Compare commits

..

No commits in common. "a323cba3c2582a95bde997eb0a9ed181af7c1f9f" and "a8d362c8b435f82b698a22e05beddcc19bb6c76f" have entirely different histories.

22 changed files with 35 additions and 137 deletions

1
.gitattributes vendored
View file

@ -1 +0,0 @@
* text=auto eol=lf

View file

@ -13,7 +13,7 @@ jobs:
- name: Check out
uses: actions/checkout@v4
- name: Run yamllint
uses: frenck/action-yamllint@v1.4.2
uses: frenck/action-yamllint@v1.4.1
ansible-lint:
name: ansible-lint
runs-on: ubuntu-latest

View file

@ -1,35 +1,3 @@
# 2023-10-23
## Enabling `allow_public_rooms_over_federation` by default for Synapse
**TDLR**: if your Matrix server is federating (which it mostly likely is, unless you've [disabled federation](docs/configuring-playbook-federation.md#disabling-federation)), your public rooms will not only be joinable across federation (as they've always been), but from now on will be discoverable (made available as a list across federation). We're changing this by flipping the value for Synapse's `allow_public_rooms_over_federation` setting to `true`, going against the upstream default. Servers that disable federation are not affected. Servers that have public rooms which are not published to the room directory are also not affected.
We generally try to stick to the default configuration for Synapse (and all other components), unless these defaults seem wrong or harmful. One such previous case from a few months ago was us [Enabling `forget_rooms_on_leave` by default for Synapse](#enabling-forget_rooms_on_leave-by-default-for-synapse) - the default value was making Synapse more wasteful of resources by default.
Today, we're going against upstream defaults again and flipping the `allow_public_rooms_over_federation` configuration option to `true`.
This way, public rooms on your server will be made discoverable by others via federation, using the [`GET /_matrix/federation/v1/publicRooms` of the Server-Server API](https://spec.matrix.org/v1.8/server-server-api/#get_matrixfederationv1publicrooms).
The upstream Synapse default is `false` (disabled), so that public rooms are not exposed for other servers to discover (learn about their existence). Nevertheless, even if these rooms are not exposed (listed) for discovery, they are **still joinable** by anyone who knows their address or is invited to the room by an existing member.
**We go against the upstream default** in an effort to make Matrix federation more useful - a public room should be globally public - not only joinable, but also discoverable across federation.
The **historical reasoning** behind this change is as follows:
- `allow_public_rooms_over_federation` seems to have been enabled by default for Synapse until v1.7.0 (~2019), just like we believe it should be for a globally-federating network - rooms should be joinable and discoverable across federation.
- In Synapse v1.7.0 (~2019), `allow_public_rooms_over_federation` [got disabled](https://github.com/matrix-org/synapse/blob/e9069c9f919685606506f04527332e83fbfa44d9/docs/upgrade.md?plain=1#L1877-L1891) by default in a [security-by-obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity) workaround for misconfigured servers. See the [Avoiding unwelcome visitors on private Matrix servers](https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers/) `matrix.org` blog article. We believe that people wishing for a truly private server, should [disable federation](docs/configuring-playbook-federation.md#disabling-federation), instead of having a fully-federating server and trying to hide its public rooms. We also provide other workarounds below. We (and the Synapse team, obviously) believe that Matrix should federate by default, so federating the public room list seems to make sense.
- [etke.cc](https://etke.cc/) has been developing the free-software [Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) project for a while now. One public (demo) instance of it is hosted at [matrixrooms.info](https://matrixrooms.info/). This search engine tries to go through the Matrix federation and discover & index public rooms to allow people to find them. We believe it's vital for Matrix (and any chat or social network for that matter) to be more discoverable, so that people can find communities and others to talk to. Today (on 23rd of October 2023), `matrixrooms.info` is indexing `23066` Matrix servers. Of these, only `1567` servers (7%) are making their public rooms discoverable. Who knows what wonderful communities and rooms are available on these 93% other Matrix servers that are supposedly federating, but are still gate-keeping their public room list. Indubitably, many of these servers are hosted via matrix-docker-ansible-deploy, so we feel partially responsible for making Matrix federation less useful.
Here are **actions you may wish to take** as a result of this change:
- (recommended) embrace the new default. If your Matrix server is federating, your public rooms have always been joinable across federation anyway. Exposing the list of public rooms does no harm and more-so does good by contributing to the usefulness of the Matrix network by facilitating room discovery.
- (switch to a better way of doings things on your semi-private server) The problem that the Synapse team appears to have solved by flipping the `allow_public_rooms_over_federation` default in Synapse v1.7.0 seems to for "mostly private" servers, which federate and have a bunch of rooms made public (and published in their room directory) in an effort to allow people on the same homeserver to easily find and join them (self-onboarding). With the introduction of Matrix Spaces, you can reorganize your flow around spaces - you can auto-join your users to a Matrix Space (via Synapse's `auto_join_rooms` setting - controlled by our `matrix_synapse_auto_join_rooms` variable), then add a bunch of rooms to the space and make them joinable by people belonging to the space. That is to say, do not make rooms public and do not publish them to the room directory unless they are really public. Instead, use other mechanisms for semi-public rooms or private rooms. One alternative is to stick to what you're doing (public rooms published to your rooms directory) but having a `m.federate: true` flag set during creation (clients like Element have a nice UI checkbox for this) to explicitly disable federation for them.
- (keeping the old behavior) if you wish to keep doing what you're doing (keeping your Matrix server federating, but hiding its public rooms list), add `matrix_synapse_allow_public_rooms_over_federation: false` to your `vars.yml` configuration. This restores the old behavior. You may also consider [disabling federation](docs/configuring-playbook-federation.md#disabling-federation) completely instead of relying on security-by-obscurity measures.
# 2023-10-18
## Postgres parameters are automatically tuned now

