From 29bba5161b49764c39189fb7a17e615c43a06d2b Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 24 Apr 2021 11:10:40 +0530 Subject: [PATCH 01/65] Element More security headers More Production ready nginx headers for Matrix client element. --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f56d7fd59..269b2e09b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -3,9 +3,12 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From 0ccf0fbf1cbcc6a50d4dc17473e9f91b2e262ef8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 24 Apr 2021 12:12:34 +0530 Subject: [PATCH 02/65] HSTS preload + X-XSS enables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **HSTS Preloading:** In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` **X-Xss-Protection:** `1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script. --- .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 3c3231f43..24d3ce5d8 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block";; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 038d35575..6c5eff36c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index a20d8a73a..aaad23b66 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index e47126578..9028e8461 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} From 40fe6bd5c110c60a82b39976125a9fec5d6ab448 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 24 Apr 2021 20:04:20 +0530 Subject: [PATCH 03/65] variable matrix_nginx_proxy_hsts_preload_enable added --- roles/matrix-nginx-proxy/defaults/main.yml | 11 +++++++++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 6 +++++- .../nginx/conf.d/matrix-client-element.conf.j2 | 6 +++++- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 6 +++++- .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 6 +++++- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 6 +++++- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 6 +++++- 7 files changed, 41 insertions(+), 6 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index fdb76a32d..6ba6a98af 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -279,6 +279,17 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. matrix_nginx_proxy_floc_optout_enabled: true +# HSTS Preloading Enable +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be “preloaded” into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +matrix_nginx_proxy_hsts_preload_enable: false + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 685601a41..d0b317979 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,7 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-XSS-Protection "1; mode=block";; add_header X-Content-Type-Options nosniff; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 0d97ddad5..2859cbb51 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -4,7 +4,11 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options SAMEORIGIN; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 48e50a6dc..4c2f4ee0a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,7 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index c19785635..8feb99bd2 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -4,7 +4,11 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} # duplicate X-Content-Type-Options & X-Frame-Options header # Enabled by grafana by default # add_header X-Content-Type-Options nosniff; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 21549e4dc..82e074152 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,7 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index be902c95c..2064fad88 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,7 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; From ca361af61633a3032c87b0d212c7ddf4bede341f Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 15 May 2021 04:23:36 -0500 Subject: [PATCH 04/65] Add Hydrogen --- group_vars/matrix_servers | 27 ++++ roles/matrix-base/defaults/main.yml | 3 + .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- roles/matrix-client-element/tasks/init.yml | 2 +- .../matrix-client-hydrogen/defaults/main.yml | 67 ++++++++++ roles/matrix-client-hydrogen/tasks/init.yml | 10 ++ roles/matrix-client-hydrogen/tasks/main.yml | 15 +++ .../tasks/self_check.yml | 22 ++++ roles/matrix-client-hydrogen/tasks/setup.yml | 119 ++++++++++++++++++ .../templates/config.json.j2 | 3 + .../templates/nginx.conf.j2 | 66 ++++++++++ .../systemd/matrix-client-hydrogen.service.j2 | 40 ++++++ roles/matrix-coturn/tasks/init.yml | 2 +- roles/matrix-ma1sd/tasks/init.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 7 ++ .../tasks/setup_nginx_proxy.yml | 7 ++ .../conf.d/matrix-client-hydrogen.conf.j2 | 84 +++++++++++++ roles/matrix-synapse/tasks/init.yml | 2 +- setup.yml | 1 + 27 files changed, 484 insertions(+), 13 deletions(-) create mode 100644 roles/matrix-client-hydrogen/defaults/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/init.yml create mode 100644 roles/matrix-client-hydrogen/tasks/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/self_check.yml create mode 100644 roles/matrix-client-hydrogen/tasks/setup.yml create mode 100644 roles/matrix-client-hydrogen/templates/config.json.j2 create mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 create mode 100644 roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 517e69224..f5ed72c7e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1242,6 +1242,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_nginx_proxy_proxy_riot_compat_redirect_hostname] if matrix_nginx_proxy_proxy_riot_compat_redirect_enabled else []) + + ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) @@ -1545,6 +1547,31 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr +###################################################################### +# +# matrix-client-hydrogen +# +###################################################################### + +matrix_client_hydrogen_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the HTTP port to the local host. +matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}" + +matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" + +matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +###################################################################### +# +# /matrix-client-hydrogen +# +###################################################################### + + + ###################################################################### # # matrix-synapse diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index d1d3bf27e..ef30ad678 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -15,6 +15,9 @@ matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" # This and the Matrix FQN (see above) are expected to be on the same server. matrix_server_fqn_element: "element.{{ matrix_domain }}" +# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). +matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" + # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 9e1273163..97b370d9a 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mautrix_facebook_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 9209fa40f..9824891bf 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -62,7 +62,7 @@ when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 2b407358d..cd46d03d5 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mautrix_instagram_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 4d8444e11..73f3507e9 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mx_puppet_discord_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index 1f00e8a5a..f2657d2a6 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mx_puppet_groupme_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 605ea4928..75ced0a26 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mx_puppet_skype_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 16afef20b..68c305bbb 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -63,7 +63,7 @@ when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 9687944fc..4c71ef85c 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mx_puppet_steam_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 86f302379..a048a0025 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -63,7 +63,7 @@ when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index a42e31437..0fb47a8b9 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -3,7 +3,7 @@ when: matrix_client_element_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml new file mode 100644 index 000000000..cf6e9a0cf --- /dev/null +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -0,0 +1,67 @@ +matrix_client_hydrogen_enabled: true + +# as of 2021-05-15 the pre-built images were not working so self building is enabled by default +matrix_client_hydrogen_container_image_self_build: true +matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" + +matrix_client_hydrogen_version: v0.1.51 +matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" + +matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" +matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_hydrogen_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_hydrogen_container_extra_arguments: [] + +# List of systemd services that matrix-client-hydrogen.service depends on +matrix_client_hydrogen_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_hydrogen_self_check_validate_certificates: true + +# config.json +matrix_client_hydrogen_default_hs_url: "" + +# Default Hydrogen configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_hydrogen_configuration_default`. +# +# Example configuration extension follows: +# +# matrix_client_hydrogen_configuration_extension_json: | +# { +# "push": { +# "appId": "io.element.hydrogen.web", +# "gatewayUrl": "https://matrix.org", +# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM" +# }, +# "defaultHomeServer": "matrix.org" +# } +matrix_client_hydrogen_configuration_extension_json: '{}' + +matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final Hydrogen configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`. +matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml new file mode 100644 index 000000000..be72a9835 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -0,0 +1,10 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" + when: matrix_client_hydrogen_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self building it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build the Hydrogen image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" diff --git a/roles/matrix-client-hydrogen/tasks/main.yml b/roles/matrix-client-hydrogen/tasks/main.yml new file mode 100644 index 000000000..6534db05d --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_hydrogen_enabled|bool" + tags: + - setup-all + - setup-client-hydrogen + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: run_setup|bool + tags: + - setup-all + - setup-client-hydrogen diff --git a/roles/matrix-client-hydrogen/tasks/self_check.yml b/roles/matrix-client-hydrogen/tasks/self_check.yml new file mode 100644 index 000000000..c7407dcd5 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}" + +- name: Check Hydrogen + uri: + url: "{{ matrix_client_hydrogen_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}" + register: matrix_client_hydrogen_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Hydrogen not working + fail: + msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" + when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result" + +- name: Report working Hydrogen + debug: + msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml new file mode 100644 index 000000000..3d9eea44e --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -0,0 +1,119 @@ +--- + +# +# Tasks related to setting up Hydrogen +# + +- name: Ensure Hydrogen paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_hydrogen_data_path }}", when: true } + - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" } + when: matrix_client_hydrogen_enabled|bool and item.when + +- name: Ensure Hydrogen Docker image is pulled + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}" + when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build + +- name: Ensure Hydrogen repository is present on self-build + git: + repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" + version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_hydrogen_git_pull_results + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen Docker image is built + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: build + force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_hydrogen_docker_src_files_path }}" + pull: yes + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen configuration installed + copy: + content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" + dest: "{{ matrix_client_hydrogen_data_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_client_hydrogen_enabled|bool + +- name: Ensure Hydrogen config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "matrix_client_hydrogen_enabled|bool and item.src is not none" + +- name: Ensure matrix-client-hydrogen.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + mode: 0644 + register: matrix_client_hydrogen_systemd_service_result + when: matrix_client_hydrogen_enabled|bool + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation + service: + daemon_reload: yes + when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed" + +# +# Tasks related to getting rid of Hydrogen (if it was previously enabled) +# + +- name: Check existence of matrix-client-hydrogen.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + register: matrix_client_hydrogen_service_stat + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure matrix-client-hydrogen is stopped + service: + name: matrix-client-hydrogen + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure matrix-client-hydrogen.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + state: absent + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal + service: + daemon_reload: yes + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure Hydrogen paths doesn't exist + file: + path: "{{ matrix_client_hydrogen_data_path }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure Hydrogen Docker image doesn't exist + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" diff --git a/roles/matrix-client-hydrogen/templates/config.json.j2 b/roles/matrix-client-hydrogen/templates/config.json.j2 new file mode 100644 index 000000000..62a849b0f --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/config.json.j2 @@ -0,0 +1,3 @@ +{ + "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }} +} diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 new file mode 100644 index 000000000..fba16bbdc --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 new file mode 100644 index 000000000..227d105b7 --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -0,0 +1,40 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Hydrogen Client +{% for service in matrix_client_hydrogen_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_hydrogen_container_http_host_bind_port %} + -p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/app/config.json,ro \ + {% for arg in matrix_client_hydrogen_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_hydrogen_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-hydrogen + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index be011b7fe..172701622 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index 89283a1fb..64f2781ee 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -3,7 +3,7 @@ when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a7d9aeb28..97ba7539c 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -113,6 +113,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost: matrix_nginx_proxy_proxy_element_enabled: false matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" +# Controls whether proxying the Hydrogen domain should be done. +matrix_nginx_proxy_proxy_hydrogen_enabled: false +matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" + # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" @@ -251,6 +255,9 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 7534d28c6..660f277cd 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -72,6 +72,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for dimension domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 new file mode 100644 index 000000000..9224dd862 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -0,0 +1,84 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-hydrogen:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8768; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 04b8d2b8c..51dd99060 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -19,7 +19,7 @@ when: matrix_s3_media_store_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/setup.yml b/setup.yml index 4e2879e59..add6aae86 100755 --- a/setup.yml +++ b/setup.yml @@ -42,6 +42,7 @@ - matrix-grafana - matrix-registration - matrix-client-element + - matrix-client-hydrogen - matrix-jitsi - matrix-ma1sd - matrix-dimension From 9a8a81fdb095de6664f513110fd4d1baeb1ea4ea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 08:35:19 +0300 Subject: [PATCH 05/65] Disable OCSP stapling when self-signed certificates are used Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 --- group_vars/matrix_servers | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e5ce10273..b4e5ac6e1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1239,6 +1239,11 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +# OCSP stapling does not make sense when self-signed certificates are used. +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 +matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" + matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" From 47b4608b96ddfb1b0069a0b2c21ae40531a40a63 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 11:15:05 +0300 Subject: [PATCH 06/65] Fail in a friendlier way when trying to self-build on Ansible <= 2.8 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 Related discussion here: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 --- roles/matrix-bridge-appservice-irc/tasks/init.yml | 7 +++++++ .../matrix-bridge-appservice-slack/tasks/init.yml | 7 +++++++ .../matrix-bridge-mautrix-facebook/tasks/init.yml | 7 +++++++ .../matrix-bridge-mautrix-hangouts/tasks/init.yml | 7 +++++++ .../matrix-bridge-mautrix-instagram/tasks/init.yml | 7 +++++++ .../matrix-bridge-mautrix-telegram/tasks/init.yml | 7 +++++++ .../matrix-bridge-mx-puppet-discord/tasks/init.yml | 7 +++++++ .../matrix-bridge-mx-puppet-groupme/tasks/init.yml | 7 +++++++ .../tasks/init.yml | 7 +++++++ roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 7 +++++++ roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 7 +++++++ roles/matrix-bridge-mx-puppet-steam/tasks/init.yml | 7 +++++++ .../matrix-bridge-mx-puppet-twitter/tasks/init.yml | 7 +++++++ roles/matrix-client-element/tasks/init.yml | 8 ++++---- roles/matrix-corporal/tasks/init.yml | 7 +++++++ roles/matrix-coturn/tasks/init.yml | 14 +++++++------- roles/matrix-dynamic-dns/tasks/init.yml | 7 +++++++ roles/matrix-ma1sd/tasks/init.yml | 14 +++++++------- roles/matrix-mailer/tasks/init.yml | 7 +++++++ roles/matrix-registration/tasks/init.yml | 7 +++++++ roles/matrix-synapse-admin/tasks/init.yml | 7 +++++++ roles/matrix-synapse/tasks/init.yml | 14 +++++++------- 22 files changed, 151 insertions(+), 25 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index ddf1b0310..b9a58e005 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build" + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 045b6b73c..6a1bf869f 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build" + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 9e1273163..84f1a6c0d 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" when: matrix_mautrix_facebook_enabled|bool diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 9209fa40f..a8c02703f 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" when: matrix_mautrix_hangouts_enabled|bool diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 2b407358d..2aa589404 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" when: matrix_mautrix_instagram_enabled|bool diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index 721e98da7..c8f7f895e 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" when: matrix_mautrix_telegram_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 4d8444e11..c29fc6e5a 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" when: matrix_mx_puppet_discord_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index 1f00e8a5a..e2870d606 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" when: matrix_mx_puppet_groupme_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index 0d319bc89..2ef99f025 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" when: matrix_mx_puppet_instagram_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 605ea4928..e044881b8 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" when: matrix_mx_puppet_skype_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 16afef20b..6e1b9a6a1 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" when: matrix_mx_puppet_slack_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 9687944fc..d2e34b894 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" when: matrix_mx_puppet_steam_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 86f302379..e49439a51 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" when: matrix_mx_puppet_twitter_enabled|bool diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index a42e31437..102cae383 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -2,9 +2,9 @@ matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}" when: matrix_client_element_enabled|bool -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 fail: - msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build" diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index ffe5d5da2..993ace81e 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" when: matrix_corporal_enabled|bool diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index be011b7fe..c645c06bf 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" when: matrix_coturn_enabled|bool @@ -5,10 +12,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}" when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 1a0f1b3d8..039b5b023 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index 89283a1fb..f09cfcfd4 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,10 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" when: matrix_ma1sd_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index e48e2a850..5895343e8 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" when: matrix_mailer_enabled|bool diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 158ad6051..b58ba659d 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" when: matrix_registration_enabled|bool diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index 36bdb611b..7898dec94 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" when: matrix_synapse_admin_enabled|bool diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 04b8d2b8c..167906646 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" + # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. - import_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" @@ -17,10 +24,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" From 9437f78c9e419c42cd0973ed4b1fc78598494b42 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 03:45:21 -0500 Subject: [PATCH 07/65] Build using custom config.json, add CSP, update to 0.1.53 --- group_vars/matrix_servers | 1 + .../matrix-client-hydrogen/defaults/main.yml | 5 +- roles/matrix-client-hydrogen/tasks/init.yml | 14 ++-- roles/matrix-client-hydrogen/tasks/setup.yml | 29 +++----- .../tasks/validate_config.yml | 9 +++ .../templates/nginx.conf.j2 | 66 ------------------- .../conf.d/matrix-client-hydrogen.conf.j2 | 2 + 7 files changed, 31 insertions(+), 95 deletions(-) create mode 100644 roles/matrix-client-hydrogen/tasks/validate_config.yml delete mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f5ed72c7e..d43fbb666 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1172,6 +1172,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" +matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index cf6e9a0cf..f7a3059e4 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -1,10 +1,11 @@ matrix_client_hydrogen_enabled: true -# as of 2021-05-15 the pre-built images were not working so self building is enabled by default +# Self building is used by default because the `config.json` file is only read at build time. +# The pre-built images also were not functional as of 2021-05-15. matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.51 +matrix_client_hydrogen_version: v0.1.53 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml index be72a9835..1115f63d6 100644 --- a/roles/matrix-client-hydrogen/tasks/init.yml +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -1,10 