feat: add automatic creation of reverse-proxy routing

Fixed typos in README

.gitignore

@@ -1,7 +1,3 @@
-/inventory/*
-!/inventory/.gitkeep
-!/inventory/host_vars/.gitkeep
-!/inventory/scripts
 /roles/*/files/scratchpad
 .DS_Store
 .python-version

README.md

@@ -29,7 +29,7 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default
 
-- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
+- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
 
 - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server)
 
@@ -47,7 +47,7 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/)
 
-- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/)
+- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/)
 
 - (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/)
 
@@ -103,7 +103,7 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation
 
-Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
+Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else.
 
 **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.
 Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation.
@@ -128,4 +128,11 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w
 
 - IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net)
 
-- Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)
+- GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)
+
+
+## Services by the community
+
+- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain
+
+- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from DigitalOcean, or they can connect their on-premises server. This AWX system can manage the updates, configuration, import and export, backups, and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com).

ansible.cfg

@@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 stdout_callback = yaml
 
+inventory = inventory/hosts
+
 [connection]
 pipelining = True

docs/configuring-awx-system.md

@@ -32,9 +32,9 @@ Updates to this section are trailed here:
 
 ## Does I need an AWX setup to use this? How do I configure it? 
 
-Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository.
+Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation.md). 
 
-For simpler installation steps you can use to get started with this system, check out our minimal installation guide at '/doc/Installation_Minimal.md'.
+For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal.md).
 
 
 ## Does I need a front-end WordPress site? And a DigitalOcean account? 

docs/configuring-playbook-own-webserver.md

@@ -55,6 +55,8 @@ Note that if your nginx version is old, it might not like our default choice of
 matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
 ```
 
+If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue.
+
 
 ### Using your own external Apache webserver
 

docs/maintenance-synapse.md

@@ -14,11 +14,7 @@ Table of contents:
 
 ## Purging old data with the Purge History API
 
-You can use the **Purge History API** to delete in-use (but old) data.
-
-**This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
-
-Synapse's [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) can be used to purge on a per-room basis.
+You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
 
 To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element).
 Alternatively, you can log in and obtain a new access token like this:
@@ -29,6 +25,8 @@ curl \
 https://matrix.DOMAIN/_matrix/client/r0/login
 ```
 
+Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file.
+
 Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions.
 
 After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql).
@@ -36,7 +34,7 @@ After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintena
 
 ## Compressing state with rust-synapse-compress-state
 
-[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse.
+[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse. If your server participates in large rooms this is the most effective way to reduce the size of your database.
 
 This tool should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first.
 
@@ -54,7 +52,10 @@ After state compression, you may wish to run a [`FULL` Postgres `VACUUM`](./main
 
