Merge branch 'patch-2' of https://github.com/sakkiii/matrix-docker-ansible-deploy into patch-2
This commit is contained in:
commit
00eeccbd39
11
CHANGELOG.md
11
CHANGELOG.md
@ -1,3 +1,14 @@
|
||||
# 2021-05-21
|
||||
|
||||
## Hydrogen support
|
||||
|
||||
Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now supports [Hydrogen](https://github.com/vector-im/hydrogen-web) - a new lightweight matrix client with legacy and mobile browser support.
|
||||
|
||||
By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the playbook.
|
||||
|
||||
Additional details are available in [Setting up Hydrogen](docs/configuring-playbook-client-hydrogen.md).
|
||||
|
||||
|
||||
# 2021-05-19
|
||||
|
||||
## Heisenbridge support
|
||||
|
@ -105,6 +105,8 @@ Using this playbook, you can get the following services configured on your serve
|
||||
|
||||
- (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation
|
||||
|
||||
- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation
|
||||
|
||||
Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else.
|
||||
|
||||
**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.
|
||||
@ -128,7 +130,7 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w
|
||||
|
||||
- Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com)
|
||||
|
||||
- IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net)
|
||||
- IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697)
|
||||
|
||||
- GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)
|
||||
|
||||
|
@ -8,9 +8,7 @@ Members can be assigned a server from Digitalocean, or they can connect their ow
|
||||
|
||||
The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server.
|
||||
|
||||
Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
|
||||
|
||||
Warning: This project is currently alpha quality and should only be run by the brave.
|
||||
This system can manage the updates, configuration, import and export, backups and monitoring on its own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
|
||||
|
||||
|
||||
## Other Required Playbooks
|
||||
@ -23,6 +21,7 @@ The following repositories allow you to copy and use this setup:
|
||||
|
||||
[Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server.
|
||||
|
||||
|
||||
## Testing Fork For This Playbook
|
||||
|
||||
Updates to this section are trailed here:
|
||||
@ -32,9 +31,9 @@ Updates to this section are trailed here:
|
||||
|
||||
## Does I need an AWX setup to use this? How do I configure it?
|
||||
|
||||
Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation.md).
|
||||
Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation_AWX.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_AWX.md).
|
||||
|
||||
For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal.md).
|
||||
For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal_AWX.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal_AWX.md).
|
||||
|
||||
|
||||
## Does I need a front-end WordPress site? And a DigitalOcean account?
|
||||
|
@ -36,6 +36,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
|
||||
| CNAME | `stats` (*) | - | - | - | `matrix.<your-domain>` |
|
||||
| CNAME | `goneb` (*) | - | - | - | `matrix.<your-domain>` |
|
||||
| CNAME | `sygnal` (*) | - | - | - | `matrix.<your-domain>` |
|
||||
| CNAME | `hydrogen` (*) | - | - | - | `matrix.<your-domain>` |
|
||||
|
||||
## Subdomains setup
|
||||
|
||||
@ -54,6 +55,8 @@ The `goneb.<your-domain>` subdomain may be necessary, because this playbook coul
|
||||
|
||||
The `sygnal.<your-domain>` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.<your-domain>` DNS record.
|
||||
|
||||
The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.<your-domain>` DNS record.
|
||||
|
||||
|
||||
## `_matrix-identity._tcp` SRV record setup
|
||||
|
||||
|
@ -4,8 +4,6 @@ The playbook can install and configure the [Mjolnir](https://github.com/matrix-o
|
||||
|
||||
See the project's [documentation](https://github.com/matrix-org/mjolnir) to learn what it does and why it might be useful to you.
|
||||
|
||||
Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md).
|
||||
|
||||
|
||||
## 1. Register the bot account
|
||||
|
||||
@ -90,8 +88,21 @@ matrix_bot_mjolnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE"
|
||||
matrix_bot_mjolnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE"
|
||||
```
|
||||
|
||||
## 6. Adding mjolnir synapse antispam module (optional)
|
||||
|
||||
## 6. Installing
|
||||
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
|
||||
|
||||
|
||||
```yaml
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: true
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []
|
||||
```
|
||||
|
||||
|
||||
## 7. Installing
|
||||
|
||||
After configuring the playbook, run the [installation](installing.md) command:
|
||||
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) bridge for you.
|
||||
|
||||
See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you.
|
||||
See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. You can also take a look at [this demonstration video](https://www.youtube.com/watch?v=nQk1Bp4tk4I).
|
||||
|
||||
## Configuration
|
||||
|
||||
@ -33,4 +33,6 @@ After the bridge is successfully running just DM `@heisenbridge:your-homeserver`
|
||||
Help is available for all commands with the `-h` switch.
|
||||
If the bridge ignores you and a DM is not accepted then the owner setting may be wrong.
|
||||
|
||||
You can also learn the basics by watching [this demonstration video](https://www.youtube.com/watch?v=nQk1Bp4tk4I).
|
||||
|
||||
If you encounter issues or feel lost you can join the project room at [#heisenbridge:vi.fi](https://matrix.to/#/#heisenbridge:vi.fi) for help.
|
||||
|
21
docs/configuring-playbook-client-hydrogen.md
Normal file
21
docs/configuring-playbook-client-hydrogen.md
Normal file
@ -0,0 +1,21 @@
|
||||
# Configuring Hydrogen (optional)
|
||||
|
||||
This playbook can install the [Hydrogen](https://github.com/vector-im/hydrogen-web) Matrix web client for you.
|
||||
Hydrogen is a lightweight web client that supports mobile and legacy web browsers.
|
||||
Hydrogen can be installed alongside or instead of Element.
|
||||
|
||||
If you'd like Hydrogen to be installed, add the following to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
||||
|
||||
```yaml
|
||||
matrix_client_hydrogen_enabled: true
|
||||
```
|
||||
|
||||
You will also need to add a DNS record so that Hydrogen can be accessed.
|
||||
By default Hydrogen will use https://hydrogen.DOMAIN so you will need to create an CNAME record
|
||||
for `hydrogen`. See [Configuring DNS](configuring-dns.md).
|
||||
|
||||
If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain):
|
||||
|
||||
```yaml
|
||||
matrix_server_fqn_hydrogen: "helium.{{ matrix_domain }}"
|
||||
```
|
29
docs/configuring-playbook-prometheus-postgres.md
Normal file
29
docs/configuring-playbook-prometheus-postgres.md
Normal file
@ -0,0 +1,29 @@
|
||||
# Enabling metrics and graphs for Postgres (optional)
|
||||
|
||||
Expanding on the metrics exposed by the [synapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database.
|
||||
|
||||
You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
||||
|
||||
|
||||
```yaml
|
||||
matrix_prometheus_postgres_exporter_enabled: true
|
||||
|
||||
# the role creates a postgres user as credential. You can configure these if required:
|
||||
matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter'
|
||||
matrix_prometheus_postgres_exporter_database_password: 'some-password'
|
||||
|
||||
```
|
||||
|
||||
## What does it do?
|
||||
|
||||
Name | Description
|
||||
-----|----------
|
||||
`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false'
|
||||
`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter'
|
||||
`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database.
|
||||
|
||||
|
||||
## More information
|
||||
|
||||
- [The PostgresSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic postgres dashboard)
|
||||
|
@ -6,8 +6,6 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix
|
||||
|
||||
See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you.
|
||||
|
||||
**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file).
|
||||
|
||||
|
||||
## Adjusting the playbook configuration
|
||||
|
||||
|
@ -68,6 +68,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
|
||||
|
||||
- [Adjusting email-sending settings](configuring-playbook-email.md) (optional)
|
||||
|
||||
- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional)
|
||||
|
||||
|
||||
### Authentication and user-related
|
||||
|
||||
|
@ -1,3 +1,7 @@
|
||||
> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`).
|
||||
>
|
||||
> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore.
|
||||
|
||||
# Migrating to new server
|
||||
|
||||
1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading to less downtime
|
||||
|
@ -99,6 +99,8 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"`
|
||||
|
||||
PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `matrix_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change.
|
||||
|
||||
**Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`)
|
||||
|
||||
### Here are some examples:
|
||||
|
||||
These are not recommended values and they may not work well for you. This is just to give you an idea of some of the options that can be set. If you are an experienced PostgreSQL admin feel free to update this documentation with better examples.
