matrix-docker-ansible-deploy/group_vars/matrix-servers
Slavi Pantaleev bb816df557 Move mautrix telegram and whatsapp into separate roles
The goal is to move each bridge into its own separate role.
This commit starts off the work on this with 2 bridges:
- mautrix-telegram
- mautrix-whatsapp

Each bridge's role (including these 2) is meant to:

- depend only on the matrix-base role

- integrate nicely with the matrix-synapse role (if available)

- integrate nicely with the matrix-nginx-proxy role (if available and if
required). mautrix-telegram bridge benefits from integrating with
it.

- not break if matrix-synapse or matrix-nginx-proxy are not used at all

This has been provoked by #174 (Github Issue).
2019-05-14 23:47:22 +09:00

453 lines
18 KiB
Plaintext
Executable file

---
# This variables file wires together the various components (roles) used by the playbook.
#
# Roles used by playbook are pretty minimal and kept independent of one another as much as possible.
# To deliver a turnkey fully-featured Matrix server, this playbook needs
# to connect them all together. It does so by overriding role variables.
#
# You can also override ANY variable (seen here or in any given role),
# by re-defining it in your own configuration file (`inventory/host_vars/matrix.<your-domain>`).
######################################################################
#
# matrix-appservice-irc
#
######################################################################
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-irc's client-server port to the local host (`127.0.0.1:9999`).
matrix_appservice_irc_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
######################################################################
#
# matrix-appservice-discord
#
######################################################################
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-discord's client-server port to the local host (`127.0.0.1:9005`).
matrix_appservice_discord_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
######################################################################
#
# matrix-base
#
######################################################################
matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}"
######################################################################
#
# /matrix-base
#
######################################################################
######################################################################
#
# matrix-bridge-mautrix-telegram
#
######################################################################
# We don't enable bridges by default.
matrix_mautrix_telegram_enabled: false
matrix_mautrix_telegram_systemd_required_services_list: ['docker.service', 'matrix-synapse.service']
matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
######################################################################
#
# /matrix-bridge-mautrix-telegram
#
######################################################################
######################################################################
#
# matrix-bridge-mautrix-whatsapp
#
######################################################################
# We don't enable bridges by default.
matrix_mautrix_whatsapp_enabled: false
matrix_mautrix_whatsapp_systemd_required_services_list: ['docker.service', 'matrix-synapse.service']
######################################################################
#
# /matrix-bridge-mautrix-whatsapp
#
######################################################################
######################################################################
#
# matrix-corporal
#
######################################################################
matrix_corporal_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
matrix_corporal_systemd_required_services_list: |
{{
(['docker.service'])
+
(['matrix-synapse.service'])
}}
matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008"
matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}"
######################################################################
#
# /matrix-corporal
#
######################################################################
######################################################################
#
# matrix-coturn
#
######################################################################
matrix_coturn_enabled: true
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
matrix_coturn_tls_enabled: true
matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem"
matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem"
matrix_coturn_container_additional_volumes:
- src: "{{ matrix_ssl_config_dir_path }}"
dst: "{{ matrix_ssl_config_dir_path }}"
options: ro
######################################################################
#
# /matrix-coturn
#
######################################################################
######################################################################
#
# matrix-dimension
#
######################################################################
matrix_dimension_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the Dimension HTTP port to the local host (`127.0.0.1:8184`).
matrix_dimension_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
######################################################################
#
# /matrix-dimension
#
######################################################################
######################################################################
#
# matrix-mailer
#
######################################################################
# By default, this playbook sets up a postfix mailer server (running in a container).
# This is so that Synapse can send email reminders for unread messages.
# Other services (like mxisd), also use the mailer.
matrix_mailer_enabled: true
######################################################################
#
# /matrix-mailer
#
######################################################################
######################################################################
#
# matrix-mxisd
#
######################################################################
# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`).
# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this.
matrix_mxisd_enabled: true
# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# mxisd's web-server port to the local host (`127.0.0.1:8090`).
matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
# We enable Synapse integration via its Postgres database by default.
# When using another Identity store, you might wish to disable this and define
# your own configuration in `matrix_mxisd_configuration_extension_yaml`.
matrix_mxisd_synapsesql_enabled: true
matrix_mxisd_synapsesql_type: postgresql
matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }}
matrix_mxisd_dns_overwrite_enabled: true
matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}"
# By default, we send mail through the `matrix-mailer` service.
matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"
matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025
matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0
matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_mxisd_systemd_wanted_services_list: |
{{
(['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service'])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-mailer.service'] if matrix_mailer_enabled else [])
}}
######################################################################
#
# /matrix-mxisd
#
######################################################################
######################################################################
#
# matrix-nginx-proxy
#
######################################################################
# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448.
# This is fine if you're dedicating the whole server to Matrix.
# If that's not the case, you may wish to disable this and take care of proxying yourself.
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}"
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}"
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
matrix_nginx_proxy_proxy_matrix_enabled: true
matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}"
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}"
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090"
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
# By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048"
matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_nginx_proxy_systemd_wanted_services_list: |
{{
(['matrix-synapse.service'])
+
(['matrix-corporal.service'] if matrix_corporal_enabled else [])
+
(['matrix-mxisd.service'] if matrix_mxisd_enabled else [])
+
(['matrix-riot-web.service'] if matrix_riot_web_enabled else [])
}}
matrix_ssl_domains_to_obtain_certificates_for: |
{{
([matrix_server_fqn_matrix])
+
([matrix_server_fqn_riot] if matrix_riot_web_enabled else [])
+
([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
+
([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
}}
######################################################################
#
# /matrix-nginx-proxy
#
######################################################################
######################################################################
#
# matrix-postgres
#
######################################################################
matrix_postgres_enabled: true
matrix_postgres_connection_hostname: "matrix-postgres"
matrix_postgres_connection_username: "synapse"
matrix_postgres_connection_password: "synapse-password"
matrix_postgres_db_name: "homeserver"
######################################################################
#
# /matrix-postgres
#
######################################################################
######################################################################
#
# matrix-riot-web
#
######################################################################
# By default, this playbook installs the Riot.IM web UI on the `matrix_server_fqn_riot` domain.
# If you wish to connect to your Matrix server by other means, you may wish to disable this.
matrix_riot_web_enabled: true
# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the riot-web HTTP port to the local host (`127.0.0.1:80`).
matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}"
matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}"
# Use Dimension if enabled, otherwise fall back to Scalar
matrix_riot_web_integrations_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else 'https://scalar.vector.im/' }}"
matrix_riot_web_integrations_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else 'https://scalar.vector.im/api' }}"
matrix_riot_web_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_riot_web_registration_enabled: "{{ matrix_synapse_enable_registration }}"
matrix_riot_web_enable_presence_by_hs_url: |
{{
none
if matrix_synapse_use_presence
else {matrix_riot_web_default_hs_url: false}
}}
######################################################################
#
# /matrix-riot-web
#
######################################################################
######################################################################
#
# matrix-synapse
#
######################################################################
# When mxisd is enabled, we can use it instead of the default public Identity servers.
matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose its ports
# to the local host.
#
# For exposing the Matrix Client API's port (plain HTTP) to the local host (`127.0.0.1:8008`).
matrix_synapse_container_expose_client_api_port: "{{ not matrix_nginx_proxy_enabled }}"
# For exposing the Matrix Federation API's port (plain HTTP) to the local host (`127.0.0.1:8048`).
matrix_synapse_container_expose_federation_api_port: "{{ not matrix_nginx_proxy_enabled }}"
matrix_synapse_container_expose_metrics_port: "{{ not matrix_nginx_proxy_enabled }}"
matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}"
matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}"
matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}"
matrix_synapse_database_database: "{{ matrix_postgres_db_name }}"
# We do not enable TLS in Synapse by default.
# TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse.
matrix_synapse_tls_federation_listener_enabled: false
matrix_synapse_tls_certificate_path: ~
matrix_synapse_tls_private_key_path: ~
matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
matrix_synapse_email_smtp_host: "matrix-mailer"
matrix_synapse_email_smtp_port: 8025
matrix_synapse_email_smtp_require_transport_security: false
matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}"
# Even if TURN doesn't support TLS (it does by default),
# it doesn't hurt to try a secure connection anyway.
matrix_synapse_turn_uris: |
{{
[
'turns:' + matrix_server_fqn_matrix + '?transport=udp',
'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
'turn:' + matrix_server_fqn_matrix + '?transport=udp',
'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
]
if matrix_coturn_enabled
else []
}}
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
matrix_synapse_systemd_required_services_list: |
{{
(['docker.service'])
+
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
+
(['matrix-goofys'] if matrix_s3_media_store_enabled else [])
}}
matrix_synapse_systemd_wanted_services_list: |
{{
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
+
(['matrix-mailer.service'] if matrix_mailer_enabled else [])
}}
######################################################################
#
# /matrix-synapse
#
######################################################################