 ## Browse and manipulate the database
 
-When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs.
+When the [Synapse Admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs.
+
+Editing the database manually is not recommended or supported by the Synapse developers. If you are going to do so you should [make a database backup](./maintenance-postgres.md#backing-up-postgresql).
+
 First, set up an SSH tunnel to your matrix server (skip if it is your local machine):
 
 ```

gpg/open_vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

gpg/vault_passphrase.gpg

@@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
++rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----

group_vars/matrix_servers

@@ -1113,7 +1113,9 @@ matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matr
 
 matrix_ma1sd_dns_overwrite_enabled: true
 matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
-matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"
+# The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case,
+# but may be inaccurate if matrix-corporal is enabled.
+matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}"
 
 # By default, we send mail through the `matrix-mailer` service.
 matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"

inventory/host_vars/matrix.finallycoffee.eu/vars.yml

@@ -0,0 +1,331 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+matrix_ssl_retrieval_method: none
+matrix_nginx_proxy_enabled: false
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+
+#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.32.0rc1"
+
+#
+# General Synapse config
+#
+matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+matrix_synapse_macaroon_secret_key: "{{ vault_matrix_synapse_macaroon_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 100
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_enable_group_creation: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turns:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turns:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+matrix_synapse_rc_federation:
+  window_size: 1000
+  sleep_limit: 25
+  sleep_delay: 500
+  reject_limit: 50
+  concurrent: 5
+matrix_synapse_rc_message:
+  per_second: 0.5
+  burst_count: 25
+
+## Synapse cache tuning
+matrix_synapse_caches_global_factor: 0.7
+matrix_synapse_event_cache_size: "200K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_worker_client_server_count: 0
+matrix_synapse_workers_media_repository_workers_count: 0
+matrix_synapse_workers_federation_sender_workers_count: 1
+matrix_synapse_workers_pusher_workers_count: 0
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+matrix_synapse_ext_password_provider_rest_auth_enabled: true
+matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+#
+# synapse-admin tool
+#
+matrix_synapse_admin_enabled: true
+matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: true
+matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+matrix_dimension_configuration_extension_yaml: |
+    telegram:
+        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: true
+matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+matrix_mx_puppet_instagram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_instagram_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-skype configuration
+#
+matrix_mx_puppet_skype_enabled: true
+matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
+matrix_mx_puppet_skype_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_skype_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+        path: /metrics
+
+
+#
+# mx-puppet-discord configuration
+#
+matrix_mx_puppet_discord_enabled: true
+matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+matrix_mx_puppet_discord_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_discord_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: true
+matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
+matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+matrix_mx_puppet_slack_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+matrix_mx_puppet_slack_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_authHeaderLogoUrl: "welcome/images/logo.png"
+matrix_client_element_branding_welcomeBackgroundUrl: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcomeBackgroundUrl }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_authHeaderLogoUrl }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_roomdir_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+  - "entropia.de"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+matrix_ma1sd_configuration_extension_yaml: |
+    hashing:
+      enabled: true
+      pepperLength: 20
+      rotationPolicy: per_requests
+      requests: 10
+      hashStorageType: sql
+      algorithms:
+          - none
+          - sha256
+
+
+# Matrix mail notification relay setup
+matrix_mailer_enabled: true
+matrix_mailer_sender_address: "Matrix on finallycoffee.eu <system-matrix@{{ matrix_domain }}>"
+matrix_mailer_relay_use: true
+matrix_mailer_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+matrix_mailer_relay_host_port: 587
+matrix_mailer_relay_auth: true
+matrix_mailer_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+matrix_mailer_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

inventory/host_vars/matrix.finallycoffee.eu/vault.yml

@@ -0,0 +1,100 @@
+$ANSIBLE_VAULT;1.1;AES256
+64343261653838626666353837393238353033353632393763363634303466613033376235386235
+6333386536323034643139656232636133386463393264300a663333333237656337343562366336
+66663064393930656566396636333430373233373362346339383866623066316133323366663961
+3732666162363238300a636230346163656334393063343030333064393962663431326461653239
+36653030393234623335313335383832646463663835653035303765633064666435373464653336
+31323433373734633531353562333065623039623633633163376235353737343935623133326663
+65333761383130336165356439623066363964313033666433316231663533393532333738333430
+36633463343335366364343565353862363531376539626237613263303331323631333366363830
+33613937346531323139343166613839366233383663363732353561643238383362353964373135
+61633430353037316266343962376238383238366562323764373135646365383030626130383433