|
||||
@ -106,11 +108,33 @@ These are not recommended values and they may not work well for you. This is jus
|
||||
Here is an example config for a small 2 core server with 4GB of RAM and SSD storage:
|
||||
```
|
||||
matrix_postgres_process_extra_arguments: [
|
||||
"-c 'shared_buffers=128MB'",
|
||||
"-c 'effective_cache_size=2304MB'",
|
||||
"-c 'effective_io_concurrency=100'",
|
||||
"-c 'random_page_cost=2.0'",
|
||||
"-c 'min_wal_size=500MB'",
|
||||
"-c shared_buffers=128MB",
|
||||
"-c effective_cache_size=2304MB",
|
||||
"-c effective_io_concurrency=100",
|
||||
"-c random_page_cost=2.0",
|
||||
"-c min_wal_size=500MB",
|
||||
]
|
||||
```
|
||||
|
||||
Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage:
|
||||
```
|
||||
matrix_postgres_process_extra_arguments: [
|
||||
"-c max_connections=100",
|
||||
"-c shared_buffers=2GB",
|
||||
"-c effective_cache_size=6GB",
|
||||
"-c maintenance_work_mem=512MB",
|
||||
"-c checkpoint_completion_target=0.9",
|
||||
"-c wal_buffers=16MB",
|
||||
"-c default_statistics_target=100",
|
||||
"-c random_page_cost=1.1",
|
||||
"-c effective_io_concurrency=200",
|
||||
"-c work_mem=5242kB",
|
||||
"-c min_wal_size=1GB",
|
||||
"-c max_wal_size=4GB",
|
||||
"-c max_worker_processes=4",
|
||||
"-c max_parallel_workers_per_gather=2",
|
||||
"-c max_parallel_workers=4",
|
||||
"-c max_parallel_maintenance_workers=2",
|
||||
]
|
||||
```
|
||||
|
||||
|
@ -14,6 +14,7 @@ List of roles where self-building the Docker image is currently possible:
|
||||
- `matrix-synapse`
|
||||
- `matrix-synapse-admin`
|
||||
- `matrix-client-element`
|
||||
- `matrix-client-hydrogen`
|
||||
- `matrix-registration`
|
||||
- `matrix-coturn`
|
||||
- `matrix-corporal`
|
||||
|
@ -1053,6 +1053,8 @@ matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena
|
||||
|
||||
matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}"
|
||||
|
||||
matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}"
|
||||
|
||||
matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}"
|
||||
matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}"
|
||||
matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}"
|
||||
@ -1198,6 +1200,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s
|
||||
|
||||
matrix_nginx_proxy_proxy_matrix_enabled: true
|
||||
matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
|
||||
matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
|
||||
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
|
||||
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
|
||||
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
|
||||
@ -1239,6 +1242,11 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m
|
||||
|
||||
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
# OCSP stapling does not make sense when self-signed certificates are used.
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
|
||||
matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}"
|
||||
|
||||
matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}"
|
||||
|
||||
matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
|
||||
@ -1268,6 +1276,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
|
||||
+
|
||||
([matrix_nginx_proxy_proxy_riot_compat_redirect_hostname] if matrix_nginx_proxy_proxy_riot_compat_redirect_enabled else [])
|
||||
+
|
||||
([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else [])
|
||||
+
|
||||
([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
|
||||
+
|
||||
([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
|
||||
@ -1456,6 +1466,13 @@ matrix_postgres_additional_databases: |
|
||||
'username': matrix_sygnal_database_username,
|
||||
'password': matrix_sygnal_database_password,
|
||||
}] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else [])
|
||||
+
|
||||
([{
|
||||
'name': matrix_prometheus_postgres_exporter_database_name,
|
||||
'username': matrix_prometheus_postgres_exporter_database_username,
|
||||
'password': matrix_prometheus_postgres_exporter_database_password,
|
||||
}] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else [])
|
||||
|
||||
}}
|
||||
|
||||
matrix_postgres_import_roles_to_ignore: |
|
||||
@ -1571,6 +1588,31 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr
|
||||
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# matrix-client-hydrogen
|
||||
#
|
||||
######################################################################
|
||||
|
||||
matrix_client_hydrogen_enabled: false
|
||||
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# the HTTP port to the local host.
|
||||
matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}"
|
||||
|
||||
matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}"
|
||||
|
||||
matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# /matrix-client-hydrogen
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# matrix-synapse
|
||||
@ -1731,6 +1773,10 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_i
|
||||
matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
|
||||
matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}"
|
||||
|
||||
matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}"
|
||||
matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port|string] if matrix_prometheus_scraper_postgres_enabled else [] }}"
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# /matrix-prometheus
|
||||
@ -1738,6 +1784,27 @@ matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:91
|
||||
######################################################################
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# matrix-prometheus-postgres-exporter
|
||||
#
|
||||
######################################################################
|
||||
|
||||
matrix_prometheus_postgres_exporter_enabled: false
|
||||
matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}"
|
||||
|
||||
matrix_prometheus_postgres_exporter_systemd_required_services_list: |
|
||||
{{
|
||||
['docker.service']
|
||||
+
|
||||
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
|
||||
}}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# /matrix-prometheus-postgres-exporter
|
||||
#
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -1752,6 +1819,14 @@ matrix_grafana_enabled: false
|
||||
# Grafana's HTTP port to the local host.
|
||||
matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}"
|
||||
|
||||
matrix_grafana_dashboard_download_urls_all: |
|
||||
{{
|
||||
matrix_grafana_dashboard_download_urls
|
||||
+
|
||||
(matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else [])
|
||||
}}
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# /matrix-grafana
|
||||
|
28
roles/matrix-awx/scripts/matrix_build_room_list.py
Normal file
28
roles/matrix-awx/scripts/matrix_build_room_list.py
Normal file
@ -0,0 +1,28 @@
|
||||
|
||||
import sys
|
||||
import requests
|
||||
import json
|
||||
|
||||
janitor_token = sys.argv[1]
|
||||
synapse_container_ip = sys.argv[2]
|
||||
|
||||
# collect total amount of rooms
|
||||
|
||||
rooms_raw_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms'
|
||||
rooms_raw_header = {'Authorization': 'Bearer ' + janitor_token}
|
||||
rooms_raw = requests.get(rooms_raw_url, headers=rooms_raw_header)
|
||||
rooms_raw_python = json.loads(rooms_raw.text)
|
||||
total_rooms = rooms_raw_python["total_rooms"]
|
||||
|
||||
# build complete room list file
|
||||
|
||||
room_list_file = open("/tmp/room_list_complete.json", "w")
|
||||
|
||||
for i in range(0, total_rooms, 100):
|
||||
rooms_inc_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms?from=' + str(i)
|
||||
rooms_inc = requests.get(rooms_inc_url, headers=rooms_raw_header)
|
||||
room_list_file.write(rooms_inc.text)
|
||||
|
||||
room_list_file.close()
|
||||
|
||||
print(total_rooms)
|
@ -61,18 +61,6 @@
|
||||
"new_question": true,
|
||||
"variable": "matrix_client_element_registration_enabled",
|
||||
"type": "multiplechoice"
|
||||
},
|
||||
{
|
||||
"question_name": "Set Element Subdomain",
|
||||
"question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.",
|
||||
"required": false,
|
||||
"min": 0,
|
||||
"max": 2048,
|
||||
"default": "{{ element_subdomain }}",
|
||||
"choices": "",
|
||||
"new_question": true,
|
||||
"variable": "element_subdomain",
|
||||
"type": "text"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
18
roles/matrix-awx/surveys/configure_element_subdomain.json.j2
Normal file
18
roles/matrix-awx/surveys/configure_element_subdomain.json.j2
Normal file
@ -0,0 +1,18 @@
|
||||
{
|
||||
"name": "Configure Element Subdomain",
|
||||
"description": "Configure Element clients subdomain location. (Eg: 'element' for element.example.org)",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Set Element Subdomain",
|
||||
"question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.",
|
||||
"required": false,
|
||||
"min": 0,
|
||||
"max": 2048,
|
||||
"default": "{{ element_subdomain }}",
|
||||
"choices": "",
|
||||
"new_question": true,
|
||||
"variable": "element_subdomain",
|
||||
"type": "text"
|
||||
}
|
||||
]
|
||||
}
|
19
roles/matrix-awx/surveys/configure_email_relay.json.j2
Normal file
19
roles/matrix-awx/surveys/configure_email_relay.json.j2
Normal file
@ -0,0 +1,19 @@
|
||||
{
|
||||
"name": "Configure Email Relay",
|
||||
"description": "Enable MailGun relay to increase verification email reliability.",
|
||||
"spec": [
|
||||
{
|
||||
"question_name": "Enable Email Relay",
|
||||
"question_description": "Enables the MailGun email relay server, enabling this will increase the reliability of your email verification.",
|
||||
"required": false,
|
||||
