml"
 matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data"
 matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store"
+matrix_bot_go_neb_container_image: "{{ matrix_bot_go_neb_container_image_registry_prefix }}matrixdotorg/go-neb:{{ matrix_bot_go_neb_container_image_tag }}"
+matrix_bot_go_neb_container_image_tag: "{{ matrix_bot_go_neb_version }}"
+matrix_bot_go_neb_container_image_force_pull: "{{ matrix_bot_go_neb_container_image.endswith(':latest') }}"
+matrix_bot_go_neb_container_image_registry_prefix: docker.io/
+
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_bot_go_neb_container_network: matrix-bot-go-neb
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to another reverse proxy, which runs in a different container network.
+matrix_bot_go_neb_container_additional_networks: []
+
 # Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container).
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:4050"), or empty string to not expose.
 matrix_bot_go_neb_container_http_host_bind_port: ''
+# matrix_bot_go_neb_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_bot_go_neb_container_labels_additional_labels`.
+matrix_bot_go_neb_container_labels_traefik_enabled: true
+matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_bot_go_neb_container_network }}"
+matrix_bot_go_neb_container_labels_traefik_hostname: "{{ matrix_bot_go_neb_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/go-neb`).
+matrix_bot_go_neb_container_labels_traefik_path_prefix: "{{ matrix_bot_go_neb_path_prefix }}"
+matrix_bot_go_neb_container_labels_traefik_rule: "Host(`{{ matrix_bot_go_neb_container_labels_traefik_hostname }}`){% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_go_neb_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_bot_go_neb_container_labels_traefik_priority: 0
+matrix_bot_go_neb_container_labels_traefik_entrypoints: web-secure
+matrix_bot_go_neb_container_labels_traefik_tls: "{{ matrix_bot_go_neb_container_labels_traefik_entrypoints != 'web' }}"
+matrix_bot_go_neb_container_labels_traefik_tls_certResolver: default # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom`
+matrix_bot_go_neb_container_labels_traefik_additional_response_headers: "{{ matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto: |
+ {{
+ {}
+ | combine ({'X-XSS-Protection': matrix_bot_go_neb_http_header_xss_protection} if matrix_bot_go_neb_http_header_xss_protection else {})
+ | combine ({'X-Frame-Options': matrix_bot_go_neb_http_header_frame_options} if matrix_bot_go_neb_http_header_frame_options else {})
+ | combine ({'X-Content-Type-Options': matrix_bot_go_neb_http_header_content_type_options} if matrix_bot_go_neb_http_header_content_type_options else {})
+ | combine ({'Content-Security-Policy': matrix_bot_go_neb_http_header_content_security_policy} if matrix_bot_go_neb_http_header_content_security_policy else {})
+ | combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {})
+ | combine 
({'Strict-Transport-Security': matrix_bot_go_neb_http_header_strict_transport_security} if matrix_bot_go_neb_http_header_strict_transport_security and matrix_bot_go_neb_container_labels_traefik_tls else {})
+ }}
+matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_bot_go_neb_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_bot_go_neb_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_bot_go_neb_container_labels_additional_labels: ''
+
 # A list of extra arguments to pass to the container
 matrix_bot_go_neb_container_extra_arguments: []
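Review bot: The header key `'Permission-Policy'` in `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto` is not the standard header name; the specification and browsers use `Permissions-Policy` (plural), which the comment "Controls whether to send a "Permissions-Policy interest-cohort=();" header" in the next hunk itself uses. As written, Traefik emits a header that nothing honours, so the FLoC opt-out that `matrix_bot_go_neb_floc_optout_enabled` promises never takes effect; change the key to `'Permissions-Policy'` and fix the matching "Specifies the value of the `Permission-Policy` header" comment and its MDN link in the next hunk as well. The `_auto` expression is otherwise fine, but note that the `| combine` chain here is what every later header variable feeds into, so a misnamed key is silently accepted by Ansible.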
@@ -27,6 +90,57 @@ matrix_bot_go_neb_systemd_required_services_list: ['docker.service']
 # List of systemd services that matrix-bot-go-neb.service wants
 matrix_bot_go_neb_systemd_wanted_services_list: []
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+matrix_bot_go_neb_http_header_xss_protection: "1; mode=block"
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+matrix_bot_go_neb_http_header_frame_options: SAMEORIGIN
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+matrix_bot_go_neb_http_header_content_type_options: nosniff
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+matrix_bot_go_neb_http_header_content_security_policy: frame-ancestors 'self'
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+matrix_bot_go_neb_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_bot_go_neb_floc_optout_enabled else '' }}"
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+matrix_bot_go_neb_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_bot_go_neb_hsts_preload_enabled else '' }}"
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `matrix_bot_go_neb_content_permission_policy`
+matrix_bot_go_neb_floc_optout_enabled: true
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `matrix_bot_go_neb_http_header_strict_transport_security`
+matrix_bot_go_neb_hsts_preload_enabled: false
+
 # Database-related configuration fields.
 #
 # MUST be "sqlite3". No other type is supported.
diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml b/roles/custom/matrix-bot-go-neb/tasks/install.yml
similarity index 63%
rename from roles/custom/matrix-bot-go-neb/tasks/setup_install.yml
rename to roles/custom/matrix-bot-go-neb/tasks/install.yml
index 1db16b91..9cb85db3 100644
--- a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-go-neb/tasks/install.yml
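Review bot: The comment above `matrix_bot_go_neb_floc_optout_enabled` points to `matrix_bot_go_neb_content_permission_policy`, but no variable of that name is defined in this hunk; the value it feeds is `matrix_bot_go_neb_http_header_content_permission_policy`, so the line should read `# See: matrix_bot_go_neb_http_header_content_permission_policy` (in backticks, matching the HSTS block below). Separately, `matrix_bot_go_neb_http_header_xss_protection: "1; mode=block"` enables a browser filter that is deprecated and, in the browsers that still implement it, has itself been the source of information-leak bugs; current OWASP guidance is to send `X-XSS-Protection: 0` or omit the header and rely on the `Content-Security-Policy` already configured here. This presumably mirrors the defaults the playbook's other roles ship, so it is better handled as a project-wide decision than as a change to this commit alone.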
@@ -1,8 +1,5 @@
 ---
-- ansible.builtin.set_fact:
- matrix_bot_go_neb_requires_restart: false
-
 - name: Ensure go-neb paths exist
 ansible.builtin.file:
 path: "{{ item.path }}"
@@ -16,17 +13,6 @@
 - {path: "{{ matrix_bot_go_neb_data_store_path }}", when: true}
 when: "item.when | bool"
-- name: Ensure go-neb image is pulled
- community.docker.docker_image:
- name: "{{ matrix_bot_go_neb_docker_image }}"
- source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
- force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
- force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}"
- register: result
- retries: "{{ devture_playbook_help_container_retries_count }}"
- delay: "{{ devture_playbook_help_container_retries_delay }}"
- until: result is not failed
-
 - name: Ensure go-neb config installed
 ansible.builtin.copy:
 content: "{{ matrix_bot_go_neb_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -35,16 +21,35 @@
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
+- name: Ensure go-neb support files installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/{{ item }}.j2"
+ dest: "{{ matrix_bot_go_neb_base_path }}/{{ item }}"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ with_items:
+ - env
+ - labels
+
+- name: Ensure go-neb container network is created
+ community.general.docker_network:
+ name: "{{ matrix_bot_go_neb_container_network }}"
+ driver: bridge
+
+- name: Ensure go-neb container image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_bot_go_neb_container_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_bot_go_neb_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_container_image_force_pull }}"
+ register: result
+ retries: "{{ devture_playbook_help_container_retries_count }}"
+ delay: "{{ devture_playbook_help_container_retries_delay }}"
+ until: result is not failed
+
 - name: Ensure matrix-bot-go-neb.service installed
 ansible.builtin.template:
 src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2"
 dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service"
 mode: 0644
- register: matrix_bot_go_neb_systemd_service_result
-
-- name: Ensure matrix-bot-go-neb.service restarted, if necessary
- ansible.builtin.service:
- name: "matrix-bot-go-neb.service"
- state: restarted
- daemon_reload: true
- when: "matrix_bot_go_neb_requires_restart | bool"
diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml
index 126f6ae0..3249fc7b 100644
--- a/roles/custom/matrix-bot-go-neb/tasks/main.yml
+++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml
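Review bot: The new network task uses `community.general.docker_network:` while the image task in the same hunk uses `community.docker.docker_image:`; the Docker modules live in the `community.docker` collection and the `community.general.*` names are only compatibility redirects, so `community.general.docker_network:` should become `community.docker.docker_network:` to stay consistent and not depend on the redirect. The support-files task renders `env` with `mode: 0640` and `owner`/`group` set, which is appropriate since `DATABASE_URL` and `BASE_URL` end up in that file; the `labels` file gets the same treatment for free, which is fine.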
@@ -4,7 +4,7 @@ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" tags: - setup-all @@ -13,7 +13,7 @@ - install-bot-go-neb - block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" tags: - setup-all diff --git a/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-go-neb/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml rename to roles/custom/matrix-bot-go-neb/tasks/uninstall.yml diff --git a/roles/custom/matrix-bot-go-neb/templates/env.j2 b/roles/custom/matrix-bot-go-neb/templates/env.j2 new file mode 100644 index 00000000..22e605e5 --- /dev/null +++ b/roles/custom/matrix-bot-go-neb/templates/env.j2 @@ -0,0 +1,8 @@ +BIND_ADDRESS=:4050 + +DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }} +DATABASE_URL={{ matrix_bot_go_neb_storage_database }} + +BASE_URL={{ matrix_bot_go_neb_base_url }} + +CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }} diff --git a/roles/custom/matrix-bot-go-neb/templates/labels.j2 b/roles/custom/matrix-bot-go-neb/templates/labels.j2 new file mode 100644 index 00000000..0ad8d98c --- /dev/null +++ b/roles/custom/matrix-bot-go-neb/templates/labels.j2 
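Review bot: Values in this env file are read by `docker --env-file` literally — no quote stripping, no escaping, no newlines — which differs from the old `-e 'DATABASE_URL=...'` form in the systemd unit, so `matrix_bot_go_neb_storage_database` must be rendered without surrounding quotes (as done here) and cannot contain a line break. Because `DATABASE_URL` may embed database credentials, the file is secret-bearing; a Jinja comment at the top, `{# Contains DATABASE_URL (may embed DB credentials); installed with mode 0640 by the role's install tasks #}`, would make that explicit without leaking into the rendered file. `BASE_URL` switches from the previously hard-coded `https://{{ matrix_server_fqn_bot_go_neb }}` to `matrix_bot_go_neb_base_url`; its default is not in the visible part of this patch, so confirm it is defined with an `https://` scheme.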
@@ -0,0 +1,45 @@ +{% if matrix_bot_go_neb_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_bot_go_neb_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-slashless-redirect'] %} +{% endif %} + +{% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-strip-prefix'] %} +{% endif %} + +{% if matrix_bot_go_neb_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_bot_go_neb_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-add-headers'] %} +{% endif %} + +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }} +{% if matrix_bot_go_neb_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.service={{ matrix_bot_go_neb_identifier }} +{% if middlewares | length 
> 0 %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }} +{% if matrix_bot_go_neb_container_labels_traefik_tls %} +traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.{{ matrix_bot_go_neb_identifier }}.loadbalancer.server.port=4050 +{% endif %} + +{{ matrix_bot_go_neb_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index a57df57e..150cd665 100644 --- a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 
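Review bot: The redirect middleware builds a Go regexp from `matrix_bot_go_neb_container_labels_traefik_path_prefix | quote`, but `quote` is Ansible's shell-quoting filter, not a regex escape; for a plain `/go-neb`-style prefix it is a no-op, while a prefix containing regex metacharacters would be neither escaped nor quoted in a way Traefik understands, so `| regex_escape` expresses the intent. Every router, service and middleware name in this template is derived from `matrix_bot_go_neb_identifier`, which this commit does not define anywhere visible; a later patch on this page hard-codes the names instead. The `customresponseheaders` values are emitted unescaped, so a value containing a newline would corrupt the label file — acceptable for an operator-controlled map, but worth a one-line comment above the loop.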
@@ -16,31 +16,37 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-go-neb \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-bot-go-neb \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - --network={{ matrix_docker_network }} \ + --network={{ matrix_bot_go_neb_container_network }} \ {% if matrix_bot_go_neb_container_http_host_bind_port %} -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ {% endif %} - -e 'BIND_ADDRESS=:4050' \ - -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ - -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ - -e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \ - -e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \ + --env-file={{ matrix_bot_go_neb_base_path }}/env \ + --label-file={{ matrix_bot_go_neb_base_path }}/labels \ --mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \ --mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \ --entrypoint=/bin/sh \ {% for arg in matrix_bot_go_neb_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_bot_go_neb_docker_image }} \ + {{ matrix_bot_go_neb_container_image }} \ -c "go-neb /config/config.yaml" +{% for network in matrix_bot_go_neb_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-go-neb +{% endfor %} + +ExecStart={{ 
devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-go-neb + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true' + Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-go-neb diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index daabcdb9..f7f214f3 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -63,11 +63,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host( matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" 
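Review bot: The `docker network connect` lines rendered for `matrix_bot_go_neb_container_additional_networks` are plain `ExecStartPre=` entries without the `-` failure-tolerant prefix, so if the list repeats the primary `matrix_bot_go_neb_container_network` or names a network that does not exist, the connect fails and the unit never reaches `ExecStart`. That is a defensible fail-loud choice, but it should be stated in a comment in the template or checked in the role's validate_config tasks, since the symptom is a unit stuck restarting every 30 seconds. The create line keeps the hardening (`--user`, `--cap-drop=ALL`, `--read-only`), and moving configuration into `--env-file` takes `DATABASE_URL` out of the unit text that `systemctl show` and journal logs expose.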
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 4cf78b2e..4fb567da 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -39,18 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_ {% endif %} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %} -# Go NEB bot -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }} -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %} -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %} # Jitsi traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }} From 6a6761cb88afe14d26c9458ea98f15cf662bfa91 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 5 Mar 2023 10:17:07 +0000 Subject: [PATCH 56/71] Update ntfy 2.1.1 -> 2.1.2 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3dd08913..158b4fde 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -43,7 +43,7 @@ version: v9.4.3-0 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git - version: v2.1.1-0 + version: v2.1.2-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.9-0 From 493de7316c2b35b40e7326ef3843803ffdb5ab08 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Sun, 5 Mar 2023 14:52:53 +0000 Subject: [PATCH 57/71] update honoroit 0.9.16 -> 0.9.17 * healthchecks.io integration * mutex on forwarding messages into thread * fix in prefixes handling * send error messages as thread reply when possible --- roles/custom/matrix-bot-honoroit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-honoroit/defaults/main.yml b/roles/custom/matrix-bot-honoroit/defaults/main.yml index e880df4f..42f76682 100644 --- a/roles/custom/matrix-bot-honoroit/defaults/main.yml +++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" -matrix_bot_honoroit_version: v0.9.16 +matrix_bot_honoroit_version: v0.9.17 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" From 449b51588e32a165ccf7e95c14f0370b0edd2b60 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 6 Mar 2023 08:51:21 +0200 Subject: [PATCH 58/71] Remove usage of undefined matrix_bot_go_neb_identifier variable This is a mistake made in 10b53503704d192d29008745. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2540 --- .../matrix-bot-go-neb/templates/labels.j2 | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/roles/custom/matrix-bot-go-neb/templates/labels.j2 b/roles/custom/matrix-bot-go-neb/templates/labels.j2 index 0ad8d98c..54aa2583 100644 --- a/roles/custom/matrix-bot-go-neb/templates/labels.j2 +++ b/roles/custom/matrix-bot-go-neb/templates/labels.j2 
@@ -8,38 +8,38 @@ traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_netw {% set middlewares = [] %} {% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-slashless-redirect'] %} +traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-bot-go-neb-slashless-redirect'] %} {% endif %} {% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-strip-prefix'] %} +traefik.http.middlewares.matrix-bot-go-neb-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-bot-go-neb-strip-prefix'] %} {% endif %} {% if matrix_bot_go_neb_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_bot_go_neb_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.{{ matrix_bot_go_neb_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.matrix-bot-go-neb-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + [matrix_bot_go_neb_identifier + '-add-headers'] %} +{% 
set middlewares = middlewares + ['matrix-bot-go-neb-add-headers'] %} {% endif %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }} +traefik.http.routers.matrix-bot-go-neb.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }} {% if matrix_bot_go_neb_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }} +traefik.http.routers.matrix-bot-go-neb.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.service={{ matrix_bot_go_neb_identifier }} +traefik.http.routers.matrix-bot-go-neb.service=matrix-bot-go-neb {% if middlewares | length > 0 %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.middlewares={{ middlewares | join(',') }} +traefik.http.routers.matrix-bot-go-neb.middlewares={{ middlewares | join(',') }} {% endif %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }} +traefik.http.routers.matrix-bot-go-neb.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-bot-go-neb.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }} {% if matrix_bot_go_neb_container_labels_traefik_tls %} -traefik.http.routers.{{ matrix_bot_go_neb_identifier }}.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }} +traefik.http.routers.matrix-bot-go-neb.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }} {% endif %} -traefik.http.services.{{ matrix_bot_go_neb_identifier }}.loadbalancer.server.port=4050 +traefik.http.services.matrix-bot-go-neb.loadbalancer.server.port=4050 {% endif %} {{ 
matrix_bot_go_neb_container_labels_additional_labels }} From bf2b54080789f7e82eeeb118f1ddccbc7ffffb83 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 09:08:04 +0200 Subject: [PATCH 59/71] Harden Traefik security by accessing the Docker API through docker-socket-proxy With these changes, we: - install https://github.com/Tecnativa/docker-socket-proxy via the https://github.com/devture/com.devture.ansible.role.container_socket_proxy Ansible role - make Traefik access the Docker API via TCP by connecting to this socket proxy - .. which allows us to run the Traefik container with less privileges (non-`root`, dropped capabilities) --- group_vars/matrix_servers | 43 ++++++++++++++++++++++++++++++++++++++- playbooks/matrix.yml | 2 ++ requirements.yml | 5 ++++- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0a3ff00b..d4bcd027 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -356,7 +356,9 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else []) + - ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else []) + + + ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else []) + ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else []) }} 
@@ -3821,6 +3823,31 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese ###################################################################### +######################################################################## +# # +# com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + +devture_container_socket_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" + +devture_container_socket_proxy_identifier: matrix-container-socket-proxy + +devture_container_socket_proxy_base_path: "{{ matrix_base_data_path }}/container-socket-proxy" + +devture_container_socket_proxy_uid: "{{ matrix_user_uid }}" +devture_container_socket_proxy_gid: "{{ matrix_user_gid }}" + +# Traefik requires read access to the containers APIs to do its job +devture_container_socket_proxy_api_containers_enabled: true + +######################################################################## +# # +# /com.devture.ansible.role.container_socket_proxy # +# # +######################################################################## + + ######################################################################## # # # com.devture.ansible.role.traefik # 
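Review bot: `devture_container_socket_proxy_api_containers_enabled: true` grants every client that can reach the proxy unauthenticated access to the `/containers` API, and in the upstream proxy's default configuration that includes `inspect` responses carrying each container's `Env` — the same bridge tokens and database passwords this playbook keeps out of unit files elsewhere. The hardening therefore holds only if nothing except Traefik is attached to `devture_container_socket_proxy_container_network` and the proxy publishes no host port; neither is asserted in this hunk (the role defaults are not visible here). A comment above this line such as `# Read access to /containers exposes inspect output, including container Env; keep the proxy network Traefik-only and unpublished` would record the assumption. The proxy itself still mounts the Docker socket and remains a root-equivalent component; the gain is that Traefik, which parses untrusted traffic, no longer does.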
@@ -3842,6 +3869,20 @@ devture_traefik_additional_entrypoints_auto: devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" +devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}" + +devture_traefik_container_additional_networks: | + {{ + ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else []) + }} + +devture_traefik_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else []) + }} + ######################################################################## # # # /com.devture.ansible.role.traefik # diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 6a66dc58..6e348df2 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -119,6 +119,8 @@ - custom/matrix-user-creator - custom/matrix-common-after + - role: galaxy/com.devture.ansible.role.container_socket_proxy + - when: matrix_playbook_traefik_role_enabled | bool role: galaxy/com.devture.ansible.role.traefik diff --git a/requirements.yml b/requirements.yml index 158b4fde..ad1f5eac 100644 --- a/requirements.yml +++ b/requirements.yml @@ -51,8 +51,11 @@ - src: git+https://gitlab.com/etke.cc/roles/etherpad.git version: v1.8.18-2 +- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git + version: v0.1.1-0 + - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.8-0 + version: v2.9.8-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: v2.8.1-0 From adcc6d9723086f65f1a7284a4d3eee03de56ac22 Mon Sep 17 00:00:00 2001 
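Review bot: The `devture_traefik_config_providers_docker_endpoint` fallback to `unix:///var/run/docker.sock` is unreachable as written — `devture_container_socket_proxy_enabled` and `devture_traefik_enabled` are both derived from `matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik'` — but it means anyone who overrides `devture_container_socket_proxy_enabled: false` silently puts Traefik back on the raw socket, undoing the privilege reduction this commit is about. A comment at this line, e.g. `# Disabling the socket proxy hands Traefik the raw Docker socket (root-equivalent); keep the proxy on`, would make the trade-off visible where it is configured. The TCP endpoint to the proxy is plain HTTP on a private bridge network, which is acceptable only while that network stays Traefik-and-proxy-only.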
From: Slavi Pantaleev Date: Mon, 6 Mar 2023 09:32:13 +0200 Subject: [PATCH 60/71] Relocate Traefik (to matrix-traefik.service && /matrix/traefik base path) The migration is automatic. Existing users should experience a bit of downtime until the playbook runs to completion, but don't need to do anything manually. This change is provoked by https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2535 While my statements there ("Traefik is a shared component among sibling/related playbooks and should retain its global non-matrix-prefixed name and path") do make sense, there's another point of view as well. With the addition of docker-socket-proxy support in bf2b54080789f7e, we potentially introduced another non-`matrix-`-prefixed systemd service and global path (`/devture-container-socket-proxy`). It would have started to become messy. Traefik always being called `devture-traefik.service` and using the `/devture-traefik` path has the following downsides: - different playbooks may write to the same place, unintentionally, before you disable the Traefik role in some of them. If each playbook manages its own installation, no such conflicts arise and you'll learn about the conflict when one of them starts its Traefik service and fails because the ports are already in use - the data is scattered - backing up `/matrix` is no longer enough when some stuff lives in `/devture-traefik` or `/devture-container-socket-proxy` as well; similarly, deleting `/matrix` is no longer enough to clean up For this reason, the Traefik instance managed by this playbook will now be called `matrix-traefik` and live under `/matrix/traefik`. This also makes it obvious to users running multiple playbooks, which Traefik instance (powered by which playbook) is the active one. Previously, you'd look at `devture-traefik.service` and wonder which role was managing it. 
--- group_vars/matrix_servers | 4 +++ .../matrix-base/templates/bin/remove-all.j2 | 11 +++--- .../devture_traefik_to_matrix_traefik.yml | 35 +++++++++++++++++++ .../matrix_playbook_migration/tasks/main.yml | 9 +++++ 4 files changed, 52 insertions(+), 7 deletions(-) create mode 100644 roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d4bcd027..c9f78345 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3858,6 +3858,10 @@ devture_container_socket_proxy_api_containers_enabled: true # See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" +devture_traefik_identifier: matrix-traefik + +devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik" + devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" diff --git a/roles/custom/matrix-base/templates/bin/remove-all.j2 b/roles/custom/matrix-base/templates/bin/remove-all.j2 index 46e1f757..2733ad78 100644 --- a/roles/custom/matrix-base/templates/bin/remove-all.j2 +++ b/roles/custom/matrix-base/templates/bin/remove-all.j2 
@@ -21,19 +21,16 @@ else rm -f {{ devture_systemd_docker_base_systemd_path }}/$s done - echo "Stop and remove devture services" - - for s in $(find {{ devture_systemd_docker_base_systemd_path }}/ -type f -name "devture-*" -printf "%f\n"); do - systemctl disable --now $s - rm -f {{ devture_systemd_docker_base_systemd_path }}/$s - done - systemctl daemon-reload echo "Remove unused Docker images and resources" docker system prune -af + echo "Remove Docker matrix network (should be gone already, but ..)" docker network rm {{ matrix_docker_network }} + + echo "This playbook creates a lot of matrix-* networks. Consider removing them manually ('docker network ls', followed by 'docker network rm NETWORK_NAME')" + echo "Remove {{ matrix_base_data_path }} directory" rm -fr "{{ matrix_base_data_path }}" exit 0 diff --git a/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml new file mode 100644 index 00000000..7d1b1190 --- /dev/null +++ b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml 
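Review bot: Dropping the `devture-*` loop means a host still carrying the legacy `devture-traefik.service` (one on which the migration task has not yet run before `remove-all` is executed) keeps that service and its `/devture-traefik` data after the script completes, while the `matrix-*` loop above presumably covers the renamed `matrix-traefik.service`. Either keep a one-line `systemctl disable --now devture-traefik.service 2>/dev/null || true` for a release or two, or state in the script's output that legacy `devture-*` units and paths are not handled. The enclosing `else` branch of this script starts outside the hunk.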
@@ -0,0 +1,35 @@ +--- + +# This migrates Traefik from the old path (`/devture-traefik`) to the new path (`/matrix/traefik`, controlled by `devture_traefik_base_path`), +# and from the old hardcoded systemd service name (`devture-traefik.service`) to the new one (`matrix-traefik.service`, controlled by `devture_traefik_identifier`). +# +# Here, we merely disable (and stop) the old systemd service and relocate the data (`/devture-traefik` directory). +# The Traefik role itself (running later) will then ensure this data is up-to-date and will set up the new systemd service. + +# It only makes sense to migrate if the identifier or path are different than the default (what we were using before). +- when: "devture_traefik_identifier != 'devture-postgres' or devture_traefik_base_path != '/devture-traefik'" + block: + - name: Check existence of devture-traefik.service systemd service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service" + register: devture_traefik_service_stat + + - when: devture_traefik_service_stat.stat.exists | bool + block: + - name: Ensure devture-traefik.service systemd service is stopped + ansible.builtin.systemd: + name: devture-traefik + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure Traefik systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service" + state: absent + + - name: Ensure Traefik directory relocated + ansible.builtin.command: + cmd: "mv /devture-traefik {{ devture_traefik_base_path }}" + creates: "{{ devture_traefik_base_path }}" + removes: "/devture-traefik" diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml index 96b68b60..e2b29384 100644 --- a/roles/custom/matrix_playbook_migration/tasks/main.yml +++ b/roles/custom/matrix_playbook_migration/tasks/main.yml 
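Review bot: The guard compares `devture_traefik_identifier` with `'devture-postgres'`, which looks copy-pasted from a Postgres migration; the pre-change default was `devture-traefik`, so the intended line is `- when: "devture_traefik_identifier != 'devture-traefik' or devture_traefik_base_path != '/devture-traefik'"`. As written the first clause is always true, so the block always runs and relies solely on the `stat` check. The `mv` task is skipped by `creates:` whenever the new base path already exists, which would leave `/devture-traefik` — including `ssl/acme.json` with live certificates and the ACME account key — behind on disk without any message; a `debug` or `fail` in that case, or at least a comment, would help operators notice. The relocated directory presumably keeps its old ownership; if that differs from `devture_traefik_uid`, the later Traefik role run is what corrects it, which the header comment could say.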
@@ -11,3 +11,12 @@ tags: - setup-all - install-all + +- when: matrix_playbook_traefik_role_enabled | bool + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml" + tags: + - setup-all + - install-all + - setup-traefik + - install-traefik From 30f10347670d2fcc3fafc3ac81659dcb6d909cdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 09:51:14 +0200 Subject: [PATCH 61/71] Remove matrix_playbook_traefik_role_enabled variable and devture-traefik references The variable was necessary when multiple playbooks could have potentially tried to manage a shared `devture-traefik.service` systemd service and shared `/devture-traefik` directory. Since adcc6d9723086f65f1a72, we use our own `/matrix/traefik` (`matrix-traefik.service`) installation and no conflicts can arise. It's safe to always enable the role, just like we do with all the other roles. --- CHANGELOG.md | 4 ++-- docs/configuring-playbook-ssl-certificates.md | 4 ++-- group_vars/matrix_servers | 20 ++----------------- playbooks/matrix.yml | 3 +-- roles/custom/matrix-base/defaults/main.yml | 2 +- .../matrix_playbook_migration/tasks/main.yml | 2 +- .../tasks/validate_config.yml | 1 + 7 files changed, 10 insertions(+), 26 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 790406f3..1aedacc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md
@@ -223,9 +223,9 @@ devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed. -Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/devture-traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble. +Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/matrix/traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble. -**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/devture-traefik`), so you may run into a Let's Encrypt rate limit if you do it often. +**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/matrix/traefik`), so you may run into a Let's Encrypt rate limit if you do it often. Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time. diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 13d5f609..9fa9f84b 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md 
@@ -54,7 +54,7 @@ devture_traefik_ssl_dir_enabled: true # Tell Traefik to load our custom configuration file (certificates.yml). # The file is created below, in `matrix_aux_file_definitions`. -# The `/config/..` path is an in-container path, not a path on the host (like `/devture-traefik/config`). Do not change it! +# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it! devture_traefik_configuration_extension_yaml: | providers: file: @@ -85,7 +85,7 @@ matrix_aux_file_definitions: # HERE # Create the custom Traefik configuration. - # The `/ssl/..` paths below are in-container paths, not paths on the host (/`devture-traefik/ssl/..`). Do not change them! + # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them! - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml" content: | tls: diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c9f78345..5c4c1bdd 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -19,23 +19,9 @@ # Also see `devture_docker_sdk_for_python_installation_enabled`. matrix_playbook_docker_installation_enabled: true -# Controls whether to run the Traefik role or not -# See the `com.devture.ansible.role.traefik` section below for role configuration. -# -# There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. -# `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc. -# `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all. -# -# Sometimes, you're installing Traefik via a different (related playbook) which uses the same role. -# In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). -# If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here -# try to delete Traefik data (`/devture-traefik`) installed by the other playbook. -matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type != 'other-traefik-container' }}" - # Controls whether to attach Traefik labels to services. -# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, -# because you may wish to disable Traefik installation by the playbook, yet still use Traefik -# installed in another way. +# This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook, +# yet still use Traefik installed in another way. matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" # Controls the additional network that reverse-proxyable services will be connected to. 
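Review bot: The rewritten comment on `matrix_playbook_traefik_labels_enabled` drops the explanation of what now happens when `matrix_playbook_reverse_proxy_type` is `other-traefik-container`: with the `matrix_playbook_traefik_role_enabled` guard removed, the Traefik role always runs, and in that mode `devture_traefik_enabled` is false, so the role presumably executes its uninstall tasks against the playbook's own `matrix-traefik` identifier and `/matrix/traefik` path. That looks safe only because those values are no longer the role's generic `devture-traefik` defaults, which is exactly the concern the deleted comment described, and the new text no longer says so. Suggest adding one line next to the new comment: `# With other-traefik-container the Traefik role still runs (in uninstall mode) but only touches the playbook's own matrix-traefik instance, not a Traefik installed elsewhere.`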
@@ -3854,8 +3840,6 @@ devture_container_socket_proxy_api_containers_enabled: true # # ######################################################################## -# To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`. -# See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" devture_traefik_identifier: matrix-traefik diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 6e348df2..e72269ee 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -121,8 +121,7 @@ - role: galaxy/com.devture.ansible.role.container_socket_proxy - - when: matrix_playbook_traefik_role_enabled | bool - role: galaxy/com.devture.ansible.role.traefik + - role: galaxy/com.devture.ansible.role.traefik - role: galaxy/com.devture.ansible.role.traefik_certs_dumper diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 98a2167e..5e743925 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -284,7 +284,7 @@ matrix_homeserver_app_service_config_files_auto: [] # Valid options and a description of their behavior: # # - `playbook-managed-traefik` -# - the playbook will install devture-traefik +# - the playbook will run a managed Traefik instance (matrix-traefik) # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) # - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email` # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working 
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml index e2b29384..4a39e2c7 100644 --- a/roles/custom/matrix_playbook_migration/tasks/main.yml +++ b/roles/custom/matrix_playbook_migration/tasks/main.yml @@ -12,7 +12,7 @@ - setup-all - install-all -- when: matrix_playbook_traefik_role_enabled | bool +- when: devture_traefik_enabled | bool block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml" tags: diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 296f2daf..d8fe1683 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -37,6 +37,7 @@ - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled'} - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled'} - {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'devture_traefik_certs_dumper_enabled'} + - {'old': 'matrix_playbook_traefik_role_enabled', 'new': 'devture_traefik_enabled'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: From e21c44347f971319c204ca129c7d27714689bc26 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 10:28:44 +0200 Subject: [PATCH 62/71] Add Traefik Dashboard warning --- docs/configuring-playbook-traefik.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-traefik.md b/docs/configuring-playbook-traefik.md index 4f6a7335..0485742d 100644 --- a/docs/configuring-playbook-traefik.md +++ b/docs/configuring-playbook-traefik.md 
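Review bot: Gating the `devture_traefik_to_matrix_traefik.yml` include on `devture_traefik_enabled` narrows the migration compared with the removed `matrix_playbook_traefik_role_enabled`, which was also true for `playbook-managed-nginx`. A server that previously ran the `devture-traefik` layout and then switched back to nginx will no longer have the old `devture-traefik.service` stopped or `/devture-traefik` relocated, so if that unit is still enabled it can keep holding the ports nginx is about to bind. Consider keying the block on whether the old artefacts exist rather than on the current proxy choice, e.g. a `stat` on `/devture-traefik` followed by `when: devture_traefik_old_dir_stat.stat.exists`. The included task file is outside this hunk, so I cannot confirm it does more than the stop and relocate steps.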
@@ -35,6 +35,8 @@ devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE ``` +**WARNING**: enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts. + ## Additional configuration Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists. From 26fdae3797419f0df5065109adb53cfe74564559 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 10:29:58 +0200 Subject: [PATCH 63/71] Upgrade com.devture.ansible.role.container_socket_proxy --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ad1f5eac..013a6c53 100644 --- a/requirements.yml +++ b/requirements.yml @@ -52,7 +52,7 @@ version: v1.8.18-2 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git - version: v0.1.1-0 + version: v0.1.1-1 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: v2.9.8-1 From 6e3aab65942e2da274fd283cae094ffd988ba4f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 11:00:42 +0200 Subject: [PATCH 64/71] Make devture-traefik to matrix-traefik migration code a little safer --- .../tasks/devture_traefik_to_matrix_traefik.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml index 7d1b1190..f192cf01 100644 --- a/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml +++ b/roles/custom/matrix_playbook_migration/tasks/devture_traefik_to_matrix_traefik.yml @@ -23,13 +23,13 @@ enabled: false daemon_reload: true - - name: Ensure Traefik systemd service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service" - state: absent - - name: Ensure Traefik directory relocated ansible.builtin.command: cmd: "mv /devture-traefik {{ devture_traefik_base_path }}" creates: "{{ devture_traefik_base_path }}" removes: "/devture-traefik" + + - name: Ensure Traefik systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service" + state: absent From db4070fc75d62aa296f55716e67a0561c2767cdb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 13:48:31 +0200 Subject: [PATCH 65/71] Remove some nginx references --- docs/faq.md | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 25d02e7c..7b67a5bf 100644 --- a/docs/faq.md +++ b/docs/faq.md 
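Review bot: The `creates: "{{ devture_traefik_base_path }}"` guard on the `mv` task means that when the destination already exists (for example because an earlier, interrupted run of the Traefik role created `/matrix/traefik` before this migration ran) the move is skipped silently and the old `/devture-traefik` tree is orphaned after its service has already been stopped and disabled. That tree holds `ssl/acme.json` with the ACME account key and issued certificates, so a fresh Traefik would re-issue everything and can hit the Let's Encrypt rate limit the docs warn about. Moving the unit-file removal after the relocation is an improvement, but I would add an explicit guard before the `mv`: a `stat` on both paths and an `ansible.builtin.fail` with a clear message when both exist, so the operator merges them by hand instead of losing data. The stop task at the top of this hunk starts outside it.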
@@ -125,7 +125,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place -- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) +- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up [Traefik](https://doc.traefik.io/traefik/) for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) - this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](container-images.md)) @@ -322,7 +322,7 @@ matrix_playbook_docker_installation_enabled: false ### I run another webserver on the same server where I wish to install Matrix. What now? -By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md). +By default, we install a webserver for you ([Traefik](https://doc.traefik.io/traefik/)), but you can also use [your own webserver](configuring-playbook-own-webserver.md). ### How is the effective configuration determined? 
@@ -461,15 +461,8 @@ After verifying that everything still works after the Postgres upgrade, you can ### How do I debug or force SSL certificate renewal? -SSL certificate renewal normally happens automatically via [systemd timers](https://wiki.archlinux.org/index.php/Systemd/Timers). +SSL certificates are managed automatically by the [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server. -If you're having trouble with SSL certificate renewal, you can inspect the renewal logs using: +If you're having trouble with SSL certificate renewal, check the Traefik logs (`journalctl -fu matrix-traefik`). -- `journalctl -fu matrix-ssl-lets-encrypt-certificates-renew.service` -- *or* by looking at the log files in `/matrix/ssl/log/` - -To trigger renewal, run: `systemctl start matrix-ssl-lets-encrypt-certificates-renew.service`. You can then take a look at the logs again. - -If you're using the integrated webserver (`matrix-nginx-proxy`), you can reload it manually like this: `systemctl reload matrix-nginx-proxy`. Reloading also happens periodically via a systemd timer. - -If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (`matrix-nginx-proxy`) you may also need to reload/restart it, to make it pick up the renewed SSL certificate files. +If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (Traefik), you should investigate in another way. From 2a872e95fcc171a0bb96317b4a811762957600e3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Mar 2023 13:52:22 +0200 Subject: [PATCH 66/71] Mention external roles in the FAQ --- docs/faq.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 7b67a5bf..48c658d1 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -336,12 +336,14 @@ Configuration variables are defined in multiple places in this playbook and are ### What configuration variables are available? -You can discover the variables you can override in each role (`role/matrix*/defaults/main.yml`). +You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`). As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`. Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features). +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). + ### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it? The playbook doesn't aim to expose all configuration settings for all services using variables. @@ -352,7 +354,9 @@ See [What configuration variables are available?](#what-configuration-variables- Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration. -Check each role's `role/matrix*/defaults/main.yml` for the corresponding variable and an example for how use it. +Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it. + +**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`). ## Installation From 023fe3ea08593b6786c93d641bd0c0daf2e2618d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 7 Mar 2023 11:57:56 +0200 Subject: [PATCH 67/71] Add sliding-sync support This allows people to try out the new Element X clients, which need to run against the sliding-sync proxy (https://github.com/matrix-org/sliding-sync). Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515 The code is based on the existing PR (#2515), but heavily reworked. Major changes: - lots of internal refactoring and variable renaming - fixed self-building to support non-amd64 architectures - changed to talk to the homeserver locally, over the container network (not publicly) - no more matrix-nginx-proxy support due to complexity (see below) - no more `matrix_server_fqn_sliding_sync_proxy` in favor of `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` - runs on `matrix.DOMAIN/sliding-sync` by default, so it can tried easily without having to create new DNS records --- group_vars/matrix_servers | 67 ++++++++++++++ playbooks/matrix.yml | 1 + .../static-files/well-known/matrix-client.j2 | 5 + .../matrix-sliding-sync/defaults/main.yml | 91 +++++++++++++++++++ .../matrix-sliding-sync/tasks/install.yml | 69 ++++++++++++++ .../custom/matrix-sliding-sync/tasks/main.yml | 19 ++++ .../matrix-sliding-sync/tasks/uninstall.yml | 25 +++++ .../tasks/validate_config.yml | 11 +++ .../matrix-sliding-sync/templates/env.j2 | 4 + .../matrix-sliding-sync/templates/labels.j2 | 45 +++++++++ .../systemd/matrix-sliding-sync.service.j2 | 49 ++++++++++ .../custom/matrix-sliding-sync/vars/main.yml | 5 + 12 files changed, 391 insertions(+) create mode 100644 roles/custom/matrix-sliding-sync/defaults/main.yml create mode 100644 roles/custom/matrix-sliding-sync/tasks/install.yml create mode 100644 roles/custom/matrix-sliding-sync/tasks/main.yml create mode 100644 roles/custom/matrix-sliding-sync/tasks/uninstall.yml create mode 100644 roles/custom/matrix-sliding-sync/tasks/validate_config.yml create mode 100644 
roles/custom/matrix-sliding-sync/templates/env.j2 create mode 100644 roles/custom/matrix-sliding-sync/templates/labels.j2 create mode 100644 roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 create mode 100644 roles/custom/matrix-sliding-sync/vars/main.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5c4c1bdd..85fbfd2a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -330,6 +330,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration']}] if matrix_registration_enabled else []) + + ([{'name': 'matrix-sliding-sync.service', 'priority': 4000, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) + + ([{'name': 'matrix-sygnal.service', 'priority': 800, 'groups': ['matrix', 'sygnal']}] if matrix_sygnal_enabled else []) + ([{'name': 'matrix-goofys.service', 'priority': 800, 'groups': ['matrix', 'goofys']}] if matrix_s3_media_store_enabled else []) @@ -2612,6 +2614,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-jitsi.service'] if matrix_jitsi_enabled else []) + + (['matrix-sliding-sync-proxy.service'] if matrix_sliding_sync_enabled else []) + + (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) + ([etherpad_identifier + '.service'] if etherpad_enabled else []) @@ -2745,6 +2749,12 @@ devture_postgres_managed_databases_auto: | 'password': matrix_dendrite_database_password, }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == devture_postgres_connection_hostname) else []) + + ([{ + 'name': matrix_sliding_sync_database_name, + 'username': matrix_sliding_sync_database_username, + 'password': matrix_sliding_sync_database_password, + }] if (matrix_sliding_sync_enabled) else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, 
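Review bot: The `@@ -2612` hunk adds `matrix-sliding-sync-proxy.service` to `matrix_nginx_proxy_systemd_wanted_services_list`, but the unit this commit installs is `matrix-sliding-sync.service` (see the `@@ -330` hunk in this same file and `tasks/install.yml`). systemd generally tolerates a `Wants=` on a missing unit, so the effect is that nginx-proxy simply never waits for sliding-sync rather than a hard failure, which makes the mismatch easy to miss. Change it to `+ (['matrix-sliding-sync.service'] if matrix_sliding_sync_enabled else [])`. Given the commit message says nginx-proxy support for this service was dropped, the entry may not be needed at all.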
@@ -3639,6 +3649,63 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener ###################################################################### + +###################################################################### +# +# matrix-sliding-sync +# +###################################################################### + +# We don't enable the sliding sync proxy by default. +matrix_sliding_sync_enabled: false + +matrix_sliding_sync_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_sliding_sync_hostname: "{{ matrix_server_fqn_matrix }}" + +matrix_sliding_sync_path_prefix: /sliding-sync + +matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" + +matrix_sliding_sync_container_additional_networks: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) + + + ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_sliding_sync_container_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_sliding_sync_container_network else []) + ) | unique + }} + +matrix_sliding_sync_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_sliding_sync_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_sliding_sync_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +matrix_sliding_sync_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if 
devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_sliding_sync_environment_variable_syncv3_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.secret', rounds=655555) | to_uuid }}" + +matrix_sliding_sync_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +matrix_sliding_sync_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.db', rounds=655555) | to_uuid }}" + +###################################################################### +# +# /matrix-sliding-sync +# +###################################################################### + + ###################################################################### # # matrix-dendrite diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index e72269ee..a2b7f2b8 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -105,6 +105,7 @@ - custom/matrix-dimension - galaxy/etherpad - custom/etherpad-proxy-connect + - custom/matrix-sliding-sync - custom/matrix-email2matrix - custom/matrix-sygnal - galaxy/ntfy diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 index 45fc9b66..45c3ea2a 100644 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -26,6 +26,11 @@ "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} } {% endif %} + {% if matrix_sliding_sync_enabled %}, + "org.matrix.msc3575.proxy": { + "url": "{{ matrix_sliding_sync_base_url }}" + } + {% endif %} {% if matrix_client_element_location_sharing_enabled %}, "m.tile_server": { "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json" 
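Review bot: In `matrix-client.j2` the new `"url": "{{ matrix_sliding_sync_base_url }}"` interpolates the value raw inside a JSON string, whereas the neighbouring `preferredDomain` line in the same hunk goes through `|to_json`. The base URL is presumably assembled from `matrix_sliding_sync_scheme`, `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` (the `vars/main.yml` that builds it is not in this chunk), so an operator-supplied hostname or prefix containing a quote or backslash would produce an invalid `.well-known/matrix/client` document that every client fetching it rejects. Use the same escaping as the rest of the template: `"url": {{ matrix_sliding_sync_base_url | to_json }}`.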
diff --git a/roles/custom/matrix-sliding-sync/defaults/main.yml b/roles/custom/matrix-sliding-sync/defaults/main.yml new file mode 100644 index 00000000..f66b3b61 --- /dev/null +++ b/roles/custom/matrix-sliding-sync/defaults/main.yml 
@@ -0,0 +1,91 @@ +--- + +# Sliding Sync Proxy is an implementation of MSC3575 for the new sliding sync + +matrix_sliding_sync_enabled: true + +matrix_sliding_sync_version: v0.99.1 + +matrix_sliding_sync_scheme: https + +# The hostname at which sliding-sync is served. +matrix_sliding_sync_hostname: '' + +# The path at which sliding-sync is served. +# This value must either be `/` or not end with a slash (e.g. `/sliding-sync`). +matrix_sliding_sync_path_prefix: / + +matrix_sliding_sync_base_path: "{{ matrix_base_data_path }}/sliding-sync" + +matrix_sliding_sync_container_image_self_build: false +matrix_sliding_sync_container_image_self_build_repo: https://github.com/matrix-org/sliding-sync +matrix_sliding_sync_container_image_self_build_repo_version: "{{ 'main' if matrix_sliding_sync_version == 'main' else matrix_sliding_sync_version }}" +matrix_sliding_sync_container_src_path: "{{ matrix_sliding_sync_base_path }}/container-src" + +matrix_sliding_sync_container_image: "{{ matrix_sliding_sync_container_image_name_prefix }}matrix-org/sliding-sync:{{ matrix_sliding_sync_container_image_tag }}" +matrix_sliding_sync_container_image_name_prefix: "{{ 'localhost/' if matrix_sliding_sync_container_image_self_build else matrix_sliding_sync_container_image_registry_prefix }}" +matrix_sliding_sync_container_image_tag: "{{ matrix_sliding_sync_version }}" +matrix_sliding_sync_container_image_force_pull: "{{ matrix_sliding_sync_container_image.endswith(':main') }}" +matrix_sliding_sync_container_image_registry_prefix: ghcr.io/ + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_sliding_sync_container_network: matrix-sliding-sync + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. 
+matrix_sliding_sync_container_additional_networks: [] + +# matrix_sliding_sync_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_sliding_sync_container_labels_additional_labels`. +matrix_sliding_sync_container_labels_traefik_enabled: true +matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_sliding_sync_container_network }}" +matrix_sliding_sync_container_labels_traefik_hostname: "{{ matrix_sliding_sync_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/sliding-sync`). +matrix_sliding_sync_container_labels_traefik_path_prefix: "{{ matrix_sliding_sync_path_prefix }}" +matrix_sliding_sync_container_labels_traefik_rule: "Host(`{{ matrix_sliding_sync_container_labels_traefik_hostname }}`){% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_sliding_sync_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_sliding_sync_container_labels_traefik_priority: 0 +matrix_sliding_sync_container_labels_traefik_entrypoints: web-secure +matrix_sliding_sync_container_labels_traefik_tls: "{{ matrix_sliding_sync_container_labels_traefik_entrypoints != 'web' }}" +matrix_sliding_sync_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom` +matrix_sliding_sync_container_labels_traefik_additional_response_headers: "{{ matrix_sliding_sync_container_labels_traefik_additional_response_headers_auto | combine(matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom) }}" +matrix_sliding_sync_container_labels_traefik_additional_response_headers_auto: {} +matrix_sliding_sync_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_sliding_sync_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_sliding_sync_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_sliding_sync_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_sliding_sync_container_extra_arguments: [] + +# List of systemd services that matrix-sliding-sync-proxy.service depends on +matrix_sliding_sync_systemd_required_services_list: ["docker.service"] + +# List of systemd services that matrix-sliding-sync-proxy.service wants +matrix_sliding_sync_systemd_wanted_services_list: [] + +# Controls the SYNCV3_SERVER environment variable +matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_container_url }}" + +# Controls the SYNCV3_SECRET environment variable +matrix_sliding_sync_environment_variable_syncv3_secret: '' + +# Controls the SYNCV3_DB environment variable +matrix_sliding_sync_environment_variable_syncv3_db: 'user={{ matrix_sliding_sync_database_username }} password={{ matrix_sliding_sync_database_password }} host={{ matrix_sliding_sync_database_hostname }} port={{ matrix_sliding_sync_database_port }} dbname={{ matrix_sliding_sync_database_name }} sslmode=disable' + +matrix_sliding_sync_database_username: 'matrix_sliding_sync' 
+matrix_sliding_sync_database_password: '' +matrix_sliding_sync_database_hostname: '' +matrix_sliding_sync_database_port: 5432 +matrix_sliding_sync_database_name: 'matrix_sliding_sync' diff --git a/roles/custom/matrix-sliding-sync/tasks/install.yml b/roles/custom/matrix-sliding-sync/tasks/install.yml new file mode 100644 index 00000000..26717afd --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/install.yml 
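Review bot: `matrix_sliding_sync_container_image_self_build_repo_version` yields `matrix_sliding_sync_version` in both branches of its conditional (`'main' if matrix_sliding_sync_version == 'main' else matrix_sliding_sync_version`), so the expression is dead logic; either reduce it to `"{{ matrix_sliding_sync_version }}"` or, if the intent was to mirror the other roles' `latest`-to-branch mapping, compare against a distinct value such as `'latest'`. Two smaller points in the same hunk: the comments on `matrix_sliding_sync_systemd_required_services_list` and `matrix_sliding_sync_systemd_wanted_services_list` refer to `matrix-sliding-sync-proxy.service`, while the unit installed by `install.yml` is `matrix-sliding-sync.service`; and `SYNCV3_DB` hard-codes `sslmode=disable`, which is acceptable on the playbook's private container network but sends the database password in cleartext if someone points `matrix_sliding_sync_database_hostname` at an external Postgres. I would expose that as `matrix_sliding_sync_database_sslmode: disable`, reference it in the connection string, and add a comment stating that it should be raised to `require` or stricter for any database outside the container network.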
@@ -0,0 +1,69 @@ +--- + +- name: Ensure matrix-sliding-sync paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_sliding_sync_base_path }}" + when: true + - path: "{{ matrix_sliding_sync_container_src_path }}" + when: "{{ matrix_sliding_sync_container_image_self_build }}" + when: item.when | bool + +- name: Ensure matrix-sliding-sync support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_sliding_sync_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure matrix-sliding-sync container image is pulled + community.docker.docker_image: + name: "{{ matrix_sliding_sync_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sliding_sync_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sliding_sync_container_image_force_pull }}" + when: "not matrix_sliding_sync_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: matrix_sliding_sync_container_image_self_build | bool + block: + - name: Ensure matrix-sliding-sync repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_sliding_sync_container_image_self_build_repo }}" + version: "{{ matrix_sliding_sync_container_image_self_build_repo_version }}" + dest: "{{ matrix_sliding_sync_container_src_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: 
matrix_sliding_sync_git_pull_results + + - name: Ensure matrix-sliding-sync container image is built + ansible.builtin.command: + cmd: |- + {{ devture_systemd_docker_base_host_command_docker }} buildx build + --tag={{ matrix_sliding_sync_container_image }} + --file={{ matrix_sliding_sync_container_src_path }}/Dockerfile + {{ matrix_sliding_sync_container_src_path }} + +- name: Ensure matrix-sliding-sync container network is created + community.general.docker_network: + name: "{{ matrix_sliding_sync_container_network }}" + driver: bridge + +- name: Ensure matrix-sliding-sync.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-sliding-sync.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service" + mode: 0644 diff --git a/roles/custom/matrix-sliding-sync/tasks/main.yml b/roles/custom/matrix-sliding-sync/tasks/main.yml new file mode 100644 index 00000000..71e7391b --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- block: + - when: matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + tags: + - setup-all + - setup-sliding-sync + - install-all + - install-sliding-sync + +- block: + - when: not matrix_sliding_sync_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + tags: + - setup-all + - setup-sliding-sync diff --git a/roles/custom/matrix-sliding-sync/tasks/uninstall.yml b/roles/custom/matrix-sliding-sync/tasks/uninstall.yml new file mode 100644 index 00000000..8a559cac --- /dev/null +++ b/roles/custom/matrix-sliding-sync/tasks/uninstall.yml 
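Review bot: The network task in `install.yml` uses `community.general.docker_network` while the image task above it uses `community.docker.docker_image`; the Docker modules live in `community.docker` and the `community.general` name is only a redirect, so the file should use `community.docker.docker_network` consistently. Separately, the self-build path checks out a git tag (`v0.99.1`) with `force: "yes"` and builds it with no commit pinning and no `--pull`, so a moved tag or a stale base image silently changes what is built on the next run; this matches the playbook's other roles, so I only flag it, but a `# NOTE: git tags are mutable; pin a commit via matrix_sliding_sync_container_image_self_build_repo_version when reproducibility matters` comment would help. The octal `mode: 0750` / `0640` / `0644` values are unquoted; Ansible parses leading-zero integers as octal, but ansible-lint's `risky-octal` rule and most YAML style guides prefer the quoted `"0750"` form.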
@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of matrix-sliding-sync service
+ ansible.builtin.stat:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service"
+ register: matrix_sliding_sync_service_stat
+
+- when: matrix_sliding_sync_service_stat.stat.exists | bool
+ block:
+ - name: Ensure matrix-sliding-sync is stopped
+ ansible.builtin.service:
+ name: matrix-sliding-sync
+ state: stopped
+ enabled: false
+ daemon_reload: true
+
+ - name: Ensure matrix-sliding-sync.service doesn't exist
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-sliding-sync.service"
+ state: absent
+
+ - name: Ensure matrix-sliding-sync paths don't exist
+ ansible.builtin.file:
+ path: "{{ matrix_sliding_sync_base_path }}"
+ state: absent
diff --git a/roles/custom/matrix-sliding-sync/tasks/validate_config.yml b/roles/custom/matrix-sliding-sync/tasks/validate_config.yml
new file mode 100644
index 00000000..5d36403c
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/tasks/validate_config.yml
@@ -0,0 +1,11 @@
+---
+- name: Fail if required matrix-sliding-sync settings not defined
+ ansible.builtin.fail:
+ msg: >
+ You need to define a required configuration setting (`{{ item.name }}`).
+ when: "vars[item] == ''"
+ with_items:
+ - matrix_sliding_sync_hostname
+ - matrix_sliding_sync_path_prefix
+ - matrix_sliding_sync_database_hostname
+ - matrix_sliding_sync_environment_variable_syncv3_secret
diff --git a/roles/custom/matrix-sliding-sync/templates/env.j2 b/roles/custom/matrix-sliding-sync/templates/env.j2
new file mode 100644
index 00000000..1269bd2a
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/templates/env.j2
@@ -0,0 +1,4 @@
+SYNCV3_SERVER={{ matrix_sliding_sync_environment_variable_syncv3_server }}
+SYNCV3_SECRET={{ matrix_sliding_sync_environment_variable_syncv3_secret }}
+SYNCV3_BINDADDR=:8008
+SYNCV3_DB={{ matrix_sliding_sync_environment_variable_syncv3_db }}
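Review bot: In the validate_config.yml hunk the failure message interpolates `{{ item.name }}`, but `with_items` supplies plain strings, so when the check trips the task errors while rendering the message instead of naming the missing setting; the fix is `You need to define a required configuration setting (`{{ item }}`).`. The `when: "vars[item] == ''"` condition also only catches a value that is explicitly empty — if one of the four variables were not defined at all, the `vars[item]` lookup itself would raise rather than reach this message, which is presumably acceptable as long as the role's defaults (not in this chunk) define each of them as `''`. Since `matrix_sliding_sync_environment_variable_syncv3_secret` is in the list, this task is the only guard against writing an empty `SYNCV3_SECRET` into the env file, so the message path is worth making work.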
diff --git a/roles/custom/matrix-sliding-sync/templates/labels.j2 b/roles/custom/matrix-sliding-sync/templates/labels.j2
new file mode 100644
index 00000000..66549249
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/templates/labels.j2
@@ -0,0 +1,45 @@
+{% if matrix_sliding_sync_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_sliding_sync_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_sliding_sync_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.regex=({{ matrix_sliding_sync_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-sliding-sync-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-sliding-sync-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_sliding_sync_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-sliding-sync-strip-prefix.stripprefix.prefixes={{ matrix_sliding_sync_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-sliding-sync-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_sliding_sync_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_sliding_sync_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-sliding-sync-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-sliding-sync-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-sliding-sync.rule={{ matrix_sliding_sync_container_labels_traefik_rule }}
+{% if matrix_sliding_sync_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-sliding-sync.priority={{ matrix_sliding_sync_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-sliding-sync.service=matrix-sliding-sync
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-sliding-sync.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-sliding-sync.entrypoints={{ matrix_sliding_sync_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-sliding-sync.tls={{ matrix_sliding_sync_container_labels_traefik_tls | to_json }}
+{% if matrix_sliding_sync_container_labels_traefik_tls %}
+traefik.http.routers.matrix-sliding-sync.tls.certResolver={{ matrix_sliding_sync_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-sliding-sync.loadbalancer.server.port=8008
+{% endif %}
+
+{{ matrix_sliding_sync_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2 b/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2
new file mode 100644
index 00000000..ac8d2ffb
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/templates/systemd/matrix-sliding-sync.service.j2
@@ -0,0 +1,49 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=matrix-sliding-sync
+{% for service in matrix_sliding_sync_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_sliding_sync_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sliding-sync 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sliding-sync 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-sliding-sync \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --read-only \
+ --tmpfs /tmp \
+ --network={{ matrix_sliding_sync_container_network }} \
+ --env-file={{ matrix_sliding_sync_base_path }}/env \
+ --label-file={{ matrix_sliding_sync_base_path }}/labels \
+ {% for arg in matrix_sliding_sync_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_sliding_sync_container_image }}
+
+{% for network in matrix_sliding_sync_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-sliding-sync
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-sliding-sync
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-sliding-sync 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-sliding-sync 2>/dev/null || true'
+
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-sliding-sync
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/custom/matrix-sliding-sync/vars/main.yml b/roles/custom/matrix-sliding-sync/vars/main.yml
new file mode 100644
index 00000000..8ec69c08
--- /dev/null
+++ b/roles/custom/matrix-sliding-sync/vars/main.yml
@@ -0,0 +1,5 @@
+---
+
+# Public facing base URL of the Sliding Sync service.
+# It should not end with a slash.
+matrix_sliding_sync_base_url: "{{ matrix_sliding_sync_scheme }}://{{ matrix_sliding_sync_hostname }}{{ '' if matrix_sliding_sync_path_prefix == '/' else matrix_sliding_sync_path_prefix }}"
From 6c1a39e6e9efbe0c1637006c8be16238e70845b3 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 7 Mar 2023 12:22:04 +0200
Subject: [PATCH 68/71] Announce sliding-sync support

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515
---
 CHANGELOG.md | 11 +++++
 README.md | 1 +
 ...configuring-playbook-sliding-sync-proxy.md | 47 +++++++++++++++++++
 docs/configuring-playbook.md | 2 +
 4 files changed, 61 insertions(+)
 create mode 100644 docs/configuring-playbook-sliding-sync-proxy.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1aedacc3..49262d63 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,14 @@ +# 2023-03-07 + +## Sliding Sync Proxy (Element X) support + +Thanks to [Benjamin Kampmann](https://github.com/gnunicorn) for [getting it started](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515), [FSG-Cat](https://github.com/FSG-Cat) for fixing it up and me ([Slavi](https://github.com/spantaleev)) for polishing it up, the playbook can now install and configure the [sliding-sync proxy](https://github.com/matrix-org/sliding-sync). + +The new Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. These clients are still in beta, and now playbook users can easily give them a try and help test them thanks to us having `sliding-sync` support. + +To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playbook-sliding-sync-proxy.md) documentation page. + + # 2023-03-02 ## The matrix-etherpad role lives independently now diff --git a/README.md b/README.md index bd37d23e..185c4085 100644 --- a/README.md +++ b/README.md @@ -162,6 +162,7 @@ Various services that don't fit any other category. | Name | Default? | Description | Documentation | | ---- | -------- | ----------- | ------------- | +| [sliding-sync](https://github.com/matrix-org/sliding-sync)| x | Sliding Sync support for clients which require it (e.g. Element X) | [Link](docs/configuring-playbook-sliding-sync-proxy.md) | | [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | x | A spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) | | [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | x | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) | | [Etherpad](https://etherpad.org) | x | An open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) | 
diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md
new file mode 100644
index 00000000..c07d1db4
--- /dev/null
+++ b/docs/configuring-playbook-sliding-sync-proxy.md
@@ -0,0 +1,47 @@ +# Setting up Sliding Sync Proxy (optional) + +The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you. + +Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (still beta) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)). + +See the project's [documentation](https://github.com/matrix-org/sliding-syncb) to learn more. + +**NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. + + +## Decide on a domain and path + +By default, the Sliding Sync proxy is configured to be served on the Matrix domain (`matrix.DOMAIN`, controlled by `matrix_server_fqn_matrix`), under the `/sliding-sync` path. + +This makes it easy to set it up, **without** having to [adjust your DNS records](#adjusting-dns-records). + +If you'd like to run the Sliding Sync proxy on another hostname or path, use the `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` variables. + + +## Adjusting DNS records + +If you've changed the default hostame, **you may need to adjust your DNS** records. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_sliding_sync_enabled: true +``` + + +## Installing + +After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: `just install-all`. + + +## Usage + +You **don't need to do anything special** to make use of the Sliding Sync Proxy. 
+Simply open your client which supports Sliding Sync (like Element X) and log in. + +When the Sliding Sync proxy is [installed](#installing), your `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc3575.proxy` section and `url` property are added there and made to point to your Sliding Sync proxy's base URL (e.g. `https://matrix.DOMAIN/sliding-sync`). + +This allows clients which support Sliding Sync to detect the Sliding Sync Proxy's URL and make use of it. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b4bae786..68a2658a 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -195,6 +195,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Other specialized services +- [Setting up the Sliding Sync Proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like Element X) (optional) + - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional) From bf95204860e79e3e7821fd2380d63e461a74076a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Mar 2023 14:44:30 +0200 Subject: [PATCH 69/71] Mention Element X Android not being quite ready for testing yet --- CHANGELOG.md | 2 +- docs/configuring-playbook-sliding-sync-proxy.md | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49262d63..7e9e2545 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,7 +4,7 @@ Thanks to [Benjamin Kampmann](https://github.com/gnunicorn) for [getting it started](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515), [FSG-Cat](https://github.com/FSG-Cat) for fixing it up and me ([Slavi](https://github.com/spantaleev)) for polishing it up, the playbook can now install and configure the [sliding-sync proxy](https://github.com/matrix-org/sliding-sync). -The new Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. These clients are still in beta, and now playbook users can easily give them a try and help test them thanks to us having `sliding-sync` support. +The upcoming Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. **These clients are still in beta** (especially Element X Android, which requires manual compilation to get it working with a non-`matrix.org` homeseserver). Playbook users can now easily give these clients a try and help test them thanks to us having `sliding-sync` support. To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playbook-sliding-sync-proxy.md) documentation page. diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md index c07d1db4..49e0483a 100644 --- a/docs/configuring-playbook-sliding-sync-proxy.md +++ b/docs/configuring-playbook-sliding-sync-proxy.md 
@@ -2,9 +2,13 @@ The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you. -Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (still beta) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)). +Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (**still beta**) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)). -See the project's [documentation](https://github.com/matrix-org/sliding-syncb) to learn more. +See the project's [documentation](https://github.com/matrix-org/sliding-sync) to learn more. + +Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi). + +Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version. **NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. From dddfee16bc852fc989b057bd1867f0e85825846d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 7 Mar 2023 17:28:10 +0200 Subject: [PATCH 70/71] Fix all 300+ ansible-lint-reported errors --- .../etherpad-proxy-connect/tasks/main.yml | 8 +-- .../tasks/validate_config.yml | 16 ++--- roles/custom/matrix-aux/tasks/main.yml | 6 +- roles/custom/matrix-base/tasks/main.yml | 24 ++++---- .../matrix-bot-buscarron/tasks/main.yml | 18 +++--- .../custom/matrix-bot-chatgpt/tasks/main.yml | 21 +++---- .../custom/matrix-bot-draupnir/tasks/main.yml | 18 +++--- roles/custom/matrix-bot-go-neb/tasks/main.yml | 18 +++--- .../custom/matrix-bot-honoroit/tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- roles/custom/matrix-bot-maubot/tasks/main.yml | 26 ++++---- .../custom/matrix-bot-mjolnir/tasks/main.yml | 18 +++--- .../matrix-bot-postmoogle/tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 10 +--- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 26 ++++---- .../tasks/main.yml | 26 ++++---- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 10 +++- .../matrix-bridge-heisenbridge/tasks/main.yml | 16 ++--- .../matrix-bridge-hookshot/defaults/main.yml | 10 ++-- .../matrix-bridge-hookshot/tasks/main.yml | 26 ++++---- .../tasks/setup_install.yml | 4 +- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 26 ++++---- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++---- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++---- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++---- .../tasks/main.yml | 26 ++++---- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 26 ++++---- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++---- .../tasks/main.yml | 26 ++++---- .../tasks/setup_install.yml | 10 +++- .../tasks/main.yml | 18 +++--- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 18 
+++--- .../tasks/main.yml | 26 ++++---- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 18 +++--- .../tasks/setup_install.yml | 5 +- .../tasks/main.yml | 26 ++++---- .../tasks/setup_install.yml | 5 +- roles/custom/matrix-bridge-sms/tasks/main.yml | 18 +++--- .../matrix-cactus-comments/tasks/main.yml | 26 ++++---- .../custom/matrix-client-cinny/tasks/main.yml | 24 ++++---- .../matrix-client-element/tasks/main.yml | 24 ++++---- .../tasks/setup_install.yml | 1 + .../matrix-client-hydrogen/tasks/main.yml | 24 ++++---- .../custom/matrix-common-after/tasks/main.yml | 6 +- roles/custom/matrix-conduit/tasks/main.yml | 16 ++--- roles/custom/matrix-corporal/tasks/main.yml | 24 ++++---- roles/custom/matrix-coturn/tasks/main.yml | 18 +++--- .../matrix-coturn/tasks/setup_install.yml | 4 +- roles/custom/matrix-dendrite/tasks/main.yml | 30 +++++----- .../matrix-dendrite/tasks/setup_install.yml | 24 ++++---- roles/custom/matrix-dimension/tasks/main.yml | 18 +++--- .../custom/matrix-dynamic-dns/tasks/main.yml | 18 +++--- .../custom/matrix-email2matrix/tasks/main.yml | 18 +++--- roles/custom/matrix-jitsi/tasks/main.yml | 60 +++++++++---------- .../util/setup_jitsi_auth_uvs_install.yml | 5 ++ .../tasks/main.yml | 26 ++++---- roles/custom/matrix-ma1sd/tasks/main.yml | 24 ++++---- .../matrix-ma1sd/tasks/setup_install.yml | 1 + roles/custom/matrix-mailer/tasks/main.yml | 16 ++--- .../custom/matrix-nginx-proxy/tasks/main.yml | 10 ++-- ...tup_ssl_lets_encrypt_obtain_for_domain.yml | 2 + ...etup_ssl_self_signed_obtain_for_domain.yml | 21 ++++--- .../tasks/main.yml | 26 ++++---- .../tasks/main.yml | 20 +++---- roles/custom/matrix-prometheus/tasks/main.yml | 18 +++--- .../custom/matrix-rageshake/tasks/install.yml | 1 + roles/custom/matrix-rageshake/tasks/main.yml | 19 +++--- .../custom/matrix-registration/tasks/main.yml | 38 ++++++------ .../matrix-sliding-sync/tasks/install.yml | 1 + .../custom/matrix-sliding-sync/tasks/main.yml | 19 +++--- roles/custom/matrix-sygnal/tasks/main.yml 
| 18 +++--- .../matrix-synapse-admin/tasks/main.yml | 26 ++++---- .../tasks/main.yml | 16 ++--- .../tasks/ext/setup_install.yml | 56 ++++++++--------- .../tasks/ext/setup_uninstall.yml | 48 +++++++-------- roles/custom/matrix-synapse/tasks/main.yml | 56 ++++++++--------- .../matrix-synapse/tasks/setup_install.yml | 26 ++++---- .../matrix-synapse/tasks/setup_uninstall.yml | 26 ++++---- .../tasks/synapse/setup_install.yml | 33 +++++----- .../custom/matrix-user-creator/tasks/main.yml | 8 +-- .../tasks/main.yml | 20 +++---- .../matrix_playbook_migration/tasks/main.yml | 18 +++--- 98 files changed, 942 insertions(+), 895 deletions(-) diff --git a/roles/custom/etherpad-proxy-connect/tasks/main.yml b/roles/custom/etherpad-proxy-connect/tasks/main.yml index 67bf7d0e..630ab87f 100644 --- a/roles/custom/etherpad-proxy-connect/tasks/main.yml +++ b/roles/custom/etherpad-proxy-connect/tasks/main.yml @@ -1,12 +1,12 @@ --- - when: etherpad_enabled | bool and etherpad_nginx_proxy_dimension_integration_enabled | bool - block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" tags: - install-all - setup-all - install-nginx-proxy - setup-nginx-proxy + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" diff --git a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml index 2127ce1a..51a672ee 100644 --- a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml +++ b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml 
@@ -1,30 +1,30 @@ --- -- when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container'] - name: Fail if reverse-proxy is not nginx +- name: Fail if reverse-proxy is not nginx + when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container'] ansible.builtin.fail: msg: > Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using matrix-nginx-proxy. `matrix_playbook_reverse_proxy_type` ({{ matrix_playbook_reverse_proxy_type }}) indicates that you're using another reverse-proxy. If you're using Traefik, you should configure `etherpad_hostname` and `etherpad_path_prefix` instead. -- when: not matrix_dimension_enabled - name: Fail if Dimension not enabled +- name: Fail if Dimension not enabled + when: not matrix_dimension_enabled ansible.builtin.fail: msg: > Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using Dimension. Looks like Dimension is not enabled in your configuration (judging by `matrix_dimension_enabled`). Consider configuring `etherpad_hostname` and `etherpad_path_prefix` instead. -- when: etherpad_hostname != matrix_server_fqn_dimension - name: Fail if Etherpad hostname does not match Dimension hostname +- name: Fail if Etherpad hostname does not match Dimension hostname + when: etherpad_hostname != matrix_server_fqn_dimension ansible.builtin.fail: msg: > Etherpad's integration into matrix-nginx-proxy's Dimension server requires that you set `etherpad_hostname` to `matrix_server_fqn_dimension`. 
Consider adding this to your configuration: `{% raw %}etherpad_hostname: "{{ matrix_server_fqn_dimension }}"{% endraw %}` -- when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/' - name: Fail if / path prefix used for Etherpad +- name: Fail if / path prefix used for Etherpad + when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/' ansible.builtin.fail: msg: > Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using a non-`/` path for Etherpad. diff --git a/roles/custom/matrix-aux/tasks/main.yml b/roles/custom/matrix-aux/tasks/main.yml index 57db0965..3ae8d179 100644 --- a/roles/custom/matrix-aux/tasks/main.yml +++ b/roles/custom/matrix-aux/tasks/main.yml @@ -1,9 +1,9 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" - tags: +- tags: - setup-all - setup-aux-files - install-all - install-aux-files + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml" diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index c67e2090..13ef11d5 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml 
@@ -1,30 +1,28 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - tags: +- tags: - setup-all - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, # which are required by many other roles. -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" - tags: +- tags: - always - setup-system-user - common + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" - tags: +- tags: - setup-all - install-all - common + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" - tags: +- tags: - setup-all - setup-ma1sd - setup-synapse @@ -37,3 +35,5 @@ - install-dendrite - install-conduit - install-nginx-proxy + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" diff --git a/roles/custom/matrix-bot-buscarron/tasks/main.yml b/roles/custom/matrix-bot-buscarron/tasks/main.yml index b4a58e91..fbf5c96a 100644 --- a/roles/custom/matrix-bot-buscarron/tasks/main.yml +++ b/roles/custom/matrix-bot-buscarron/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-buscarron + - install-all + - install-bot-buscarron + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_buscarron_enabled | bool" - tags: + +- tags: - setup-all - setup-bot-buscarron - - install-all - - install-bot-buscarron - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool" - tags: - - setup-all - - setup-bot-buscarron diff --git a/roles/custom/matrix-bot-chatgpt/tasks/main.yml b/roles/custom/matrix-bot-chatgpt/tasks/main.yml index c5487fb8..1086a62d 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/main.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/main.yml @@ -1,20 +1,21 @@ --- -- block: - - when: matrix_bot_chatgpt_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_bot_chatgpt_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" +- tags: - setup-all - setup-bot-chatgpt - install-all - install-bot-chatgpt + block: + - when: matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- block: - - when: not matrix_bot_chatgpt_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: + - when: matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + +- tags: - setup-all - setup-bot-chatgpt + block: + - when: not matrix_bot_chatgpt_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" 
diff --git a/roles/custom/matrix-bot-draupnir/tasks/main.yml b/roles/custom/matrix-bot-draupnir/tasks/main.yml index 686fe298..66c7cd06 100644 --- a/roles/custom/matrix-bot-draupnir/tasks/main.yml +++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-draupnir + - install-all + - install-bot-draupnir + block: - when: matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-draupnir - - install-all - - install-bot-draupnir - -- block: + block: - when: not matrix_bot_draupnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-draupnir diff --git a/roles/custom/matrix-bot-go-neb/tasks/main.yml b/roles/custom/matrix-bot-go-neb/tasks/main.yml index 3249fc7b..9367419d 100644 --- a/roles/custom/matrix-bot-go-neb/tasks/main.yml +++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-go-neb + - install-all + - install-bot-go-neb + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" when: "run_setup | bool and matrix_bot_go_neb_enabled | bool" - tags: + +- tags: - setup-all - setup-bot-go-neb - - install-all - - install-bot-go-neb - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool" - tags: - - setup-all - - setup-bot-go-neb diff --git a/roles/custom/matrix-bot-honoroit/tasks/main.yml b/roles/custom/matrix-bot-honoroit/tasks/main.yml index d4dcbce4..9b4e2908 100644 
--- a/roles/custom/matrix-bot-honoroit/tasks/main.yml +++ b/roles/custom/matrix-bot-honoroit/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-honoroit + - install-all + - install-bot-honoroit + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" when: "run_setup | bool and matrix_bot_honoroit_enabled | bool" - tags: + +- tags: - setup-all - setup-bot-honoroit - - install-all - - install-bot-honoroit - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool" - tags: - - setup-all - - setup-bot-honoroit diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml index 90ee56cc..83291fb6 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-matrix-registration-bot + - install-all + - install-bot-matrix-registration-bot + block: - when: matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-matrix-registration-bot - - install-all - - install-bot-matrix-registration-bot - -- block: + block: - when: not matrix_bot_matrix_registration_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-matrix-registration-bot 
diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml index 22c014de..f475afc0 100644 --- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml +++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-matrix-reminder-bot + - install-all + - install-bot-matrix-reminder-bot + block: - when: matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-matrix-reminder-bot - - install-all - - install-bot-matrix-reminder-bot - -- block: + block: - when: not matrix_bot_matrix_reminder_bot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-matrix-reminder-bot diff --git a/roles/custom/matrix-bot-maubot/tasks/main.yml b/roles/custom/matrix-bot-maubot/tasks/main.yml index 95fad19e..3241795b 100644 --- a/roles/custom/matrix-bot-maubot/tasks/main.yml +++ b/roles/custom/matrix-bot-maubot/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_bot_maubot_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_bot_maubot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-bot-maubot + - install-all + - install-bot-maubot + block: - when: matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-maubot - - install-all - - install-bot-maubot - -- block: + block: - when: not matrix_bot_maubot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-maubot diff --git a/roles/custom/matrix-bot-mjolnir/tasks/main.yml b/roles/custom/matrix-bot-mjolnir/tasks/main.yml index def5c9f0..03f5ba90 100644 --- a/roles/custom/matrix-bot-mjolnir/tasks/main.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-mjolnir + - install-all + - install-bot-mjolnir + block: - when: matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-mjolnir - - install-all - - install-bot-mjolnir - -- block: + block: - when: not matrix_bot_mjolnir_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-mjolnir 
diff --git a/roles/custom/matrix-bot-postmoogle/tasks/main.yml b/roles/custom/matrix-bot-postmoogle/tasks/main.yml index a6bc76a3..b7704039 100644 --- a/roles/custom/matrix-bot-postmoogle/tasks/main.yml +++ b/roles/custom/matrix-bot-postmoogle/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-bot-postmoogle + - install-all + - install-bot-postmoogle + block: - when: matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-bot-postmoogle - - install-all - - install-bot-postmoogle - -- block: + block: - when: not matrix_bot_postmoogle_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-bot-postmoogle diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml index 926fe367..88a77220 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-discord + - install-all + - install-appservice-discord + block: - when: matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-discord - - install-all - - install-appservice-discord - -- block: + block: - when: not matrix_appservice_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-discord 
diff --git a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml index 4a6419ed..632948bc 100644 --- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -65,7 +65,10 @@ when: "matrix_appservice_discord_stat_db.stat.exists" - name: (Data relocation) Move AppService Discord discord.db file to ./data directory - ansible.builtin.command: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}" + ansible.builtin.command: + cmd: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}" + creates: "{{ matrix_appservice_discord_data_path }}/{{ item }}" + removes: "{{ matrix_appservice_discord_base_path }}/{{ item }}" with_items: - discord.db - user-store.db diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml index 1cc6b35c..d4669848 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-irc + - install-all + - install-appservice-irc + block: - when: matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-irc - - install-all - - install-appservice-irc - -- block: + block: - when: not matrix_appservice_irc_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-irc 
diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index a5fdacde..69a9aa4c 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -108,16 +108,12 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Check if Appservice IRC passkey exists - ansible.builtin.stat: - path: "{{ matrix_appservice_irc_data_path }}/passkey.pem" - register: irc_passkey_file - - name: Generate Appservice IRC passkey if it doesn't exist - ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" + ansible.builtin.shell: + cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" + creates: "{{ matrix_appservice_irc_data_path }}/passkey.pem" become: true become_user: "{{ matrix_user_username }}" - when: "not irc_passkey_file.stat.exists" # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay. # Fix it. diff --git a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml index 14a30e65..7a360024 100644 --- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml 
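Review bot: `ansible.builtin.shell` is kept for a command that uses no shell features, so the interpolated `matrix_host_command_openssl` and `matrix_appservice_irc_data_path` values pass through a shell for no reason; `ansible.builtin.command:` accepts the same `cmd:`/`creates:` form and avoids that (it is also what ansible-lint's command-instead-of-shell rule asks for). Removing the stat task also removes the registered `irc_passkey_file` variable, so any later task in setup_install.yml that still references it would fail; the permission-fix task announced by the trailing comment is outside the hunk and should be checked. A one-line comment would make the new idempotence contract explicit, e.g. `# creates: the key is generated once and never regenerated or overwritten`.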
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-appservice-kakaotalk + - install-all + - install-appservice-kakaotalk + block: - when: matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-kakaotalk - - install-all - - install-appservice-kakaotalk - -- block: + block: - when: not matrix_appservice_kakaotalk_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-kakaotalk diff --git a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml index 41e2679e..6fb8ac7c 100644 --- a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_appservice_slack_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_appservice_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-appservice-slack + - install-all + - install-appservice-slack + block: - when: matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-slack - - install-all - - install-appservice-slack - -- block: + block: - when: not matrix_appservice_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-slack diff --git a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml index ae36cf70..a40d66dd 100644 --- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml +++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_appservice_webhooks_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_appservice_webhooks_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-appservice-webhooks + - install-all + - install-appservice-webhooks + block: - when: matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-appservice-webhooks - - install-all - - install-appservice-webhooks - -- block: + block: - when: not matrix_appservice_webhooks_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-appservice-webhooks diff --git a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml index 50228042..56eb91e5 100644 --- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml +++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-beeper-linkedin + - install-all + - install-beeper-linkedin + block: - when: matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-beeper-linkedin - - install-all - - install-beeper-linkedin - -- block: + block: - when: not matrix_beeper_linkedin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-beeper-linkedin diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml index 5bf9236b..7ba91421 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-go-skype-bridge + - install-all + - install-go-skype-bridge + block: - when: matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-go-skype-bridge - - install-all - - install-go-skype-bridge - -- block: + block: - when: not matrix_go_skype_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-go-skype-bridge diff --git a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml index 6146637f..7d8ccd8d 100644 --- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml 
@@ -97,11 +97,17 @@ when: "matrix_go_skype_bridge_stat_database.stat.exists" - name: (Data relocation) Move go-skype-bridge database file to ./data directory - ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + ansible.builtin.command: + cmd: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + creates: "{{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db" + removes: "{{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db" when: "matrix_go_skype_bridge_stat_database.stat.exists" - name: (Data relocation) Move go-skype-bridge mx-state file to ./data directory - ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json" + ansible.builtin.command: + cmd: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json" + creates: "{{ matrix_go_skype_bridge_data_path }}/mx-state.json" + removes: "{{ matrix_go_skype_bridge_base_path }}/mx-state.json" when: "matrix_go_skype_bridge_stat_mx_state.stat.exists" - name: Ensure go-skype-bridge config.yaml installed diff --git a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml index 0d8354cf..5b92520d 100644 --- a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml +++ b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml 
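Review bot: With `removes:` set, the module already skips when the source file is absent, so the retained `when: "matrix_go_skype_bridge_stat_database.stat.exists"` and `when: "matrix_go_skype_bridge_stat_mx_state.stat.exists"` are redundant, and the stat tasks that presumably register those variables above the hunk could be dropped, as this same commit does for the IRC passkey. The same pattern is kept in the mautrix-facebook, mautrix-googlechat, mautrix-hangouts and mautrix-telegram relocation hunks, and likely in the appservice-discord one, whose own `when:` is not visible in its hunk. Note that `creates:` also changes behaviour when both the old and the new file exist: `mv` previously overwrote the destination, whereas the task is now skipped and the old file stays in the base path; that is the safer default but deserves a comment, e.g. `# creates:/removes: idempotent relocation; an existing destination is never overwritten`.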
@@ -1,17 +1,17 @@ --- -- block: - - when: matrix_heisenbridge_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-heisenbridge - install-all - install-heisenbridge + block: + - when: matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_heisenbridge_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-heisenbridge + block: + - when: not matrix_heisenbridge_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index aa4ae45c..3b65b92a 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -122,15 +122,15 @@ matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matr # No need to change these matrix_hookshot_generic_enabled: true -matrix_hookshot_generic_enableHttpGet: false +matrix_hookshot_generic_enableHttpGet: false # noqa var-naming # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks" matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}" # urlprefix gets updated with protocol & port in group_vars/matrix_servers -matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" +matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}" # noqa var-naming # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap -matrix_hookshot_generic_userIdPrefix: '_webhooks_' -matrix_hookshot_generic_allowJsTransformationFunctions: false -matrix_hookshot_generic_waitForComplete: false +matrix_hookshot_generic_userIdPrefix: '_webhooks_' # noqa var-naming +matrix_hookshot_generic_allowJsTransformationFunctions: false # noqa var-naming +matrix_hookshot_generic_waitForComplete: false # noqa var-naming matrix_hookshot_feeds_enabled: true diff --git a/roles/custom/matrix-bridge-hookshot/tasks/main.yml b/roles/custom/matrix-bridge-hookshot/tasks/main.yml index c7ffc304..e2fa9936 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_hookshot_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_hookshot_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-hookshot + - install-all + - install-hookshot + block: - when: matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-hookshot - - install-all - - install-hookshot - -- block: + block: - when: not matrix_hookshot_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-hookshot diff --git a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml index e9b277ce..f0e8c1c6 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml @@ -57,7 +57,9 @@ register: hookshot_passkey_file - name: Generate hookshot passkey if it doesn't exist - ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096" + ansible.builtin.shell: + cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096" + creates: "{{ matrix_hookshot_base_path }}/passkey.pem" become: true become_user: "{{ matrix_user_username }}" when: "not hookshot_passkey_file.stat.exists" 
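Review bot: The hookshot passkey task keeps `register: hookshot_passkey_file` and `when: "not hookshot_passkey_file.stat.exists"` alongside the new `creates:`, while the equivalent appservice-irc task in this same commit drops the stat task entirely; the two guards now overlap, and one convention should be used for both roles. As in the IRC task, `ansible.builtin.shell` could be `ansible.builtin.command` here since no shell features are used in the genpkey invocation. The stat task that registers `hookshot_passkey_file` starts outside the hunk.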
diff --git a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml index cc90f2fa..19698f9f 100644 --- a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mautrix-discord + - install-all + - install-mautrix-discord + block: - when: matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-discord - - install-all - - install-mautrix-discord - -- block: + block: - when: not matrix_mautrix_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-discord diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml index fa7cec7d..11034668 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-facebook + - install-all + - install-mautrix-facebook + block: - when: matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-facebook - - install-all - - install-mautrix-facebook - -- block: + block: - when: not matrix_mautrix_facebook_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-facebook diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 758a5fed..fac1d1d2 100644 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_facebook_stat_database.stat.exists" - name: (Data relocation) Move mautrix-facebook database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + creates: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" + removes: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" when: "matrix_mautrix_facebook_stat_database.stat.exists" - name: Ensure mautrix-facebook config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml index 917ba7a9..a23923b5 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_googlechat_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_googlechat_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-googlechat + - install-all + - install-mautrix-googlechat + block: - when: matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-googlechat - - install-all - - install-mautrix-googlechat - -- block: + block: - when: not matrix_mautrix_googlechat_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-googlechat diff --git a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml index c1258471..c1ae8cf5 100644 --- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_googlechat_stat_database.stat.exists" - name: (Data relocation) Move mautrix-googlechat database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + creates: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + removes: "{{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db" when: "matrix_mautrix_googlechat_stat_database.stat.exists" - name: Ensure mautrix-googlechat config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml index e9d8048c..e7881567 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_hangouts_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_hangouts_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-hangouts + - install-all + - install-mautrix-hangouts + block: - when: matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-hangouts - - install-all - - install-mautrix-hangouts - -- block: + block: - when: not matrix_mautrix_hangouts_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-hangouts diff --git a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index f8fdb023..0fa54994 100644 --- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mautrix_hangouts_stat_database.stat.exists" - name: (Data relocation) Move mautrix-hangouts database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + creates: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" + removes: "{{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db" when: "matrix_mautrix_hangouts_stat_database.stat.exists" - name: Ensure mautrix-hangouts config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml index 0b3a722d..834dec0c 100644 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-instagram + - install-all + - install-mautrix-instagram + block: - when: matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-instagram - - install-all - - install-mautrix-instagram - -- block: + block: - when: not matrix_mautrix_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-instagram diff --git a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml index 9473344b..f5d769e5 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-signal + - install-all + - install-mautrix-signal + block: - when: matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-signal - - install-all - - install-mautrix-signal - -- block: + block: - when: not matrix_mautrix_signal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-signal diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml index bff90549..b7a2199d 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mautrix-slack + - install-all + - install-mautrix-slack + block: - when: matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-slack - - install-all - - install-mautrix-slack - -- block: + block: - when: not matrix_mautrix_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-slack diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml index 3c8e6d04..212848b6 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-telegram + - install-all + - install-mautrix-telegram + block: - when: matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-telegram - - install-all - - install-mautrix-telegram - -- block: + block: - when: not matrix_mautrix_telegram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-telegram diff --git a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 383d4827..ddf11d8d 100644 --- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml 
@@ -116,7 +116,10 @@ when: "matrix_mautrix_telegram_stat_database.stat.exists" - name: (Data relocation) Move mautrix-telegram database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + creates: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" + removes: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db" when: "matrix_mautrix_telegram_stat_database.stat.exists" - name: Ensure mautrix-telegram config.yaml installed diff --git a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml index 9eb444a7..655e52fb 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml 
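Review bot: With `creates`/`removes` on the `mv`, the relocation is now skipped silently whenever a database file already exists under `matrix_mautrix_telegram_data_path`, leaving the old copy in the base path and two bridge databases on disk; the previous unconditional `mv` would have overwritten the destination instead. Not clobbering existing state is the safer default, but the divergence deserves an explicit signal — a task comment such as `# Skipped (creates/removes) when the target already exists; the stale file in the base path is left untouched` at minimum, or a `fail` when both paths exist. The `when: "matrix_mautrix_telegram_stat_database.stat.exists"` guard now duplicates `removes` and could be dropped from this task (the stat register is still used by the task above, so keep the stat itself). The same pattern appears in the mautrix-whatsapp, mx-puppet-groupme, mx-puppet-slack, mx-puppet-steam and mx-puppet-twitter setup_install.yml hunks.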
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-twitter + - install-all + - install-mautrix-twitter + block: - when: matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-twitter - - install-all - - install-mautrix-twitter - -- block: + block: - when: not matrix_mautrix_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-twitter diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml index b49a1300..cb4e8dea 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mautrix-whatsapp + - install-all + - install-mautrix-whatsapp + block: - when: matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mautrix-whatsapp - - install-all - - install-mautrix-whatsapp - -- block: + block: - when: not matrix_mautrix_whatsapp_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mautrix-whatsapp diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 1cf883c5..e41fe9c3 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml 
@@ -97,11 +97,17 @@ when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - name: (Data relocation) Move mautrix-whatsapp database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + creates: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" + removes: "{{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db" when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - name: (Data relocation) Move mautrix-whatsapp mx-state file to ./data directory - ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + ansible.builtin.command: + cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + creates: "{{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" + removes: "{{ matrix_mautrix_whatsapp_base_path }}/mx-state.json" when: "matrix_mautrix_whatsapp_stat_mx_state.stat.exists" - name: Ensure mautrix-whatsapp config.yaml installed diff --git a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml index c1403dfa..c0300b51 100644 --- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-discord + - install-all + - install-mx-puppet-discord + block: - when: matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-discord - - install-all - - install-mx-puppet-discord - -- block: + block: - when: not matrix_mx_puppet_discord_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-discord diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml index ab5b0d44..de225e71 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-groupme + - install-all + - install-mx-puppet-groupme + block: - when: matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-groupme - - install-all - - install-mx-puppet-groupme - -- block: + block: - when: not matrix_mx_puppet_groupme_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-groupme diff --git a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 9db25e86..0ba1e699 100644 --- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml 
@@ -29,7 +29,10 @@ when: "matrix_mx_puppet_groupme_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-groupme database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_groupme_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_groupme_base_path }}/database.db" when: "matrix_mx_puppet_groupme_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml index 3cf02773..0d46532c 100644 --- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-instagram + - install-all + - install-mx-puppet-instagram + block: - when: matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-instagram - - install-all - - install-mx-puppet-instagram - -- block: + block: - when: not matrix_mx_puppet_instagram_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-instagram diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml index 3d6e722b..63e07405 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mx_puppet_slack_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mx_puppet_slack_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mx-puppet-slack + - install-all + - install-mx-puppet-slack + block: - when: matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-slack - - install-all - - install-mx-puppet-slack - -- block: + block: - when: not matrix_mx_puppet_slack_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-slack diff --git a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index e75d47e5..bba2d25c 100644 --- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml 
@@ -91,7 +91,10 @@ when: "matrix_mx_puppet_slack_enabled | bool and matrix_mx_puppet_slack_container_image_self_build" - name: (Data relocation) Move mx-puppet-slack database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_slack_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_slack_base_path }}/database.db" when: "matrix_mx_puppet_slack_stat_database.stat.exists" - name: Ensure mx-puppet-slack config.yaml installed diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml index 6eacc6fc..66d2980d 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-mx-puppet-steam + - install-all + - install-mx-puppet-steam + block: - when: matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-steam - - install-all - - install-mx-puppet-steam - -- block: + block: - when: not matrix_mx_puppet_steam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-steam diff --git a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index ca2de448..f2ccea59 100644 --- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml 
@@ -29,7 +29,10 @@ when: "matrix_mx_puppet_steam_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-steam database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_steam_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_steam_base_path }}/database.db" when: "matrix_mx_puppet_steam_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml index 85c06f04..d6d68103 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_mx_puppet_twitter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_mx_puppet_twitter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-mx-puppet-twitter + - install-all + - install-mx-puppet-twitter + block: - when: matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-mx-puppet-twitter - - install-all - - install-mx-puppet-twitter - -- block: + block: - when: not matrix_mx_puppet_twitter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-mx-puppet-twitter diff --git a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index a8450205..9224e956 100644 --- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml 
@@ -29,7 +29,10 @@ when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - name: (Data relocation) Move mx-puppet-twitter database file to ./data directory - ansible.builtin.command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + ansible.builtin.command: + cmd: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + creates: "{{ matrix_mx_puppet_twitter_data_path }}/database.db" + removes: "{{ matrix_mx_puppet_twitter_base_path }}/database.db" when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - ansible.builtin.set_fact: diff --git a/roles/custom/matrix-bridge-sms/tasks/main.yml b/roles/custom/matrix-bridge-sms/tasks/main.yml index f9bd502c..57d51727 100644 --- a/roles/custom/matrix-bridge-sms/tasks/main.yml +++ b/roles/custom/matrix-bridge-sms/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-matrix-sms-bridge + - install-all + - install-matrix-sms-bridge + block: - when: matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-sms-bridge - - install-all - - install-matrix-sms-bridge - -- block: + block: - when: not matrix_sms_bridge_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-sms-bridge diff --git a/roles/custom/matrix-cactus-comments/tasks/main.yml b/roles/custom/matrix-cactus-comments/tasks/main.yml index c6108e91..c1a08d32 100644 --- a/roles/custom/matrix-cactus-comments/tasks/main.yml +++ b/roles/custom/matrix-cactus-comments/tasks/main.yml 
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-cactus-comments + - install-all + - install-cactus-comments + block: - when: matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-cactus-comments - - install-all - - install-cactus-comments - -- block: + block: - when: not matrix_cactus_comments_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-cactus-comments diff --git a/roles/custom/matrix-client-cinny/tasks/main.yml b/roles/custom/matrix-client-cinny/tasks/main.yml index 1e6d4759..40c6514b 100644 --- a/roles/custom/matrix-client-cinny/tasks/main.yml +++ b/roles/custom/matrix-client-cinny/tasks/main.yml 
@@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-client-cinny + - install-all + - install-client-cinny + block: - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-cinny - - install-all - - install-client-cinny - -- block: + block: - when: not matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-cinny -- block: +- tags: + - self-check + block: - when: matrix_client_cinny_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-client-element/tasks/main.yml b/roles/custom/matrix-client-element/tasks/main.yml index 89e50ba7..77020067 100644 --- a/roles/custom/matrix-client-element/tasks/main.yml +++ b/roles/custom/matrix-client-element/tasks/main.yml @@ -1,6 +1,11 @@ --- -- block: +- tags: + - setup-all + - setup-client-element + - install-all + - install-client-element + block: - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" @@ -9,21 +14,16 @@ - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-element - - install-all - - install-client-element - -- block: + block: - when: not matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-element -- block: +- tags: + - self-check + block: - when: matrix_client_element_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check 
diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml index fc0532db..50d6370f 100644 --- a/roles/custom/matrix-client-element/tasks/setup_install.yml +++ b/roles/custom/matrix-client-element/tasks/setup_install.yml @@ -56,6 +56,7 @@ --tag={{ matrix_client_element_docker_image }} --file={{ matrix_client_element_docker_src_files_path }}/Dockerfile {{ matrix_client_element_docker_src_files_path }} + changed_when: true when: matrix_client_element_container_image_self_build | bool - name: Ensure Element configuration installed diff --git a/roles/custom/matrix-client-hydrogen/tasks/main.yml b/roles/custom/matrix-client-hydrogen/tasks/main.yml index 9bb8bc08..9e7445c0 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/main.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/main.yml @@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-client-hydrogen + - install-all + - install-client-hydrogen + block: - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-client-hydrogen - - install-all - - install-client-hydrogen - -- block: + block: - when: not matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-client-hydrogen -- block: +- tags: + - self-check + block: - when: matrix_client_hydrogen_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-common-after/tasks/main.yml b/roles/custom/matrix-common-after/tasks/main.yml index fe23e467..5e4dc76b 100644 --- a/roles/custom/matrix-common-after/tasks/main.yml +++ b/roles/custom/matrix-common-after/tasks/main.yml 
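Review bot: `changed_when: true` declares what `ansible.builtin.command` already reports by default, so the Element self-build step behaves exactly as before; presumably this is to satisfy a linter rather than to change semantics. A one-line comment would stop the next reader from assuming the build was previously idempotent, e.g. `# docker build re-runs on every play; the change state is declared explicitly rather than inferred`. The enclosing task starts outside the hunk, so whether the build is already guarded by something else cannot be seen here.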
@@ -1,6 +1,6 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" - tags: +- tags: - run-docker-prune + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" diff --git a/roles/custom/matrix-conduit/tasks/main.yml b/roles/custom/matrix-conduit/tasks/main.yml index d733ac08..f48e385e 100644 --- a/roles/custom/matrix-conduit/tasks/main.yml +++ b/roles/custom/matrix-conduit/tasks/main.yml @@ -1,17 +1,17 @@ --- -- block: - - when: matrix_conduit_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-conduit - install-all - install-conduit + block: + - when: matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_conduit_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-conduit + block: + - when: not matrix_conduit_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-corporal/tasks/main.yml b/roles/custom/matrix-corporal/tasks/main.yml index c4c7b7fc..e8f3b785 100644 --- a/roles/custom/matrix-corporal/tasks/main.yml +++ b/roles/custom/matrix-corporal/tasks/main.yml 
@@ -1,26 +1,26 @@ --- -- block: +- tags: + - setup-all + - setup-corporal + - install-all + - install-corporal + block: - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-corporal - - install-all - - install-corporal - -- block: + block: - when: not matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-corporal -- block: +- tags: + - self-check + block: - when: matrix_corporal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-coturn/tasks/main.yml b/roles/custom/matrix-coturn/tasks/main.yml index 45ce9fd9..1b1332fb 100644 --- a/roles/custom/matrix-coturn/tasks/main.yml +++ b/roles/custom/matrix-coturn/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-coturn + - install-all + - install-coturn + block: - when: matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-coturn - - install-all - - install-coturn - -- block: + block: - when: not matrix_coturn_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-coturn diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index 44325f46..1cb8bd69 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml 
@@ -62,8 +62,8 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- when: matrix_coturn_docker_network not in ['', 'host'] - name: Ensure Coturn network is created in Docker +- name: Ensure Coturn network is created in Docker + when: matrix_coturn_docker_network not in ['', 'host'] community.docker.docker_network: name: "{{ matrix_coturn_docker_network }}" driver: bridge diff --git a/roles/custom/matrix-dendrite/tasks/main.yml b/roles/custom/matrix-dendrite/tasks/main.yml index 0e88ec51..78d81524 100644 --- a/roles/custom/matrix-dendrite/tasks/main.yml +++ b/roles/custom/matrix-dendrite/tasks/main.yml @@ -1,35 +1,35 @@ --- -- block: +- tags: + - setup-all + - setup-dendrite + - install-all + - install-dendrite + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dendrite - - install-all - - install-dendrite - -- block: + block: - when: not matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dendrite -- block: +- tags: + - self-check + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - tags: - - self-check -- block: +- tags: + - register-user + block: - when: matrix_dendrite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" - tags: - - register-user diff --git a/roles/custom/matrix-dendrite/tasks/setup_install.yml b/roles/custom/matrix-dendrite/tasks/setup_install.yml index 3b8cbd9b..283e8b01 100644 --- a/roles/custom/matrix-dendrite/tasks/setup_install.yml 
+++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml @@ -42,24 +42,20 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -- name: Check if a Dendrite signing key exists - ansible.builtin.stat: - path: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" - register: matrix_dendrite_signing_key_stat - # We do this so that the signing key would get generated. # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent version, which is not available for a lot of people yet. - name: Generate Dendrite signing key - ansible.builtin.command: | - docker run - --rm - --name=matrix-dendrite-config - --entrypoint=generate-keys - --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data - {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem - generate - when: "not matrix_dendrite_signing_key_stat.stat.exists" + ansible.builtin.command: + cmd: | + docker run + --rm + --name=matrix-dendrite-config + --entrypoint=generate-keys + --mount type=bind,src={{ matrix_dendrite_config_dir_path }},dst=/data + {{ matrix_dendrite_docker_image }} --private-key=/data/{{ matrix_server_fqn_matrix }}.signing.pem + generate + creates: "{{ matrix_dendrite_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.pem" - name: Ensure Dendrite server key exists ansible.builtin.file: diff --git a/roles/custom/matrix-dimension/tasks/main.yml b/roles/custom/matrix-dimension/tasks/main.yml index efd0f8d4..1e949d3f 100644 --- a/roles/custom/matrix-dimension/tasks/main.yml +++ b/roles/custom/matrix-dimension/tasks/main.yml 
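Review bot: Removing the stat task also removes the `matrix_dendrite_signing_key_stat` register; the hunk shows only the generation step, so any other task in setup_install.yml or the role's other task files that still reads that variable would now fail with an undefined variable and should be checked before merging. The header comment "We do this so that the signing key would get generated." predates `creates:` and should say why the guard matters for a federation signing key — once present it must never be regenerated — e.g. `# creates: protects an existing key; regenerating it would change this server's federation identity`. Note that `creates:` only tests that the path exists, not that the file is a usable key, so a zero-byte file left by an interrupted run would block regeneration; the old stat-based guard had the same weakness, so this is a caveat rather than a regression.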
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-dimension + - install-all + - install-dimension + block: - when: matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dimension - - install-all - - install-dimension - -- block: + block: - when: not matrix_dimension_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dimension diff --git a/roles/custom/matrix-dynamic-dns/tasks/main.yml b/roles/custom/matrix-dynamic-dns/tasks/main.yml index ae7503b7..8327a84a 100644 --- a/roles/custom/matrix-dynamic-dns/tasks/main.yml +++ b/roles/custom/matrix-dynamic-dns/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-dynamic-dns + - install-all + - install-dynamic-dns + block: - when: matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-dynamic-dns - - install-all - - install-dynamic-dns - -- block: + block: - when: not matrix_dynamic_dns_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-dynamic-dns diff --git a/roles/custom/matrix-email2matrix/tasks/main.yml b/roles/custom/matrix-email2matrix/tasks/main.yml index 8fac77ce..acd2c9c1 100644 --- a/roles/custom/matrix-email2matrix/tasks/main.yml +++ b/roles/custom/matrix-email2matrix/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-email2matrix + - install-all + - install-email2matrix + block: - when: matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-email2matrix - - install-all - - install-email2matrix - -- block: + block: - when: not matrix_email2matrix_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-email2matrix diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml index b35c2c34..0ebf3ad6 100644 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ b/roles/custom/matrix-jitsi/tasks/main.yml 
@@ -1,27 +1,32 @@ --- -- block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" - tags: +- tags: - setup-additional-jitsi-jvb - install-additional-jitsi-jvb - -- block: + block: - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml" - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" - tags: +- tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb - install-all - install-jitsi - install-additional-jitsi-jvb + block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" + +- tags: + - setup-all + - setup-jitsi + - install-all + - install-jitsi + block: - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_install.yml" @@ -30,13 +35,11 @@ - when: matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_install.yml" - tags: + +- tags: - setup-all - setup-jitsi - - install-all - - install-jitsi - -- block: + block: - when: not matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml" 
@@ -45,31 +48,28 @@ - when: not matrix_jitsi_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_uninstall.yml" - tags: - - setup-all - - setup-jitsi -- block: - - when: matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" - tags: +- tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb - install-all - install-jitsi - install-additional-jitsi-jvb + block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml" -- block: - - when: not matrix_jitsi_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" - tags: +- tags: - setup-all - setup-jitsi - setup-additional-jitsi-jvb + block: + - when: not matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml" -- block: +- tags: + - self-check + block: - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml" - tags: - - self-check diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml index f1d9ff21..4aa67a31 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml 
@@ -5,11 +5,16 @@
 repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}"
 dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
 version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}"
+ become: true
+ become_user: "{{ matrix_user_username }}"

 - name: Install Prosody Auth Matrix User Verification Plugin
 ansible.builtin.copy:
 remote_src: true
 src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}"
 dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
 with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}"
 when: item.when | bool
diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml
index 9309113f..cc71ae82 100644
--- a/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml
+++ b/roles/custom/matrix-ldap-registration-proxy/tasks/main.yml
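Review bot: `mode: 0644` on the copy task is an unquoted octal-looking scalar; YAML 1.1 loaders read it as the integer 420 and ansible-lint reports it as risky-octal, so `mode: "0644"` states the intent without depending on the loader. The `become_user` added to the git checkout runs the clone as `matrix_user_username` instead of the play's default user, which is the right direction for least privilege, and the owner/group set on the copied plugin files keeps their ownership consistent with that. The git task these lines extend starts outside the hunk.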
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_ldap_registration_proxy_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_ldap_registration_proxy_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-matrix-ldap-registration-proxy + - install-all + - install-matrix-ldap-registration-proxy + block: - when: matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-ldap-registration-proxy - - install-all - - install-matrix-ldap-registration-proxy - -- block: + block: - when: not matrix_ldap_registration_proxy_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-ldap-registration-proxy diff --git a/roles/custom/matrix-ma1sd/tasks/main.yml b/roles/custom/matrix-ma1sd/tasks/main.yml index a65cf371..a9c4ec8b 100644 --- a/roles/custom/matrix-ma1sd/tasks/main.yml +++ b/roles/custom/matrix-ma1sd/tasks/main.yml 
@@ -1,25 +1,25 @@ --- -- block: +- tags: + - setup-all + - setup-ma1sd + - install-all + - install-ma1sd + block: - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: - - setup-all - - setup-ma1sd - - install-all - - install-ma1sd -- block: +- tags: + - setup-ma1sd + block: - when: not matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-ma1sd -- block: +- tags: + - self-check + block: - when: matrix_ma1sd_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml" - tags: - - self-check diff --git a/roles/custom/matrix-ma1sd/tasks/setup_install.yml b/roles/custom/matrix-ma1sd/tasks/setup_install.yml index 6fe20342..5800b45a 100644 --- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml @@ -89,6 +89,7 @@ chdir: "{{ matrix_ma1sd_docker_src_files_path }}" environment: DOCKER_BUILDKIT: 1 + changed_when: true when: matrix_ma1sd_git_pull_results.changed - name: Ensure ma1sd Docker image is tagged correctly diff --git a/roles/custom/matrix-mailer/tasks/main.yml b/roles/custom/matrix-mailer/tasks/main.yml index b269f63e..00fa0884 100644 --- a/roles/custom/matrix-mailer/tasks/main.yml +++ b/roles/custom/matrix-mailer/tasks/main.yml 
@@ -1,17 +1,17 @@ --- -- block: - - when: matrix_mailer_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-mailer - install-all - install-mailer + block: + - when: matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_mailer_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-mailer + block: + - when: not matrix_mailer_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-nginx-proxy/tasks/main.yml b/roles/custom/matrix-nginx-proxy/tasks/main.yml index 39cec7e5..7a702fb3 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/main.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/main.yml @@ -29,13 +29,13 @@ - install-all - install-nginx-proxy -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - tags: +- tags: - self-check + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - name: Mark matrix-nginx-proxy role as executed - ansible.builtin.set_fact: - matrix_nginx_proxy_role_executed: true tags: - always + ansible.builtin.set_fact: + matrix_nginx_proxy_role_executed: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index b10791a7..a175b831 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -51,6 +51,7 @@ --agree-tos --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} + changed_when: true when: domain_name_needs_cert | bool register: result_certbot_direct ignore_errors: true 
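Review bot: `changed_when: true` on the certbot command reports a change even when certbot fails, because the same task carries `ignore_errors: true`; tying it to the exit status, `changed_when: result_certbot_direct.rc == 0`, keeps the play recap honest about whether a certificate was actually issued. The proxied fallback in the next hunk of the same file has the same shape, where `changed_when: result_certbot_proxy.rc == 0` would be the matching form. Both certbot tasks start outside their hunks, so the rest of the command line is not visible here.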
@@ -81,6 +82,7 @@ --agree-tos --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} + changed_when: true when: "domain_name_needs_cert and result_certbot_direct.failed" register: result_certbot_proxy ignore_errors: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index d0b254a2..c0f19519 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -28,16 +28,19 @@ # # We'll do it in a more manual way. - name: Generate SSL certificate - ansible.builtin.command: | - openssl req -x509 \ - -sha256 \ - -newkey rsa:4096 \ - -nodes \ - -subj "/CN={{ domain_name }}" \ - -keyout {{ matrix_ssl_certificate_cert_key_path }} \ - -out {{ matrix_ssl_certificate_cert_path }} \ - -days 3650 when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + ansible.builtin.command: + cmd: | + openssl req -x509 \ + -sha256 \ + -newkey rsa:4096 \ + -nodes \ + -subj "/CN={{ domain_name }}" \ + -keyout {{ matrix_ssl_certificate_cert_key_path }} \ + -out {{ matrix_ssl_certificate_cert_path }} \ + -days 3650 + # Well, this creates 2 files, but Ansible can only check 1. + creates: "{{ matrix_ssl_certificate_cert_path }}" - name: Adjust SSL certificate file ownership ansible.builtin.file: diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml index b205dec3..ad047460 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/main.yml 
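Review bot: The new `creates:` on the certificate path duplicates the `when:` that already skips the task when that same file exists, so one of the two guards is redundant; keeping `creates:` alone is the idiomatic form. Neither guard looks at the key written by `-keyout`, so a host where the certificate survives but the key does not is never regenerated — the added comment acknowledges that `creates` checks one file, but the `when:` could also test a stat of the key path if one is registered outside this hunk. `-nodes` writes the private key unencrypted, which is expected for a server key, but the file is created under the shell's default umask and the following ownership task is outside the hunk, so it is not visible whether the key's mode is restricted afterwards; an explicit `mode` on the key in that task would close the gap if it is not already there.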
@@ -1,29 +1,29 @@ --- -- block: - - when: matrix_prometheus_nginxlog_exporter_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-prometheus-nginxlog-exporter - install-all - install-prometheus-nginxlog-exporter + block: + - when: matrix_prometheus_nginxlog_exporter_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-prometheus-nginxlog-exporter + - install-all + - install-prometheus-nginxlog-exporter + block: - when: matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-prometheus-nginxlog-exporter - - install-all - - install-prometheus-nginxlog-exporter - -- block: + block: - when: not matrix_prometheus_nginxlog_exporter_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-prometheus-nginxlog-exporter diff --git a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml index e5654688..ea067bdb 100644 --- a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml +++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/main.yml 
@@ -1,28 +1,28 @@ --- - name: Fail if matrix-nginx-proxy role executed before matrix-prometheus-services-proxy-connect + when: matrix_nginx_proxy_role_executed | default(False) | bool ansible.builtin.fail: msg: >- Trying to append node-exporter's reverse-proxying configuration to matrix-nginx-proxy, but it's pointless since the matrix-nginx-proxy role had already executed. To fix this, please change the order of roles in your playbook, so that the matrix-nginx-proxy role would run after the matrix-prometheus-services-proxy-connect role. - when: matrix_nginx_proxy_role_executed | default(False) | bool -- block: +- tags: + - setup-all + - setup-nginx-proxy + - install-all + - install-nginx-proxy + block: - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml" - tags: + +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy - -- block: + block: - when: prometheus_node_exporter_enabled | bool and matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml" - tags: - - setup-all - - setup-nginx-proxy - - install-all - - install-nginx-proxy diff --git a/roles/custom/matrix-prometheus/tasks/main.yml b/roles/custom/matrix-prometheus/tasks/main.yml index 59371d4d..bbd82001 100644 --- a/roles/custom/matrix-prometheus/tasks/main.yml +++ b/roles/custom/matrix-prometheus/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-prometheus + - install-all + - install-prometheus + block: - when: matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-prometheus - - install-all - - install-prometheus - -- block: + block: - when: not matrix_prometheus_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-prometheus diff --git a/roles/custom/matrix-rageshake/tasks/install.yml b/roles/custom/matrix-rageshake/tasks/install.yml index f9461680..a1db9a87 100644 --- a/roles/custom/matrix-rageshake/tasks/install.yml +++ b/roles/custom/matrix-rageshake/tasks/install.yml @@ -62,6 +62,7 @@ --tag={{ matrix_rageshake_container_image }} --file={{ matrix_rageshake_container_src_files_path }}/Dockerfile {{ matrix_rageshake_container_src_files_path }} + changed_when: true when: matrix_rageshake_container_image_self_build | bool - name: Ensure rageshake container network is created diff --git a/roles/custom/matrix-rageshake/tasks/main.yml b/roles/custom/matrix-rageshake/tasks/main.yml index c330964a..a211296d 100644 --- a/roles/custom/matrix-rageshake/tasks/main.yml +++ b/roles/custom/matrix-rageshake/tasks/main.yml 
@@ -1,19 +1,20 @@ --- -- block: + +- tags: + - setup-all + - setup-rageshake + - install-all + - install-rageshake + block: - when: matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-rageshake - - install-all - - install-rageshake - -- block: + block: - when: not matrix_rageshake_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-rageshake diff --git a/roles/custom/matrix-registration/tasks/main.yml b/roles/custom/matrix-registration/tasks/main.yml index bebcebc0..64843dee 100644 --- a/roles/custom/matrix-registration/tasks/main.yml +++ b/roles/custom/matrix-registration/tasks/main.yml 
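Review bot: The rewritten rageshake main.yml now opens with an added blank line directly after `---`, which none of the other task files touched by this commit do; the sliding-sync main.yml hunk further down has the same extra line (`-1,19 +1,20` in both cases accounts for it). Dropping that line keeps the files uniform with the rest of the refactor.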
@@ -1,41 +1,41 @@ --- -- block: - - when: matrix_registration_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_registration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-matrix-registration + - install-all + - install-matrix-registration + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-matrix-registration - - install-all - - install-matrix-registration - -- block: + block: - when: not matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-matrix-registration -- block: +- tags: + - generate-matrix-registration-token + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/generate_token.yml" - tags: - - generate-matrix-registration-token -- block: +- tags: + - list-matrix-registration-tokens + block: - when: matrix_registration_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/list_tokens.yml" - tags: - - list-matrix-registration-tokens diff --git a/roles/custom/matrix-sliding-sync/tasks/install.yml b/roles/custom/matrix-sliding-sync/tasks/install.yml index 26717afd..cb41cec0 100644 --- a/roles/custom/matrix-sliding-sync/tasks/install.yml +++ b/roles/custom/matrix-sliding-sync/tasks/install.yml 
@@ -56,6 +56,7 @@ --tag={{ matrix_sliding_sync_container_image }} --file={{ matrix_sliding_sync_container_src_path }}/Dockerfile {{ matrix_sliding_sync_container_src_path }} + changed_when: true - name: Ensure matrix-sliding-sync container network is created community.general.docker_network: diff --git a/roles/custom/matrix-sliding-sync/tasks/main.yml b/roles/custom/matrix-sliding-sync/tasks/main.yml index 71e7391b..521f16fe 100644 --- a/roles/custom/matrix-sliding-sync/tasks/main.yml +++ b/roles/custom/matrix-sliding-sync/tasks/main.yml @@ -1,19 +1,20 @@ --- -- block: + +- tags: + - setup-all + - setup-sliding-sync + - install-all + - install-sliding-sync + block: - when: matrix_sliding_sync_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sliding_sync_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-sliding-sync - - install-all - - install-sliding-sync - -- block: + block: - when: not matrix_sliding_sync_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-sliding-sync diff --git a/roles/custom/matrix-sygnal/tasks/main.yml b/roles/custom/matrix-sygnal/tasks/main.yml index ba4cb876..a586cbd0 100644 --- a/roles/custom/matrix-sygnal/tasks/main.yml +++ b/roles/custom/matrix-sygnal/tasks/main.yml @@ -1,20 +1,20 @@ --- -- block: +- tags: + - setup-all + - setup-sygnal + - install-all + - install-sygnal + block: - when: matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: + +- tags: - setup-all - setup-sygnal - - install-all - - install-sygnal - -- block: + block: - when: not matrix_sygnal_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" - tags: - - setup-all - - setup-sygnal 
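Review bot: `changed_when: true` is added to the sliding-sync image build, but unlike the rageshake build in this same commit no `when:` guard is visible on this task, so if it is unconditional it now reports a change on every run rather than only when a self-build is requested. The task header is outside the hunk, so the condition may already sit there; if it does not, a `when:` on the role's self-build flag (the sliding-sync counterpart of the rageshake `..._container_image_self_build | bool` guard) would be the matching form.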
diff --git a/roles/custom/matrix-synapse-admin/tasks/main.yml b/roles/custom/matrix-synapse-admin/tasks/main.yml index f38f1d5e..da9bdb18 100644 --- a/roles/custom/matrix-synapse-admin/tasks/main.yml +++ b/roles/custom/matrix-synapse-admin/tasks/main.yml @@ -1,29 +1,29 @@ --- -- block: - - when: matrix_synapse_admin_enabled | bool and matrix_synapse_admin_nginx_proxy_integration_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" - tags: +- tags: - setup-all - setup-nginx-proxy - install-all - install-nginx-proxy + block: + - when: matrix_synapse_admin_enabled | bool and matrix_synapse_admin_nginx_proxy_integration_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" -- block: +- tags: + - setup-all + - setup-synapse-admin + - install-all + - install-synapse-admin + block: - when: matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse-admin - - install-all - - install-synapse-admin - -- block: + block: - when: not matrix_synapse_admin_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse-admin diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml index 0dba0b9c..68060267 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml 
@@ -1,20 +1,20 @@ --- -- block: - - when: matrix_synapse_reverse_proxy_companion_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse-reverse-proxy-companion - setup-synapse - install-all - install-synapse-reverse-proxy-companion - install-synapse + block: + - when: matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" -- block: - - when: not matrix_synapse_reverse_proxy_companion_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse-reverse-proxy-companion - setup-synapse + block: + - when: not matrix_synapse_reverse_proxy_companion_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml index a2413803..0d887939 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml 
@@ -1,60 +1,60 @@ --- # encryption-disabler -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_encryption_disabler_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml" - tags: - - setup-all - - setup-synapse # rest-auth -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_password_provider_rest_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" - tags: - - setup-all - - setup-synapse # shared-secret-auth -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" - tags: - - setup-all - - setup-synapse # ldap-auth -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_password_provider_ldap_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup_install.yml" - tags: - - setup-all - - setup-synapse # synapse-simple-antispam -- block: +- tags: + - setup-all + - setup-synapse + block: - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" - tags: - - setup-all - - setup-synapse # mjolnir-antispam -- block: - - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" # s3-storage-provider -- block: +- tags: + - setup-all + - setup-synapse + block: - when: 
matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/validate_config.yml" - when: matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_install.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml index cca6c1b8..f584f584 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml 
@@ -1,52 +1,52 @@ --- # encryption-disabler -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_ext_encryption_disabler_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse # rest-auth -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_ext_password_provider_rest_auth_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse # shared-secret-auth -- block: - - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not matrix_synapse_ext_password_provider_shared_secret_auth_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" # ldap-auth has no uninstall tasks # synapse-simple-antispam -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse # mjolnir-antispam -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse # s3-storage-provider -- block: - - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - when: not 
matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml index d00c1808..88a54afc 100644 --- a/roles/custom/matrix-synapse/tasks/main.yml +++ b/roles/custom/matrix-synapse/tasks/main.yml @@ -1,9 +1,6 @@ --- -- block: - - when: matrix_synapse_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/init.yml" - tags: +- tags: - setup-all - setup-synapse - install-all 
@@ -19,55 +16,58 @@ - stop - stop-all - stop-group + block: + - when: matrix_synapse_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/init.yml" -- block: +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - - install-all - - install-synapse - -- block: + block: - when: not matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse -- block: +- tags: + - import-synapse-media-store + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/import_media_store.yml" - tags: - - import-synapse-media-store -- block: +- tags: + - register-user + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml" - tags: - - register-user -- block: +- tags: + - update-user-password + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/update_user_password.yml" - tags: - - update-user-password -- block: +- tags: + - rust-synapse-compress-state + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" - tags: - - rust-synapse-compress-state -- block: +- tags: + - self-check + block: - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - when: matrix_synapse_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - tags: - - self-check 
diff --git a/roles/custom/matrix-synapse/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/setup_install.yml index c8b191ec..378a0dee 100644 --- a/roles/custom/matrix-synapse/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/setup_install.yml @@ -23,33 +23,33 @@ # trying to chown/chmod it here will cause trouble. when: item.when | bool -- block: +- tags: + - setup-all + - setup-synapse + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_install.yml" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: matrix_synapse_workers_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: not matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml index 72b64c87..7ce5e13d 100644 --- a/roles/custom/matrix-synapse/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/setup_uninstall.yml 
@@ -1,27 +1,27 @@ --- -- block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" - tags: +- tags: - setup-all - setup-synapse + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/setup_uninstall.yml" -- block: +- tags: + - setup-all + - setup-synapse + block: - when: not matrix_synapse_workers_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml" - tags: + +- tags: - setup-all - setup-synapse - -- block: + block: - when: not matrix_s3_media_store_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - tags: - - setup-all - - setup-synapse diff --git a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml index 4a62d88d..169be60b 100644 --- a/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/synapse/setup_install.yml @@ -48,6 +48,7 @@ . environment: DOCKER_BUILDKIT: 1 + changed_when: true when: "matrix_synapse_git_pull_results.changed | bool or matrix_synapse_docker_image_check_result.stdout == ''" - name: Ensure Synapse Docker image is pulled @@ -82,11 +83,6 @@ path: "{{ matrix_synapse_customized_docker_src_files_path }}" nocache: "{{ matrix_synapse_docker_image_customized_build_nocache }}" -- name: Check if a Synapse signing key exists - ansible.builtin.stat: - path: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" - register: matrix_synapse_signing_key_stat - # We do this so that the signing key would get generated. # # This will also generate a default homeserver.yaml configuration file and a log configuration file. 
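Review bot: Removing the `Check if a Synapse signing key exists` stat task also removes the registered `matrix_synapse_signing_key_stat` fact, and the next hunk replaces its only visible use with `creates:` on the same path; any other task file in the role that still reads that fact would now fail on an undefined variable, so it is worth grepping for the name before merging. The `creates:` path is identical to the old stat path, so the skip condition itself is unchanged.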
@@ -95,19 +91,20 @@
 # We don't use the `docker_container` module, because using it with `cap_drop` requires
 # a very recent docker-py version, which is not available for a lot of people yet.
 - name: Generate initial Synapse config and signing key
- ansible.builtin.command: |
- docker run
- --rm
- --name=matrix-config
- --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
- --cap-drop=ALL
- --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data
- -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
- -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }}
- -e SYNAPSE_REPORT_STATS=no
- {{ matrix_synapse_docker_image }}
- generate
- when: "not matrix_synapse_signing_key_stat.stat.exists"
+ ansible.builtin.command:
+ cmd: |
+ docker run
+ --rm
+ --name=matrix-config
+ --user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
+ --cap-drop=ALL
+ --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data
+ -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
+ -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }}
+ -e SYNAPSE_REPORT_STATS=no
+ {{ matrix_synapse_docker_image }}
+ generate
+ creates: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key"

 - name: Ensure Synapse homeserver config installed
 ansible.builtin.copy:
diff --git a/roles/custom/matrix-user-creator/tasks/main.yml b/roles/custom/matrix-user-creator/tasks/main.yml
index 2198b3eb..ff93a463 100644
--- a/roles/custom/matrix-user-creator/tasks/main.yml
+++ b/roles/custom/matrix-user-creator/tasks/main.yml
@@ -1,10 +1,10 @@
---
-- block:
- - when: matrix_user_creator_users | length > 0
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"
- tags:
+- tags:
# This role intentionally doesn't do work on a `setup-all` tag.
# If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data,
# which would make importing a database dump problematic.
- ensure-matrix-users-created
+ block:
+ - when: matrix_user_creator_users | length > 0
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"
diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml
index 6eaaaf23..1b65f86a 100644
--- a/roles/custom/matrix-user-verification-service/tasks/main.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/main.yml
@@ -1,19 +1,19 @@
---
-- block:
- - when: run_setup | bool and matrix_user_verification_service_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- - when: run_setup | bool and matrix_user_verification_service_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
+- tags:
- setup-all
- setup-user-verification-service
- install-all
- install-user-verification-service
+ block:
+ - when: run_setup | bool and matrix_user_verification_service_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+ - when: run_setup | bool and matrix_user_verification_service_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-- block:
- - when: run_setup | bool and not matrix_user_verification_service_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
- tags:
+- tags:
- setup-all
- setup-user-verification-service
+ block:
+ - when: run_setup | bool and not matrix_user_verification_service_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml
index 4a39e2c7..4dbd3554 100644
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
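Review bot: Both tasks re-added inside the first block carry the identical `when: run_setup | bool and matrix_user_verification_service_enabled | bool`, so the condition is evaluated and maintained twice; since the list items are being rewritten anyway, it could sit once at block level, which is exactly the shape the matrix_playbook_migration hunk below already uses with `- when: devture_traefik_enabled | bool` ahead of its `tags:` and `block:`. Suggest making `- when: run_setup | bool and matrix_user_verification_service_enabled | bool` the first key of the first list item and dropping the two per-task `when:` lines, and likewise `- when: run_setup | bool and not matrix_user_verification_service_enabled | bool` for the second block. A block-level `when:` is applied to each task in the block, so the tasks run under the same condition as before.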
@@ -1,22 +1,22 @@
---
-- block:
+- tags:
+ - setup-all
+ - install-all
+ block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- tags:
- - setup-all
- - install-all
-- block:
- - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml"
- tags:
+- tags:
- setup-all
- install-all
+ block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml"
- when: devture_traefik_enabled | bool
- block:
- - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml"
tags:
- setup-all
- install-all
- setup-traefik
- install-traefik
+ block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_matrix_traefik.yml"
From cdb1452d170d99170af77687380c059a581b4570 Mon Sep 17 00:00:00 2001
From: Aine <97398200+etkecc@users.noreply.github.com>
Date: Tue, 7 Mar 2023 20:38:36 +0000
Subject: [PATCH 71/71] Update jitsi stable-8252 -> stable-8319
---
roles/custom/matrix-jitsi/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml
index cc24d356..ef4cf100 100644
--- a/roles/custom/matrix-jitsi/defaults/main.yml
+++ b/roles/custom/matrix-jitsi/defaults/main.yml
@@ -91,7 +91,7 @@ matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_enable_lobby: false
-matrix_jitsi_version: stable-8252
+matrix_jitsi_version: stable-8319
matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"