+32313263663165656366313633653431663332636532656465623465353062643934343738633434
+63346333326331633830363663666631326466353138646233383235313532383864633233613134
+39363734353165653065343938643861646630376334303832613163663265373839323765396234
+38633336393739666565346565343865346233373639363530383533386533616337373033613865
+66353434653262663263326237626265636430646630313866383532376264383933343933326264
+65316337323863343935306138343462336666313332396439656234613831356262663630663038
+31376539653638333263333933633134303734656662343039396563343636366433396130653830
+33326539636432646438613236356430343435623539333062666630373265306635343233646333
+39653934323738303239643834663463396165656235393437396635623131316532333465316231
+65373130393463383932383837383830656637653963666638653665356437303239376262613062
+34613830613164323365636461303035616136636330323531383164376334363862383762366665
+62643839333662373461363038326436616639326264633735316139346536373839666236653634
+30376536386137636336363562376339393261373739333162373461656364353139626339346637
+30366431336534663037653438376330346238636562383932653561306134626566333861333630
+39633536653233393161333136316564623631313839633461333438633166363064303238663464
+65353338353464313635333934623833303965393462373530303666643537336662376266613434
+37356664616539323631373535316434383361323935376638666437646538316537613030653231
+62636263663935646466383663306535626465633239366562373038356366366331333537333663
+64363130386535306362646533393161643737366662313631623132356465636565313530353363
+35366165383837326564623363636632616331393834313130303937303664353436363266323033
+61373532383962393937666261626263666631346235646237656337363831633734623733633835
+39613736373031633263396530626566303665343039663866333632636565633034376366356635
+35383633336465636331306232353434653739653339396437363163313630393035366665383263
+34353238656563306366336466376363316430636666353965356535653334343630633532313034
+64626436643030656335616337653564653331326463383461643739333163613361333133633639
+66656137313937356134646362623536363065633564633166343766356436313130373663663334
+63626138356562303761323336646332383761646663383032386261623936633661653735343637
+35326137343532333635353436376665326633633135656537623631326336353138346136636239
+37396135326362613039663136333964626237353562343966383764613231363061333534316233
+38636130313261643061613138656235396530656366313132346362383430333734663866383666
+61633631353830643565313437306664636262666135353133656531623563616335643737373438
+63633235363566616466663262333466383939373336383139643362376365623763386137666332
+39353363636437393236303764343337633233386236303563636634353836363537383632306434
+33653632373064646361616364323133343138363437373436636232373261663639616330666465
+37333130393435613134366437396361363830656137663963643132303334633331633661363061
+38356439666161643431356532353334383539353566386333666461663562613231383331623063
+33336435636239343663663937353864306363363264663033303539616434333436353134383034
+64663533366134306462366565333236383235373233656132396538663437616333343534333166
+66646566623734636532666230326530633538656639353262343665316235386534376534386634
+65663032303930353661363162373533363762353237393030346238306532326264303636383264
+63363063326265396166313533663362346539333532386665316466386131623161313738623239
+66386236656561396539356634636234393436323239396330366237333539343761393431336138
+66396230656435356365356530343132373861376336346532653063666331343366393761373131
+66313864373362326139316461666232386132306535616561663566623963353034313961666266
+34373534363834626334386139653532656564333863323363343165643538336430386434613235
+64386564643564636530313565326433623365303738386433323463396437653066636134313564
+33383035393436393163373864353331376163653137316136376564643066636335313735396664
+33623735353438643237333734353766363863313763653737633135353332363066336232363131
+33333532653737633033666336326331376561636330643935323636626562303439346338633135
+33663035366461336339666665663835373235633338613664636439393837303932643363643830
+63333862643430383235663836653161376637373265646463313538386531666362376532663738
+62333536383537613562336235666431393164616263303863323834343735326133646131303063
+62623836313730363832313764363562306666383337396561633865336561396632303539333166
+35623063336534653531303134653630666264333133393864626665623564313466363731316339
+36646666653062326665346332373963376439396538396663656130616333316533623331346461
+39643862356663316338333662646464353233356635303931626366323831303136366462366133
+34303234343064393265303866636137646461336530653733623264383261653864633332346435
+62383065353662303564633239326664356364366365626466666266326466333834316437383134
+35383261373437643261623533623533326335393932356632653634326432376235393038333464
+33626361366565316533663537343237316563343730363632663639623930313963316665663965
+33386435663462626435383733383336343064333935356364623436626632356535333430343262
+62363136353562633631613965353062363231343037626166363035376530646537646136363730
+35303530343361616230383662333139333533333138613834323437636238656538656436623433
+38353363336665346637643631663934633061626532376330633731316565336166313936393533
+35323535376539633937376532333536323234376632306362633438626565376234353235353836
+37663735366165393963313536356437653361306232313736356164656635616333306332356637
+39353465633536313539366264646364343231653466346165313863623365333465623336376635
+37396663333638356565306439636365653438623935363361356464316663613465303933346537
+61303863323631343264613665323866363935383265323562326364346364343133393965333135
+33306434646533333662613930666337646330303439333938326433376161613836663237303534
+63636139636338656664333034356635653330666362633563366663616661303266326135643036
+34383939613035323331366261356531343961303239626365383332313633393561623963643134
+30353239356234336635616663313830396133643035663838653837613262616364623637616237
+37363662663466396330323830343963366262643339316162643164353430663763613634346233
+62303539336433313066346339363163336236373334613938613061613038613466636632336335
+35326133373061323164623436623338316466396261393630623466313164393736353566356237