"min": null,
|
||||
"max": null,
|
||||
"default": "{{ matrix_mailer_relay_use | string | lower }}",
|
||||
"choices": "true\nfalse",
|
||||
"new_question": true,
|
||||
"variable": "matrix_mailer_relay_use",
|
||||
"type": "multiplechoice"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -107,7 +107,7 @@
|
||||
"default": "",
|
||||
"choices": "",
|
||||
"new_question": true,
|
||||
"variable": "matrix_synapse_registration_shared_secret",
|
||||
"variable": "ext_matrix_synapse_registration_shared_secret",
|
||||
"type": "password"
|
||||
},
|
||||
{
|
||||
|
@ -98,6 +98,24 @@
|
||||
tags:
|
||||
- setup-client-element
|
||||
|
||||
# Additional playbook to set the variable file during Mailer configuration
|
||||
- include_tasks:
|
||||
file: "set_variables_mailer.yml"
|
||||
apply:
|
||||
tags: setup-mailer
|
||||
when: run_setup|bool and matrix_awx_enabled|bool
|
||||
tags:
|
||||
- setup-mailer
|
||||
|
||||
# Additional playbook to set the variable file during Element configuration
|
||||
- include_tasks:
|
||||
file: "set_variables_element_subdomain.yml"
|
||||
apply:
|
||||
tags: setup-client-element-subdomain
|
||||
when: run_setup|bool and matrix_awx_enabled|bool
|
||||
tags:
|
||||
- setup-client-element-subdomain
|
||||
|
||||
# Additional playbook to set the variable file during Synapse configuration
|
||||
- include_tasks:
|
||||
file: "set_variables_synapse.yml"
|
||||
|
@ -17,136 +17,132 @@
|
||||
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
|
||||
no_log: True
|
||||
|
||||
- name: Collect size of Synapse database
|
||||
- name: Collect before shrink size of Synapse database
|
||||
shell: du -sh /matrix/postgres/data
|
||||
register: db_size_before_stat
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
no_log: True
|
||||
|
||||
- name: Print before size of Synapse database
|
||||
debug:
|
||||
msg: "{{ db_size_before_stat.stdout.split('\n') }}"
|
||||
when: db_size_before_stat is defined
|
||||
|
||||
- name: Collect the internal IP of the matrix-synapse container
|
||||
shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
register: synapse_container_ip
|
||||
|
||||
- name: Collect access token for janitor user
|
||||
shell: |
|
||||
curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token'
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
register: janitors_token
|
||||
no_log: True
|
||||
|
||||
- name: Collect total number of rooms
|
||||
- name: Copy build_room_list.py script to target machine
|
||||
copy:
|
||||
src: ./roles/matrix-awx/scripts/matrix_build_room_list.py
|
||||
dest: /usr/local/bin/matrix_build_room_list.py
|
||||
owner: matrix
|
||||
group: matrix
|
||||
mode: '0755'
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Run build_room_list.py script
|
||||
shell: |
|
||||
curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms' | jq '.total_rooms'
|
||||
when: purge_rooms|bool
|
||||
runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ janitors_token.stdout[1:-1] }} {{ synapse_container_ip.stdout }}
|
||||
register: rooms_total
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Print total number of rooms
|
||||
debug:
|
||||
msg: '{{ rooms_total.stdout }}'
|
||||
when: purge_rooms|bool
|
||||
- name: Fetch complete room list from target machine
|
||||
fetch:
|
||||
src: /tmp/room_list_complete.json
|
||||
dest: "/tmp/{{ subscription_id }}_room_list_complete.json"
|
||||
flat: yes
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Calculate every 100 values for total number of rooms
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
seq 0 100 {{ rooms_total.stdout }}
|
||||
when: purge_rooms|bool
|
||||
register: every_100_rooms
|
||||
|
||||
- name: Ensure room_list_complete.json file exists
|
||||
delegate_to: 127.0.0.1
|
||||
- name: Remove complete room list from target machine
|
||||
file:
|
||||
path: /tmp/{{ subscription_id }}_room_list_complete.json
|
||||
state: touch
|
||||
when: purge_rooms|bool
|
||||
|
||||
- name: Build file with total room list
|
||||
include_tasks: purge_database_build_list.yml
|
||||
loop: "{{ every_100_rooms.stdout_lines | flatten(levels=1) }}"
|
||||
when: purge_rooms|bool
|
||||
path: /tmp/room_list_complete.json
|
||||
state: absent
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Generate list of rooms with no local users
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt
|
||||
when: purge_rooms|bool
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Count number of rooms with no local users
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }'
|
||||
register: rooms_no_local_total
|
||||
when: purge_rooms|bool
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Setting host fact room_list_no_local_users
|
||||
set_fact:
|
||||
room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}"
|
||||
no_log: True
|
||||
when: purge_rooms|bool
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Purge all rooms with no local users
|
||||
include_tasks: purge_database_no_local.yml
|
||||
loop: "{{ room_list_no_local_users.splitlines() | flatten(levels=1) }}"
|
||||
when: purge_rooms|bool
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Collect epoche time from date
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
date -d '{{ purge_date }}' +"%s"
|
||||
when: purge_rooms|bool
|
||||
when: (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
register: purge_epoche_time
|
||||
|
||||
- name: Generate list of rooms with more then N users
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
jq 'try .rooms[] | select(.joined_members > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt
|
||||
when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of users [slower]") != -1
|
||||
|
||||
- name: Count number of rooms with more then N users
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }'
|
||||
register: rooms_join_members_total
|
||||
when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of users [slower]") != -1
|
||||
|
||||
- name: Setting host fact room_list_joined_members
|
||||
delegate_to: 127.0.0.1
|
||||
set_fact:
|
||||
room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}"
|
||||
when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of users [slower]") != -1
|
||||
no_log: True
|
||||
|
||||
- name: Purge all rooms with more then N users
|
||||
include_tasks: purge_database_users.yml
|
||||
loop: "{{ room_list_joined_members.splitlines() | flatten(levels=1) }}"
|
||||
when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of users [slower]") != -1
|
||||
|
||||
- name: Generate list of rooms with more then N events
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
jq 'try .rooms[] | select(.state_events > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt
|
||||
when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of events [slower]") != -1
|
||||
|
||||
- name: Count number of rooms with more then N users
|
||||
- name: Count number of rooms with more then N events
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }'
|
||||
register: rooms_state_events_total
|
||||
when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of events [slower]") != -1
|
||||
|
||||
- name: Setting host fact room_list_state_events
|
||||
delegate_to: 127.0.0.1
|
||||
set_fact:
|
||||
room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}"
|
||||
when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of events [slower]") != -1
|
||||
no_log: True
|
||||
|
||||
- name: Purge all rooms with more then N events
|
||||
include_tasks: purge_database_events.yml
|
||||
loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}"
|
||||
when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of events [slower]") != -1
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
@ -155,75 +151,162 @@
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Adjust 'Deploy/Update a Server' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
|
||||
description: "Creates a new matrix service with Spantaleev's playbooks"
|
||||
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
|
||||
job_type: run
|
||||
job_tags: "rust-synapse-compress-state"
|
||||
inventory: "{{ member_id }}"
|
||||
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
|
||||
playbook: setup.yml
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
|
||||
|
||||
- name: Execute rust-synapse-compress-state job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_launch:
|
||||
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
|
||||
tags: "rust-synapse-compress-state"
|
||||
wait: yes
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
||||
register: job
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
|
||||
|
||||
- name: Stop Synapse service
|
||||
shell: systemctl stop matrix-synapse.service
|
||||
- name: Revert 'Deploy/Update a Server' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
|
||||
description: "Creates a new matrix service with Spantaleev's playbooks"
|
||||
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
|
||||
job_type: run
|
||||
job_tags: "setup-all,start"
|
||||
inventory: "{{ member_id }}"
|
||||
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
|
||||
playbook: setup.yml
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
|
||||
|
||||
- name: Ensure matrix-synapse is stopped
|
||||
service:
|
||||
name: matrix-synapse
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Re-index Synapse database
|
||||
shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse'
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Ensure matrix-synapse is started
|
||||
service:
|
||||