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" when: matrix_client_hydrogen_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build the Hydrogen image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml index 3d9eea44e..cb1a6f2e3 100644 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -33,6 +33,15 @@ register: matrix_client_hydrogen_git_pull_results when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" +- name: Ensure Hydrogen configuration installed + copy: + content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_client_hydrogen_enabled|bool + - name: Ensure Hydrogen Docker image is built docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" @@ -44,26 +53,6 @@ pull: yes when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" -- name: Ensure Hydrogen configuration installed - copy: - content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" - dest: "{{ matrix_client_hydrogen_data_path }}/config.json" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_client_hydrogen_enabled|bool - -- name: Ensure Hydrogen config files installed - template: - src: "{{ item.src }}" - dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - when: "matrix_client_hydrogen_enabled|bool and item.src is not none" - - name: Ensure matrix-client-hydrogen.service installed template: src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml new file mode 100644 index 000000000..6d4b7d21b --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required Hydrogen settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Hydrogen. + when: "vars[item] == '' or vars[item] is none" + with_items: + - "matrix_client_hydrogen_default_hs_url" diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 deleted file mode 100644 index fba16bbdc..000000000 --- a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 +++ /dev/null @@ -1,66 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# This is a custom nginx configuration file that we use in the container (instead of the default one), -# because it allows us to run nginx with a non-root user. -# -# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. -# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) -# -# The following changes have been done compared to a default nginx configuration file: -# - default server port is changed (80 -> 8080), so that a non-root user can bind it -# - various temp paths are changed to `/tmp`, so that a non-root user can write to them -# - the `user` directive was removed, as we don't want nginx to switch users - -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /tmp/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - server { - listen 8080; - server_name localhost; - - root /usr/share/nginx/html; - - location / { - index index.html index.htm; - } - - location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { - expires -1; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } -} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 9224dd862..782d9a282 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -7,6 +7,8 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} From 1633f61018d31a321e91779cdba5f6e79e938f4c Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 04:23:06 -0500 Subject: [PATCH 08/65] Only install config.json when self building --- roles/matrix-client-hydrogen/tasks/setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml index cb1a6f2e3..d33cea705 100644 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -40,7 +40,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_client_hydrogen_enabled|bool + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" - name: Ensure Hydrogen Docker image is built docker_image: From ac4ede20afcd89283618d1f764b463b314c4c9ab Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 04:43:04 -0500 Subject: [PATCH 09/65] Add docs --- README.md | 2 ++ docs/configuring-dns.md | 3 +++ docs/configuring-playbook-client-hydrogen.md | 21 +++++++++++++++++++ .../tasks/validate_config.yml | 2 +- 4 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 docs/configuring-playbook-client-hydrogen.md diff --git a/README.md b/README.md index beb938b4d..8448680cf 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation +- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 285ded424..adff4e285 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -36,6 +36,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `stats` (*) | - | - | - | `matrix.` | | CNAME | `goneb` (*) | - | - | - | `matrix.` | | CNAME | `sygnal` (*) | - | - | - | `matrix.` | +| CNAME | `hydrogen` (*) | - | - | - | `matrix.` | ## Subdomains setup @@ -54,6 +55,8 @@ The `goneb.` subdomain may be necessary, because this playbook coul The `sygnal.` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.` DNS record. +The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `sygnal.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-client-hydrogen.md b/docs/configuring-playbook-client-hydrogen.md new file mode 100644 index 000000000..fda5aec37 --- /dev/null +++ b/docs/configuring-playbook-client-hydrogen.md @@ -0,0 +1,21 @@ +# Configuring Hydrogen (optional) + +This playbook can install the [Hydrogen](https://github.com/vector-im/hydrogen-web) Matrix web client for you. +Hydrogen is a lightweight web client that supports mobile and legacy web browsers. +Hydrogen can be installed alongside or instead of Element. + +If you'd like Hydrogen to be installed, add the following to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_hydrogen_enabled: true +``` + +You will also need to add a DNS record so that Hydrogen can be accessed. +By default Hydrogen will use https://hydrogen.DOMAIN so you will need to create an CNAME record +for `hydrogen`. See [docs/configuring-dns.md](docs/configuring-dns.md). + +If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): + +```yaml + matrix_server_fqn_hydrogen: "helium.{{ matrix_domain }}" +``` diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml index 6d4b7d21b..d3b9a709b 100644 --- a/roles/matrix-client-hydrogen/tasks/validate_config.yml +++ b/roles/matrix-client-hydrogen/tasks/validate_config.yml @@ -4,6 +4,6 @@ fail: msg: > You need to define a required configuration setting (`{{ item }}`) to use Hydrogen. - when: "vars[item] == '' or vars[item] is none" + when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool" with_items: - "matrix_client_hydrogen_default_hs_url" From b7142223844e97ff543b000840f164b1e11d03b5 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 04:45:40 -0500 Subject: [PATCH 10/65] typo --- docs/configuring-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index adff4e285..0016464fa 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -55,7 +55,7 @@ The `goneb.` subdomain may be necessary, because this playbook coul The `sygnal.` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.` DNS record. -The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `sygnal.` DNS record. +The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.` DNS record. ## `_matrix-identity._tcp` SRV record setup From d0de21ab34e4a0624ce7209fe08e8927895d9d14 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 12:58:32 +0300 Subject: [PATCH 11/65] Delete Hydrogen nginx configuration file when disabled --- roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 660f277cd..1d59f5677 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -211,6 +211,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" From 6f802927453719c4d800e6a16203331aa21d77e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 13:40:37 +0300 Subject: [PATCH 12/65] Add OCSP stapling support and other SSL optimizations to Hydrogen vhost Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061 and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057 --- .../nginx/conf.d/matrix-client-hydrogen.conf.j2 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 782d9a282..5ad99603d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -81,6 +81,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} From c5d52d49da024909b05bb42a2a8b36a5d8cd31c0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 13:50:45 +0300 Subject: [PATCH 13/65] Announce Hydrogen support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1055 --- CHANGELOG.md | 11 +++++++++++ docs/configuring-playbook.md | 2 ++ 2 files changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 337e961ea..6e8137f16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2021-05-21 + +## Hydrogen support + +Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now supports [Hydrogen](https://github.com/vector-im/hydrogen-web) - a new lightweight matrix client with legacy and mobile browser support. + +By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the plabook. + +Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-client-hydrogen.md). + + # 2021-05-19 ## Heisenbridge support diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 17f925758..fae66dca2 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -68,6 +68,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) +- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) + ### Authentication and user-related From 0a662dcbcd67c1e62e90f75fa47f0c310b43c19a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 13:52:07 +0300 Subject: [PATCH 14/65] Fix typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e8137f16..7d58ad67b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now supports [Hydrogen](https://github.com/vector-im/hydrogen-web) - a new lightweight matrix client with legacy and mobile browser support. -By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the plabook. +By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the playbook. Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-client-hydrogen.md). From 55b92d5a1325e59968b8bb3265cd41a1e9456b43 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 13:52:33 +0300 Subject: [PATCH 15/65] Fix another typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d58ad67b..8fd1c8d2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now sup By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the playbook. -Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-client-hydrogen.md). +Additional details are available in [Setting up Hydrogen](docs/configuring-playbook-client-hydrogen.md). # 2021-05-19 From 7a086d7dd9fee8c449a3f8c48d232555646c88db Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 14:01:01 +0300 Subject: [PATCH 16/65] Mention Hydrgeon in self-building.md Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1055 --- docs/self-building.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/self-building.md b/docs/self-building.md index 0d41e419e..303344acd 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -14,6 +14,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-synapse` - `matrix-synapse-admin` - `matrix-client-element` +- `matrix-client-hydrogen` - `matrix-registration` - `matrix-coturn` - `matrix-corporal` From b2d0a8a5e5e854e1ee2b8261413ed0650bd21336 Mon Sep 17 00:00:00 2001 From: throwawayay Date: Fri, 21 May 2021 07:40:01 -0400 Subject: [PATCH 17/65] docs: update Configuring DNS in Hydrogen setup --- docs/configuring-playbook-client-hydrogen.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-client-hydrogen.md b/docs/configuring-playbook-client-hydrogen.md index fda5aec37..4b05240ba 100644 --- a/docs/configuring-playbook-client-hydrogen.md +++ b/docs/configuring-playbook-client-hydrogen.md @@ -12,7 +12,7 @@ matrix_client_hydrogen_enabled: true You will also need to add a DNS record so that Hydrogen can be accessed. By default Hydrogen will use https://hydrogen.DOMAIN so you will need to create an CNAME record -for `hydrogen`. See [docs/configuring-dns.md](docs/configuring-dns.md). +for `hydrogen`. See [Configuring DNS](configuring-dns.md). If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): From 4a772e50f4fe02bc2041078bfe350510e8b5f52a Mon Sep 17 00:00:00 2001 From: ewang Date: Fri, 21 May 2021 15:26:06 +0200 Subject: [PATCH 18/65] Allow Jitsi XMPP webscoket support for users using own webserver. Added: - Conditional localhost Port bindings for Jitsi Prosody systemd template - Added variable to main.yml to allow overriding from vars.yml --- roles/matrix-jitsi/defaults/main.yml | 2 +- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 7dcff9872..9d092b533 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -175,7 +175,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] # List of systemd services that matrix-jitsi-prosody.service depends on matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] - +matrix_jitsi_prosody_container_http_host_bind_port: '' matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index b3525a745..48036fb52 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,9 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ + {% if matrix_jitsi_prosody_container_http_host_bind_port %} + -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:{{ matrix_jitsi_prosody_container_http_host_bind_port }} + {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ From 3c0452ff5ad342b9f0a95fe2d1f22bd92e9c6203 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 17:22:40 -0500 Subject: [PATCH 19/65] Remove unnecessary bind for config.json, use proper nginx.conf --- roles/matrix-client-hydrogen/tasks/setup.yml | 11 ++++ .../templates/nginx.conf.j2 | 66 +++++++++++++++++++ .../systemd/matrix-client-hydrogen.service.j2 | 1 - 3 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml index d33cea705..205fa3ceb 100644 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -42,6 +42,17 @@ group: "{{ matrix_user_groupname }}" when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" +- name: Ensure Hydrogen additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "matrix_client_hydrogen_enabled|bool and item.src is not none" + - name: Ensure Hydrogen Docker image is built docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 new file mode 100644 index 000000000..fba16bbdc --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 index 227d105b7..c85aeb978 100644 --- a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -24,7 +24,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydroge {% endif %} --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ - --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/app/config.json,ro \ {% for arg in matrix_client_hydrogen_container_extra_arguments %} {{ arg }} \ {% endfor %} From 1bb6ed97aeaad2f40d802a4fb06a50148aa7354d Mon Sep 17 00:00:00 2001 From: ewang Date: Sat, 22 May 2021 15:53:42 +0200 Subject: [PATCH 20/65] Make port bindings default for those disabling nginx proxy I changed the conditional statement in prosody systemd template to bind the localhost port by default if people have set ```matrix_nginx_proxy_enabled == false ```. Hopefully that should make it the default behaviour now. --- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 48036fb52..0d604e129 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,8 +16,8 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ - {% if matrix_jitsi_prosody_container_http_host_bind_port %} - -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:{{ matrix_jitsi_prosody_container_http_host_bind_port }} + {% if matrix_nginx_proxy_enabled == false %} + -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ From ef6a7e051c18d6fb465f1c3373e77c8e49eff56b Mon Sep 17 00:00:00 2001 From: Eagle-251 <70513930+Eagle-251@users.noreply.github.com> Date: Sat, 22 May 2021 15:55:50 +0200 Subject: [PATCH 21/65] Fix missing port binding. --- roles/matrix-jitsi/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 9d092b533..811df1338 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -175,7 +175,9 @@ matrix_jitsi_prosody_container_extra_arguments: [] # List of systemd services that matrix-jitsi-prosody.service depends on matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_prosody_container_http_host_bind_port: '' + +# Neccessary Port binding for those disabling the integrated nginx proxy +matrix_jitsi_prosody_container_http_host_bind_port: 5280 matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" From 409cd2b9a36b384055226a0d274cba4ef81a458e Mon Sep 17 00:00:00 2001 From: ewang Date: Sun, 23 May 2021 14:06:18 +0200 Subject: [PATCH 22/65] Source port binding from group vars in line other components --- group_vars/matrix_servers | 2 ++ roles/matrix-jitsi/defaults/main.yml | 2 +- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e9be72ca3..86f1d5a36 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1053,6 +1053,8 @@ matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" +matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" + matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 811df1338..14545bc97 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -177,7 +177,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] # Neccessary Port binding for those disabling the integrated nginx proxy -matrix_jitsi_prosody_container_http_host_bind_port: 5280 +matrix_jitsi_prosody_container_http_host_bind_port: '' matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 0d604e129..4445e52bd 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,7 +16,7 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ - {% if matrix_nginx_proxy_enabled == false %} + {% if matrix_jitsi_prosody_container_http_host_bind_port %} -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ From 794035790c609c7e66d76b925df7581f0fc2b374 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 23 May 2021 16:53:14 -0500 Subject: [PATCH 23/65] Remove synapse-admin incompatibility note --- docs/configuring-playbook-synapse-admin.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 5b9519e24..68d703052 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -6,8 +6,6 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you. -**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file). - ## Adjusting the playbook configuration From df2d91970d3c96425056acfa59ca988e02ac65a8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Mon, 24 May 2021 17:02:47 +0530 Subject: [PATCH 24/65] matrix_nginx_proxy_xss_protection --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++++ .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 4 +--- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 +- 9 files changed, 33 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3a6f943ac..dd0fc21ea 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -290,6 +290,10 @@ matrix_nginx_proxy_floc_optout_enabled: true # - https://hstspreload.org/#opt-in matrix_nginx_proxy_hsts_preload_enable: false +# +# +matrix_nginx_proxy_xss_protection: "1; mode=block" + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index a2d59e86b..0a7612360 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,6 +9,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index d0b317979..b3ef5980c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block";; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 2859cbb51..1e0ba2f10 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -10,10 +10,8 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 4c2f4ee0a..3ccb3a133 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 703c490e9..7713661e4 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -20,6 +20,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; location /.well-known/matrix { root {{ matrix_static_files_base_path }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index eed665a01..cf9ae712c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a69424f46..4e89521e5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -4,6 +4,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index 2064fad88..ef600ab7f 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; From 7cc5328ede3bfeb892afba49c5ba0dc1990b1e6a Mon Sep 17 00:00:00 2001 From: sakkiii Date: Mon, 24 May 2021 17:20:54 +0530 Subject: [PATCH 25/65] Comments & Ref --- roles/matrix-nginx-proxy/defaults/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index dd0fc21ea..0adf9c5f2 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -290,8 +290,13 @@ matrix_nginx_proxy_floc_optout_enabled: true # - https://hstspreload.org/#opt-in matrix_nginx_proxy_hsts_preload_enable: false +# X-XSS-Protection Enable +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# Note: Not applicable for grafana # -# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected matrix_nginx_proxy_xss_protection: "1; mode=block" # Specifies the SSL configuration that should be used for the SSL protocols and ciphers From dcd5e5657d14e6e255b6dd31d7a74cd3dbfe78e1 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Mon, 24 May 2021 17:59:34 +0530 Subject: [PATCH 26/65] OCSP Stapling SSL manually-managed # chain.pem file is required for 'ssl_trusted_certificate` --- docs/configuring-playbook-ssl-certificates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 1b5ea2349..2e288cc89 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -43,6 +43,7 @@ With such a configuration, the playbook would expect you to drop the SSL certifi - `/live//fullchain.pem` - `/live//privkey.pem` +- `/live//chain.pem` where `` refers to the domains that you need (usually `matrix.` and `element.