bd61598faf
the changes are necessary because certbot images are tagged, so docker does not recognize the necessary architecture
787 lines
32 KiB
Plaintext
Executable file
787 lines
32 KiB
Plaintext
Executable file
---
|
|
|
|
# This variables file wires together the various components (roles) used by the playbook.
|
|
#
|
|
# Roles used by playbook are pretty minimal and kept independent of one another as much as possible.
|
|
# To deliver a turnkey fully-featured Matrix server, this playbook needs
|
|
# to connect them all together. It does so by overriding role variables.
|
|
#
|
|
# You can also override ANY variable (seen here or in any given role),
|
|
# by re-defining it in your own configuration file (`inventory/host_vars/matrix.<your-domain>`).
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-base
|
|
#
|
|
######################################################################
|
|
|
|
matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}"
|
|
|
|
matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-base
|
|
#
|
|
######################################################################
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-architecture
|
|
#
|
|
######################################################################
|
|
|
|
matrix_architecture: "amd64"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-architecture
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-bridge-appservice-discord
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_appservice_discord_enabled: false
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# matrix-appservice-discord's client-server port to the local host.
|
|
matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"
|
|
|
|
# If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side.
|
|
matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}"
|
|
|
|
matrix_appservice_discord_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}"
|
|
|
|
matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-bridge-appservice-discord
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-appservice-webhooks
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_appservice_webhooks_enabled: false
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# matrix-appservice-webhooks' client-server port to the local host.
|
|
matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}' }}"
|
|
|
|
matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}"
|
|
|
|
matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}"
|
|
|
|
matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}"
|
|
|
|
matrix_appservice_webhooks_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-appservice-webhooks
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-appservice-slack
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_appservice_slack_enabled: false
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# matrix-appservice-slack's client-server port to the local host.
|
|
matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}"
|
|
|
|
matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}"
|
|
|
|
matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}"
|
|
|
|
matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}"
|
|
|
|
matrix_appservice_slack_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-bridge-appservice-slack
|
|
#
|
|
######################################################################
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-bridge-appservice-irc
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_appservice_irc_enabled: false
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# matrix-appservice-irc's client-server port to the local host.
|
|
matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9999' }}"
|
|
|
|
# The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable
|
|
# IRC bridge presence, for performance reasons.
|
|
matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}"
|
|
|
|
matrix_appservice_irc_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}"
|
|
|
|
matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-bridge-appservice-irc
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-bridge-mautrix-facebook
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_mautrix_facebook_enabled: false
|
|
|
|
matrix_mautrix_facebook_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}"
|
|
|
|
matrix_mautrix_facebook_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}"
|
|
|
|
matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.hs.token') | to_uuid }}"
|
|
|
|
matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-bridge-mautrix-facebook
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-bridge-mautrix-hangouts
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_mautrix_hangouts_enabled: false
|
|
|
|
matrix_mautrix_hangouts_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}"
|
|
|
|
matrix_mautrix_hangouts_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}"
|
|
|
|
matrix_mautrix_hangouts_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}"
|
|
|
|
matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-bridge-mautrix-hangouts
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-bridge-mautrix-telegram
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_mautrix_telegram_enabled: false
|
|
|
|
matrix_mautrix_telegram_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}"
|
|
|
|
matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.hs.token') | to_uuid }}"
|
|
|
|
matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
|
|
|
|
matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}"
|
|
|
|
matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-bridge-mautrix-telegram
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-bridge-mautrix-whatsapp
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_mautrix_whatsapp_enabled: false
|
|
|
|
matrix_mautrix_whatsapp_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}"
|
|
|
|
matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}"
|
|
|
|
matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-bridge-mautrix-whatsapp
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-bridge-mx-puppet-skype
|
|
#
|
|
######################################################################
|
|
|
|
# We don't enable bridges by default.
|
|
matrix_mx_puppet_skype_enabled: false
|
|
|
|
matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
|
|
|
|
matrix_mx_puppet_skype_systemd_required_services_list: |
|
|
{{
|
|
['docker.service']
|
|
+
|
|
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
|
}}
|
|
|
|
matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}"
|
|
|
|
matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}"
|
|
|
|
matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-bridge-mx-puppet-skype
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-corporal
|
|
#
|
|
######################################################################
|
|
|
|
matrix_corporal_enabled: false
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# matrix-corporal's web-server ports to the local host.