name: matrix-synapse
|
||||
state: started
|
||||
daemon_reload: yes
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Adjust 'Deploy/Update a Server' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
|
||||
description: "Creates a new matrix service with Spantaleev's playbooks"
|
||||
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
|
||||
job_type: run
|
||||
job_tags: "run-postgres-vacuum,start"
|
||||
inventory: "{{ member_id }}"
|
||||
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
|
||||
playbook: setup.yml
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Execute run-postgres-vacuum job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_launch:
|
||||
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
|
||||
tags: "run-postgres-vacuum,start"
|
||||
wait: yes
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
||||
register: job
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Revert 'Deploy/Update a Server' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
|
||||
description: "Creates a new matrix service with Spantaleev's playbooks"
|
||||
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
|
||||
job_type: run
|
||||
job_tags: "setup-all,start"
|
||||
inventory: "{{ member_id }}"
|
||||
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
|
||||
playbook: setup.yml
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Cleanup room_list files
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
rm /tmp/{{ subscription_id }}_room_list*
|
||||
when: purge_rooms|bool
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
ignore_errors: yes
|
||||
|
||||
- name: Collect size of Synapse database
|
||||
- name: Collect after shrink size of Synapse database
|
||||
shell: du -sh /matrix/postgres/data
|
||||
register: db_size_after_stat
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
no_log: True
|
||||
|
||||
- name: Print total number of rooms processed
|
||||
debug:
|
||||
msg: '{{ rooms_total.stdout }}'
|
||||
when: purge_rooms|bool
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Print the number of rooms purged with no local users
|
||||
debug:
|
||||
msg: '{{ rooms_no_local_total.stdout }}'
|
||||
when: purge_rooms|bool
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
|
||||
|
||||
- name: Print the number of rooms purged with more then N users
|
||||
debug:
|
||||
msg: '{{ rooms_join_members_total.stdout }}'
|
||||
when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of users") != -1
|
||||
|
||||
- name: Print the number of rooms purged with more then N events
|
||||
debug:
|
||||
msg: '{{ rooms_state_events_total.stdout }}'
|
||||
when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
|
||||
when: purge_mode.find("Number of events") != -1
|
||||
|
||||
- name: Print before purge size of Synapse database
|
||||
debug:
|
||||
msg: "{{ db_size_before_stat.stdout.split('\n') }}"
|
||||
when: db_size_before_stat is defined
|
||||
when: (db_size_before_stat is defined) and (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Print after purge size of Synapse database
|
||||
debug:
|
||||
msg: "{{ db_size_after_stat.stdout.split('\n') }}"
|
||||
when: db_size_after_stat is defined
|
||||
when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Set boolean value to exit playbook
|
||||
set_fact:
|
||||
|
@ -12,7 +12,6 @@
|
||||
'matrix_client_element_brand': '{{ matrix_client_element_brand }}'
|
||||
'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}'
|
||||
'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}'
|
||||
'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}"
|
||||
|
||||
- name: Set fact for 'https' string
|
||||
set_fact:
|
||||
|
49
roles/matrix-awx/tasks/set_variables_element_subdomain.yml
Normal file
49
roles/matrix-awx/tasks/set_variables_element_subdomain.yml
Normal file
@ -0,0 +1,49 @@
|
||||
|
||||
- name: Record Element-Web variables locally on AWX
|
||||
delegate_to: 127.0.0.1
|
||||
lineinfile:
|
||||
path: '{{ awx_cached_matrix_vars }}'
|
||||
regexp: "^#? *{{ item.key | regex_escape() }}:"
|
||||
line: "{{ item.key }}: {{ item.value }}"
|
||||
insertafter: '# Element Settings Start'
|
||||
with_dict:
|
||||
'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}"
|
||||
|
||||
- name: Save new 'Configure Element Subdomain' survey.json to the AWX tower, template
|
||||
delegate_to: 127.0.0.1
|
||||
template:
|
||||
src: 'roles/matrix-awx/surveys/configure_element_subdomain.json.j2'
|
||||
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json'
|
||||
|
||||
- name: Copy new 'Configure Element Subdomain' survey.json to target machine
|
||||
copy:
|
||||
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json'
|
||||
dest: '/matrix/awx/configure_element_subdomain.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Element Subdomain' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
name: "{{ matrix_domain }} - 1 - Configure Element Subdomain"
|
||||
description: "Configure Element clients subdomain location. (Eg: 'element' for element.example.org)"
|
||||
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
|
||||
job_type: run
|
||||
job_tags: "start,setup-all,setup-client-element-subdomain"
|
||||
inventory: "{{ member_id }}"
|
||||
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
|
||||
playbook: setup.yml
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
survey_enabled: true
|
||||
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
50
roles/matrix-awx/tasks/set_variables_mailer.yml
Normal file
50
roles/matrix-awx/tasks/set_variables_mailer.yml
Normal file
@ -0,0 +1,50 @@
|
||||
|
||||
- name: Record Mailer variables locally on AWX
|
||||
delegate_to: 127.0.0.1
|
||||
lineinfile:
|
||||
path: '{{ awx_cached_matrix_vars }}'
|
||||
regexp: "^#? *{{ item.key | regex_escape() }}:"
|
||||
line: "{{ item.key }}: {{ item.value }}"
|
||||
insertafter: '# Email Settings Start'
|
||||
with_dict:
|
||||
'matrix_mailer_relay_use': '{{ matrix_mailer_relay_use }}'
|
||||
|
||||
- name: Save new 'Configure Email Relay' survey.json to the AWX tower, template
|
||||
delegate_to: 127.0.0.1
|
||||
template:
|
||||
src: 'roles/matrix-awx/surveys/configure_email_relay.json.j2'
|
||||
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json'
|
||||
|
||||
- name: Copy new 'Configure Email Relay' survey.json to target machine
|
||||
copy:
|
||||
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json'
|
||||
dest: '/matrix/awx/configure_email_relay.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Email Relay' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
name: "{{ matrix_domain }} - 1 - Configure Email Relay"
|
||||
description: "Enable MailGun relay to increase verification email reliability."
|
||||
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
|
||||
job_type: run
|
||||
job_tags: "start,setup-mailer"
|
||||
inventory: "{{ member_id }}"
|
||||
project: "{{ member_id }} - Matrix Docker Ansible Deploy"
|
||||
playbook: setup.yml
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
survey_enabled: true
|
||||
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json') }}"
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
validate_certs: yes
|
@ -59,8 +59,8 @@
|
||||
line: "{{ item.key }}: {{ item.value }}"
|
||||
insertafter: '# Synapse Settings Start'
|
||||
with_dict:
|
||||
'matrix_synapse_registration_shared_secret': '{{ matrix_synapse_registration_shared_secret }}'
|
||||
when: matrix_synapse_registration_shared_secret|length > 0
|
||||
'matrix_synapse_registration_shared_secret': '{{ ext_matrix_synapse_registration_shared_secret }}'
|
||||
when: ext_matrix_synapse_registration_shared_secret|length > 0
|
||||
|
||||
- name: Record registations_require_3pid extra variable if true
|
||||
delegate_to: 127.0.0.1
|
||||
|
@ -15,6 +15,9 @@ matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}"
|
||||
# This and the Matrix FQN (see above) are expected to be on the same server.
|
||||
matrix_server_fqn_element: "element.{{ matrix_domain }}"
|
||||
|
||||
# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
|
||||
matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"
|
||||
|
||||
# This is where you access the Dimension.
|
||||
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
|
||||
|
||||
|
@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
|
||||
matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
|
||||
matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
|
||||
|
||||
matrix_appservice_irc_version: release-0.25.0
|
||||
matrix_appservice_irc_version: release-0.26.1
|
||||
matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
|
||||
matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build and matrix_appservice_irc_enabled"
|
||||
|
||||
# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
|
||||
# We don't want to fail in such cases.
|
||||
- name: Fail if matrix-synapse role already executed
|
||||
|
@ -26,10 +26,16 @@
|
||||
become: false
|
||||
when: "matrix_postgres_service_start_result.changed|bool"
|
||||
|
||||
- name: Check existence of matrix-appservice-irc service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-appservice-irc.service"
|
||||
register: matrix_appservice_irc_service_stat
|
||||
|
||||
- name: Ensure matrix-appservice-irc is stopped
|
||||
service:
|
||||
name: matrix-appservice-irc
|
||||
state: stopped
|
||||
when: "matrix_appservice_irc_service_stat.stat.exists"
|
||||
|
||||
- name: Import appservice-irc NeDB database into Postgres
|
||||
command:
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build and matrix_appservice_slack_enabled"