`). From 0648b1b618143e4fc8d90643a8e289ff4daedc3b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 24 May 2021 20:38:30 +0300 Subject: [PATCH 27/65] Upgrade Element (1.7.28 -> 1.7.29) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index c2a546c63..f0596d917 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.28 +matrix_client_element_version: v1.7.29 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 3436f9c10a0f59d5c8e8aec22bfca3058062224b Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 25 May 2021 00:56:59 +0530 Subject: [PATCH 28/65] rename to matrix_nginx_proxy_hsts_preload_enabled --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 0adf9c5f2..bbbe1c3d7 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -288,7 +288,7 @@ matrix_nginx_proxy_floc_optout_enabled: true # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in -matrix_nginx_proxy_hsts_preload_enable: false +matrix_nginx_proxy_hsts_preload_enabled: false # X-XSS-Protection Enable # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 0a7612360..cc8b760da 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -10,7 +10,7 @@ add_header Permissions-Policy interest-cohort=() always; {% endif %} - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index b3ef5980c..88d2fcc85 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,7 +3,7 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 1e0ba2f10..ba46ecbe7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -4,7 +4,7 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 3ccb3a133..271627e72 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,7 +3,7 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 7713661e4..e1206e5ae 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -21,7 +21,7 @@ add_header Permissions-Policy interest-cohort=() always; {% endif %} - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 8feb99bd2..a5e7c39e4 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -4,7 +4,7 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index cf9ae712c..8531c5c89 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,7 +3,7 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 4e89521e5..349b63147 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -5,7 +5,7 @@ add_header Permissions-Policy interest-cohort=() always; {% endif %} - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ef600ab7f..d7e142093 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,7 +3,7 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; From 4a4a7f136e5b1fb096804ec05343c8e9c5230fea Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 25 May 2021 11:42:51 +0530 Subject: [PATCH 29/65] changes added to hydrogen client --- .../templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 5ad99603d..d9a05926c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -4,10 +4,14 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; - add_header X-XSS-Protection "1; mode=block"; add_header Content-Security-Policy "frame-ancestors 'none'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; From 1ed0857019c85fc8ea55de6b18ab042e3839c1ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 May 2021 11:45:17 +0300 Subject: [PATCH 30/65] Fix syntax error Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024 --- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index c46c53614..d153d5c20 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -4,13 +4,13 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif - + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} @@ -75,7 +75,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} From ee088d5d46c76f732eef6592116ad4c844ba8203 Mon Sep 17 00:00:00 2001 From: Ahmad Haghighi Date: Tue, 25 May 2021 13:14:28 +0430 Subject: [PATCH 31/65] Synapse LDAP auth: add support for Active Directory Signed-off-by: Ahmad Haghighi --- roles/matrix-synapse/defaults/main.yml | 2 ++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d966665f9..89f0320ab 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -497,6 +497,8 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" +matrix_synapse_ext_password_provider_ldap_is_active_directory: false +matrix_synapse_ext_password_provider_ldap_default_domain: "" # Enable this to activate the Synapse Antispam spam-checker module. # See: https://github.com/t2bot/synapse-simple-antispam diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 22f5f1ea4..66730d36b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2596,6 +2596,12 @@ password_providers: uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} + {% if matrix_synapse_ext_password_provider_ldap_is_active_directory %} + active_directory: true + {% endif %} + {% if matrix_synapse_ext_password_provider_ldap_default_domain != '' %} + default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }} + {% endif %} attributes: uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} From 209d59070e7ba6147c34242515418554028e787a Mon Sep 17 00:00:00 2001 From: Ahmad Haghighi Date: Tue, 25 May 2021 15:41:38 +0430 Subject: [PATCH 32/65] Avoiding if(s), fix #1083 Conversation: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1083#discussion_r638671860 Signed-off-by: Ahmad Haghighi --- roles/matrix-synapse/defaults/main.yml | 2 +- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 89f0320ab..e112df5ce 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -497,7 +497,7 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" -matrix_synapse_ext_password_provider_ldap_is_active_directory: false +matrix_synapse_ext_password_provider_ldap_active_directory: false matrix_synapse_ext_password_provider_ldap_default_domain: "" # Enable this to activate the Synapse Antispam spam-checker module. diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 66730d36b..aa07ae5b0 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2596,12 +2596,8 @@ password_providers: uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} - {% if matrix_synapse_ext_password_provider_ldap_is_active_directory %} - active_directory: true - {% endif %} - {% if matrix_synapse_ext_password_provider_ldap_default_domain != '' %} + active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }} default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }} - {% endif %} attributes: uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} From 85777e8f966f491161c3cb1f9086e9f33e04fd3d Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 25 May 2021 21:08:00 +0800 Subject: [PATCH 33/65] merge with upstream --- CHANGELOG.md | 20 ++ README.md | 19 +- docs/configuring-awx-system.md | 5 +- docs/configuring-dns.md | 3 + ...figuring-playbook-bridge-appservice-irc.md | 4 +- ...guring-playbook-bridge-appservice-slack.md | 4 +- ...onfiguring-playbook-bridge-heisenbridge.md | 36 ++++ ...iguring-playbook-bridge-mx-puppet-slack.md | 2 + docs/configuring-playbook-client-hydrogen.md | 21 ++ ...configuring-playbook-prometheus-grafana.md | 1 + docs/configuring-playbook-ssl-certificates.md | 1 + docs/configuring-playbook-synapse-admin.md | 2 - docs/configuring-playbook.md | 4 + docs/self-building.md | 1 + examples/caddy2/Caddyfile | 1 - examples/caddy2/README.md | 4 +- group_vars/matrix_servers | 65 +++++- .../scripts/matrix_build_room_list.py | 28 +++ .../matrix-awx/tasks/purge_database_main.yml | 199 +++++++++++++----- roles/matrix-base/defaults/main.yml | 3 + .../tasks/init.yml | 7 + .../tasks/setup_install.yml | 5 +- .../tasks/init.yml | 7 + .../tasks/setup_install.yml | 3 +- .../defaults/main.yml | 47 +++++ .../matrix-bridge-heisenbridge/tasks/init.yml | 24 +++ .../matrix-bridge-heisenbridge/tasks/main.yml | 15 ++ .../tasks/setup_install.yml | 38 ++++ .../tasks/setup_uninstall.yml | 24 +++ .../systemd/matrix-heisenbridge.service.j2 | 50 +++++ .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 7 + .../tasks/setup_install.yml | 5 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 7 + .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- roles/matrix-client-element/defaults/main.yml | 2 +- roles/matrix-client-element/tasks/init.yml | 8 +- roles/matrix-client-element/tasks/setup.yml | 3 +- .../matrix-client-hydrogen/defaults/main.yml | 68 ++++++ roles/matrix-client-hydrogen/tasks/init.yml | 10 + roles/matrix-client-hydrogen/tasks/main.yml | 15 ++ .../tasks/self_check.yml | 22 ++ roles/matrix-client-hydrogen/tasks/setup.yml | 119 +++++++++++ .../tasks/validate_config.yml | 9 + .../templates/config.json.j2 | 3 + .../templates/nginx.conf.j2 | 66 ++++++ .../systemd/matrix-client-hydrogen.service.j2 | 39 ++++ roles/matrix-common-after/defaults/main.yml | 16 ++ roles/matrix-common-after/tasks/start.yml | 5 +- roles/matrix-corporal/tasks/init.yml | 7 + .../matrix-corporal/tasks/setup_corporal.yml | 3 +- roles/matrix-coturn/tasks/init.yml | 14 +- roles/matrix-coturn/tasks/setup_install.yml | 3 +- roles/matrix-dynamic-dns/tasks/init.yml | 7 + roles/matrix-dynamic-dns/tasks/install.yml | 3 +- roles/matrix-grafana/defaults/main.yml | 2 +- roles/matrix-grafana/templates/grafana.ini.j2 | 3 + roles/matrix-jitsi/defaults/main.yml | 2 + .../prosody/matrix-jitsi-prosody.service.j2 | 3 + roles/matrix-ma1sd/tasks/init.yml | 14 +- roles/matrix-mailer/defaults/main.yml | 2 +- roles/matrix-mailer/tasks/init.yml | 7 + roles/matrix-mailer/tasks/setup_mailer.yml | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 49 +++++ .../tasks/setup_nginx_proxy.yml | 13 ++ .../nginx/conf.d/matrix-base-domain.conf.j2 | 12 ++ .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 12 ++ .../conf.d/matrix-client-element.conf.j2 | 12 ++ .../conf.d/matrix-client-hydrogen.conf.j2 | 98 +++++++++ .../nginx/conf.d/matrix-dimension.conf.j2 | 12 ++ .../nginx/conf.d/matrix-domain.conf.j2 | 32 ++- .../nginx/conf.d/matrix-grafana.conf.j2 | 13 ++ .../nginx/conf.d/matrix-jitsi.conf.j2 | 12 ++ .../nginx/conf.d/matrix-riot-web.conf.j2 | 12 ++ .../nginx/conf.d/matrix-sygnal.conf.j2 | 12 ++ .../tasks/util/migrate_db_to_postgres.yml | 3 +- roles/matrix-prometheus/defaults/main.yml | 2 +- roles/matrix-registration/tasks/init.yml | 7 + .../tasks/setup_install.yml | 3 +- roles/matrix-synapse-admin/defaults/main.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 7 + roles/matrix-synapse-admin/tasks/setup.yml | 3 +- roles/matrix-synapse/defaults/main.yml | 6 +- roles/matrix-synapse/tasks/init.yml | 14 +- .../rust-synapse-compress-state/main.yml | 2 +- .../tasks/synapse/setup_install.yml | 3 +- .../templates/synapse/homeserver.yaml.j2 | 18 ++ setup.yml | 2 + 105 files changed, 1451 insertions(+), 141 deletions(-) create mode 100644 docs/configuring-playbook-bridge-heisenbridge.md create mode 100644 docs/configuring-playbook-client-hydrogen.md create mode 100644 roles/matrix-awx/scripts/matrix_build_room_list.py create mode 100644 roles/matrix-bridge-heisenbridge/defaults/main.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/init.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/main.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 create mode 100644 roles/matrix-client-hydrogen/defaults/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/init.yml create mode 100644 roles/matrix-client-hydrogen/tasks/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/self_check.yml create mode 100644 roles/matrix-client-hydrogen/tasks/setup.yml create mode 100644 roles/matrix-client-hydrogen/tasks/validate_config.yml create mode 100644 roles/matrix-client-hydrogen/templates/config.json.j2 create mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 create mode 100644 roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 create mode 100644 roles/matrix-common-after/defaults/main.yml create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 37988c94c..8fd1c8d2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,23 @@ +# 2021-05-21 + +## Hydrogen support + +Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now supports [Hydrogen](https://github.com/vector-im/hydrogen-web) - a new lightweight matrix client with legacy and mobile browser support. + +By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the playbook. + +Additional details are available in [Setting up Hydrogen](docs/configuring-playbook-client-hydrogen.md). + + +# 2021-05-19 + +## Heisenbridge support + +Thanks to [Toni Spets (hifi)](https://github.com/hifi), the playbook now supports bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) using yet another bridge (besides matrix-appservice-irc), called [Heisenbridge](https://github.com/hifi/heisenbridge). + +Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-bridge-heisenbridge.md). + + # 2021-04-16 ## Disabling TLSv1 and TLSv1.1 for Coturn diff --git a/README.md b/README.md index 301e7f05f..8448680cf 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default -- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server +- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) @@ -47,7 +47,7 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) -- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/) +- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) - (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) @@ -67,6 +67,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation +- (optional) the [Heisenbridge](https://github.com/hifi/heisenbridge) for bridging your Matrix server to IRC bouncer-style - see [docs/configuring-playbook-bridge-heisenbridge.md](docs/configuring-playbook-bridge-heisenbridge.md) for setup documentation + - (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation - (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation @@ -103,7 +105,9 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation -Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. +- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation + +Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. @@ -128,4 +132,11 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) -- Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) +- GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) + + +## Services by the community + +- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain + +- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from DigitalOcean, or they can connect their on-premises server. This AWX system can manage the updates, configuration, import and export, backups, and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com). diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index cc90fb98f..1ab6950a3 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -8,9 +8,7 @@ Members can be assigned a server from Digitalocean, or they can connect their ow The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server. -Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy). - -Warning: This project is currently alpha quality and should only be run by the brave. +This system can manage the updates, configuration, import and export, backups and monitoring on its own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy). ## Other Required Playbooks @@ -23,6 +21,7 @@ The following repositories allow you to copy and use this setup: [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. + ## Testing Fork For This Playbook Updates to this section are trailed here: diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 285ded424..0016464fa 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -36,6 +36,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `stats` (*) | - | - | - | `matrix.` | | CNAME | `goneb` (*) | - | - | - | `matrix.` | | CNAME | `sygnal` (*) | - | - | - | `matrix.` | +| CNAME | `hydrogen` (*) | - | - | - | `matrix.` | ## Subdomains setup @@ -54,6 +55,8 @@ The `goneb.` subdomain may be necessary, because this playbook coul The `sygnal.` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.` DNS record. +The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index a9403cb58..93e0fb360 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -1,6 +1,8 @@ # Setting up Appservice IRC (optional) -The playbook can install and configure [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) for you. +**Note**: bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) can also happen via the [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) bridge supported by the playbook. + +The playbook can install and configure the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for you. See the project's [documentation](https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md index a409a0508..7d45d34dd 100644 --- a/docs/configuring-playbook-bridge-appservice-slack.md +++ b/docs/configuring-playbook-bridge-appservice-slack.md @@ -1,5 +1,7 @@ # Setting up Appservice Slack (optional) +**Note**: bridging to [Slack](https://slack.com) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) bridge supported by the playbook. + The playbook can install and configure [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) for you. See the project's [documentation](https://github.com/matrix-org/matrix-appservice-slack/blob/master/README.md) to learn what it does and why it might be useful to you. @@ -106,5 +108,5 @@ Check you logs, if they say something like `WARN SlackEventHandler Ignoring message from unrecognised slack channel id : %s (%s) ` -then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link +then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link your room multiple times without unlinking it after each failed attempt. diff --git a/docs/configuring-playbook-bridge-heisenbridge.md b/docs/configuring-playbook-bridge-heisenbridge.md new file mode 100644 index 000000000..9cf016f24 --- /dev/null +++ b/docs/configuring-playbook-bridge-heisenbridge.md @@ -0,0 +1,36 @@ +# Setting up Heisenbridge (optional) + +**Note**: bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) can also happen via the [matrix-appservice-irc](configuring-playbook-bridge-appservice-irc.md) bridge supported by the playbook. + +The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) bridge for you. + +See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. + +## Configuration + +Below are the common configuration options that you may want to set, exhaustive list is in [the bridge's defaults var file](../roles/matrix-bridge-heisenbridge/defaults/main.yml). + +At a minimum, you only need to enable the bridge to get it up and running (`inventory/host_vars/matrix.DOMAIN/vars.yml`): + +```yaml +matrix_heisenbridge_enabled: true + +# set owner (optional) +matrix_heisenbridge_owner: "@you:your-homeserver" + +# to enable identd on host port 113/TCP (optional) +matrix_heisenbridge_identd_enabled: true +``` + +That's it! A registration file is automatically generated during the setup phase. + +Setting the owner is optional as the first local user to DM `@heisenbridge:your-homeserver` will be made the owner. +If you are not using a local user you must set it as otherwise you can't DM it at all. + +## Usage + +After the bridge is successfully running just DM `@heisenbridge:your-homeserver` to start setting it up. +Help is available for all commands with the `-h` switch. +If the bridge ignores you and a DM is not accepted then the owner setting may be wrong. + +If you encounter issues or feel lost you can join the project room at [#heisenbridge:vi.fi](https://matrix.to/#/#heisenbridge:vi.fi) for help. diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md index 1f20219f1..61600c7a4 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-slack.md +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -1,5 +1,7 @@ # Setting up MX Puppet Slack (optional) +**Note**: bridging to [Slack](https://slack.com) can also happen via the [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridge supported by the playbook. + The playbook can install and configure [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you. diff --git a/docs/configuring-playbook-client-hydrogen.md b/docs/configuring-playbook-client-hydrogen.md new file mode 100644 index 000000000..4b05240ba --- /dev/null +++ b/docs/configuring-playbook-client-hydrogen.md @@ -0,0 +1,21 @@ +# Configuring Hydrogen (optional) + +This playbook can install the [Hydrogen](https://github.com/vector-im/hydrogen-web) Matrix web client for you. +Hydrogen is a lightweight web client that supports mobile and legacy web browsers. +Hydrogen can be installed alongside or instead of Element. + +If you'd like Hydrogen to be installed, add the following to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_hydrogen_enabled: true +``` + +You will also need to add a DNS record so that Hydrogen can be accessed. +By default Hydrogen will use https://hydrogen.DOMAIN so you will need to create an CNAME record +for `hydrogen`. See [Configuring DNS](configuring-dns.md). + +If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): + +```yaml + matrix_server_fqn_hydrogen: "helium.{{ matrix_domain }}" +``` diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 4968c5186..dc1b7b4cd 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -56,6 +56,7 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) +`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`). ## More information diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 1b5ea2349..2e288cc89 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -43,6 +43,7 @@ With such a configuration, the playbook would expect you to drop the SSL certifi - `/live//fullchain.pem` - `/live//privkey.pem` +- `/live//chain.pem` where `` refers to the domains that you need (usually `matrix.` and `element.`). diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 5b9519e24..68d703052 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -6,8 +6,6 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you. -**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file). - ## Adjusting the playbook configuration diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index f6988930c..fae66dca2 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -68,6 +68,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) +- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) + ### Authentication and user-related @@ -126,6 +128,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md) (optional) +- [Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook-bridge-heisenbridge.md) (optional) + ### Bots diff --git a/docs/self-building.md b/docs/self-building.md index 0d41e419e..303344acd 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -14,6 +14,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-synapse` - `matrix-synapse-admin` - `matrix-client-element` +- `matrix-client-hydrogen` - `matrix-registration` - `matrix-coturn` - `matrix-corporal` diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 8999f2992..c6d2841bd 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -38,7 +38,6 @@ matrix.DOMAIN.tld { X-Frame-Options "DENY" # X-Robots-Tag X-Robots-Tag "noindex, noarchive, nofollow" - 167,9 79% } # Cache diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index 022a4fec1..fe8d57637 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md @@ -8,5 +8,5 @@ This directory contains sample files that show you how to do reverse-proxying us | ------------------ | -------- | | tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | | tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Dimnension | To enable Dimension support uncomment the lines for Dimension and set your data | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | \ No newline at end of file +| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data | +| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9fec86e97..86f1d5a36 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -488,6 +488,32 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas # ###################################################################### +###################################################################### +# +# matrix-bridge-heisenbridge +# +###################################################################### + +# We don't enable bridges by default. +matrix_heisenbridge_enabled: false + +matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" + +matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" + +matrix_heisenbridge_systemd_wanted_services_list: | + {{ + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +###################################################################### +# +# /matrix-bridge-heisenbridge +# +###################################################################### + ###################################################################### # # matrix-bridge-mx-puppet-skype @@ -1027,6 +1053,8 @@ matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" +matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" + matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" @@ -1113,7 +1141,9 @@ matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matr matrix_ma1sd_dns_overwrite_enabled: true matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}" +# The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case, +# but may be inaccurate if matrix-corporal is enabled. +matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}" # By default, we send mail through the `matrix-mailer` service. matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" @@ -1170,6 +1200,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" +matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -1211,6 +1242,11 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +# OCSP stapling does not make sense when self-signed certificates are used. +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 +matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" + matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" @@ -1240,6 +1276,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_nginx_proxy_proxy_riot_compat_redirect_hostname] if matrix_nginx_proxy_proxy_riot_compat_redirect_enabled else []) + + ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) @@ -1543,6 +1581,31 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr +###################################################################### +# +# matrix-client-hydrogen +# +###################################################################### + +matrix_client_hydrogen_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the HTTP port to the local host. +matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}" + +matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" + +matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +###################################################################### +# +# /matrix-client-hydrogen +# +###################################################################### + + + ###################################################################### # # matrix-synapse diff --git a/roles/matrix-awx/scripts/matrix_build_room_list.py b/roles/matrix-awx/scripts/matrix_build_room_list.py new file mode 100644 index 000000000..3abfcd8c9 --- /dev/null +++ b/roles/matrix-awx/scripts/matrix_build_room_list.py @@ -0,0 +1,28 @@ + +import sys +import requests +import json + +janitor_token = sys.argv[1] +synapse_container_ip = sys.argv[2] + +# collect total amount of rooms + +rooms_raw_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms' +rooms_raw_header = {'Authorization': 'Bearer ' + janitor_token} +rooms_raw = requests.get(rooms_raw_url, headers=rooms_raw_header) +rooms_raw_python = json.loads(rooms_raw.text) +total_rooms = rooms_raw_python["total_rooms"] + +# build complete room list file + +room_list_file = open("/tmp/room_list_complete.json", "w") + +for i in range(0, total_rooms, 100): + rooms_inc_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms?from=' + str(i) + rooms_inc = requests.get(rooms_inc_url, headers=rooms_raw_header) + room_list_file.write(rooms_inc.text) + +room_list_file.close() + +print(total_rooms) diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index ccd46c81a..76a437e14 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -17,136 +17,132 @@ file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' no_log: True -- name: Collect size of Synapse database +- name: Collect before shrink size of Synapse database shell: du -sh /matrix/postgres/data register: db_size_before_stat + when: (purge_mode.find("Perform final shrink") != -1) no_log: True -- name: Print before size of Synapse database - debug: - msg: "{{ db_size_before_stat.stdout.split('\n') }}" - when: db_size_before_stat is defined - - name: Collect the internal IP of the matrix-synapse container shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) register: synapse_container_ip - name: Collect access token for janitor user shell: | curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) register: janitors_token no_log: True -- name: Collect total number of rooms +- name: Copy build_room_list.py script to target machine + copy: + src: ./roles/matrix-awx/scripts/matrix_build_room_list.py + dest: /usr/local/bin/matrix_build_room_list.py + owner: matrix + group: matrix + mode: '0755' + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + +- name: Run build_room_list.py script shell: | - curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms' | jq '.total_rooms' - when: purge_rooms|bool + runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ janitors_token.stdout[1:-1] }} {{ synapse_container_ip.stdout }} register: rooms_total + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) -- name: Print total number of rooms - debug: - msg: '{{ rooms_total.stdout }}' - when: purge_rooms|bool +- name: Fetch complete room list from target machine + fetch: + src: /tmp/room_list_complete.json + dest: "/tmp/{{ subscription_id }}_room_list_complete.json" + flat: yes + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) -- name: Calculate every 100 values for total number of rooms - delegate_to: 127.0.0.1 - shell: | - seq 0 100 {{ rooms_total.stdout }} - when: purge_rooms|bool - register: every_100_rooms - -- name: Ensure room_list_complete.json file exists - delegate_to: 127.0.0.1 +- name: Remove complete room list from target machine file: - path: /tmp/{{ subscription_id }}_room_list_complete.json - state: touch - when: purge_rooms|bool - -- name: Build file with total room list - include_tasks: purge_database_build_list.yml - loop: "{{ every_100_rooms.stdout_lines | flatten(levels=1) }}" - when: purge_rooms|bool + path: /tmp/room_list_complete.json + state: absent + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Generate list of rooms with no local users delegate_to: 127.0.0.1 shell: | jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Count number of rooms with no local users delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }' register: rooms_no_local_total - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Setting host fact room_list_no_local_users set_fact: room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}" no_log: True - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Purge all rooms with no local users include_tasks: purge_database_no_local.yml loop: "{{ room_list_no_local_users.splitlines() | flatten(levels=1) }}" - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Collect epoche time from date delegate_to: 127.0.0.1 shell: | date -d '{{ purge_date }}' +"%s" - when: purge_rooms|bool + when: (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) register: purge_epoche_time - name: Generate list of rooms with more then N users delegate_to: 127.0.0.1 shell: | jq 'try .rooms[] | select(.joined_members > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users [slower]") != -1 - name: Count number of rooms with more then N users delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }' register: rooms_join_members_total - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users [slower]") != -1 - name: Setting host fact room_list_joined_members delegate_to: 127.0.0.1 set_fact: room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}" - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users [slower]") != -1 no_log: True - name: Purge all rooms with more then N users include_tasks: purge_database_users.yml loop: "{{ room_list_joined_members.splitlines() | flatten(levels=1) }}" - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users [slower]") != -1 - name: Generate list of rooms with more then N events delegate_to: 127.0.0.1 shell: | jq 'try .rooms[] | select(.state_events > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events [slower]") != -1 -- name: Count number of rooms with more then N users +- name: Count number of rooms with more then N events delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }' register: rooms_state_events_total - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events [slower]") != -1 - name: Setting host fact room_list_state_events delegate_to: 127.0.0.1 set_fact: room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}" - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events [slower]") != -1 no_log: True - name: Purge all rooms with more then N events include_tasks: purge_database_events.yml loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}" - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events [slower]") != -1 - name: Collect AWX admin token the hard way! delegate_to: 127.0.0.1 @@ -155,75 +151,162 @@ register: tower_token no_log: True +- name: Adjust 'Deploy/Update a Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + description: "Creates a new matrix service with Spantaleev's playbooks" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "rust-synapse-compress-state" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + - name: Execute rust-synapse-compress-state job template delegate_to: 127.0.0.1 awx.awx.tower_job_launch: job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" - tags: "rust-synapse-compress-state" wait: yes tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - register: job + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) -- name: Stop Synapse service - shell: systemctl stop matrix-synapse.service +- name: Revert 'Deploy/Update a Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + description: "Creates a new matrix service with Spantaleev's playbooks" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "setup-all,start" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + +- name: Ensure matrix-synapse is stopped + service: + name: matrix-synapse + state: stopped + daemon_reload: yes + when: (purge_mode.find("Perform final shrink") != -1) - name: Re-index Synapse database shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse' + when: (purge_mode.find("Perform final shrink") != -1) + +- name: Ensure matrix-synapse is started + service: + name: matrix-synapse + state: started + daemon_reload: yes + when: (purge_mode.find("Perform final shrink") != -1) + +- name: Adjust 'Deploy/Update a Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + description: "Creates a new matrix service with Spantaleev's playbooks" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "run-postgres-vacuum,start" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: (purge_mode.find("Perform final shrink") != -1) - name: Execute run-postgres-vacuum job template delegate_to: 127.0.0.1 awx.awx.tower_job_launch: job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" - tags: "run-postgres-vacuum,start" wait: yes tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - register: job + when: (purge_mode.find("Perform final shrink") != -1) + +- name: Revert 'Deploy/Update a Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + description: "Creates a new matrix service with Spantaleev's playbooks" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "setup-all,start" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: (purge_mode.find("Perform final shrink") != -1) - name: Cleanup room_list files delegate_to: 127.0.0.1 shell: | rm /tmp/{{ subscription_id }}_room_list* - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) ignore_errors: yes -- name: Collect size of Synapse database +- name: Collect after shrink size of Synapse database shell: du -sh /matrix/postgres/data register: db_size_after_stat + when: (purge_mode.find("Perform final shrink") != -1) no_log: True - name: Print total number of rooms processed debug: msg: '{{ rooms_total.stdout }}' - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Print the number of rooms purged with no local users debug: msg: '{{ rooms_no_local_total.stdout }}' - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Print the number of rooms purged with more then N users debug: msg: '{{ rooms_join_members_total.stdout }}' - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users") != -1 - name: Print the number of rooms purged with more then N events debug: msg: '{{ rooms_state_events_total.stdout }}' - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events") != -1 - name: Print before purge size of Synapse database debug: msg: "{{ db_size_before_stat.stdout.split('\n') }}" - when: db_size_before_stat is defined + when: (db_size_before_stat is defined) and (purge_mode.find("Perform final shrink") != -1) - name: Print after purge size of Synapse database debug: msg: "{{ db_size_after_stat.stdout.split('\n') }}" - when: db_size_after_stat is defined + when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1) - name: Set boolean value to exit playbook set_fact: diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index d1d3bf27e..ef30ad678 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -15,6 +15,9 @@ matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" # This and the Matrix FQN (see above) are expected to be on the same server. matrix_server_fqn_element: "element.{{ matrix_domain }}" +# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). +matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" + # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index ddf1b0310..b9a58e005 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build" + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 09e1d4bab..75af882af 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -71,11 +71,12 @@ register: matrix_appservice_irc_git_pull_results when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" -- name: Ensure matrix-appservice-irc Docker image is build +- name: Ensure matrix-appservice-irc Docker image is built docker_image: name: "{{ matrix_appservice_irc_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_appservice_irc_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_appservice_irc_docker_src_files_path }}" diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 045b6b73c..6a1bf869f 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build" + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index 703d3fabf..b170fcb8c 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -51,7 +51,8 @@ docker_image: name: "{{ matrix_appservice_slack_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_appservice_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_appservice_slack_docker_src_files_path }}" diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml new file mode 100644 index 000000000..be95af8da --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -0,0 +1,47 @@ +# heisenbridge is a bouncer-style Matrix IRC bridge +# See: https://github.com/hifi/heisenbridge + +matrix_heisenbridge_enabled: true + +matrix_heisenbridge_version: latest +matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" +matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" + +# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one +matrix_heisenbridge_owner: "" + +# Enabling identd will bind to host port 113/TCP +matrix_heisenbridge_identd_enabled: false + +matrix_heisenbridge_base_path: "{{ matrix_base_data_path }}/heisenbridge" + +# A list of extra arguments to pass to the container +matrix_heisenbridge_container_extra_arguments: [] + +# List of systemd services that service depends on. +matrix_heisenbridge_systemd_required_services_list: ['docker.service'] + +# List of systemd services that service wants +matrix_heisenbridge_systemd_wanted_services_list: [] + +matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}" + +matrix_heisenbridge_appservice_token: '' +matrix_heisenbridge_homeserver_token: '' + +# Default registration file +matrix_heisenbridge_registration_yaml: + id: heisenbridge + url: http://matrix-heisenbridge:9898 + as_token: "{{ matrix_heisenbridge_appservice_token }}" + hs_token: "{{ matrix_heisenbridge_homeserver_token }}" + rate_limited: false + sender_localpart: heisenbridge + namespaces: + users: + - regex: '@hbirc_.*' + exclusive: true + aliases: [] + rooms: [] + +matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-heisenbridge/tasks/init.yml b/roles/matrix-bridge-heisenbridge/tasks/init.yml new file mode 100644 index 000000000..18e89b681 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/init.yml @@ -0,0 +1,24 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role. + when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}" + when: matrix_heisenbridge_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/heisenbridge-registration.yaml"] }} + when: matrix_heisenbridge_enabled|bool diff --git a/roles/matrix-bridge-heisenbridge/tasks/main.yml b/roles/matrix-bridge-heisenbridge/tasks/main.yml new file mode 100644 index 000000000..1358709d8 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_heisenbridge_enabled|bool" + tags: + - setup-all + - setup-heisenbridge + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_heisenbridge_enabled|bool" + tags: + - setup-all + - setup-heisenbridge diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml new file mode 100644 index 000000000..03cf9ec3e --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml @@ -0,0 +1,38 @@ +--- + +- name: Ensure heisenbridge image is pulled + docker_image: + name: "{{ matrix_heisenbridge_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_heisenbridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_heisenbridge_docker_image_force_pull }}" + +- name: Ensure heisenbridge paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_heisenbridge_base_path }}" + +- name: Ensure heisenbridge registration.yaml installed if provided + copy: + content: "{{ matrix_heisenbridge_registration|to_nice_yaml }}" + dest: "{{ matrix_heisenbridge_base_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-heisenbridge.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + mode: 0644 + register: matrix_heisenbridge_systemd_service_result + +- name: Ensure systemd reloaded after matrix-heisenbridge.service installation + service: + daemon_reload: yes + when: matrix_heisenbridge_systemd_service_result.changed diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml new file mode 100644 index 000000000..d5526f8a6 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-heisenbridge service + stat: + path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + register: matrix_heisenbridge_service_stat + +- name: Ensure matrix-heisenbridge is stopped + service: + name: heisenbridge + state: stopped + daemon_reload: yes + when: "matrix_heisenbridge_service_stat.stat.exists" + +- name: Ensure matrix-heisenbridge.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + state: absent + when: "matrix_heisenbridge_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-heisenbridge.service removal + service: + daemon_reload: yes + when: "matrix_heisenbridge_service_stat.stat.exists" diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 new file mode 100644 index 000000000..91ba39b32 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -0,0 +1,50 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=a bouncer-style Matrix IRC bridge +{% for service in matrix_heisenbridge_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_heisenbridge_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-heisenbridge + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_heisenbridge_identd_enabled %} + -p 113:113 \ + {% endif %} + -v {{ matrix_heisenbridge_base_path }}:/config:z \ + {% for arg in matrix_heisenbridge_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_heisenbridge_docker_image }} \ + {% if matrix_heisenbridge_identd_enabled %} + --identd \ + {% endif %} + {% if matrix_heisenbridge_owner %} + -o {{ matrix_heisenbridge_owner }} \ + {% endif %} + --config /config/registration.yaml \ + --listen-address 0.0.0.0 \ + --listen-port 9898 \ + {{ matrix_heisenbridge_homeserver_url }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-heisenbridge + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 9e1273163..83e54cb42 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" when: matrix_mautrix_facebook_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mautrix_facebook_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 599984634..4cfbde9ed 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -69,7 +69,8 @@ docker_image: name: "{{ matrix_mautrix_facebook_docker_image }}" source: build - force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 9209fa40f..07fb254db 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" when: matrix_mautrix_hangouts_enabled|bool @@ -62,7 +69,7 @@ when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 2ce8a4416..14ae255f5 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -68,7 +68,8 @@ docker_image: name: "{{ matrix_mautrix_hangouts_docker_image }}" source: build - force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 2b407358d..6944003eb 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" when: matrix_mautrix_instagram_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mautrix_instagram_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml index b83deab3f..604742309 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml @@ -44,7 +44,8 @@ docker_image: name: "{{ matrix_mautrix_instagram_docker_image }}" source: build - force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_instagram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index 721e98da7..c8f7f895e 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" when: matrix_mautrix_telegram_enabled|bool diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 042671619..704f0e262 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -64,11 +64,12 @@ register: matrix_mautrix_telegram_git_pull_results when: "matrix_mautrix_telegram_container_self_build|bool" -- name: Ensure matrix-mautrix-telegram Docker image is build +- name: Ensure matrix-mautrix-telegram Docker image is built docker_image: name: "{{ matrix_mautrix_telegram_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_mautrix_telegram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 4d8444e11..983e3895e 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" when: matrix_mx_puppet_discord_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mx_puppet_discord_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index c7865e98a..f9985ed83 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_discord_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_discord_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index 1f00e8a5a..eb598ecb5 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" when: matrix_mx_puppet_groupme_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mx_puppet_groupme_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 58fe94852..b1d5f0b50 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_groupme_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_groupme_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_groupme_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index 0d319bc89..2ef99f025 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" when: matrix_mx_puppet_instagram_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index 5701a9165..cdbaa18e8 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -69,7 +69,8 @@ docker_image: name: "{{ matrix_mx_puppet_instagram_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_instagram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 605ea4928..1bdc4c2ba 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" when: matrix_mx_puppet_skype_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mx_puppet_skype_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 68a1d7f42..997a63174 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_skype_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 16afef20b..de3ffd7cd 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" when: matrix_mx_puppet_slack_enabled|bool @@ -63,7 +70,7 @@ when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index 04eab20a9..d816ceeba 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -81,7 +81,8 @@ docker_image: name: "{{ matrix_mx_puppet_slack_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 9687944fc..c7b3d67fb 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" when: matrix_mx_puppet_steam_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mx_puppet_steam_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 6b5746562..3bcef36e9 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_steam_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 86f302379..94fafd900 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" when: matrix_mx_puppet_twitter_enabled|bool @@ -63,7 +70,7 @@ when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 1c48c0309..5767ed172 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_twitter_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 8904c295a..f0596d917 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.26 +matrix_client_element_version: v1.7.29 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index a42e31437..102cae383 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -2,9 +2,9 @@ matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}" when: matrix_client_element_enabled|bool -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 fail: - msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build" diff --git a/roles/matrix-client-element/tasks/setup.yml b/roles/matrix-client-element/tasks/setup.yml index c4ed08479..117a09f48 100644 --- a/roles/matrix-client-element/tasks/setup.yml +++ b/roles/matrix-client-element/tasks/setup.yml @@ -37,7 +37,8 @@ docker_image: name: "{{ matrix_client_element_docker_image }}" source: build - force_source: "{{ matrix_client_element_git_pull_results.changed }}" + force_source: "{{ matrix_client_element_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_client_element_docker_src_files_path }}" diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml new file mode 100644 index 000000000..f7a3059e4 --- /dev/null +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -0,0 +1,68 @@ +matrix_client_hydrogen_enabled: true + +# Self building is used by default because the `config.json` file is only read at build time. +# The pre-built images also were not functional as of 2021-05-15. +matrix_client_hydrogen_container_image_self_build: true +matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" + +matrix_client_hydrogen_version: v0.1.53 +matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" + +matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" +matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_hydrogen_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_hydrogen_container_extra_arguments: [] + +# List of systemd services that matrix-client-hydrogen.service depends on +matrix_client_hydrogen_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_hydrogen_self_check_validate_certificates: true + +# config.json +matrix_client_hydrogen_default_hs_url: "" + +# Default Hydrogen configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_hydrogen_configuration_default`. +# +# Example configuration extension follows: +# +# matrix_client_hydrogen_configuration_extension_json: | +# { +# "push": { +# "appId": "io.element.hydrogen.web", +# "gatewayUrl": "https://matrix.org", +# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM" +# }, +# "defaultHomeServer": "matrix.org" +# } +matrix_client_hydrogen_configuration_extension_json: '{}' + +matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final Hydrogen configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`. +matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml new file mode 100644 index 000000000..1115f63d6 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" + when: matrix_client_hydrogen_enabled|bool diff --git a/roles/matrix-client-hydrogen/tasks/main.yml b/roles/matrix-client-hydrogen/tasks/main.yml new file mode 100644 index 000000000..6534db05d --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_hydrogen_enabled|bool" + tags: + - setup-all + - setup-client-hydrogen + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: run_setup|bool + tags: + - setup-all + - setup-client-hydrogen diff --git a/roles/matrix-client-hydrogen/tasks/self_check.yml b/roles/matrix-client-hydrogen/tasks/self_check.yml new file mode 100644 index 000000000..c7407dcd5 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}" + +- name: Check Hydrogen + uri: + url: "{{ matrix_client_hydrogen_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}" + register: matrix_client_hydrogen_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Hydrogen not working + fail: + msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" + when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result" + +- name: Report working Hydrogen + debug: + msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml new file mode 100644 index 000000000..205fa3ceb --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -0,0 +1,119 @@ +--- + +# +# Tasks related to setting up Hydrogen +# + +- name: Ensure Hydrogen paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_hydrogen_data_path }}", when: true } + - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" } + when: matrix_client_hydrogen_enabled|bool and item.when + +- name: Ensure Hydrogen Docker image is pulled + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}" + when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build + +- name: Ensure Hydrogen repository is present on self-build + git: + repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" + version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_hydrogen_git_pull_results + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen configuration installed + copy: + content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "matrix_client_hydrogen_enabled|bool and item.src is not none" + +- name: Ensure Hydrogen Docker image is built + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: build + force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_hydrogen_docker_src_files_path }}" + pull: yes + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure matrix-client-hydrogen.