View file

@ -32,10 +32,14 @@ You may wish to look at `roles/custom/matrix-bridge-beeper-linkedin/templates/co
## Set up Double Puppeting
If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have to enable Shared Secred Auth.
If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
### Method 1: automatically, by enabling Shared Secret Auth
The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
## Usage

View file

@ -8,7 +8,7 @@ See the project's [documentation](https://github.com/matrix-org/sliding-sync) to
Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi).
Element X Android is [available on the Github Releases page](https://github.com/vector-im/element-x-android/releases).
Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version.
**NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync.

View file

@ -37,7 +37,6 @@
# Keep some URIs free for different proxy/location
ProxyPassMatch ^/.well-known/matrix/client !
ProxyPassMatch ^/.well-known/matrix/server !
ProxyPassMatch ^/.well-known/matrix/support !
ProxyPassMatch ^/_matrix/identity !
ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
@ -47,11 +46,11 @@
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
# Proxy Admin API (necessary for Synapse-Admin)
# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
# Proxy Synapse-Admin
# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
@ -65,7 +64,6 @@
Header always set Content-Type "application/json"
Header always set Access-Control-Allow-Origin "*"
</Location>
# Map /.well-known/matrix/server for server discovery
Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
<Files "/matrix/static-files/.well-known/matrix/server">
@ -74,16 +72,6 @@
<Location "/.well-known/matrix/server">
Header always set Content-Type "application/json"
</Location>
# Map /.well-known/matrix/support for support discovery
Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support
<Files "/matrix/static-files/.well-known/matrix/support">
Require all granted
</Files>
<Location "/.well-known/matrix/support">
Header always set Content-Type "application/json"
</Location>
<Directory /matrix/static-files/.well-known/matrix/>
AllowOverride All
# Apache 2.4:

View file

@ -2491,8 +2491,6 @@ jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
jitsi_uid: "{{ matrix_user_uid }}"
jitsi_gid: "{{ matrix_user_gid }}"
jitsi_user_username: "{{ matrix_user_username }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the Jitsi HTTP port to the local host.
@ -2553,7 +2551,6 @@ jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
# Allow verification using JWT and matrix-UVS
jitsi_prosody_auth_matrix_uvs_sync_power_levels: "{{ matrix_user_verification_service_enabled }}"
jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
@ -4303,6 +4300,9 @@ matrix_user_creator_users_auto: |
#
######################################################################
## FIXME: Needs to be updated when there is a proper release by upstream.
matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270"
matrix_user_verification_service_enabled: false
matrix_user_verification_service_systemd_required_services_list: |
{{