|
||||
|
||||
# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
|
||||
# We don't want to fail in such cases.
|
||||
- name: Fail if matrix-synapse role already executed
|
||||
|
@ -22,7 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \
|
||||
--cap-drop=ALL \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_heisenbridge_identd_enabled %}
|
||||
-p 113:113 \
|
||||
-p 113:13113 \
|
||||
{% endif %}
|
||||
-v {{ matrix_heisenbridge_base_path }}:/config:z \
|
||||
{% for arg in matrix_heisenbridge_container_extra_arguments %}
|
||||
@ -31,6 +31,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \
|
||||
{{ matrix_heisenbridge_docker_image }} \
|
||||
{% if matrix_heisenbridge_identd_enabled %}
|
||||
--identd \
|
||||
--identd-port 13113 \
|
||||
{% endif %}
|
||||
{% if matrix_heisenbridge_owner %}
|
||||
-o {{ matrix_heisenbridge_owner }} \
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}"
|
||||
when: matrix_mautrix_facebook_enabled|bool
|
||||
@ -16,7 +23,7 @@
|
||||
when: matrix_mautrix_facebook_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}"
|
||||
when: matrix_mautrix_hangouts_enabled|bool
|
||||
@ -62,7 +69,7 @@
|
||||
when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)"
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build and matrix_mautrix_instagram_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}"
|
||||
when: matrix_mautrix_instagram_enabled|bool
|
||||
@ -16,7 +23,7 @@
|
||||
when: matrix_mautrix_instagram_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build and matrix_mautrix_telegram_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}"
|
||||
when: matrix_mautrix_telegram_enabled|bool
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build and matrix_mx_puppet_discord_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}"
|
||||
when: matrix_mx_puppet_discord_enabled|bool
|
||||
@ -16,7 +23,7 @@
|
||||
when: matrix_mx_puppet_discord_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build and matrix_mx_puppet_groupme_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}"
|
||||
when: matrix_mx_puppet_groupme_enabled|bool
|
||||
@ -16,7 +23,7 @@
|
||||
when: matrix_mx_puppet_groupme_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build and matrix_mx_puppet_instagram_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}"
|
||||
when: matrix_mx_puppet_instagram_enabled|bool
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build and matrix_mx_puppet_skype_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}"
|
||||
when: matrix_mx_puppet_skype_enabled|bool
|
||||
@ -16,7 +23,7 @@
|
||||
when: matrix_mx_puppet_skype_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build and matrix_mx_puppet_slack_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}"
|
||||
when: matrix_mx_puppet_slack_enabled|bool
|
||||
@ -63,7 +70,7 @@
|
||||
when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build and matrix_mx_puppet_steam_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}"
|
||||
when: matrix_mx_puppet_steam_enabled|bool
|
||||
@ -16,7 +23,7 @@
|
||||
when: matrix_mx_puppet_steam_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build and matrix_mx_puppet_twitter_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}"
|
||||
when: matrix_mx_puppet_twitter_enabled|bool
|
||||
@ -63,7 +70,7 @@
|
||||
when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined"
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
# for self building it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
|
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
|
||||
matrix_client_element_container_image_self_build: false
|
||||
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
|
||||
|
||||
matrix_client_element_version: v1.7.28
|
||||
matrix_client_element_version: v1.7.30
|
||||
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
|
||||
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
|
||||
|
@ -2,9 +2,9 @@
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}"
|
||||
when: matrix_client_element_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build"
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build and matrix_client_element_enabled"
|
||||
|
68
roles/matrix-client-hydrogen/defaults/main.yml
Normal file
68
roles/matrix-client-hydrogen/defaults/main.yml
Normal file
@ -0,0 +1,68 @@
|
||||
matrix_client_hydrogen_enabled: true
|
||||
|
||||
# Self building is used by default because the `config.json` file is only read at build time.
|
||||
# The pre-built images also were not functional as of 2021-05-15.
|
||||
matrix_client_hydrogen_container_image_self_build: true
|
||||
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
|
||||
|
||||
matrix_client_hydrogen_version: v0.1.56
|
||||
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
|
||||
matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
|
||||
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen"
|
||||
matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src"
|
||||
|
||||
# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
|
||||
matrix_client_hydrogen_container_http_host_bind_port: ''
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_client_hydrogen_container_extra_arguments: []
|
||||
|
||||
# List of systemd services that matrix-client-hydrogen.service depends on
|
||||
matrix_client_hydrogen_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_client_hydrogen_self_check_validate_certificates: true
|
||||
|
||||
# config.json
|
||||
matrix_client_hydrogen_default_hs_url: ""
|
||||
|
||||
# Default Hydrogen configuration template which covers the generic use case.
|
||||
# You can customize it by controlling the various variables inside it.
|
||||
#
|
||||
# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`)
|
||||
# or completely replace this variable with your own template.
|
||||
#
|
||||
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
|
||||
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
|
||||
matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
|
||||
|
||||
# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`.
|
||||
# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`).
|
||||
#
|
||||
# You can override individual variables from the default configuration, or introduce new ones.
|
||||
#
|
||||
# If you need something more special, you can take full control by
|
||||
# completely redefining `matrix_client_hydrogen_configuration_default`.
|
||||
#
|
||||
# Example configuration extension follows:
|
||||
#
|
||||
# matrix_client_hydrogen_configuration_extension_json: |
|
||||
# {
|
||||
# "push": {
|
||||
# "appId": "io.element.hydrogen.web",
|
||||
# "gatewayUrl": "https://matrix.org",
|
||||
# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM"
|
||||
# },
|
||||
# "defaultHomeServer": "matrix.org"
|
||||
# }
|
||||
matrix_client_hydrogen_configuration_extension_json: '{}'
|
||||
|
||||
matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}"
|
||||
|
||||
# Holds the final Hydrogen configuration (a combination of the default and its extension).
|
||||
# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`.
|
||||
matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}"
|
10
roles/matrix-client-hydrogen/tasks/init.yml
Normal file
10
roles/matrix-client-hydrogen/tasks/init.yml
Normal file
@ -0,0 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}"
|
||||
when: matrix_client_hydrogen_enabled|bool
|
15
roles/matrix-client-hydrogen/tasks/main.yml
Normal file
15
roles/matrix-client-hydrogen/tasks/main.yml
Normal file
@ -0,0 +1,15 @@
|
||||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
when: "run_setup|bool and matrix_client_hydrogen_enabled|bool"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-client-hydrogen
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup.yml"
|
||||
when: run_setup|bool
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-client-hydrogen
|
22
roles/matrix-client-hydrogen/tasks/self_check.yml
Normal file
22
roles/matrix-client-hydrogen/tasks/self_check.yml
Normal file
@ -0,0 +1,22 @@
|
||||
---
|
||||
|
||||
- set_fact:
|
||||
matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}"
|
||||
|
||||
- name: Check Hydrogen
|
||||
uri:
|
||||
url: "{{ matrix_client_hydrogen_url_endpoint_public }}"
|
||||
follow_redirects: none
|
||||
validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}"
|
||||
register: matrix_client_hydrogen_self_check_result
|
||||
check_mode: no
|
||||
ignore_errors: true
|
||||
|
||||
- name: Fail if Hydrogen not working
|
||||
fail:
|
||||
msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}"
|
||||
when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result"
|
||||
|
||||
- name: Report working Hydrogen
|
||||
debug:
|
||||
msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)"
|
119
roles/matrix-client-hydrogen/tasks/setup.yml
Normal file
119
roles/matrix-client-hydrogen/tasks/setup.yml
Normal file
@ -0,0 +1,119 @@
|
||||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up Hydrogen
|
||||
#
|
||||
|
||||
- name: Ensure Hydrogen paths exists
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_client_hydrogen_data_path }}", when: true }
|
||||
- { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" }
|
||||
when: matrix_client_hydrogen_enabled|bool and item.when
|
||||
|
||||
- name: Ensure Hydrogen Docker image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_client_hydrogen_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}"
|
||||
when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build
|
||||
|
||||
- name: Ensure Hydrogen repository is present on self-build
|
||||
git:
|
||||
repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}"
|
||||
dest: "{{ matrix_client_hydrogen_docker_src_files_path }}"
|
||||
version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}"
|
||||
force: "yes"
|
||||
register: matrix_client_hydrogen_git_pull_results
|
||||
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure Hydrogen configuration installed
|
||||
copy:
|
||||
content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
|
||||
dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure Hydrogen additional config files installed
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
|
||||
when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
|
||||
|
||||
- name: Ensure Hydrogen Docker image is built
|
||||
docker_image:
|
||||
name: "{{ matrix_client_hydrogen_docker_image }}"
|
||||
source: build
|
||||
force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
path: "{{ matrix_client_hydrogen_docker_src_files_path }}"
|
||||
pull: yes
|
||||
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure matrix-client-hydrogen.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
|
||||
mode: 0644
|
||||
register: matrix_client_hydrogen_systemd_service_result
|
||||
when: matrix_client_hydrogen_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of Hydrogen (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-client-hydrogen.service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
|
||||
register: matrix_client_hydrogen_service_stat
|
||||
when: "not matrix_client_hydrogen_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-client-hydrogen is stopped
|
||||
service:
|
||||
name: matrix-client-hydrogen
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-client-hydrogen.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
|
||||
state: absent
|
||||
when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure Hydrogen paths doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_client_hydrogen_data_path }}"
|
||||
state: absent
|
||||
when: "not matrix_client_hydrogen_enabled|bool"
|
||||
|
||||
- name: Ensure Hydrogen Docker image doesn't exist
|
||||
docker_image:
|
||||
name: "{{ matrix_client_hydrogen_docker_image }}"
|
||||
state: absent
|
||||
when: "not matrix_client_hydrogen_enabled|bool"
|
9
roles/matrix-client-hydrogen/tasks/validate_config.yml
Normal file
9
roles/matrix-client-hydrogen/tasks/validate_config.yml
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
|
||||
- name: Fail if required Hydrogen settings not defined
|
||||
fail:
|
||||
msg: >
|
||||
You need to define a required configuration setting (`{{ item }}`) to use Hydrogen.