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + mode: 0644 + register: matrix_client_hydrogen_systemd_service_result + when: matrix_client_hydrogen_enabled|bool + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation + service: + daemon_reload: yes + when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed" + +# +# Tasks related to getting rid of Hydrogen (if it was previously enabled) +# + +- name: Check existence of matrix-client-hydrogen.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + register: matrix_client_hydrogen_service_stat + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure matrix-client-hydrogen is stopped + service: + name: matrix-client-hydrogen + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure matrix-client-hydrogen.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + state: absent + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal + service: + daemon_reload: yes + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure Hydrogen paths doesn't exist + file: + path: "{{ matrix_client_hydrogen_data_path }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure Hydrogen Docker image doesn't exist + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml new file mode 100644 index 000000000..d3b9a709b --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required Hydrogen settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Hydrogen. + when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool" + with_items: + - "matrix_client_hydrogen_default_hs_url" diff --git a/roles/matrix-client-hydrogen/templates/config.json.j2 b/roles/matrix-client-hydrogen/templates/config.json.j2 new file mode 100644 index 000000000..62a849b0f --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/config.json.j2 @@ -0,0 +1,3 @@ +{ + "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }} +} diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 new file mode 100644 index 000000000..fba16bbdc --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 new file mode 100644 index 000000000..c85aeb978 --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Hydrogen Client +{% for service in matrix_client_hydrogen_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_hydrogen_container_http_host_bind_port %} + -p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + {% for arg in matrix_client_hydrogen_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_hydrogen_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-hydrogen + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-common-after/defaults/main.yml b/roles/matrix-common-after/defaults/main.yml new file mode 100644 index 000000000..8112191a2 --- /dev/null +++ b/roles/matrix-common-after/defaults/main.yml @@ -0,0 +1,16 @@ +# Specifies how long to wait between starting systemd services and checking if they're started. +# +# A too low value may lead to a failure, as services may not have enough time to start and potentially fail. +# +# A value higher than 30 seconds (or any multiple of that) may also not work well, because a failing systemd service +# auto-restarts after 30 seconds (`RestartSec=30` in systemd service files). +# Checking if a service is running right after it had potentially restarted in such a way will lead us to +# thinking it's running, while it's merely starting again (and likely to fail again, given that it already did once). +# +# All of the services we manage are also started sequentially, which in itself can take a long time. +# There may be a ~10 second (or even larger) interval between starting the first service and starting the last one. +# This makes it even harder to pick a correct value. Such a 10 second gap and a waiting time of 20 seconds will +# put us right at the "dangerous" 30-second mark. +# +# We can try to measure this gap and adjust our waiting time accordingly, but we currently don't. +matrix_common_after_systemd_service_start_wait_for_timeout_seconds: 15 diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 300de94c7..64ab4d990 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -30,7 +30,7 @@ # as we may run into systemd's automatic restart logic retrying the service. - name: Wait a bit, so that services can start (or fail) wait_for: - timeout: 15 + timeout: "{{ matrix_common_after_systemd_service_start_wait_for_timeout_seconds }}" delegate_to: 127.0.0.1 become: false @@ -44,6 +44,9 @@ {{ item }} was not detected to be running. It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. + If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. + You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable. + See `roles/matrix-common-after/defaults/main.yml` for more details about that. with_items: "{{ matrix_systemd_services_list }}" when: - "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')" diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index ffe5d5da2..993ace81e 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" when: matrix_corporal_enabled|bool diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 188f09bfe..e668de273 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -30,7 +30,8 @@ docker_image: name: "{{ matrix_corporal_docker_image }}" source: build - force_source: "{{ matrix_corporal_git_pull_results.changed }}" + force_source: "{{ matrix_corporal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_git_pull_results.changed }}" build: dockerfile: etc/docker/Dockerfile path: "{{ matrix_corporal_container_src_files_path }}" diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index be011b7fe..c645c06bf 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" when: matrix_coturn_enabled|bool @@ -5,10 +12,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}" when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" diff --git a/roles/matrix-coturn/tasks/setup_install.yml b/roles/matrix-coturn/tasks/setup_install.yml index 24f038db6..c31406b1b 100644 --- a/roles/matrix-coturn/tasks/setup_install.yml +++ b/roles/matrix-coturn/tasks/setup_install.yml @@ -38,7 +38,8 @@ docker_image: name: "{{ matrix_coturn_docker_image }}" source: build - force_source: "{{ matrix_coturn_git_pull_results.changed }}" + force_source: "{{ matrix_coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_git_pull_results.changed }}" build: dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}" path: "{{ matrix_coturn_docker_src_files_path }}" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 1a0f1b3d8..039b5b023 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml index e7b06d95b..ac69ec896 100644 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -33,7 +33,8 @@ docker_image: name: "{{ matrix_dynamic_dns_docker_image }}" source: build - force_source: "{{ matrix_dynamic_dns_git_pull_results.changed }}" + force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_dynamic_dns_docker_src_files_path }}" diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index a5d60338f..7c5c217c7 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.5 +matrix_grafana_version: 7.5.7 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 42cfcb120..322762b42 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -1,3 +1,6 @@ +[server] +root_url = "https://{{ matrix_server_fqn_grafana }}" + [security] # default admin user, created on startup admin_user = "{{ matrix_grafana_default_admin_user }}" diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 7dcff9872..14545bc97 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -176,6 +176,8 @@ matrix_jitsi_prosody_container_extra_arguments: [] # List of systemd services that matrix-jitsi-prosody.service depends on matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] +# Neccessary Port binding for those disabling the integrated nginx proxy +matrix_jitsi_prosody_container_http_host_bind_port: '' matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index b3525a745..4445e52bd 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,9 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ + {% if matrix_jitsi_prosody_container_http_host_bind_port %} + -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ + {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index 89283a1fb..f09cfcfd4 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,10 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" when: matrix_ma1sd_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index c1d2cc670..1340cc702 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0 +matrix_mailer_version: 4.94.2-r0-1 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index e48e2a850..5895343e8 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" when: matrix_mailer_enabled|bool diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index cb9790809..251a52da5 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -36,7 +36,8 @@ docker_image: name: "{{ matrix_mailer_docker_image }}" source: build - force_source: "{{ matrix_mailer_git_pull_results.changed }}" + force_source: "{{ matrix_mailer_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a7d9aeb28..c0ee3b51b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -113,6 +113,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost: matrix_nginx_proxy_proxy_element_enabled: false matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" +# Controls whether proxying the Hydrogen domain should be done. +matrix_nginx_proxy_proxy_hydrogen_enabled: false +matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" + # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" @@ -223,6 +227,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:1 matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" @@ -251,6 +256,9 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] @@ -385,6 +393,47 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_pre_obtaining_required_service_name: ~ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 +# Nginx Optimize SSL Session +# +# ssl_session_cache: +# - Creating a cache of TLS connection parameters reduces the number of handshakes +# and thus can improve the performance of application. +# - Default session cache is not optimal as it can be used by only one worker process +# and can cause memory fragmentation. It is much better to use shared cache. +# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html +# +# ssl_session_timeout: +# - Nginx by default it is set to 5 minutes which is very low. +# should be like 4h or 1d but will require you to increase the size of cache. +# - Learn More: +# https://github.com/certbot/certbot/issues/6903 +# https://github.com/mozilla/server-side-tls/issues/198 +# +# ssl_session_tickets: +# - In case of session tickets, information about session is given to the client. +# Enabling this improve performance also make Perfect Forward Secrecy useless. +# - If you would instead like to use ssl_session_tickets by yourself, you can set +# matrix_nginx_proxy_ssl_session_tickets_off false. +# - Learn More: https://github.com/mozilla/server-side-tls/issues/135 +# +# Presets are taken from Mozilla's Server Side TLS Recommended configurations +matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m" +matrix_nginx_proxy_ssl_session_timeout: "1d" +matrix_nginx_proxy_ssl_session_tickets_off: true + +# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. +# OCSP stapling can provide a performance boost of up to 30% +# nginx web server supports OCSP stapling since version 1.3.7. +# +# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. +# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling +# +# Learn more about what it is here: +# - https://en.wikipedia.org/wiki/OCSP_stapling +# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ +# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ +matrix_nginx_proxy_ocsp_stapling_enabled: true + # nginx status page configurations. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 7534d28c6..1d59f5677 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -72,6 +72,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for dimension domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" @@ -204,6 +211,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index a2d59e86b..55f5b2662 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -69,6 +69,18 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 91cd9e413..da3c7b1d0 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -74,6 +74,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f3a537da6..e79fb1fbb 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -79,6 +79,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 new file mode 100644 index 000000000..5ad99603d --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -0,0 +1,98 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-hydrogen:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8768; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index db93be48f..671617451 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -77,6 +77,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 703c490e9..fc0d54b5d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -136,7 +136,13 @@ proxy_max_temp_file_size 0; } - location / { + {# + We only handle the root URI for this redirect or homepage serving. + Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404, + instead of causing a redirect. + See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058 + #} + location ~* ^/$ { {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; {% else %} @@ -196,6 +202,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} @@ -230,6 +248,18 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {% endif %} location / { diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index c19785635..08df8050b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -10,6 +10,7 @@ # add_header X-Content-Type-Options nosniff; # add_header X-Frame-Options SAMEORIGIN; add_header Referrer-Policy "strict-origin-when-cross-origin"; + {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} @@ -84,6 +85,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 0b44f44d6..0949cb268 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -119,6 +119,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a69424f46..36a28039c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -62,6 +62,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ac0253d51..5482fa8e9 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -76,6 +76,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index d3429c97e..cf595ade2 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -61,7 +61,8 @@ docker_image: name: "{{ matrix_postgres_pgloader_docker_image }}" source: build - force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed }}" + force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 1c9bc144b..02afd9e96 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.26.0 +matrix_prometheus_version: v2.27.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 158ad6051..b58ba659d 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" when: matrix_registration_enabled|bool diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml index 2b806fe04..0d7da9cee 100644 --- a/roles/matrix-registration/tasks/setup_install.yml +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -66,7 +66,8 @@ docker_image: name: "{{ matrix_registration_docker_image }}" source: build - force_source: "{{ matrix_registration_git_pull_results.changed }}" + force_source: "{{ matrix_registration_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_registration_docker_src_files_path }}" diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 612b33e32..dc4cc7700 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.0 +matrix_synapse_admin_version: latest matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index 36bdb611b..7898dec94 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" when: matrix_synapse_admin_enabled|bool diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index a96ec10fb..002ff68d1 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -24,7 +24,8 @@ docker_image: name: "{{ matrix_synapse_admin_docker_image }}" source: build - force_source: "{{ matrix_synapse_admin_git_pull_results.changed }}" + force_source: "{{ matrix_synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a6b035c0b..4e53852a9 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.33.1 -matrix_synapse_version_arm64: v1.33.1 +matrix_synapse_version: v1.34.0 +matrix_synapse_version_arm64: v1.34.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -454,6 +454,7 @@ matrix_synapse_sentry_dsn: "" # Postgres database information matrix_synapse_database_host: "matrix-postgres" +matrix_synapse_database_port: 5432 matrix_synapse_database_user: "synapse" matrix_synapse_database_password: "" matrix_synapse_database_database: "synapse" @@ -586,3 +587,4 @@ matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extensi # Holds the final Synapse configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`. matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}" + diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 04b8d2b8c..167906646 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" + # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. - import_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" @@ -17,10 +24,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml index eef46cb37..106c59d5b 100644 --- a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml +++ b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml @@ -10,7 +10,7 @@ - name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided set_fact: - matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 180 + matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 300 when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''" - name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index f1abcbcc5..d4a7268fe 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -31,7 +31,8 @@ docker_image: name: "{{ matrix_synapse_docker_image }}" source: build - force_source: "{{ matrix_synapse_git_pull_results.changed }}" + force_source: "{{ matrix_synapse_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_git_pull_results.changed }}" build: dockerfile: docker/Dockerfile path: "{{ matrix_synapse_docker_src_files_path }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index df280dd54..22f5f1ea4 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -128,6 +128,16 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # #gc_thresholds: [700, 10, 10] +# The minimum time in seconds between each GC for a generation, regardless of +# the GC thresholds. This ensures that we don't do GC too frequently. +# +# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive +# generation 0 GCs, etc. +# +# Defaults to `[1s, 10s, 30s]`. +# +#gc_min_interval: [0.5s, 30s, 1m] + # Set the limit on the returned events in the timeline in the get # and sync operations. The default value is 100. -1 means no upper limit. # @@ -757,6 +767,12 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # #allow_profile_lookup_over_federation: false +# Uncomment to disable device display name lookup over federation. By default, the +# Federation API allows other homeservers to obtain device display names of any user +# on this homeserver. Defaults to 'true'. +# +#allow_device_name_lookup_over_federation: false + ## Caching ## @@ -813,6 +829,7 @@ database: password: {{ matrix_synapse_database_password|string|to_json }} database: "{{ matrix_synapse_database_database }}" host: "{{ matrix_synapse_database_host }}" + port: {{ matrix_synapse_database_port }} cp_min: 5 cp_max: 10 @@ -1519,6 +1536,7 @@ room_prejoin_state: # - m.room.avatar # - m.room.encryption # - m.room.name + # - m.room.create # # Uncomment the following to disable these defaults (so that only the event # types listed in 'additional_event_types' are shared). Defaults to 'false'. diff --git a/setup.yml b/setup.yml index 4e2879e59..9e3cd6254 100755 --- a/setup.yml +++ b/setup.yml @@ -32,6 +32,7 @@ - matrix-bridge-mx-puppet-twitter - matrix-bridge-mx-puppet-instagram - matrix-bridge-sms + - matrix-bridge-heisenbridge - matrix-bot-matrix-reminder-bot - matrix-bot-go-neb - matrix-bot-mjolnir @@ -42,6 +43,7 @@ - matrix-grafana - matrix-registration - matrix-client-element + - matrix-client-hydrogen - matrix-jitsi - matrix-ma1sd - matrix-dimension From 36910348cfd2987657c0bfeb050521b4b78b536b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 May 2021 16:21:11 +0300 Subject: [PATCH 34/65] Switch synapse-admin to tagged release (0.8.1) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1084 --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index dc4cc7700..069b62794 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: latest +matrix_synapse_admin_version: 0.8.1 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 6f40d783532c92403f022b4fc49a052cd2ca5ee8 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 25 May 2021 21:25:40 +0800 Subject: [PATCH 35/65] fix random edits to upstream --- .../nginx/conf.d/matrix-client-hydrogen.conf.j2 | 8 ++++++-- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 10 +++++++++- roles/matrix-synapse/defaults/main.yml | 1 - 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 5ad99603d..d9a05926c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -4,10 +4,14 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; - add_header X-XSS-Protection "1; mode=block"; add_header Content-Security-Policy "frame-ancestors 'none'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 36a28039c..d153d5c20 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -5,6 +5,14 @@ add_header Permissions-Policy interest-cohort=() always; {% endif %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -67,7 +75,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 4e53852a9..d966665f9 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -587,4 +587,3 @@ matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extensi # Holds the final Synapse configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`. matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}" - From 763952395b6eff3f70cd08fd3572f9eeeeac5ea6 Mon Sep 17 00:00:00 2001 From: BG Date: Tue, 25 May 2021 16:42:04 +0200 Subject: [PATCH 36/65] Adding mjolnir antispam synapse modul. --- roles/matrix-synapse/defaults/main.yml | 21 ++++++++ .../tasks/ext/mjolnir-antispam/setup.yml | 7 +++ .../ext/mjolnir-antispam/setup_install.yml | 52 +++++++++++++++++++ .../ext/mjolnir-antispam/setup_uninstall.yml | 6 +++ roles/matrix-synapse/tasks/ext/setup.yml | 2 + 5 files changed, 88 insertions(+) create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d966665f9..c7f0a9f76 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -505,6 +505,27 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "htt matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] +# Enable this to activate the Mjolnir Antispam spam-checker module. +# See: https://github.com/matrix-org/mjolnir#synapse-module +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir" +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "70f353fbbad0af469b1001080dea194d512b2815" +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +# Flag messages sent by servers/users in the ban lists as spam. Currently +# this means that spammy messages will appear as empty to users. Default +# false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +# Remove users from the user directory search by filtering matrix IDs and +# display names by the entries in the user ban list. Default false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir, +# this list cannot be room aliases or permalinks. This server is expected +# to already be joined to the room - Mjolnir will not automatically join +# these rooms. +# ["!roomid:example.org"] +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] + + matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml new file mode 100644 index 000000000..6c45f4693 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" + when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" + when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml new file mode 100644 index 000000000..a416e42ba --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml @@ -0,0 +1,52 @@ +--- + +- name: Ensure git installed (RedHat) + yum: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'RedHat'" + +- name: Ensure git installed (Debian) + apt: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'Debian'" + +- name: Ensure git installed (Archlinux) + pacman: + name: + - git + state: present + update_cache: no + when: "ansible_distribution == 'Archlinux'" + +- name: Clone mjolnir-antispam git repository + git: + repo: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url }}" + version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}" + dest: "{{ matrix_synapse_ext_path }}/mjolnir" + become: true + become_user: "{{ matrix_user_username }}" + +- set_fact: + matrix_synapse_spam_checker: > + {{ matrix_synapse_spam_checker }} + + + [{ + "module": "mjolnir.AntiSpam", + "config": { + "block_invites": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites }}, + "block_messages": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages }}, + "block_usernames": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames }}, + "ban_lists": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }} + } + }] + + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/mjolnir/synapse_antispam/mjolnir,dst={{ matrix_synapse_in_container_python_packages_path }}/mjolnir,ro"] diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml new file mode 100644 index 000000000..d3c52e5f5 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure mjolnir-antispam doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/mjolnir-antispam" + state: absent diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml index 5e06ea9d4..31637fa97 100644 --- a/roles/matrix-synapse/tasks/ext/setup.yml +++ b/roles/matrix-synapse/tasks/ext/setup.yml @@ -7,3 +7,5 @@ - import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" - import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml" From 9a7eddd563e68b370432d7666fd53247f1356211 Mon Sep 17 00:00:00 2001 From: BG Date: Tue, 25 May 2021 16:59:49 +0200 Subject: [PATCH 37/65] Updating docs. --- docs/configuring-playbook-bot-mjolnir.