+34396530383361613464643461313336663331643438313136353039386263633134616534666464
+33373536326637316635326461656130383333613832386662643431666435663565343565616266
+35303738656362663266653735373833613765356366626436336437326665396635636335616566
+32663733396432656430356335383262613133623066636238623166613839393833616436653936
+34306536343664643732356262663435623834313732373564613337373765373130653734386632
+35623038623639346564393466393463613238363231663965633037353337353332663464336539
+33616131353734663463336436303866306334336339316364313962346430383338306161636462
+64303064313135346236346434316333346434303764356237636530663239633631383561393537
+66383836326634666362613661353533363432303437663235393336396331356465633031326430
+35333263633731626564326430613937343136633562386432396537363663653438333333366135
+33333339376165303736643661343535356561353938346131653662363966643839653262363537
+38373331353539313463363236383633326138366534313064303739626337343962653830653663
+626263633730663932376165333438323835

inventory/hosts

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31336566376336626265653165306635633033376662656164383037383834653239656136333734
+3833666339393037323035343565343235396163636166370a643933333933386133366564396465
+30393637613164356564393337633361653432333232383664303739363736633435363764343530
+3532313739363963660a343434356534316230623133636366386334323465376139363162616238
+39396638366262313531653635326361616537396338363533303961623165343931373939306239
+31336632643166633662653765333231393461643933306464303165633037343061323636313034
+34376631656563646665373566633431366638383863666130323264316337663237343135306236
+66323536346164663239343139623430303230333466633437643337343930363530653964626163
+38336363633730393136333637383631636266396636646533356262376630646139303636666538
+32366437353163663865623234643061313639646162643965393535353938313133326237313265
+66646163333535396539646461356334633532313530653834623263386265383765356130333466
+30373531306137393935363030313739666536363138363962646565306439393239303030643162
+33333166663430393866666439653532623034396130313066383035396535646633366237303264
+36356665366461323664373038366364623937386233313039323837666333653764616462333365
+31326264633236373937313537633961633164323138356135633765663639323537656263633766
+38653836323263386333376131333330326237393666363064326463663961633839393039323835
+61306265333232623037356465393133323733363634646364336261326333366239346565366338
+61646132333033373866623739343830336164316461646366666237313565626639323537623732
+38323830656136323137323530343764666433633432366136643538323832653130376363653135
+64376261386635636533353961613335663962306337353866616464613636303735336230623962
+3336

roles/matrix-awx/tasks/main.yml

@@ -44,6 +44,15 @@
   tags:
     - purge-media
 
+# Purge Synapse database if called
+- include_tasks: 
+    file: "purge_database_main.yml"
+    apply:
+      tags: purge-database
+  when: run_setup|bool and matrix_awx_enabled|bool
+  tags:
+    - purge-database
+
 # Import configs, media repo from /chroot/backup import
 - include_tasks: 
     file: "import_awx.yml"

roles/matrix-awx/tasks/purge_database_build_list.yml

@@ -0,0 +1,10 @@
+
+- name: Collect entire room list into stdout
+  shell: |
+    curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms?from={{ item }}'
+  register: rooms_output
+  
+- name: Print stdout to file
+  delegate_to: 127.0.0.1
+  shell: |
+    echo '{{ rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json

roles/matrix-awx/tasks/purge_database_events.yml

@@ -0,0 +1,13 @@
+
+- name: Purge all rooms with more then N events
+  shell: |
+    curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ purge_epoche_time.stdout }}000 }' "{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}"
+  register: purge_command
+
+- name: Print output of purge command
+  debug: 
+    msg: "{{ purge_command.stdout }}"
+
+- name: Pause for 5 seconds to let Synapse breathe
+  pause:
+    seconds: 5

roles/matrix-awx/tasks/purge_database_main.yml

@@ -0,0 +1,234 @@
+
+- name: Ensure dateutils and curl is installed in AWX
+  delegate_to: 127.0.0.1
+  yum:
+    name: dateutils
+    state: latest
+
+- name: Ensure dateutils, curl and jq intalled on target machine
+  apt:
+    pkg:
+    - curl
+    - jq
+    state: present
+
+- name: Include vars in matrix_vars.yml
+  include_vars:
+    file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+  no_log: True
+
+- name: Collect size of Synapse database
+  shell: du -sh /matrix/postgres/data
+  register: db_size_before_stat
+  no_log: True
+
+- name: Print before size of Synapse database
+  debug:
+    msg: "{{ db_size_before_stat.stdout.split('\n') }}"
+  when: db_size_before_stat is defined
+
+- name: Collect the internal IP of the matrix-synapse container
+  shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
+  register: synapse_container_ip
+
+- name: Collect access token for janitor user
+  shell: |
+    curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token'
+  register: janitors_token
+  no_log: True
+
+- name: Collect total number of rooms
+  shell: |
+    curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms' | jq '.total_rooms'
+  when: purge_rooms|bool
+  register: rooms_total
+
+- name: Print total number of rooms
+  debug:
+    msg: '{{ rooms_total.stdout }}'
+  when: purge_rooms|bool
+
+- name: Calculate every 100 values for total number of rooms
+  delegate_to: 127.0.0.1
+  shell: |
+    seq 0 100 {{ rooms_total.stdout }}
+  when: purge_rooms|bool
+  register: every_100_rooms
+
+- name: Ensure room_list_complete.json file exists
+  delegate_to: 127.0.0.1
+  file:
+    path: /tmp/{{ subscription_id }}_room_list_complete.json
+    state: touch
+  when: purge_rooms|bool
+
+- name: Build file with total room list
+  include_tasks: purge_database_build_list.yml 
+  loop: "{{ every_100_rooms.stdout_lines | flatten(levels=1) }}"
+  when: purge_rooms|bool
+
+- name: Generate list of rooms with no local users
+  delegate_to: 127.0.0.1
+  shell: |
+    jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt
+  when: purge_rooms|bool
+  
+- name: Count number of rooms with no local users
+  delegate_to: 127.0.0.1
+  shell: |