|
||||
when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool"
|
||||
with_items:
|
||||
- "matrix_client_hydrogen_default_hs_url"
|
3
roles/matrix-client-hydrogen/templates/config.json.j2
Normal file
3
roles/matrix-client-hydrogen/templates/config.json.j2
Normal file
@ -0,0 +1,3 @@
|
||||
{
|
||||
"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }}
|
||||
}
|
66
roles/matrix-client-hydrogen/templates/nginx.conf.j2
Normal file
66
roles/matrix-client-hydrogen/templates/nginx.conf.j2
Normal file
@ -0,0 +1,66 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
# This is a custom nginx configuration file that we use in the container (instead of the default one),
|
||||
# because it allows us to run nginx with a non-root user.
|
||||
#
|
||||
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
|
||||
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
|
||||
#
|
||||
# The following changes have been done compared to a default nginx configuration file:
|
||||
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
|
||||
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
|
||||
# - the `user` directive was removed, as we don't want nginx to switch users
|
||||
|
||||
worker_processes 1;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
#gzip on;
|
||||
|
||||
server {
|
||||
listen 8080;
|
||||
server_name localhost;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
location / {
|
||||
index index.html index.htm;
|
||||
}
|
||||
|
||||
location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
|
||||
expires -1;
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,39 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix Hydrogen Client
|
||||
{% for service in matrix_client_hydrogen_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null'
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_client_hydrogen_container_http_host_bind_port %}
|
||||
-p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \
|
||||
{% endif %}
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
|
||||
--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
|
||||
{% for arg in matrix_client_hydrogen_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_client_hydrogen_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-client-hydrogen
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build and matrix_corporal_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}"
|
||||
when: matrix_corporal_enabled|bool
|
||||
|
@ -2,7 +2,7 @@ matrix_coturn_enabled: true
|
||||
|
||||
matrix_coturn_container_image_self_build: false
|
||||
matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
|
||||
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r0"
|
||||
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r1"
|
||||
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
|
||||
|
||||
matrix_coturn_version: 4.5.2
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build and matrix_coturn_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}"
|
||||
when: matrix_coturn_enabled|bool
|
||||
@ -5,10 +12,3 @@
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}"
|
||||
when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build"
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}"
|
||||
when: "matrix_dynamic_dns_enabled|bool"
|
||||
|
@ -64,7 +64,7 @@
|
||||
mode: 0440
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items: "{{ matrix_grafana_dashboard_download_urls }}"
|
||||
with_items: "{{ matrix_grafana_dashboard_download_urls_all }}"
|
||||
when: matrix_grafana_enabled|bool
|
||||
|
||||
- name: Ensure matrix-grafana.service installed
|
||||
|
@ -176,6 +176,8 @@ matrix_jitsi_prosody_container_extra_arguments: []
|
||||
# List of systemd services that matrix-jitsi-prosody.service depends on
|
||||
matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# Neccessary Port binding for those disabling the integrated nginx proxy
|
||||
matrix_jitsi_prosody_container_http_host_bind_port: ''
|
||||
|
||||
matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}"
|
||||
matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"
|
||||
|
@ -16,6 +16,9 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }}
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \
|
||||
--log-driver=none \
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_jitsi_prosody_container_http_host_bind_port %}
|
||||
-p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \
|
||||
{% endif %}
|
||||
--env-file={{ matrix_jitsi_prosody_base_path }}/env \
|
||||
--mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \
|
||||
--mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \
|
||||
|
@ -1,10 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled|bool"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}"
|
||||
when: matrix_ma1sd_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build"
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}"
|
||||
when: matrix_mailer_enabled|bool
|
||||
|
@ -1,5 +1,5 @@
|
||||
matrix_nginx_proxy_enabled: true
|
||||
matrix_nginx_proxy_version: 1.20.0-alpine
|
||||
matrix_nginx_proxy_version: 1.21.0-alpine
|
||||
|
||||
# We use an official nginx image, which we fix-up to run unprivileged.
|
||||
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
||||
@ -113,6 +113,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:
|
||||
matrix_nginx_proxy_proxy_element_enabled: false
|
||||
matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
|
||||
|
||||
# Controls whether proxying the Hydrogen domain should be done.
|
||||
matrix_nginx_proxy_proxy_hydrogen_enabled: false
|
||||
matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
|
||||
|
||||
# Controls whether proxying the matrix domain should be done.
|
||||
matrix_nginx_proxy_proxy_matrix_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
@ -252,6 +256,9 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
|
||||
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
|
||||
matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
|
||||
matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []
|
||||
|
||||
# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
|
||||
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
|
||||
|
||||
@ -280,6 +287,26 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
||||
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
||||
matrix_nginx_proxy_floc_optout_enabled: true
|
||||
|
||||
# HSTS Preloading Enable
|
||||
#
|
||||
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
||||
# indicates a willingness to be “preloaded” into browsers:
|
||||
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
||||
# For more information visit:
|
||||
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
# - https://hstspreload.org/#opt-in
|
||||
matrix_nginx_proxy_hsts_preload_enabled: false
|
||||
|
||||
# X-XSS-Protection Enable
|
||||
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
|
||||
# Note: Not applicable for grafana
|
||||
#
|
||||
# Learn more about it is here:
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||
# - https://portswigger.net/web-security/cross-site-scripting/reflected
|
||||
matrix_nginx_proxy_xss_protection: "1; mode=block"
|
||||
|
||||
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
||||
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||||
#
|
||||
@ -330,6 +357,18 @@ matrix_nginx_proxy_self_check_validate_certificates: true
|
||||
# so we default to not following redirects as well.
|
||||
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
|
||||
|
||||
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
|
||||
#
|
||||
# Otherwise, we get warnings like this:
|
||||
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
|
||||
#
|
||||
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
|
||||
#
|
||||
# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.
|
||||
# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.