|
|
matrix_corporal_container_http_gateway_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41080' }}"
|
|
matrix_corporal_container_http_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41081' }}"
|
|
|
|
matrix_corporal_systemd_required_services_list: |
|
|
{{
|
|
(['docker.service'])
|
|
+
|
|
(['matrix-synapse.service'])
|
|
}}
|
|
|
|
matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008"
|
|
|
|
matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
|
|
|
|
matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-corporal
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-coturn
|
|
#
|
|
######################################################################
|
|
|
|
matrix_coturn_enabled: true
|
|
|
|
matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
|
|
|
|
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
|
|
|
|
matrix_coturn_tls_enabled: true
|
|
matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem"
|
|
matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem"
|
|
matrix_coturn_container_additional_volumes:
|
|
- src: "{{ matrix_ssl_config_dir_path }}"
|
|
dst: "{{ matrix_ssl_config_dir_path }}"
|
|
options: ro
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-coturn
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-dimension
|
|
#
|
|
######################################################################
|
|
|
|
matrix_dimension_enabled: false
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# the Dimension HTTP port to the local host.
|
|
matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}"
|
|
|
|
matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
|
|
matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-dimension
|
|
#
|
|
######################################################################
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-email2matrix
|
|
#
|
|
######################################################################
|
|
|
|
matrix_email2matrix_enabled: false
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-email2matrix
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-jitsi
|
|
#
|
|
######################################################################
|
|
|
|
matrix_jitsi_enabled: false
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# the Jitsi HTTP port to the local host.
|
|
matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12080' }}"
|
|
|
|
matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}"
|
|
matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}"
|
|
matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}"
|
|
|
|
matrix_jitsi_web_stun_servers: |
|
|
{{
|
|
[
|
|
'stun:' + matrix_server_fqn_matrix + ':5349',
|
|
'stun:' + matrix_server_fqn_matrix + ':3478',
|
|
]
|
|
if matrix_coturn_enabled
|
|
else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443']
|
|
}}
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-jitsi
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-mailer
|
|
#
|
|
######################################################################
|
|
|
|
# By default, this playbook sets up a postfix mailer server (running in a container).
|
|
# This is so that Synapse can send email reminders for unread messages.
|
|
# Other services (like ma1sd), also use the mailer.
|
|
matrix_mailer_enabled: true
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-mailer
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-ma1sd
|
|
#
|
|
######################################################################
|
|
|
|
# By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`).
|
|
# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this.
|
|
matrix_ma1sd_enabled: true
|
|
|
|
matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# ma1sd's web-server port.
|
|
matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}"
|
|
|
|
# We enable Synapse integration via its Postgres database by default.
|
|
# When using another Identity store, you might wish to disable this and define
|
|
# your own configuration in `matrix_ma1sd_configuration_extension_yaml`.
|
|
matrix_ma1sd_synapsesql_enabled: true
|
|
matrix_ma1sd_synapsesql_type: postgresql
|
|
matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }}
|
|
|
|
matrix_ma1sd_dns_overwrite_enabled: true
|
|
matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
|
|
matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}"
|
|
|
|
# By default, we send mail through the `matrix-mailer` service.
|
|
matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"
|
|
matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
|
|
matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025
|
|
matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0
|
|
|
|
matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
|
|
|
matrix_ma1sd_systemd_wanted_services_list: |
|
|
{{
|
|
(['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service'])
|
|
+
|
|
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
|
|
+
|
|
(['matrix-mailer.service'] if matrix_mailer_enabled else [])
|
|
}}
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-ma1sd
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-nginx-proxy
|
|
#
|
|
######################################################################
|
|
|
|
# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448.
|
|
# This is fine if you're dedicating the whole server to Matrix.
|
|
# If that's not the case, you may wish to disable this and take care of proxying yourself.
|
|
matrix_nginx_proxy_enabled: true
|
|
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}"
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}"
|
|
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
|
|
|
|
matrix_nginx_proxy_proxy_matrix_enabled: true
|
|
matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}"
|
|
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
|
|
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
|
|
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
|
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090"
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
# By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy.
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048"
|
|
|
|
matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
|
|
matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
|
|
matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"
|
|
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
|
|
|
|
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
|
|
|
matrix_nginx_proxy_systemd_wanted_services_list: |
|
|
{{
|
|
(['matrix-synapse.service'])
|
|
+
|
|
(['matrix-corporal.service'] if matrix_corporal_enabled else [])
|
|
+
|
|
(['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
|
|
+
|
|
(['matrix-riot-web.service'] if matrix_riot_web_enabled else [])
|
|
}}
|
|
|
|
matrix_ssl_domains_to_obtain_certificates_for: |
|
|
{{
|
|
([matrix_server_fqn_matrix])
|
|
+
|
|
([matrix_server_fqn_riot] if matrix_riot_web_enabled else [])
|
|
+
|
|
([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
|
|
+
|
|
([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else [])
|
|
+
|
|
([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
|
|
}}
|
|
|
|
matrix_ssl_architecture: "{{ matrix_architecture }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-nginx-proxy
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-postgres
|
|
#
|
|
######################################################################
|
|
|
|
matrix_postgres_enabled: true
|
|
|
|
matrix_postgres_connection_hostname: "matrix-postgres"
|
|
matrix_postgres_connection_username: "synapse"
|
|
matrix_postgres_connection_password: "synapse-password"
|
|
matrix_postgres_db_name: "homeserver"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-postgres