+    wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }'
+  register: rooms_no_local_total
+  when: purge_rooms|bool
+
+- name: Setting host fact room_list_no_local_users
+  set_fact:
+    room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}"
+  no_log: True
+  when: purge_rooms|bool
+
+- name: Purge all rooms with no local users
+  include_tasks: purge_database_no_local.yml 
+  loop: "{{ room_list_no_local_users.splitlines() | flatten(levels=1) }}"
+  when: purge_rooms|bool
+
+- name: Collect epoche time from date
+  delegate_to: 127.0.0.1
+  shell: |
+    date -d '{{ purge_date }}' +"%s"
+  when: purge_rooms|bool
+  register: purge_epoche_time
+
+- name: Generate list of rooms with more then N users
+  delegate_to: 127.0.0.1
+  shell: |
+    jq 'try .rooms[] | select(.joined_members > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt
+  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+
+- name: Count number of rooms with more then N users
+  delegate_to: 127.0.0.1
+  shell: |
+    wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }'
+  register: rooms_join_members_total
+  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+
+- name: Setting host fact room_list_joined_members
+  delegate_to: 127.0.0.1
+  set_fact:
+    room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}"
+  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+  no_log: True
+
+- name: Purge all rooms with more then N users
+  include_tasks: purge_database_users.yml 
+  loop: "{{ room_list_joined_members.splitlines() | flatten(levels=1) }}"
+  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+
+- name: Generate list of rooms with more then N events
+  delegate_to: 127.0.0.1
+  shell: |
+    jq 'try .rooms[] | select(.state_events > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt
+  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+
+- name: Count number of rooms with more then N users
+  delegate_to: 127.0.0.1
+  shell: |
+    wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }'
+  register: rooms_state_events_total
+  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+
+- name: Setting host fact room_list_state_events
+  delegate_to: 127.0.0.1
+  set_fact:
+    room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}"
+  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+  no_log: True
+
+- name: Purge all rooms with more then N events
+  include_tasks: purge_database_events.yml 
+  loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}"
+  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+
+- name: Collect AWX admin token the hard way!
+  delegate_to: 127.0.0.1
+  shell: |
+      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
+  register: tower_token
+  no_log: True
+
+- name: Execute rust-synapse-compress-state job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_launch:
+    job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
+    tags: "rust-synapse-compress-state"
+    wait: yes
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes 
+  register: job
+
+- name: Stop Synapse service
+  shell: systemctl stop matrix-synapse.service
+
+- name: Re-index Synapse database
+  shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse'
+
+- name: Execute run-postgres-vacuum job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_launch:
+    job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
+    tags: "run-postgres-vacuum,start"
+    wait: yes
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes 
+  register: job
+
+- name: Cleanup room_list files
+  delegate_to: 127.0.0.1
+  shell: |
+    rm /tmp/{{ subscription_id }}_room_list*
+  when: purge_rooms|bool
+  ignore_errors: yes
+
+- name: Collect size of Synapse database
+  shell: du -sh /matrix/postgres/data
+  register: db_size_after_stat
+  no_log: True
+
+- name: Print total number of rooms processed 
+  debug:
+    msg: '{{ rooms_total.stdout }}'
+  when: purge_rooms|bool
+
+- name: Print the number of rooms purged with no local users
+  debug:
+    msg: '{{ rooms_no_local_total.stdout }}'
+  when: purge_rooms|bool
+
+- name: Print the number of rooms purged with more then N users
+  debug:
+    msg: '{{ rooms_join_members_total.stdout }}'
+  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+
+- name: Print the number of rooms purged with more then N events
+  debug:
+    msg: '{{ rooms_state_events_total.stdout }}'
+  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+
+- name: Print before purge size of Synapse database
+  debug:
+    msg: "{{ db_size_before_stat.stdout.split('\n') }}"
+  when: db_size_before_stat is defined
+
+- name: Print after purge size of Synapse database
+  debug:
+    msg: "{{ db_size_after_stat.stdout.split('\n') }}"
+  when: db_size_after_stat is defined
+
+- name: Set boolean value to exit playbook
+  set_fact:
+    end_playbook: true
+
+- name: End playbook early if this task is called.
+  meta: end_play
+  when: end_playbook is defined and end_playbook|bool

roles/matrix-awx/tasks/purge_database_no_local.yml

@@ -0,0 +1,13 @@
+
+- name: Purge all rooms with no local users
+  shell: |
+    curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_room'
+  register: purge_command
+  
+- name: Print output of purge command
+  debug: 
+    msg: "{{ purge_command.stdout }}"
+
+- name: Pause for 5 seconds to let Synapse breathe
+  pause:
+    seconds: 5

roles/matrix-awx/tasks/purge_database_users.yml

@@ -0,0 +1,13 @@
+
+- name: Purge all rooms with more then N users
+  shell: |
+    curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ purge_epoche_time.stdout }}000 }' "{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}"
+  register: purge_command
+  
+- name: Print output of purge command
+  debug: 
+    msg: "{{ purge_command.stdout }}"
+
+- name: Pause for 5 seconds to let Synapse breathe
+  pause:
+    seconds: 5

roles/matrix-awx/tasks/purge_media_remote.yml

@@ -4,7 +4,7 @@
     date -d '{{ item }}' +"%s"
   register: epoche_time
 
-- name: Purge local media to specific date
+- name: Purge remote media to specific date
   shell: |
     curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}'
   register: purge_command

roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -104,6 +104,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml|from_yaml|combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"
 
+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
   id: telegram
   as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@@ -118,8 +120,8 @@ matrix_mautrix_telegram_registration_yaml: |
       - exclusive: true
         regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$'
   # See https://github.com/tulir/mautrix-signal/issues/43
-  sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }}
   url: {{ matrix_mautrix_telegram_appservice_address }}
+  sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
 

roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2

@@ -25,7 +25,7 @@ presence:
   # Bridge Discord online/offline status
   enabled: true
   # How often to send status to the homeserver in milliseconds
-  interval: 500
+  interval: 10000
 
 provisioning:
   # Regex of Matrix IDs allowed to use the puppet bridge
@@ -70,7 +70,7 @@ namePatterns:
   #
   # name: username of the user
   # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"
 
   # A user's guild-specific displayname - if they've set a custom nick in
   # a guild
@@ -82,7 +82,7 @@ namePatterns:
   # displayname: the user's custom group-specific nick
   # channel: the name of the channel
   # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"
 
   # Room names for bridged Discord channels
   #
@@ -90,7 +90,7 @@ namePatterns:
   #
   # name: name of the channel
   # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"
 
   # Group names for bridged Discord servers
   #

roles/matrix-client-element/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
 
-matrix_client_element_version: v1.7.26
+matrix_client_element_version: v1.7.28
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

roles/matrix-client-element/tasks/setup.yml

@@ -66,6 +66,18 @@
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "matrix_client_element_enabled|bool and item.src is not none"
 
+- name: Copy Element costum files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/files/background.jpg", name: "background.jpg"}
+    - {src: "{{ role_path }}/files/antifa_coffee_cups.png", name: "logo.png"}
+  when: "matrix_client_element_enabled|bool and item.src is not none"
+
 - name: Ensure Element config files removed
   file:
     path: "{{ matrix_client_element_data_path }}/{{ item.name }}"

roles/matrix-client-element/templates/welcome.html.j2

@@ -33,7 +33,7 @@ h1::after {
 }
 
 .mx_Logo {
-    height: 54px;
+    height: 92px;
     margin-top: 2px;
 }
 

roles/matrix-common-after/tasks/awx_post.yml

@@ -35,7 +35,25 @@
   with_dict:
     'matrix_awx_dimension_user_created': 'true'
   when: not matrix_awx_dimension_user_created|bool
+
+- name: Create user account @mjolnir
+  command: |
+    /usr/local/bin/matrix-synapse-register-user mjolnir {{ matrix_awx_mjolnir_user_password | quote }} 0
+  register: cmd
+  when: not matrix_awx_mjolnir_user_created|bool
+  no_log: True
   
+- name: Update AWX dimension user created variable
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: 'AWX Settings'
+  with_dict:
+    'matrix_awx_mjolnir_user_created': 'true'
+  when: not matrix_awx_mjolnir_user_created|bool
+
 - name: Ensure /chroot/website location has correct permissions
   file:
     path: /chroot/website

roles/matrix-coturn/defaults/main.yml

@@ -2,7 +2,7 @@ matrix_coturn_enabled: true
 
 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
-matrix_coturn_container_image_self_build_repo_version: "upstream/{{ matrix_coturn_version }}"
+matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r0"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
 
 matrix_coturn_version: 4.5.2

roles/matrix-grafana/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_grafana_enabled: false
 
-matrix_grafana_version: 7.5.5
+matrix_grafana_version: 7.5.6
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
 
@@ -37,6 +37,13 @@ matrix_grafana_default_admin_password: admin
 # [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
 matrix_grafana_content_security_policy: true
 
+# specify content security policy template to customized template
+# added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers.
+# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers.
+# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/)
+# [Content Security Policy Reference](https://content-security-policy.com/script-src/)
+matrix_grafana_content_security_policy_customized: true
+
 # A list of extra arguments to pass to the container
 matrix_grafana_container_extra_arguments: []
 

roles/matrix-grafana/templates/grafana.ini.j2

@@ -8,6 +8,11 @@ admin_password = """{{ matrix_grafana_default_admin_password }}"""
 # specify content_security_policy to add the Content-Security-Policy header to your requests
 content_security_policy = "{{ matrix_grafana_content_security_policy }}"
 
+# specify content security policy template to customized template
+{% if matrix_grafana_content_security_policy_customized %}
+content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
+{% endif %}
+
 [auth.anonymous]
 # enable anonymous access
 enabled = {{ matrix_grafana_anonymous_access }}

roles/matrix-jitsi/defaults/main.yml

@@ -52,7 +52,7 @@ matrix_jitsi_jibri_recorder_password: ''
 
 matrix_jitsi_enable_lobby: false
 
-matrix_jitsi_version: stable-5142
+matrix_jitsi_version: stable-5765-1
 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
 
 matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"

roles/matrix-jitsi/templates/prosody/env.j2

@@ -3,6 +3,8 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }}
 ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
 
+PUBLIC_URL={{ matrix_jitsi_web_public_url }}
+
 LDAP_URL={{ matrix_jitsi_ldap_url }}
 LDAP_BASE={{ matrix_jitsi_ldap_base }}
 LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}

roles/matrix-mailer/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
 
-matrix_mailer_version: 4.94-r0
+matrix_mailer_version: 4.94.2-r0-1
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"

roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2

@@ -18,7 +18,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \
 			--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
-			--init \
 			--tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_mailer_base_path }}/env-mailer \

roles/matrix-nginx-proxy/defaults/main.yml

@@ -223,6 +223,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:1
 matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
 matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
 matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
+matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"
 
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
@@ -385,6 +386,19 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
 matrix_ssl_pre_obtaining_required_service_name: ~
 matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
 
+# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
+# OCSP stapling can provide a performance boost of up to 30%
+# nginx web server supports OCSP stapling since version 1.3.7.
+#
+# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
+# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling
+#
+# Learn more about what it is here:
+# - https://en.wikipedia.org/wiki/OCSP_stapling
+# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
+# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+matrix_nginx_proxy_ocsp_stapling_enabled: true
+
 # nginx status page configurations.
 matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
 matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2

@@ -69,6 +69,12 @@ server {
 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
+	
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
+	{% endif %}	
 
 	{{ render_vhost_directives() }}
 }

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2

@@ -74,6 +74,12 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem;
+	{% endif %}
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2

@@ -79,6 +79,12 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
+	{% endif %}
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2

@@ -77,6 +77,12 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem;
+	{% endif %}
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -136,7 +136,13 @@
 		proxy_max_temp_file_size 0;
 	}
 
-	location / {
+	{#
+		We only handle the root URI for this redirect or homepage serving.
+		Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404,
+		instead of causing a redirect.
+		See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058
+	#}
+	location ~* ^/$ {
 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
 			return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
 		{% else %}
@@ -196,6 +202,12 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
+	{% endif %}
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}
@@ -230,6 +242,12 @@ server {
 			ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 		{% endif %}
 		ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
+
+		{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+			ssl_stapling on;
+			ssl_stapling_verify on;
+			ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
+		{% endif %}
 	{% endif %}
 
 	location / {

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2

@@ -10,6 +10,7 @@
 	# add_header X-Content-Type-Options nosniff;
 	# add_header X-Frame-Options SAMEORIGIN;
 	add_header Referrer-Policy "strict-origin-when-cross-origin";
+
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}
@@ -84,6 +85,12 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem;
+	{% endif %}
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

@@ -49,6 +49,27 @@
 
 		tcp_nodelay on;
 	}
+
+	# XMPP websocket
+	location = /xmpp-websocket {
+		{% if matrix_nginx_proxy_enabled %}
+			resolver 127.0.0.11 valid=5s;
+			set $backend {{ matrix_jitsi_xmpp_bosh_url_base }};
+			proxy_pass $backend/xmpp-websocket;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://127.0.0.1:5280;
+		{% endif %}
+		proxy_set_header Host $host;
+
+		proxy_http_version 1.1;
+		proxy_read_timeout 900s;
+		proxy_set_header Connection "upgrade";
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		tcp_nodelay on;
+	}
 {% endmacro %}
 
 server {
@@ -98,6 +119,12 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
+	{% endif %}
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2

@@ -62,6 +62,12 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
+	{% endif %}
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2

@@ -76,6 +76,12 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
+	{% endif %}
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-prometheus/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_prometheus_enabled: false
 
-matrix_prometheus_version: v2.26.0
+matrix_prometheus_version: v2.27.0
 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
 matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
 

roles/matrix-synapse-admin/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
 
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
 
-matrix_synapse_admin_version: 0.7.2
+matrix_synapse_admin_version: latest
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.33.1
-matrix_synapse_version_arm64: v1.33.1
+matrix_synapse_version: v1.34.0
+matrix_synapse_version_arm64: v1.34.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
@@ -454,6 +454,7 @@ matrix_synapse_sentry_dsn: ""
 
 # Postgres database information
 matrix_synapse_database_host: "matrix-postgres"
+matrix_synapse_database_port: 5432
 matrix_synapse_database_user: "synapse"
 matrix_synapse_database_password: ""
 matrix_synapse_database_database: "synapse"

roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml

@@ -10,7 +10,7 @@
 
 - name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided
   set_fact:
-    matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 15
+    matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 180
   when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''"
 
 - name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -128,6 +128,16 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #
 #gc_thresholds: [700, 10, 10]
 
+# The minimum time in seconds between each GC for a generation, regardless of
+# the GC thresholds. This ensures that we don't do GC too frequently.
+#
+# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive
+# generation 0 GCs, etc.
+#
+# Defaults to `[1s, 10s, 30s]`.
+#
+#gc_min_interval: [0.5s, 30s, 1m]
+
 # Set the limit on the returned events in the timeline in the get
 # and sync operations. The default value is 100. -1 means no upper limit.
 #
@@ -757,6 +767,12 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js
 #
 #allow_profile_lookup_over_federation: false
 
+# Uncomment to disable device display name lookup over federation. By default, the
+# Federation API allows other homeservers to obtain device display names of any user
+# on this homeserver. Defaults to 'true'.
+#
+#allow_device_name_lookup_over_federation: false
+
 
 ## Caching ##
 
@@ -813,6 +829,7 @@ database:
     password: {{ matrix_synapse_database_password|string|to_json }}
     database: "{{ matrix_synapse_database_database }}"
     host: "{{ matrix_synapse_database_host }}"
+    port: {{ matrix_synapse_database_port }}
     cp_min: 5
     cp_max: 10
 
@@ -1519,6 +1536,7 @@ room_prejoin_state:
    # - m.room.avatar
    # - m.room.encryption
    # - m.room.name
+   # - m.room.create
    #
    # Uncomment the following to disable these defaults (so that only the event
    # types listed in 'additional_event_types' are shared). Defaults to 'false'.

setup.yml

@@ -54,3 +54,27 @@
     - matrix-postgres-backup
     - matrix-common-after
 
+  tasks:
+    - name: Ensure web-user is present
+      user:
+        name: "{{ web_user }}"
+        state: present
+        system: yes
+      register: web_user_res
+      tags: [ setup-caddy, setup-all, start ]
+    - name: Ensure directory for revproxy config is present
+      file:
+        path: "{{ revproxy_autoload_dir }}/matrix"
+        state: directory
+        owner: "{{ web_user_res.uid }}"
+        group: "{{ web_user_res.group }}"
+        mode: 0750
+      tags: [ setup-caddy, setup-all, start ]
+    - name: Template reverse proxy configuration
+      template:
+        src: Caddyfile.j2
+        dest: "{{ revproxy_autoload_dir }}/matrix/Caddyfile"
+        owner: "{{ web_user_res.uid }}"
+        group: "{{ web_user_res.group }}"
+        mode: 0640
+      tags: [ setup-caddy, setup-all, start ]

templates/Caddyfile.j2

@@ -0,0 +1,110 @@
+https://{{ matrix_server_fqn_matrix }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	header {
+		Strict-Transport-Security "max-age=31536000;"
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+	}
+        # matrix-ma1sd
+	reverse_proxy /_matrix/identity/* {{ matrix_ma1sd_container_http_host_bind_port }} {
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+        reverse_proxy /_matrix/client/r0/user_directory/search/* {{ matrix_ma1sd_container_http_host_bind_port }} {
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+                header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+	reverse_proxy /_matrix/federation/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
+	reverse_proxy /_matrix/key/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
+	reverse_proxy /_matrix/* {{ matrix_synapse_container_client_api_host_bind_port }} {
+		import proxyheaders
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+        route /synapse-admin/* {
+                uri strip_prefix /synapse-admin
+                reverse_proxy http://127.0.0.1{{ matrix_synapse_admin_container_http_host_bind_port }}
+        }
+	reverse_proxy /_synapse/* http://{{ matrix_synapse_container_client_api_host_bind_port }}
+        basicauth /metrics/* bcrypt monitoring {
+                monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
+        }
+        route /metrics/synapse {
+                uri replace /metrics/synapse /_synapse/metrics
+		reverse_proxy http://{{ matrix_synapse_container_metrics_api_host_bind_port }}
+        }
+        route /metrics/synapse/worker/appservice {
+                uri replace /metrics/synapse/worker/appservice /_synapse/metrics
+		reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_appservice_workers_metrics_range_start }}
+        }
+        route /metrics/synapse/worker/federation-sender {
+                uri replace /metrics/synapse/worker/federation-sender /_synapse/metrics
+		reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start }}
+        }
+        route /metrics/bridge/* {
+                uri strip_prefix /metrics/bridge
+                route /mautrix-telegram {
+                    uri replace /mautrix-telegram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-whatsapp {
+                    uri replace /mautrix-whatsapp /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-signal {
+                    uri replace /mautrix-signal /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-instagram {
+                    uri replace /mx-puppet-instagram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-discord {
+                    uri replace /mx-puppet-discord /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-skype {
+                    uri replace /mx-puppet-skype /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-slack {
+                    uri replace /mx-puppet-slack /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+                }
+        }
+	reverse_proxy /bridge/telegram/* http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}
+	reverse_proxy /bridge/slack/* http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}
+}
+
+https://{{ matrix_server_fqn_dimension }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	reverse_proxy http://{{ matrix_dimension_container_http_host_bind_port }} {
+		#header_up X-Forwarded-For {remote}
+		import proxyheaders
+		#header_up Host {host}
+	}
+}
+
+https://{{ matrix_server_fqn_element }} {
+	tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	reverse_proxy http://{{ matrix_client_element_container_http_host_bind_port }}
+}
+
+https://{{ matrix_domain }}/.well-known/matrix/* {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	route {
+		uri strip_prefix /.well-known/matrix
+		root * /matrix_static
+		file_server
+	}
+	header {
+		Content-Type "application/json"
+		X-Content-Type-Options "nosniff"
+		Access-Control-Allow-Origin *
+		Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+}