|
||||
# It might also be that no such warnings occur when not running in a container.
|
||||
matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"
|
||||
|
||||
# By default, this playbook automatically retrieves and auto-renews
|
||||
# free SSL certificates from Let's Encrypt.
|
||||
#
|
||||
@ -389,7 +428,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
||||
# Nginx Optimize SSL Session
|
||||
#
|
||||
# ssl_session_cache:
|
||||
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
||||
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
||||
# and thus can improve the performance of application.
|
||||
# - Default session cache is not optimal as it can be used by only one worker process
|
||||
# and can cause memory fragmentation. It is much better to use shared cache.
|
||||
@ -398,7 +437,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
||||
# ssl_session_timeout:
|
||||
# - Nginx by default it is set to 5 minutes which is very low.
|
||||
# should be like 4h or 1d but will require you to increase the size of cache.
|
||||
# - Learn More:
|
||||
# - Learn More:
|
||||
# https://github.com/certbot/certbot/issues/6903
|
||||
# https://github.com/mozilla/server-side-tls/issues/198
|
||||
#
|
||||
|
@ -72,6 +72,13 @@
|
||||
mode: 0644
|
||||
when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists
|
||||
template:
|
||||
src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2"
|
||||
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
|
||||
mode: 0644
|
||||
when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configuration for dimension domain exists
|
||||
template:
|
||||
src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2"
|
||||
@ -204,6 +211,12 @@
|
||||
state: absent
|
||||
when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool"
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted
|
||||
file:
|
||||
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
|
||||
state: absent
|
||||
when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool"
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted
|
||||
file:
|
||||
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
|
||||
|
@ -34,7 +34,7 @@
|
||||
template:
|
||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
|
||||
dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
|
||||
mode: 0750
|
||||
mode: 0755
|
||||
|
||||
- name: Ensure SSL renewal systemd units installed
|
||||
template:
|
||||
|
@ -10,6 +10,14 @@
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
@ -69,13 +77,13 @@ server {
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
|
@ -3,8 +3,12 @@
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
|
||||
|
@ -4,13 +4,20 @@
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
@ -0,0 +1,102 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-client-hydrogen:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:8768;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
@ -3,8 +3,12 @@
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
|
@ -20,6 +20,14 @@
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
|
||||
location /.well-known/matrix {
|
||||
root {{ matrix_static_files_base_path }};
|
||||
|
@ -4,7 +4,11 @@
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
# duplicate X-Content-Type-Options & X-Frame-Options header
|
||||
# Enabled by grafana by default
|
||||
# add_header X-Content-Type-Options nosniff;
|
||||
|
@ -3,8 +3,12 @@
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
|
@ -5,6 +5,14 @@
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
@ -67,7 +75,7 @@ server {
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
|
@ -3,8 +3,12 @@
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options DENY;
|
||||
|
||||
|
@ -4,6 +4,11 @@
|
||||
#
|
||||
# Thus, we ensure a larger bucket size value is used.
|
||||
server_names_hash_bucket_size 64;
|
||||
|
||||
{% if matrix_nginx_proxy_http_level_resolver %}
|
||||
resolver {{ matrix_nginx_proxy_http_level_resolver }};
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
@ -77,14 +77,14 @@
|
||||
template:
|
||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2"
|
||||
dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli"
|
||||
mode: 0750
|
||||
mode: 0755
|
||||
when: matrix_postgres_enabled|bool
|
||||
|
||||
- name: Ensure matrix-change-user-admin-status script created
|
||||
template:
|
||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2"
|
||||
dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status"
|
||||
mode: 0750
|
||||
mode: 0755
|
||||
when: matrix_postgres_enabled|bool
|
||||
|
||||
- name: (Migration) Ensure old matrix-make-user-admin script deleted
|
||||
@ -97,7 +97,7 @@
|
||||
template:
|
||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2"
|
||||
dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash"
|
||||
mode: 0750
|
||||
mode: 0755
|
||||
when: matrix_postgres_enabled|bool
|
||||
|
||||
- name: Ensure matrix-postgres.service installed
|
||||
|
49
roles/matrix-prometheus-postgres-exporter/defaults/main.yml
Normal file
49
roles/matrix-prometheus-postgres-exporter/defaults/main.yml
Normal file
@ -0,0 +1,49 @@
|
||||
# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics
|
||||
# See: https://github.com/prometheus-community/postgres_exporter
|
||||
|
||||
matrix_prometheus_postgres_exporter_enabled: false
|
||||
|
||||
matrix_prometheus_postgres_exporter_version: v0.9.0
|
||||
matrix_prometheus_postgres_exporter_port: 9187
|
||||
|
||||
matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}"
|
||||
matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}"
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true",
|
||||
"-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{matrix_prometheus_postgres_exporter_port}}\"",
|
||||
"-e DATA_SOURCE_NAME=\"postgresql://{{matrix_prometheus_postgres_exporter_database_username}}:{{matrix_prometheus_postgres_exporter_database_password}}@{{matrix_prometheus_postgres_exporter_database_hostname}}:5432/{{matrix_prometheus_postgres_exporter_database_name}}?sslmode=disable\"" ]
|
||||
|
||||
# List of systemd services that matrix-prometheus-postgres-exporter.service depends on
|
||||
matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service']
|
||||
|
||||
# List of systemd services that matrix-prometheus-postgres-exporter.service wants
|
||||
matrix_prometheus_postgres_exporter_systemd_wanted_services_list: []
|
||||
|
||||
# details for connecting to the database
|
||||
matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter'
|
||||
matrix_prometheus_postgres_exporter_database_password: 'some-password'
|
||||
matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres'
|
||||
matrix_prometheus_postgres_exporter_database_port: 5432
|
||||
matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter'
|
||||
|
||||
|
||||
# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
|
||||
#
|
||||
# Official recommendations are to run this container with `--net=host`,
|
||||
# but we don't do that, since it:
|
||||
# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008)
|
||||
# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`)
|
||||
#
|
||||
# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both,
|
||||
# but that's trickier to accomplish and won't necessarily work (hasn't been tested).
|
||||
#
|
||||
# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate),
|
||||
# because node-exporter can't see all interfaces, etc.
|
||||
# For now, we'll live with that, until someone develops a better solution.
|
||||
matrix_prometheus_postgres_exporter_container_http_host_bind_port: ''
|
||||
|
||||
matrix_prometheus_postgres_exporter_dashboard_urls:
|
||||
- "https://grafana.com/api/dashboards/9628/revisions/7/download"
|
5
roles/matrix-prometheus-postgres-exporter/tasks/init.yml
Normal file
5
roles/matrix-prometheus-postgres-exporter/tasks/init.yml
Normal file
@ -0,0 +1,5 @@
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}"
|
||||
when: matrix_prometheus_postgres_exporter_enabled|bool
|
||||
|
||||
|
8
roles/matrix-prometheus-postgres-exporter/tasks/main.yml
Normal file
8
roles/matrix-prometheus-postgres-exporter/tasks/main.yml
Normal file
@ -0,0 +1,8 @@
|
||||
- import_tasks: "{{ role_path }}/tasks/init.yml"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/setup.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-prometheus-postgres-exporter
|
54
roles/matrix-prometheus-postgres-exporter/tasks/setup.yml
Normal file
54
roles/matrix-prometheus-postgres-exporter/tasks/setup.yml
Normal file
@ -0,0 +1,54 @@
|
||||
---
|
||||
|
||||
#
|
||||
# Tasks related to setting up matrix-prometheus-postgres-exporter
|
||||
#
|
||||
|
||||
- name: Ensure matrix-prometheus-postgres-exporter image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_prometheus_postgres_exporter_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}"
|
||||
when: "matrix_prometheus_postgres_exporter_enabled|bool"
|
||||
|
||||
- name: Ensure matrix-prometheus-postgres-exporter.service installed
|
||||
template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2"
|
||||
dest: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service"
|
||||
mode: 0644
|
||||
register: matrix_prometheus_postgres_exporter_systemd_service_result
|
||||
when: matrix_prometheus_postgres_exporter_enabled|bool
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-prometheus.service installation
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed"
|
||||
|
||||
#
|
||||
# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled)
|
||||
#
|
||||
|
||||
- name: Check existence of matrix-prometheus-postgres-exporter service
|
||||
stat:
|
||||
path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service"
|
||||
register: matrix_prometheus_postgres_exporter_service_stat
|
||||
|
||||
- name: Ensure matrix-prometheus-postgres-exporter is stopped
|
||||
service:
|
||||
name: matrix-prometheus-postgres-exporter
|
||||
state: stopped
|
||||
daemon_reload: yes
|
||||
register: stopping_result
|
||||
when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service"
|
||||
state: absent
|
||||
when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists"
|
||||
|
||||
- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal
|
||||
service:
|
||||
daemon_reload: yes
|
||||
when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists"
|
@ -0,0 +1,42 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=matrix-prometheus-postgres-exporter
|
||||
{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ matrix_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null'
|
||||
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null'
|
||||
|
||||
|
||||
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
{% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
--network={{ matrix_docker_network }} \
|
||||
{% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %}
|
||||
-p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \
|
||||
{% endif %}
|
||||
--pid=host \
|
||||
{{ matrix_prometheus_postgres_exporter_docker_image }}
|
||||
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null'
|
||||
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-prometheus-postgres-exporter
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -3,7 +3,7 @@
|
||||
|
||||
matrix_prometheus_enabled: false
|
||||
|
||||
matrix_prometheus_version: v2.27.0
|
||||
matrix_prometheus_version: v2.27.1
|
||||
matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
|
||||
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
@ -38,3 +38,9 @@ scrape_configs:
|
||||
static_configs:
|
||||
- targets: {{ matrix_prometheus_scraper_node_targets|to_json }}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_prometheus_scraper_postgres_enabled %}
|
||||
- job_name: postgres
|
||||
static_configs:
|
||||
- targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }}
|
||||
{% endif %}
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build and matrix_registration_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}"
|
||||
when: matrix_registration_enabled|bool
|
||||
|
@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
|
||||
|
||||
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
|
||||
|
||||
matrix_synapse_admin_version: latest
|
||||
matrix_synapse_admin_version: 0.8.1
|
||||
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
|
||||
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled"
|
||||
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}"