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-riot-web
|
|
#
|
|
######################################################################
|
|
|
|
# By default, this playbook installs the Riot.IM web UI on the `matrix_server_fqn_riot` domain.
|
|
# If you wish to connect to your Matrix server by other means, you may wish to disable this.
|
|
matrix_riot_web_enabled: true
|
|
|
|
matrix_riot_web_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
# the riot-web HTTP port to the local host.
|
|
matrix_riot_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}"
|
|
|
|
matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}"
|
|
matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}"
|
|
|
|
# Use Dimension if enabled, otherwise fall back to Scalar
|
|
matrix_riot_web_integrations_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else 'https://scalar.vector.im/' }}"
|
|
matrix_riot_web_integrations_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else 'https://scalar.vector.im/api' }}"
|
|
matrix_riot_web_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
|
|
matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
|
|
|
|
matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
|
|
|
matrix_riot_web_registration_enabled: "{{ matrix_synapse_enable_registration }}"
|
|
|
|
matrix_riot_web_enable_presence_by_hs_url: |
|
|
{{
|
|
none
|
|
if matrix_synapse_use_presence
|
|
else {matrix_riot_web_default_hs_url: false}
|
|
}}
|
|
|
|
matrix_riot_web_welcome_user_id: ~
|
|
|
|
matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-riot-web
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
######################################################################
|
|
#
|
|
# matrix-synapse
|
|
#
|
|
######################################################################
|
|
|
|
matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
|
|
|
|
# When ma1sd is enabled, we can use it instead of the default public Identity servers.
|
|
matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}"
|
|
|
|
# When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
|
|
# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
|
|
matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
|
|
matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
|
|
|
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
|
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
|
|
# you can expose Synapse's ports to the host.
|
|
#
|
|
# For exposing the Matrix Client API's port (plain HTTP) to the local host.
|
|
matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}"
|
|
#
|
|
# For exposing the Matrix Federation API's plain port (plain HTTP) to the local host.
|
|
matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}"
|
|
#
|
|
# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
|
|
matrix_synapse_container_federation_api_tls_host_bind_port: "{{ '8448' if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
|
|
#
|
|
# For exposing the Synapse Metrics API's port (plain HTTP) to the local host.
|
|
matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}"
|
|
#
|
|
# For exposing the Synapse Manhole port (plain HTTP) to the local host.
|
|
matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}"
|
|
|
|
matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}"
|
|
matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}"
|
|
matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}"
|
|
matrix_synapse_database_database: "{{ matrix_postgres_db_name }}"
|
|
|
|
# We do not enable TLS in Synapse by default.
|
|
# TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse.
|
|
matrix_synapse_tls_federation_listener_enabled: false
|
|
matrix_synapse_tls_certificate_path: ~
|
|
matrix_synapse_tls_private_key_path: ~
|
|
|
|
matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
|
|
matrix_synapse_email_smtp_host: "matrix-mailer"
|
|
matrix_synapse_email_smtp_port: 8025
|
|
matrix_synapse_email_smtp_require_transport_security: false
|
|
matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
|
|
|
|
# Even if TURN doesn't support TLS (it does by default),
|
|
# it doesn't hurt to try a secure connection anyway.
|
|
matrix_synapse_turn_uris: |
|
|
{{
|
|
[
|
|
'turns:' + matrix_server_fqn_matrix + '?transport=udp',
|
|
'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
|
|
'turn:' + matrix_server_fqn_matrix + '?transport=udp',
|
|
'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
|
|
]
|
|
if matrix_coturn_enabled
|
|
else []
|
|
}}
|
|
|
|
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
|
|
|
|
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
|
|
|
matrix_synapse_systemd_required_services_list: |
|
|
{{
|
|
(['docker.service'])
|
|
+
|
|
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
|
|
+
|
|
(['matrix-goofys'] if matrix_s3_media_store_enabled else [])
|
|
}}
|
|
|
|
matrix_synapse_systemd_wanted_services_list: |
|
|
{{
|
|
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
|
|
+
|
|
(['matrix-mailer.service'] if matrix_mailer_enabled else [])
|
|
}}
|
|
|
|
######################################################################
|
|
#
|
|
# /matrix-synapse
|
|
#
|
|
######################################################################
|