View file

@ -4,7 +4,7 @@
version: v1.0.0-1
name: auxiliary
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
version: v1.2.6-1.8.4-0
version: v1.2.6-1.8.3-0
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
version: v0.1.1-2
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
@ -18,7 +18,7 @@
- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
version: v16.0-8
- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
version: d2c2585fe3f5ebf39045bc90c97ee160e1341594
version: a0cc7c1c696872ba8880d9c5e5a54098de825030
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
@ -26,7 +26,7 @@
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.10.5-1
version: v2.10.5-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
version: v2.8.1-0
- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
@ -35,9 +35,9 @@
version: 7.0.1
name: geerlingguy.docker
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
version: v10.2.0-0
version: v10.1.5-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v8960-3
version: v8960-1
name: jitsi
- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
version: v2.7.0-2

View file

@ -5,7 +5,7 @@
matrix_bot_chatgpt_enabled: true
# renovate: datasource=docker depName=ghcr.io/matrixgpt/matrix-chatgpt-bot
matrix_bot_chatgpt_version: 3.1.4
matrix_bot_chatgpt_version: 3.1.2
matrix_bot_chatgpt_container_image_self_build: false
matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"

View file

@ -5,7 +5,7 @@
matrix_heisenbridge_enabled: true
# renovate: datasource=docker depName=hif1/heisenbridge
matrix_heisenbridge_version: 1.14.6
matrix_heisenbridge_version: 1.14.5
matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"

View file

@ -7,7 +7,7 @@ matrix_client_cinny_container_image_self_build: false
matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
# renovate: datasource=docker depName=ajbura/cinny
matrix_client_cinny_version: v3.2.0
matrix_client_cinny_version: v2.2.6
matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"

View file

@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
# renovate: datasource=docker depName=vectorim/element-web
matrix_client_element_version: v1.11.48
matrix_client_element_version: v1.11.46
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"

View file

@ -11,7 +11,7 @@ matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
# renovate: datasource=docker depName=matrixdotorg/dendrite-monolith
matrix_dendrite_docker_image_tag: "v0.13.4"
matrix_dendrite_docker_image_tag: "v0.13.3"
matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"

View file

@ -7,8 +7,8 @@ matrix_dynamic_dns_enabled: true
# The dynamic dns daemon interval
matrix_dynamic_dns_daemon_interval: '300'
# renovate: datasource=docker depName=linuxserver/ddclient versioning=semver
matrix_dynamic_dns_version: 3.11.1
# renovate: datasource=docker depName=linuxserver/ddclient
matrix_dynamic_dns_version: v3.10.0-ls136
# The docker container to use when in mode
matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"

View file

@ -2,7 +2,7 @@
# Project source code URL: https://github.com/nginx/nginx
matrix_nginx_proxy_enabled: true
# renovate: datasource=docker depName=nginx
matrix_nginx_proxy_version: 1.25.3-alpine
matrix_nginx_proxy_version: 1.25.2-alpine
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
@ -331,12 +331,6 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search).
# This is to assist identity servers which only handle the r0 endpoints.
# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
# This allows another service to control registrations involving 3PIDs.
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
@ -344,12 +338,6 @@ matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken).
# This is to assist identity servers which only handle the r0 endpoints.
# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"

View file

@ -119,7 +119,7 @@
# Redirect other endpoints registered by the media-repo to its container
# /_matrix/client/r0/logout
# /_matrix/client/r0/logout/all
location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) {
location ^~ /_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
@ -142,7 +142,7 @@
# Redirect other endpoints registered by the media-repo to its container
# /_matrix/client/r0/admin/purge_media_cache
# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) {
location ^~ /_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
@ -185,19 +185,13 @@
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
location ~ ^/_matrix/client/(r0|v3)/user_directory/search {
location ^~ /_matrix/client/r0/user_directory/search {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
{% endif %}
proxy_pass http://$backend;
{% else %}
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
{% endif %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};
{% endif %}
@ -208,19 +202,13 @@
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ {
location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
{% endif %}
proxy_pass http://$backend;
{% else %}
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
{% endif %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
{% endif %}