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 1b0241e15..6dc4e3a64 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -90,8 +90,21 @@ matrix_bot_mjolnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" matrix_bot_mjolnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ``` +## 6. Adding mjolnir synapse antispam module (optional) -## 6. Installing +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + + +```yaml +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: true +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] +``` + + +## 7. Installing After configuring the playbook, run the [installation](installing.md) command: From 4ddd8bbb84844905d9ea0f43f267a40c52893642 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Tue, 25 May 2021 17:06:39 +0000 Subject: [PATCH 38/65] Updated nginx-proxy (1.20.0 -> 1.21.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8dc8a2590..3e79ab041 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.20.0-alpine +matrix_nginx_proxy_version: 1.21.0-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From 719ecb03a80863dc4086a2e28983943d27da3c9f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 May 2021 09:55:31 +0300 Subject: [PATCH 39/65] Add note about pgtune.leopard.in.ua --- docs/maintenance-postgres.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 9b748d281..e2307f785 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -99,6 +99,8 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"` PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `matrix_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. +**Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`) + ### Here are some examples: These are not recommended values and they may not work well for you. This is just to give you an idea of some of the options that can be set. If you are an experienced PostgreSQL admin feel free to update this documentation with better examples. From f8ba97ac14362c40d4a40a9e6cd20159e7024672 Mon Sep 17 00:00:00 2001 From: BG Date: Wed, 26 May 2021 09:05:28 +0200 Subject: [PATCH 40/65] Removing antispam note. --- docs/configuring-playbook-bot-mjolnir.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 6dc4e3a64..5ddb2ad3c 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -4,8 +4,6 @@ The playbook can install and configure the [Mjolnir](https://github.com/matrix-o See the project's [documentation](https://github.com/matrix-org/mjolnir) to learn what it does and why it might be useful to you. -Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md). - ## 1. Register the bot account From d61fe94bae2bbbd98220f6aed4a38996fd265574 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 May 2021 10:52:15 +0300 Subject: [PATCH 41/65] Fix incorrect path in Mjolnir uninstallation tasks --- .../tasks/ext/mjolnir-antispam/setup_uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml index d3c52e5f5..f8439a873 100644 --- a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml @@ -2,5 +2,5 @@ - name: Ensure mjolnir-antispam doesn't exist file: - path: "{{ matrix_synapse_ext_path }}/mjolnir-antispam" + path: "{{ matrix_synapse_ext_path }}/mjolnir" state: absent From af4bd50c2a7fe2ceab9e30842870b185ac665a1e Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Wed, 26 May 2021 11:04:47 +0200 Subject: [PATCH 42/65] Update IRC appservice --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 410299b76..bdf49f65b 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.25.0 +matrix_appservice_irc_version: release-0.26.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 1b41e9c7dd07ebf3696d344c7c352ef95569a087 Mon Sep 17 00:00:00 2001 From: Wobbel The Bear Date: Wed, 26 May 2021 13:50:35 +0200 Subject: [PATCH 43/65] Update PostgreSQL Maintenance page Added a mid-sized VPS configuration with configuration changes to the PostgreSQL database config. Deleted single quotes in one of the examples to unify the examples --- docs/maintenance-postgres.md | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index e2307f785..52d2d9eed 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -108,11 +108,33 @@ These are not recommended values and they may not work well for you. This is jus Here is an example config for a small 2 core server with 4GB of RAM and SSD storage: ``` matrix_postgres_process_extra_arguments: [ - "-c 'shared_buffers=128MB'", - "-c 'effective_cache_size=2304MB'", - "-c 'effective_io_concurrency=100'", - "-c 'random_page_cost=2.0'", - "-c 'min_wal_size=500MB'", + "-c shared_buffers=128MB", + "-c effective_cache_size=2304MB", + "-c effective_io_concurrency=100", + "-c random_page_cost=2.0", + "-c min_wal_size=500MB", +] +``` + +Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage: +``` +matrix_postgres_process_extra_arguments: [ + "-c max_connections=100", + "-c shared_buffers=2GB", + "-c effective_cache_size=6GB", + "-c maintenance_work_mem=512MB", + "-c checkpoint_completion_target=0.9", + "-c wal_buffers=16MB", + "-c default_statistics_target=100", + "-c random_page_cost=1.1", + "-c effective_io_concurrency=200", + "-c work_mem=5242kB", + "-c min_wal_size=1GB", + "-c max_wal_size=4GB", + "-c max_worker_processes=4", + "-c max_parallel_workers_per_gather=2", + "-c max_parallel_workers=4", + "-c max_parallel_maintenance_workers=2", ] ``` From 8472848286483f2ba19e8b94ff1eb24febb8d61d Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Wed, 26 May 2021 16:30:08 +0200 Subject: [PATCH 44/65] Annotate server migration Annotate server migration with a note in regard to migration between different architectures and the need to dump/restore the database. --- docs/maintenance-migrating.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index d6380b992..1d12ef45b 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,3 +1,8 @@ +> **Note**: This migration guide is applicable if you migrate from server to another that are of the same architecture, i.e. e.g. the servers both are amd64. +> +> In case that you migrate between two different architectures (e.g. amd64 --> arm64), simply copying the complete folder is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you would need to dump the database on your current server and import it properly on the new server. +> + # Migrating to new server 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading to less downtime From 54e1c67e53c2ddc12444c6a215f72dd1966dc526 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Wed, 26 May 2021 16:31:01 +0200 Subject: [PATCH 45/65] Update maintenance-migrating.md --- docs/maintenance-migrating.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index 1d12ef45b..56cdea792 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,4 +1,4 @@ -> **Note**: This migration guide is applicable if you migrate from server to another that are of the same architecture, i.e. e.g. the servers both are amd64. +> **Note**: This migration guide is applicable if you migrate from server to another that are of the same cpu architecture, e.g. the servers both are amd64. > > In case that you migrate between two different architectures (e.g. amd64 --> arm64), simply copying the complete folder is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you would need to dump the database on your current server and import it properly on the new server. > From c791d1900ccb91d9ae7bcfccbeba2bd75bc84c23 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 May 2021 18:03:47 +0300 Subject: [PATCH 46/65] Improve wording --- docs/maintenance-migrating.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index 56cdea792..fd5936914 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,7 +1,6 @@ -> **Note**: This migration guide is applicable if you migrate from server to another that are of the same cpu architecture, e.g. the servers both are amd64. -> -> In case that you migrate between two different architectures (e.g. amd64 --> arm64), simply copying the complete folder is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you would need to dump the database on your current server and import it properly on the new server. +> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`). > +> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore. # Migrating to new server From a8dbd93f61eb227fb41ac4426a256918fe0c035d Mon Sep 17 00:00:00 2001 From: Jez Cope Date: Wed, 26 May 2021 20:41:52 +0100 Subject: [PATCH 47/65] Check irc service is present before stopping it --- .../tasks/migrate_nedb_to_postgres.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml index 3fab195ab..6b39ac62a 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml @@ -26,10 +26,16 @@ become: false when: "matrix_postgres_service_start_result.changed|bool" +- name: Check existence of matrix-appservice-irc service + stat: + path: "{{ matrix_systemd_path }}/matrix-appservice-irc.service" + register: matrix_appservice_irc_service_stat + - name: Ensure matrix-appservice-irc is stopped service: name: matrix-appservice-irc state: stopped + when: "matrix_appservice_irc_service_stat.stat.exists" - name: Import appservice-irc NeDB database into Postgres command: From 4e2780ff8858198704f73ca4bbd4a0325376bb2a Mon Sep 17 00:00:00 2001 From: Raymond Coetzee Date: Thu, 27 May 2021 20:13:29 +0100 Subject: [PATCH 48/65] Add support for a prometheus postgres exporter This commit introduces a new role that downloads and installs the prometheus community postgres exporter https://github.com/prometheus-community/postgres_exporter. A new credential is added to matrix_postgres_additional_databases that allows the exporter access to the database to gather statistics. A new dashboard was added to the grafana role, with some refactoring to enable the dashboard only if the new role is enabled. I've included some basic instructions for how to enable the role in the Docs section. In terms of testing, I've tested enabling the role, and disabling it to make sure it cleans up the container and systemd role. --- ...onfiguring-playbook-prometheus-postgres.md | 29 ++++++++++ group_vars/matrix_servers | 40 ++++++++++++++ roles/matrix-grafana/tasks/setup.yml | 2 +- .../defaults/main.yml | 49 +++++++++++++++++ .../tasks/init.yml | 5 ++ .../tasks/main.yml | 8 +++ .../tasks/setup.yml | 54 +++++++++++++++++++ ...ix-prometheus-postgres-exporter.service.j2 | 42 +++++++++++++++ .../templates/prometheus.yml.j2 | 6 +++ setup.yml | 4 +- 10 files changed, 236 insertions(+), 3 deletions(-) create mode 100644 docs/configuring-playbook-prometheus-postgres.md create mode 100644 roles/matrix-prometheus-postgres-exporter/defaults/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/init.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/setup.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 diff --git a/docs/configuring-playbook-prometheus-postgres.md b/docs/configuring-playbook-prometheus-postgres.md new file mode 100644 index 000000000..9a6312968 --- /dev/null +++ b/docs/configuring-playbook-prometheus-postgres.md @@ -0,0 +1,29 @@ +# Enabling metrics and graphs for Postgres (optional) + +Expanding on the metrics exposed by the [syapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database. + +You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): + + +```yaml +matrix_prometheus_postgres_exporter_enabled: true + +# the role creates a postgres user as credential. You can configure these if required: +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' + +``` + +## What does it do? + +Name | Description +-----|---------- +`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' +`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' +`matrix_prometheus_postgres_exporter_database_password`| The 'username' for the user that the exporter uses to connect to the database. + + +## More information + +- [The PostgresSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic postgres dashboard) + diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 86f1d5a36..96b933f35 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1466,6 +1466,13 @@ matrix_postgres_additional_databases: | 'username': matrix_sygnal_database_username, 'password': matrix_sygnal_database_password, }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else []) + + + ([{ + 'name': matrix_prometheus_postgres_exporter_database_name, + 'username': matrix_prometheus_postgres_exporter_database_username, + 'password': matrix_prometheus_postgres_exporter_database_password, + }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else []) + }} matrix_postgres_import_roles_to_ignore: | @@ -1766,6 +1773,10 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_i matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}" +matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}" +matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port|string] if matrix_prometheus_scraper_postgres_enabled else [] }}" + + ###################################################################### # # /matrix-prometheus @@ -1773,6 +1784,27 @@ matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:91 ###################################################################### +###################################################################### +# +# matrix-prometheus-postgres-exporter +# +###################################################################### + +matrix_prometheus_postgres_exporter_enabled: false +matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" + +matrix_prometheus_postgres_exporter_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + +###################################################################### +# +# /matrix-prometheus-postgres-exporter +# +###################################################################### ###################################################################### # @@ -1787,6 +1819,14 @@ matrix_grafana_enabled: false # Grafana's HTTP port to the local host. matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}" +matrix_grafana_dashboard_download_urls_all: | + {{ + matrix_grafana_dashboard_download_urls + + + (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) + }} + + ###################################################################### # # /matrix-grafana diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml index c2eea3485..00d2e230d 100644 --- a/roles/matrix-grafana/tasks/setup.yml +++ b/roles/matrix-grafana/tasks/setup.yml @@ -64,7 +64,7 @@ mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - with_items: "{{ matrix_grafana_dashboard_download_urls }}" + with_items: "{{ matrix_grafana_dashboard_download_urls_all }}" when: matrix_grafana_enabled|bool - name: Ensure matrix-grafana.service installed diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml new file mode 100644 index 000000000..8aca45762 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml @@ -0,0 +1,49 @@ +# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics +# See: https://github.com/prometheus-community/postgres_exporter + +matrix_prometheus_postgres_exporter_enabled: false + +matrix_prometheus_postgres_exporter_version: v0.9.0 +matrix_prometheus_postgres_exporter_port: 9187 + +matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" +matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true", + "-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{matrix_prometheus_postgres_exporter_port}}\"", + "-e DATA_SOURCE_NAME=\"postgresql://{{matrix_prometheus_postgres_exporter_database_username}}:{{matrix_prometheus_postgres_exporter_database_password}}@{{matrix_prometheus_postgres_exporter_database_hostname}}:5432/{{matrix_prometheus_postgres_exporter_database_name}}?sslmode=disable\"" ] + +# List of systemd services that matrix-prometheus-postgres-exporter.service depends on +matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus-postgres-exporter.service wants +matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] + +# details for connecting to the database +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' +matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres' +matrix_prometheus_postgres_exporter_database_port: 5432 +matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' + + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). +# +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. +matrix_prometheus_postgres_exporter_container_http_host_bind_port: '' + +matrix_prometheus_postgres_exporter_dashboard_urls: +- "https://grafana.com/api/dashboards/9628/revisions/7/download" \ No newline at end of file diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml new file mode 100644 index 000000000..2bd6904ec --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}" + when: matrix_prometheus_postgres_exporter_enabled|bool + + diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml new file mode 100644 index 000000000..e3c364fa9 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml @@ -0,0 +1,8 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml new file mode 100644 index 000000000..076ece1a8 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml @@ -0,0 +1,54 @@ +--- + +# +# Tasks related to setting up matrix-prometheus-postgres-exporter +# + +- name: Ensure matrix-prometheus-postgres-exporter image is pulled + docker_image: + name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" + when: "matrix_prometheus_postgres_exporter_enabled|bool" + +- name: Ensure matrix-prometheus-postgres-exporter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + mode: 0644 + register: matrix_prometheus_postgres_exporter_systemd_service_result + when: matrix_prometheus_postgres_exporter_enabled|bool + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled) +# + +- name: Check existence of matrix-prometheus-postgres-exporter service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + register: matrix_prometheus_postgres_exporter_service_stat + +- name: Ensure matrix-prometheus-postgres-exporter is stopped + service: + name: matrix-prometheus-postgres-exporter + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + state: absent + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal + service: + daemon_reload: yes + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 new file mode 100644 index 000000000..b25cb5ded --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus-postgres-exporter +{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + {% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ + {% endif %} + --pid=host \ + {{ matrix_prometheus_postgres_exporter_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus-postgres-exporter + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 9502a08b6..b3ee3b86e 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -38,3 +38,9 @@ scrape_configs: static_configs: - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} {% endif %} + + {% if matrix_prometheus_scraper_postgres_enabled %} + - job_name: postgres + static_configs: + - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} + {% endif %} \ No newline at end of file diff --git a/setup.yml b/setup.yml index 9e3cd6254..142364c46 100755 --- a/setup.yml +++ b/setup.yml @@ -54,5 +54,5 @@ - matrix-coturn - matrix-aux - matrix-postgres-backup - - matrix-common-after - + - matrix-prometheus-postgres-exporter + - matrix-common-after \ No newline at end of file From cf1a9078b070d6bd9d1574e04cc530031aea4707 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 27 May 2021 15:21:47 -0500 Subject: [PATCH 49/65] Update IRC channel --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8448680cf..096c04e38 100644 --- a/README.md +++ b/README.md @@ -130,7 +130,7 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) -- IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) +- IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697) - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) From 28b8bb0bf1dd8ff2c95ba817ce6e172b59ea912c Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Fri, 28 May 2021 09:31:55 +0200 Subject: [PATCH 50/65] Minor correction --- docs/configuring-playbook-prometheus-postgres.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-prometheus-postgres.md b/docs/configuring-playbook-prometheus-postgres.md index 9a6312968..34407aaed 100644 --- a/docs/configuring-playbook-prometheus-postgres.md +++ b/docs/configuring-playbook-prometheus-postgres.md @@ -1,6 +1,6 @@ # Enabling metrics and graphs for Postgres (optional) -Expanding on the metrics exposed by the [syapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database. +Expanding on the metrics exposed by the [synapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database. You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): @@ -20,7 +20,7 @@ Name | Description -----|---------- `matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' `matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' -`matrix_prometheus_postgres_exporter_database_password`| The 'username' for the user that the exporter uses to connect to the database. +`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. ## More information From 4880dcceb0d91ef4c3f2b56c3ddb64c477e14f1f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 28 May 2021 11:14:01 +0300 Subject: [PATCH 51/65] Fix OCSP-stapling-related errors due to missing resolver Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057 --- roles/matrix-nginx-proxy/defaults/main.yml | 18 +++++++++++++++--- .../nginx/conf.d/matrix-base-domain.conf.j2 | 8 ++++---- .../templates/nginx/conf.d/nginx-http.conf.j2 | 5 +++++ 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3e79ab041..e7ee00a52 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -289,7 +289,7 @@ matrix_nginx_proxy_floc_optout_enabled: true # HSTS Preloading Enable # -# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and # indicates a willingness to be “preloaded” into browsers: # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` # For more information visit: @@ -357,6 +357,18 @@ matrix_nginx_proxy_self_check_validate_certificates: true # so we default to not following redirects as well. matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none +# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). +# +# Otherwise, we get warnings like this: +# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" +# +# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. +# +# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver. +# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people. +# It might also be that no such warnings occur when not running in a container. +matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}" + # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # @@ -416,7 +428,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # Nginx Optimize SSL Session # # ssl_session_cache: -# - Creating a cache of TLS connection parameters reduces the number of handshakes +# - Creating a cache of TLS connection parameters reduces the number of handshakes # and thus can improve the performance of application. # - Default session cache is not optimal as it can be used by only one worker process # and can cause memory fragmentation. It is much better to use shared cache. @@ -425,7 +437,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # ssl_session_timeout: # - Nginx by default it is set to 5 minutes which is very low. # should be like 4h or 1d but will require you to increase the size of cache. -# - Learn More: +# - Learn More: # https://github.com/certbot/certbot/issues/6903 # https://github.com/mozilla/server-side-tls/issues/198 # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 3b0f213d3..37863d738 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,13 +9,13 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} @@ -77,13 +77,13 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 index 4811ac99b..beea6afa1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -4,6 +4,11 @@ # # Thus, we ensure a larger bucket size value is used. server_names_hash_bucket_size 64; + +{% if matrix_nginx_proxy_http_level_resolver %} + resolver {{ matrix_nginx_proxy_http_level_resolver }}; +{% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From bee14550abb63b903026258e4188520f36ad81bb Mon Sep 17 00:00:00 2001 From: pushytoxin Date: Fri, 28 May 2021 07:56:46 +0200 Subject: [PATCH 52/65] Fix local/bin scripts autocompletion by adding rx perms to everyone It's mildly annoying when trying to execute these scripts while logged in as a regular user, as the missing execute permissions will hinder autocompletion even when trying to use with sudo. These shell scripts don't contain secrets, but may fail when ran by a regular user. The failure is due to the lack of access to the /matrix directory, and does not result in any damage. --- .../matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- roles/matrix-postgres/tasks/setup_postgres.yml | 6 +++--- roles/matrix-synapse/tasks/synapse/setup_install.