View file

@ -6,7 +6,7 @@
matrix_sliding_sync_enabled: true
# renovate: datasource=docker depName=ghcr.io/matrix-org/sliding-sync
matrix_sliding_sync_version: v0.99.12
matrix_sliding_sync_version: v0.99.11
matrix_sliding_sync_scheme: https

View file

@ -26,7 +26,7 @@
matrix_synapse_reverse_proxy_companion_enabled: true
# renovate: datasource=docker depName=nginx
matrix_synapse_reverse_proxy_companion_version: 1.25.3-alpine
matrix_synapse_reverse_proxy_companion_version: 1.25.2-alpine
matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

View file

@ -5,7 +5,7 @@
matrix_synapse_enabled: true
# renovate: datasource=docker depName=matrixdotorg/synapse
matrix_synapse_version: v1.95.1
matrix_synapse_version: v1.94.0
matrix_synapse_username: ''
matrix_synapse_uid: ''
@ -312,13 +312,8 @@ matrix_synapse_presence_enabled: true
matrix_synapse_allow_public_rooms_without_auth: false
# Controls whether remote servers can fetch this server's public rooms directory via federation.
# The upstream default is `false`, but we try to make Matrix federation more useful.
#
# For private servers, you may wish to forbid it to align yourself with upstream defaults.
# However, disabling federation completely (see `matrix_synapse_federation_enabled`) is a better way to make your server private,
# instead of relying on security-by-obscurity -- federating with others, having your public rooms joinable by anyone,
# but hiding them and thinking you've secured them.
matrix_synapse_allow_public_rooms_over_federation: true
# For private servers, you most likely wish to forbid it.
matrix_synapse_allow_public_rooms_over_federation: false
# Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to

View file

@ -5,10 +5,6 @@ matrix_user_verification_service_ansible_name: "Matrix User Verification Service
# Enable by default. This is overwritten in provided group vars.
matrix_user_verification_service_enabled: true
matrix_user_verification_service_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service"
matrix_user_verification_service_container_image_self_build_branch: "{{ 'master' if matrix_registration_version == 'latest' else matrix_user_verification_service_version }}"
# Fix version tag
# renovate: datasource=docker depName=matrixdotorg/matrix-user-verification-service
matrix_user_verification_service_version: "v3.0.0"
@ -17,7 +13,6 @@ matrix_user_verification_service_version: "v3.0.0"
matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service"
matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config"
matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env"
matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src"
# Docker
matrix_user_verification_service_docker_image_name_prefix: "{{ matrix_container_global_registry_prefix }}"

View file

@ -9,7 +9,6 @@
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_user_verification_service_config_path }}", when: true}
- {path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}"}
when: item.when | bool
- name: Ensure Matrix User Verification Service image is pulled
@ -22,30 +21,6 @@
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
when: "not matrix_user_verification_service_container_image_self_build | bool"
- name: Ensure Matrix User Verification Service repository is present when self-building
ansible.builtin.git:
repo: "{{ matrix_user_verification_service_container_image_self_build_repo }}"
dest: "{{ matrix_user_verification_service_docker_src_files_path }}"
version: "{{ matrix_user_verification_service_container_image_self_build_branch }}"
force: "yes"
become: true
become_user: "{{ matrix_user_username }}"
register: matrix_user_verification_service_git_pull_results
when: "matrix_user_verification_service_container_image_self_build | bool"
- name: Ensure Matrix User Verification Service image is built
community.docker.docker_image:
name: "{{ matrix_user_verification_service_docker_image }}"
source: build
force_source: "{{ matrix_user_verification_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_user_verification_service_docker_src_files_path }}"
pull: true
when: "matrix_user_verification_service_container_image_self_build | bool"
- name: Ensure Matrix User Verification Service env file installed
ansible.builtin.template:

View file

@ -17,14 +17,13 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
--rm \
--name={{ matrix_user_verification_service_container_name }} \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--tmpfs /.npm \
--network={{ matrix_user_verification_service_container_network }} \
{% if matrix_user_verification_service_container_http_host_bind_port %}
-p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \
@ -38,7 +37,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
{% for network in matrix_user_verification_service_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_user_verification_service_container_name }}
{% endfor %}
ExecStart=/usr/bin/env docker start --attach matrix-user-verification-service
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'