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 5bf9102d7..bfd25894a 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -34,7 +34,7 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - mode: 0750 + mode: 0755 - name: Ensure SSL renewal systemd units installed template: diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index c072b2ea3..4294bc113 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -77,14 +77,14 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: Ensure matrix-change-user-admin-status script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: (Migration) Ensure old matrix-make-user-admin script deleted @@ -97,7 +97,7 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: Ensure matrix-postgres.service installed diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index d4a7268fe..b658cfffc 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -106,4 +106,4 @@ template: src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" - mode: 0750 + mode: 0755 From 897c9825172b6872126019202ed0113d0aca3ce4 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Sun, 30 May 2021 14:32:51 +0530 Subject: [PATCH 53/65] prometheus security update 2.27.1 --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 02afd9e96..6c0fef317 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.27.0 +matrix_prometheus_version: v2.27.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 3581e1b37b2a4c6d9d30333ba4f8fa18b3080586 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Mon, 31 May 2021 08:43:55 +0300 Subject: [PATCH 54/65] Heisenbridge identd on unprivileged port Fixes running the container as an unprivileged user. --- .../templates/systemd/matrix-heisenbridge.service.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 index 91ba39b32..e27b88f1d 100644 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -22,7 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_heisenbridge_identd_enabled %} - -p 113:113 \ + -p 113:13113 \ {% endif %} -v {{ matrix_heisenbridge_base_path }}:/config:z \ {% for arg in matrix_heisenbridge_container_extra_arguments %} @@ -31,6 +31,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ {{ matrix_heisenbridge_docker_image }} \ {% if matrix_heisenbridge_identd_enabled %} --identd \ + --identd-port 13113 \ {% endif %} {% if matrix_heisenbridge_owner %} -o {{ matrix_heisenbridge_owner }} \ From ad7bbd644259da36ba82ab89c97077f16f428393 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 1 Jun 2021 16:00:13 +0800 Subject: [PATCH 55/65] merge upstream --- README.md | 2 +- docs/configuring-playbook-bot-mjolnir.md | 17 ++++-- ...onfiguring-playbook-prometheus-postgres.md | 29 ++++++++++ docs/maintenance-migrating.md | 4 ++ docs/maintenance-postgres.md | 34 ++++++++++-- group_vars/matrix_servers | 40 ++++++++++++++ .../surveys/configure_element.json.j2 | 12 ----- .../configure_element_subdomain.json.j2 | 18 +++++++ .../surveys/configure_synapse.json.j2 | 2 +- roles/matrix-awx/tasks/main.yml | 9 ++++ .../tasks/set_variables_element.yml | 1 - .../tasks/set_variables_element_subdomain.yml | 49 +++++++++++++++++ .../tasks/set_variables_synapse.yml | 4 +- .../defaults/main.yml | 2 +- .../tasks/migrate_nedb_to_postgres.yml | 6 +++ .../systemd/matrix-heisenbridge.service.j2 | 3 +- roles/matrix-grafana/tasks/setup.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 20 +++++-- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- .../nginx/conf.d/matrix-base-domain.conf.j2 | 8 +-- .../templates/nginx/conf.d/nginx-http.conf.j2 | 5 ++ .../matrix-postgres/tasks/setup_postgres.yml | 6 +-- .../defaults/main.yml | 49 +++++++++++++++++ .../tasks/init.yml | 5 ++ .../tasks/main.yml | 8 +++ .../tasks/setup.yml | 54 +++++++++++++++++++ ...ix-prometheus-postgres-exporter.service.j2 | 42 +++++++++++++++ roles/matrix-prometheus/defaults/main.yml | 2 +- .../templates/prometheus.yml.j2 | 6 +++ roles/matrix-synapse-admin/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 23 ++++++++ .../tasks/ext/mjolnir-antispam/setup.yml | 7 +++ .../ext/mjolnir-antispam/setup_install.yml | 52 ++++++++++++++++++ .../ext/mjolnir-antispam/setup_uninstall.yml | 6 +++ roles/matrix-synapse/tasks/ext/setup.yml | 2 + .../tasks/synapse/setup_install.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 2 + setup.yml | 4 +- 38 files changed, 496 insertions(+), 45 deletions(-) create mode 100644 docs/configuring-playbook-prometheus-postgres.md create mode 100644 roles/matrix-awx/surveys/configure_element_subdomain.json.j2 create mode 100644 roles/matrix-awx/tasks/set_variables_element_subdomain.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/defaults/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/init.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/setup.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml diff --git a/README.md b/README.md index 8448680cf..096c04e38 100644 --- a/README.md +++ b/README.md @@ -130,7 +130,7 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) -- IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) +- IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697) - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 1b0241e15..5ddb2ad3c 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -4,8 +4,6 @@ The playbook can install and configure the [Mjolnir](https://github.com/matrix-o See the project's [documentation](https://github.com/matrix-org/mjolnir) to learn what it does and why it might be useful to you. -Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md). - ## 1. Register the bot account @@ -90,8 +88,21 @@ matrix_bot_mjolnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" matrix_bot_mjolnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ``` +## 6. Adding mjolnir synapse antispam module (optional) -## 6. Installing +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + + +```yaml +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: true +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] +``` + + +## 7. Installing After configuring the playbook, run the [installation](installing.md) command: diff --git a/docs/configuring-playbook-prometheus-postgres.md b/docs/configuring-playbook-prometheus-postgres.md new file mode 100644 index 000000000..34407aaed --- /dev/null +++ b/docs/configuring-playbook-prometheus-postgres.md @@ -0,0 +1,29 @@ +# Enabling metrics and graphs for Postgres (optional) + +Expanding on the metrics exposed by the [synapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database. + +You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): + + +```yaml +matrix_prometheus_postgres_exporter_enabled: true + +# the role creates a postgres user as credential. You can configure these if required: +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' + +``` + +## What does it do? + +Name | Description +-----|---------- +`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' +`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' +`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. + + +## More information + +- [The PostgresSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic postgres dashboard) + diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index d6380b992..fd5936914 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,3 +1,7 @@ +> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`). +> +> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore. + # Migrating to new server 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading to less downtime diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 9b748d281..52d2d9eed 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -99,6 +99,8 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"` PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `matrix_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. +**Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`) + ### Here are some examples: These are not recommended values and they may not work well for you. This is just to give you an idea of some of the options that can be set. If you are an experienced PostgreSQL admin feel free to update this documentation with better examples. @@ -106,11 +108,33 @@ These are not recommended values and they may not work well for you. This is jus Here is an example config for a small 2 core server with 4GB of RAM and SSD storage: ``` matrix_postgres_process_extra_arguments: [ - "-c 'shared_buffers=128MB'", - "-c 'effective_cache_size=2304MB'", - "-c 'effective_io_concurrency=100'", - "-c 'random_page_cost=2.0'", - "-c 'min_wal_size=500MB'", + "-c shared_buffers=128MB", + "-c effective_cache_size=2304MB", + "-c effective_io_concurrency=100", + "-c random_page_cost=2.0", + "-c min_wal_size=500MB", +] +``` + +Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage: +``` +matrix_postgres_process_extra_arguments: [ + "-c max_connections=100", + "-c shared_buffers=2GB", + "-c effective_cache_size=6GB", + "-c maintenance_work_mem=512MB", + "-c checkpoint_completion_target=0.9", + "-c wal_buffers=16MB", + "-c default_statistics_target=100", + "-c random_page_cost=1.1", + "-c effective_io_concurrency=200", + "-c work_mem=5242kB", + "-c min_wal_size=1GB", + "-c max_wal_size=4GB", + "-c max_worker_processes=4", + "-c max_parallel_workers_per_gather=2", + "-c max_parallel_workers=4", + "-c max_parallel_maintenance_workers=2", ] ``` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 86f1d5a36..96b933f35 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1466,6 +1466,13 @@ matrix_postgres_additional_databases: | 'username': matrix_sygnal_database_username, 'password': matrix_sygnal_database_password, }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else []) + + + ([{ + 'name': matrix_prometheus_postgres_exporter_database_name, + 'username': matrix_prometheus_postgres_exporter_database_username, + 'password': matrix_prometheus_postgres_exporter_database_password, + }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else []) + }} matrix_postgres_import_roles_to_ignore: | @@ -1766,6 +1773,10 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_i matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}" +matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}" +matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port|string] if matrix_prometheus_scraper_postgres_enabled else [] }}" + + ###################################################################### # # /matrix-prometheus @@ -1773,6 +1784,27 @@ matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:91 ###################################################################### +###################################################################### +# +# matrix-prometheus-postgres-exporter +# +###################################################################### + +matrix_prometheus_postgres_exporter_enabled: false +matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" + +matrix_prometheus_postgres_exporter_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + +###################################################################### +# +# /matrix-prometheus-postgres-exporter +# +###################################################################### ###################################################################### # @@ -1787,6 +1819,14 @@ matrix_grafana_enabled: false # Grafana's HTTP port to the local host. matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}" +matrix_grafana_dashboard_download_urls_all: | + {{ + matrix_grafana_dashboard_download_urls + + + (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) + }} + + ###################################################################### # # /matrix-grafana diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2 index 02812fbc3..d85a0ee55 100755 --- a/roles/matrix-awx/surveys/configure_element.json.j2 +++ b/roles/matrix-awx/surveys/configure_element.json.j2 @@ -61,18 +61,6 @@ "new_question": true, "variable": "matrix_client_element_registration_enabled", "type": "multiplechoice" - }, - { - "question_name": "Set Element Subdomain", - "question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.", - "required": false, - "min": 0, - "max": 2048, - "default": "{{ element_subdomain }}", - "choices": "", - "new_question": true, - "variable": "element_subdomain", - "type": "text" } ] } diff --git a/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 b/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 new file mode 100644 index 000000000..a355af239 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 @@ -0,0 +1,18 @@ +{ + "name": "Configure Element Subdomain", + "description": "Configure Element clients subdomain location. (Eg: 'element' for element.example.org)", + "spec": [ + { + "question_name": "Set Element Subdomain", + "question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.", + "required": false, + "min": 0, + "max": 2048, + "default": "{{ element_subdomain }}", + "choices": "", + "new_question": true, + "variable": "element_subdomain", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index 22b80303e..7089f7b38 100755 --- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -107,7 +107,7 @@ "default": "", "choices": "", "new_question": true, - "variable": "matrix_synapse_registration_shared_secret", + "variable": "ext_matrix_synapse_registration_shared_secret", "type": "password" }, { diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index abfef97cb..654cdf627 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -98,6 +98,15 @@ tags: - setup-client-element +# Additional playbook to set the variable file during Element configuration +- include_tasks: + file: "set_variables_element_subdomain.yml" + apply: + tags: setup-client-element-subdomain + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-client-element-subdomain + # Additional playbook to set the variable file during Synapse configuration - include_tasks: file: "set_variables_synapse.yml" diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml index a0e41770c..29aac37f8 100755 --- a/roles/matrix-awx/tasks/set_variables_element.yml +++ b/roles/matrix-awx/tasks/set_variables_element.yml @@ -12,7 +12,6 @@ 'matrix_client_element_brand': '{{ matrix_client_element_brand }}' 'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}' 'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}' - 'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}" - name: Set fact for 'https' string set_fact: diff --git a/roles/matrix-awx/tasks/set_variables_element_subdomain.yml b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml new file mode 100644 index 000000000..87259d0f5 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml @@ -0,0 +1,49 @@ + +- name: Record Element-Web variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}" + +- name: Save new 'Configure Element Subdomain' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_element_subdomain.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json' + +- name: Copy new 'Configure Element Subdomain' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json' + dest: '/matrix/awx/configure_element_subdomain.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Element Subdomain' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Element Subdomain" + description: "Configure Element clients subdomain location. (Eg: 'element' for element.example.org)" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-all,setup-client-element-subdomain" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index e1a7312c6..6459f5a27 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -59,8 +59,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Settings Start' with_dict: - 'matrix_synapse_registration_shared_secret': '{{ matrix_synapse_registration_shared_secret }}' - when: matrix_synapse_registration_shared_secret|length > 0 + 'matrix_synapse_registration_shared_secret': '{{ ext_matrix_synapse_registration_shared_secret }}' + when: ext_matrix_synapse_registration_shared_secret|length > 0 - name: Record registations_require_3pid extra variable if true delegate_to: 127.0.0.1 diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 410299b76..bdf49f65b 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.25.0 +matrix_appservice_irc_version: release-0.26.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml index 3fab195ab..6b39ac62a 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml @@ -26,10 +26,16 @@ become: false when: "matrix_postgres_service_start_result.changed|bool" +- name: Check existence of matrix-appservice-irc service + stat: + path: "{{ matrix_systemd_path }}/matrix-appservice-irc.service" + register: matrix_appservice_irc_service_stat + - name: Ensure matrix-appservice-irc is stopped service: name: matrix-appservice-irc state: stopped + when: "matrix_appservice_irc_service_stat.stat.exists" - name: Import appservice-irc NeDB database into Postgres command: diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 index 91ba39b32..e27b88f1d 100644 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -22,7 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_heisenbridge_identd_enabled %} - -p 113:113 \ + -p 113:13113 \ {% endif %} -v {{ matrix_heisenbridge_base_path }}:/config:z \ {% for arg in matrix_heisenbridge_container_extra_arguments %} @@ -31,6 +31,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ {{ matrix_heisenbridge_docker_image }} \ {% if matrix_heisenbridge_identd_enabled %} --identd \ + --identd-port 13113 \ {% endif %} {% if matrix_heisenbridge_owner %} -o {{ matrix_heisenbridge_owner }} \ diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml index c2eea3485..00d2e230d 100644 --- a/roles/matrix-grafana/tasks/setup.yml +++ b/roles/matrix-grafana/tasks/setup.yml @@ -64,7 +64,7 @@ mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - with_items: "{{ matrix_grafana_dashboard_download_urls }}" + with_items: "{{ matrix_grafana_dashboard_download_urls_all }}" when: matrix_grafana_enabled|bool - name: Ensure matrix-grafana.service installed diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8dc8a2590..e7ee00a52 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.20.0-alpine +matrix_nginx_proxy_version: 1.21.0-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but @@ -289,7 +289,7 @@ matrix_nginx_proxy_floc_optout_enabled: true # HSTS Preloading Enable # -# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and # indicates a willingness to be “preloaded” into browsers: # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` # For more information visit: @@ -357,6 +357,18 @@ matrix_nginx_proxy_self_check_validate_certificates: true # so we default to not following redirects as well. matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none +# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). +# +# Otherwise, we get warnings like this: +# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" +# +# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. +# +# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver. +# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people. +# It might also be that no such warnings occur when not running in a container. +matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}" + # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # @@ -416,7 +428,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # Nginx Optimize SSL Session # # ssl_session_cache: -# - Creating a cache of TLS connection parameters reduces the number of handshakes +# - Creating a cache of TLS connection parameters reduces the number of handshakes # and thus can improve the performance of application. # - Default session cache is not optimal as it can be used by only one worker process # and can cause memory fragmentation. It is much better to use shared cache. @@ -425,7 +437,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # ssl_session_timeout: # - Nginx by default it is set to 5 minutes which is very low. # should be like 4h or 1d but will require you to increase the size of cache. -# - Learn More: +# - Learn More: # https://github.com/certbot/certbot/issues/6903 # https://github.com/mozilla/server-side-tls/issues/198 # diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 5bf9102d7..bfd25894a 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -34,7 +34,7 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - mode: 0750 + mode: 0755 - name: Ensure SSL renewal systemd units installed template: diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 3b0f213d3..37863d738 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,13 +9,13 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} @@ -77,13 +77,13 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 index 4811ac99b..beea6afa1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -4,6 +4,11 @@ # # Thus, we ensure a larger bucket size value is used. server_names_hash_bucket_size 64; + +{% if matrix_nginx_proxy_http_level_resolver %} + resolver {{ matrix_nginx_proxy_http_level_resolver }}; +{% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index c072b2ea3..4294bc113 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -77,14 +77,14 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: Ensure matrix-change-user-admin-status script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: (Migration) Ensure old matrix-make-user-admin script deleted @@ -97,7 +97,7 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: Ensure matrix-postgres.service installed diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml new file mode 100644 index 000000000..8aca45762 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml @@ -0,0 +1,49 @@ +# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics +# See: https://github.com/prometheus-community/postgres_exporter + +matrix_prometheus_postgres_exporter_enabled: false + +matrix_prometheus_postgres_exporter_version: v0.9.0 +matrix_prometheus_postgres_exporter_port: 9187 + +matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" +matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true", + "-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{matrix_prometheus_postgres_exporter_port}}\"", + "-e DATA_SOURCE_NAME=\"postgresql://{{matrix_prometheus_postgres_exporter_database_username}}:{{matrix_prometheus_postgres_exporter_database_password}}@{{matrix_prometheus_postgres_exporter_database_hostname}}:5432/{{matrix_prometheus_postgres_exporter_database_name}}?sslmode=disable\"" ] + +# List of systemd services that matrix-prometheus-postgres-exporter.service depends on +matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus-postgres-exporter.service wants +matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] + +# details for connecting to the database +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' +matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres' +matrix_prometheus_postgres_exporter_database_port: 5432 +matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' + + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). +# +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. +matrix_prometheus_postgres_exporter_container_http_host_bind_port: '' + +matrix_prometheus_postgres_exporter_dashboard_urls: +- "https://grafana.com/api/dashboards/9628/revisions/7/download" \ No newline at end of file diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml new file mode 100644 index 000000000..2bd6904ec --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}" + when: matrix_prometheus_postgres_exporter_enabled|bool + + diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml new file mode 100644 index 000000000..e3c364fa9 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml @@ -0,0 +1,8 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml new file mode 100644 index 000000000..076ece1a8 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml @@ -0,0 +1,54 @@ +--- + +# +# Tasks related to setting up matrix-prometheus-postgres-exporter +# + +- name: Ensure matrix-prometheus-postgres-exporter image is pulled + docker_image: + name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" + when: "matrix_prometheus_postgres_exporter_enabled|bool" + +- name: Ensure matrix-prometheus-postgres-exporter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + mode: 0644 + register: matrix_prometheus_postgres_exporter_systemd_service_result + when: matrix_prometheus_postgres_exporter_enabled|bool + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled) +# + +- name: Check existence of matrix-prometheus-postgres-exporter service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + register: matrix_prometheus_postgres_exporter_service_stat + +- name: Ensure matrix-prometheus-postgres-exporter is stopped + service: + name: matrix-prometheus-postgres-exporter + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + state: absent + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal + service: + daemon_reload: yes + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 new file mode 100644 index 000000000..b25cb5ded --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus-postgres-exporter +{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + {% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ + {% endif %} + --pid=host \ + {{ matrix_prometheus_postgres_exporter_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus-postgres-exporter + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 02afd9e96..6c0fef317 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.27.0 +matrix_prometheus_version: v2.27.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 9502a08b6..b3ee3b86e 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -38,3 +38,9 @@ scrape_configs: static_configs: - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} {% endif %} + + {% if matrix_prometheus_scraper_postgres_enabled %} + - job_name: postgres + static_configs: + - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} + {% endif %} \ No newline at end of file diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index dc4cc7700..069b62794 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: latest +matrix_synapse_admin_version: 0.8.1 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d966665f9..89d01bd06 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -497,6 +497,8 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" +matrix_synapse_ext_password_provider_ldap_active_directory: false +matrix_synapse_ext_password_provider_ldap_default_domain: "" # Enable this to activate the Synapse Antispam spam-checker module. # See: https://github.com/t2bot/synapse-simple-antispam @@ -505,6 +507,27 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "htt matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] +# Enable this to activate the Mjolnir Antispam spam-checker module. +# See: https://github.com/matrix-org/mjolnir#synapse-module +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir" +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "70f353fbbad0af469b1001080dea194d512b2815" +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +# Flag messages sent by servers/users in the ban lists as spam. Currently +# this means that spammy messages will appear as empty to users. Default +# false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +# Remove users from the user directory search by filtering matrix IDs and +# display names by the entries in the user ban list. Default false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir, +# this list cannot be room aliases or permalinks. This server is expected +# to already be joined to the room - Mjolnir will not automatically join +# these rooms. +# ["!roomid:example.org"] +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] + + matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml new file mode 100644 index 000000000..6c45f4693 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" + when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" + when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml new file mode 100644 index 000000000..a416e42ba --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml @@ -0,0 +1,52 @@ +--- + +- name: Ensure git installed (RedHat) + yum: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'RedHat'" + +- name: Ensure git installed (Debian) + apt: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'Debian'" + +- name: Ensure git installed (Archlinux) + pacman: + name: + - git + state: present + update_cache: no + when: "ansible_distribution == 'Archlinux'" + +- name: Clone mjolnir-antispam git repository + git: + repo: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url }}" + version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}" + dest: "{{ matrix_synapse_ext_path }}/mjolnir" + become: true + become_user: "{{ matrix_user_username }}" + +- set_fact: + matrix_synapse_spam_checker: > + {{ matrix_synapse_spam_checker }} + + + [{ + "module": "mjolnir.AntiSpam", + "config": { + "block_invites": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites }}, + "block_messages": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages }}, + "block_usernames": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames }}, + "ban_lists": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }} + } + }] + + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/mjolnir/synapse_antispam/mjolnir,dst={{ matrix_synapse_in_container_python_packages_path }}/mjolnir,ro"] diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml new file mode 100644 index 000000000..f8439a873 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure mjolnir-antispam doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/mjolnir" + state: absent diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml index 5e06ea9d4..31637fa97 100644 --- a/roles/matrix-synapse/tasks/ext/setup.yml +++ b/roles/matrix-synapse/tasks/ext/setup.yml @@ -7,3 +7,5 @@ - import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" - import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index d4a7268fe..b658cfffc 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -106,4 +106,4 @@ template: src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" - mode: 0750 + mode: 0755 diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 22f5f1ea4..aa07ae5b0 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2596,6 +2596,8 @@ password_providers: uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} + active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }} + default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }} attributes: uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} diff --git a/setup.yml b/setup.yml index 9e3cd6254..142364c46 100755 --- a/setup.yml +++ b/setup.yml @@ -54,5 +54,5 @@ - matrix-coturn - matrix-aux - matrix-postgres-backup - - matrix-common-after - + - matrix-prometheus-postgres-exporter + - matrix-common-after \ No newline at end of file From b1f1c28ef085e63a600775ef5c475a24f065f200 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jun 2021 19:14:49 +0300 Subject: [PATCH 56/65] Upgrade Synapse (1.34.0 -> 1.35.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 63 +++++++++---------- 2 files changed, 32 insertions(+), 35 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 89d01bd06..5cfa5c5fe 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.34.0 -matrix_synapse_version_arm64: v1.34.0 +matrix_synapse_version: v1.35.0 +matrix_synapse_version_arm64: v1.35.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index aa07ae5b0..734a7e909 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -705,33 +705,6 @@ acme: # #account_key_file: /data/acme_account.key -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -#tls_fingerprints: [{"sha256": ""}] - ## Federation ## @@ -2904,7 +2877,8 @@ opentracing: #enabled: true # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst + # See docs/opentracing.rst. + # # This is a list of regexes which are matched against the server_name of the # homeserver. # @@ -2913,19 +2887,26 @@ opentracing: #homeserver_whitelist: # - ".*" + # A list of the matrix IDs of users whose requests will always be traced, + # even if the tracing system would otherwise drop the traces due to + # probabilistic sampling. + # + # By default, the list is empty. + # + #force_tracing_for_users: + # - "@user1:server_name" + # - "@user2:server_name" + # Jaeger can be configured to sample traces at different rates. # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration mostly related to trace sampling which + # Jaeger's configuration is mostly related to trace sampling which # is documented here: - # https://www.jaegertracing.io/docs/1.13/sampling/. + # https://www.jaegertracing.io/docs/latest/sampling/. # #jaeger_config: # sampler: # type: const # param: 1 - - # Logging whether spans were started and reported - # # logging: # false @@ -2995,4 +2976,20 @@ redis: # password: {{ matrix_synapse_redis_password }} + +# Enable experimental features in Synapse. +# +# Experimental features might break or be removed without a deprecation +# period. +# +experimental_features: + # Support for Spaces (MSC1772), it enables the following: + # + # * The Spaces Summary API (MSC2946). + # * Restricting room membership based on space membership (MSC3083). + # + # Uncomment to disable support for Spaces. + #spaces_enabled: false + + # vim:ft=yaml From b772d113421c219e29933edf1c3d258f14c7463e Mon Sep 17 00:00:00 2001 From: hanthor Date: Wed, 2 Jun 2021 15:37:56 -0400 Subject: [PATCH 57/65] Update main.yml Update hydrogen-web version to v0.1.56 --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index f7a3059e4..12e62b8cc 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.53 +matrix_client_hydrogen_version: v0.1.56 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From ab08a4f60e572de07e63b831c4a5d1afbf31f556 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 3 Jun 2021 16:27:04 +0300 Subject: [PATCH 58/65] Upgrade Synapse (1.35.0 -> 1.35.1) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5cfa5c5fe..bf2fcac64 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.35.0 -matrix_synapse_version_arm64: v1.35.0 +matrix_synapse_version: v1.35.1 +matrix_synapse_version_arm64: v1.35.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 122a92fa1c66f7489dd32f86c70d95119c74ee29 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Fri, 4 Jun 2021 13:10:45 +0800 Subject: [PATCH 59/65] GoMatrixHosting v0.4.9 update --- docs/configuring-awx-system.md | 4 +- .../surveys/configure_email_relay.json.j2 | 19 ++++++ roles/matrix-awx/tasks/main.yml | 9 +++ .../matrix-awx/tasks/set_variables_mailer.yml | 50 +++++++++++++++ .../matrix-client-hydrogen/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 63 +++++++++---------- 7 files changed, 113 insertions(+), 38 deletions(-) create mode 100644 roles/matrix-awx/surveys/configure_email_relay.json.j2 create mode 100644 roles/matrix-awx/tasks/set_variables_mailer.yml diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index 1ab6950a3..87ea228a9 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -31,9 +31,9 @@ Updates to this section are trailed here: ## Does I need an AWX setup to use this? How do I configure it? -Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation.md). +Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation_AWX.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_AWX.md). -For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal.md). +For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal_AWX.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal_AWX.md). ## Does I need a front-end WordPress site? And a DigitalOcean account? diff --git a/roles/matrix-awx/surveys/configure_email_relay.json.j2 b/roles/matrix-awx/surveys/configure_email_relay.json.j2 new file mode 100644 index 000000000..65c21a94b --- /dev/null +++ b/roles/matrix-awx/surveys/configure_email_relay.json.j2 @@ -0,0 +1,19 @@ +{ + "name": "Configure Email Relay", + "description": "Enable MailGun relay to increase verification email reliability.", + "spec": [ + { + "question_name": "Enable Email Relay", + "question_description": "Enables the MailGun email relay server, enabling this will increase the reliability of your email verification.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_mailer_relay_use | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_mailer_relay_use", + "type": "multiplechoice" + } + ] +} + diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 654cdf627..beee918e2 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -98,6 +98,15 @@ tags: - setup-client-element +# Additional playbook to set the variable file during Mailer configuration +- include_tasks: + file: "set_variables_mailer.yml" + apply: + tags: setup-mailer + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-mailer + # Additional playbook to set the variable file during Element configuration - include_tasks: file: "set_variables_element_subdomain.yml" diff --git a/roles/matrix-awx/tasks/set_variables_mailer.yml b/roles/matrix-awx/tasks/set_variables_mailer.yml new file mode 100644 index 000000000..924454d6e --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_mailer.yml @@ -0,0 +1,50 @@ + +- name: Record Mailer variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Email Settings Start' + with_dict: + 'matrix_mailer_relay_use': '{{ matrix_mailer_relay_use }}' + +- name: Save new 'Configure Email Relay' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_email_relay.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json' + +- name: Copy new 'Configure Email Relay' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json' + dest: '/matrix/awx/configure_email_relay.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Email Relay' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Email Relay" + description: "Enable MailGun relay to increase verification email reliability." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-mailer" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index f7a3059e4..12e62b8cc 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.53 +matrix_client_hydrogen_version: v0.1.56 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 89d01bd06..bf2fcac64 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.34.0 -matrix_synapse_version_arm64: v1.34.0 +matrix_synapse_version: v1.35.1 +matrix_synapse_version_arm64: v1.35.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index aa07ae5b0..734a7e909 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -705,33 +705,6 @@ acme: # #account_key_file: /data/acme_account.key -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -#tls_fingerprints: [{"sha256": ""}] - ## Federation ## @@ -2904,7 +2877,8 @@ opentracing: #enabled: true # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst + # See docs/opentracing.rst. + # # This is a list of regexes which are matched against the server_name of the # homeserver. # @@ -2913,19 +2887,26 @@ opentracing: #homeserver_whitelist: # - ".*" + # A list of the matrix IDs of users whose requests will always be traced, + # even if the tracing system would otherwise drop the traces due to + # probabilistic sampling. + # + # By default, the list is empty. + # + #force_tracing_for_users: + # - "@user1:server_name" + # - "@user2:server_name" + # Jaeger can be configured to sample traces at different rates. # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration mostly related to trace sampling which + # Jaeger's configuration is mostly related to trace sampling which # is documented here: - # https://www.jaegertracing.io/docs/1.13/sampling/. + # https://www.jaegertracing.io/docs/latest/sampling/. # #jaeger_config: # sampler: # type: const # param: 1 - - # Logging whether spans were started and reported - # # logging: # false @@ -2995,4 +2976,20 @@ redis: # password: {{ matrix_synapse_redis_password }} + +# Enable experimental features in Synapse. +# +# Experimental features might break or be removed without a deprecation +# period. +# +experimental_features: + # Support for Spaces (MSC1772), it enables the following: + # + # * The Spaces Summary API (MSC2946). + # * Restricting room membership based on space membership (MSC3083). + # + # Uncomment to disable support for Spaces. + #spaces_enabled: false + + # vim:ft=yaml From 8cf3bdb7720d7b61fa32bc7e1290439c533fbe3a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 4 Jun 2021 09:32:22 +0300 Subject: [PATCH 60/65] Link to Heisenbridge demonstration video --- docs/configuring-playbook-bridge-heisenbridge.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-heisenbridge.md b/docs/configuring-playbook-bridge-heisenbridge.md index 9cf016f24..2c1b438f6 100644 --- a/docs/configuring-playbook-bridge-heisenbridge.md +++ b/docs/configuring-playbook-bridge-heisenbridge.md @@ -4,7 +4,7 @@ The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) bridge for you. -See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. +See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. You can also take a look at [this demonstration video](https://www.youtube.com/watch?v=nQk1Bp4tk4I). ## Configuration @@ -33,4 +33,6 @@ After the bridge is successfully running just DM `@heisenbridge:your-homeserver` Help is available for all commands with the `-h` switch. If the bridge ignores you and a DM is not accepted then the owner setting may be wrong. +You can also learn the basics by watching [this demonstration video](https://www.youtube.com/watch?v=nQk1Bp4tk4I). + If you encounter issues or feel lost you can join the project room at [#heisenbridge:vi.fi](https://matrix.to/#/#heisenbridge:vi.fi) for help. From 7f4e71b22a67a664f8a0f7f5a382daa2a03afe3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20K=C3=BChne?= Date: Sun, 6 Jun 2021 14:32:03 +0200 Subject: [PATCH 61/65] fix error when running with Ansible 2.7 in the hydrogen setup Without this the hydrogen task would fail for Ansible 2.7 even when hydrogen is not enabled. --- roles/matrix-client-hydrogen/tasks/init.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml index 1115f63d6..8116a0034 100644 --- a/roles/matrix-client-hydrogen/tasks/init.yml +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" From 3c05cc04bc40bd167ae624aabc24fab114d49727 Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Mon, 7 Jun 2021 10:41:18 +0200 Subject: [PATCH 62/65] Update IRC appservice --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index bdf49f65b..ca8797b4f 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.26.0 +matrix_appservice_irc_version: release-0.26.1 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From fa76c1ee5bdd09ecb8f272c23c1f77ad06756b85 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Jun 2021 08:59:02 +0300 Subject: [PATCH 63/65] Do not run self-build Ansible version-check, if component not enabled Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1108 --- roles/matrix-bridge-appservice-irc/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-facebook/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-instagram/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-telegram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-discord/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-steam/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml | 2 +- roles/matrix-client-element/tasks/init.yml | 2 +- roles/matrix-corporal/tasks/init.yml | 2 +- roles/matrix-coturn/tasks/init.yml | 2 +- roles/matrix-dynamic-dns/tasks/init.yml | 2 +- roles/matrix-ma1sd/tasks/init.yml | 2 +- roles/matrix-mailer/tasks/init.yml | 2 +- roles/matrix-registration/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 2 +- roles/matrix-synapse/tasks/init.yml | 2 +- 22 files changed, 22 insertions(+), 22 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index b9a58e005..e13557963 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build and matrix_appservice_irc_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 6a1bf869f..0584e6247 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build and matrix_appservice_slack_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 83e54cb42..fdfdfdaed 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 07fb254db..63a046180 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 6944003eb..c0b7da32f 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build and matrix_mautrix_instagram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index c8f7f895e..84ac86d0b 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build and matrix_mautrix_telegram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 983e3895e..33d35e603 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build and matrix_mx_puppet_discord_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index eb598ecb5..4cd3c6b3c 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build and matrix_mx_puppet_groupme_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index 2ef99f025..a12885e78 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build and matrix_mx_puppet_instagram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 1bdc4c2ba..e8ed1a3a6 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build and matrix_mx_puppet_skype_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index de3ffd7cd..716cb3517 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build and matrix_mx_puppet_slack_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index c7b3d67fb..38d0f9a22 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build and matrix_mx_puppet_steam_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 94fafd900..f23a6a647 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build and matrix_mx_puppet_twitter_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index 102cae383..44fa15440 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -7,4 +7,4 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build and matrix_client_element_enabled" diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index 993ace81e..e5062c275 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build and matrix_corporal_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index c645c06bf..a7d8a3434 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build and matrix_coturn_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 039b5b023..e7d33ff28 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index f09cfcfd4..04cc3a213 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled|bool" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index 5895343e8..d07380f0e 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index b58ba659d..32a35c7da 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build and matrix_registration_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index 7898dec94..9e1710156 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 167906646..bc23fc861 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled" # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. From 77fd1bff2201267519d202400b302262f6ce68bb Mon Sep 17 00:00:00 2001 From: rakshazi Date: Tue, 8 Jun 2021 14:57:49 +0000 Subject: [PATCH 64/65] Update element 1.7.29 -> 1.7.30 --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index f0596d917..f836d4a49 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.29 +matrix_client_element_version: v1.7.30 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 1cc1202df2a10340a6c799c866cee57041520e46 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 8 Jun 2021 23:59:31 +0530 Subject: [PATCH 65/65] update coturn --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index ad8735fe0..2539d8b1c 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" -matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r0" +matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r1" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" matrix_coturn_version: 4.5.2