|
||||
when: matrix_synapse_admin_enabled|bool
|
||||
|
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
|
||||
# amd64 gets released first.
|
||||
# arm32 relies on self-building, so the same version can be built immediately.
|
||||
# arm64 users need to wait for a prebuilt image to become available.
|
||||
matrix_synapse_version: v1.34.0
|
||||
matrix_synapse_version_arm64: v1.34.0
|
||||
matrix_synapse_version: v1.35.1
|
||||
matrix_synapse_version_arm64: v1.35.1
|
||||
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
|
||||
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
|
||||
|
||||
@ -497,6 +497,8 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
|
||||
matrix_synapse_ext_password_provider_ldap_bind_dn: ""
|
||||
matrix_synapse_ext_password_provider_ldap_bind_password: ""
|
||||
matrix_synapse_ext_password_provider_ldap_filter: ""
|
||||
matrix_synapse_ext_password_provider_ldap_active_directory: false
|
||||
matrix_synapse_ext_password_provider_ldap_default_domain: ""
|
||||
|
||||
# Enable this to activate the Synapse Antispam spam-checker module.
|
||||
# See: https://github.com/t2bot/synapse-simple-antispam
|
||||
@ -505,6 +507,27 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "htt
|
||||
matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5"
|
||||
matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: []
|
||||
|
||||
# Enable this to activate the Mjolnir Antispam spam-checker module.
|
||||
# See: https://github.com/matrix-org/mjolnir#synapse-module
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir"
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "70f353fbbad0af469b1001080dea194d512b2815"
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true
|
||||
# Flag messages sent by servers/users in the ban lists as spam. Currently
|
||||
# this means that spammy messages will appear as empty to users. Default
|
||||
# false.
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false
|
||||
# Remove users from the user directory search by filtering matrix IDs and
|
||||
# display names by the entries in the user ban list. Default false.
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false
|
||||
# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
|
||||
# this list cannot be room aliases or permalinks. This server is expected
|
||||
# to already be joined to the room - Mjolnir will not automatically join
|
||||
# these rooms.
|
||||
# ["!roomid:example.org"]
|
||||
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []
|
||||
|
||||
|
||||
matrix_s3_media_store_enabled: false
|
||||
matrix_s3_media_store_custom_endpoint_enabled: false
|
||||
matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
|
||||
|
@ -0,0 +1,7 @@
|
||||
---
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml"
|
||||
when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml"
|
||||
when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool"
|
@ -0,0 +1,52 @@
|
||||
---
|
||||
|
||||
- name: Ensure git installed (RedHat)
|
||||
yum:
|
||||
name:
|
||||
- git
|
||||
state: present
|
||||
update_cache: no
|
||||
when: "ansible_os_family == 'RedHat'"
|
||||
|
||||
- name: Ensure git installed (Debian)
|
||||
apt:
|
||||
name:
|
||||
- git
|
||||
state: present
|
||||
update_cache: no
|
||||
when: "ansible_os_family == 'Debian'"
|
||||
|
||||
- name: Ensure git installed (Archlinux)
|
||||
pacman:
|
||||
name:
|
||||
- git
|
||||
state: present
|
||||
update_cache: no
|
||||
when: "ansible_distribution == 'Archlinux'"
|
||||
|
||||
- name: Clone mjolnir-antispam git repository
|
||||
git:
|
||||
repo: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url }}"
|
||||
version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}"
|
||||
dest: "{{ matrix_synapse_ext_path }}/mjolnir"
|
||||
become: true
|
||||
become_user: "{{ matrix_user_username }}"
|
||||
|
||||
- set_fact:
|
||||
matrix_synapse_spam_checker: >
|
||||
{{ matrix_synapse_spam_checker }}
|
||||
+
|
||||
[{
|
||||
"module": "mjolnir.AntiSpam",
|
||||
"config": {
|
||||
"block_invites": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites }},
|
||||
"block_messages": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages }},
|
||||
"block_usernames": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames }},
|
||||
"ban_lists": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }}
|
||||
}
|
||||
}]
|
||||
|
||||
matrix_synapse_container_extra_arguments: >
|
||||
{{ matrix_synapse_container_extra_arguments|default([]) }}
|
||||
+
|
||||
["--mount type=bind,src={{ matrix_synapse_ext_path }}/mjolnir/synapse_antispam/mjolnir,dst={{ matrix_synapse_in_container_python_packages_path }}/mjolnir,ro"]
|
@ -0,0 +1,6 @@
|
||||
---
|
||||
|
||||
- name: Ensure mjolnir-antispam doesn't exist
|
||||
file:
|
||||
path: "{{ matrix_synapse_ext_path }}/mjolnir"
|
||||
state: absent
|
@ -7,3 +7,5 @@
|
||||
- import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml"
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml"
|
||||
|
||||
- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml"
|
||||
|
@ -1,3 +1,10 @@
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||
- name: Fail if trying to self-build on Ansible < 2.8
|
||||
fail:
|
||||
msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled"
|
||||
|
||||
# Unless `matrix_synapse_workers_enabled_list` is explicitly defined,
|
||||
# we'll generate it dynamically.
|
||||
- import_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml"
|
||||
@ -17,10 +24,3 @@
|
||||
- set_fact:
|
||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}"
|
||||
when: matrix_s3_media_store_enabled|bool
|
||||
|
||||
# ansible lower than 2.8, does not support docker_image build parameters
|
||||
# for self buildig it is explicitly needed, so we rather fail here
|
||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
||||
fail:
|
||||
msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build"
|
||||
|
@ -10,7 +10,7 @@
|
||||
|
||||
- name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided
|
||||
set_fact:
|
||||
matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 180
|
||||
matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 300
|
||||
when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''"
|
||||
|
||||
- name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided
|
||||
|
@ -106,4 +106,4 @@
|
||||
template:
|
||||
src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2"
|
||||
dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user"
|
||||
mode: 0750
|
||||
mode: 0755
|
||||
|
@ -705,33 +705,6 @@ acme:
|
||||
#
|
||||
#account_key_file: /data/acme_account.key
|
||||
|
||||
# List of allowed TLS fingerprints for this server to publish along
|
||||
# with the signing keys for this server. Other matrix servers that
|
||||
# make HTTPS requests to this server will check that the TLS
|
||||
# certificates returned by this server match one of the fingerprints.
|
||||
#
|
||||
# Synapse automatically adds the fingerprint of its own certificate
|
||||
# to the list. So if federation traffic is handled directly by synapse
|
||||
# then no modification to the list is required.
|
||||
#
|
||||
# If synapse is run behind a load balancer that handles the TLS then it
|
||||
# will be necessary to add the fingerprints of the certificates used by
|
||||
# the loadbalancers to this list if they are different to the one
|
||||
# synapse is using.
|
||||
#
|
||||
# Homeservers are permitted to cache the list of TLS fingerprints
|
||||
# returned in the key responses up to the "valid_until_ts" returned in
|
||||
# key. It may be necessary to publish the fingerprints of a new
|
||||
# certificate and wait until the "valid_until_ts" of the previous key
|
||||
# responses have passed before deploying it.
|
||||
#
|
||||
# You can calculate a fingerprint from a given TLS listener via:
|
||||
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
|
||||
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
|
||||
# or by checking matrix.org/federationtester/api/report?server_name=$host
|
||||
#
|
||||
#tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
|
||||
|
||||
|
||||
## Federation ##
|
||||
|
||||
@ -2596,6 +2569,8 @@ password_providers:
|
||||
uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }}
|
||||
start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }}
|
||||
base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }}
|
||||
active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }}
|
||||
default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }}
|
||||
attributes:
|
||||
uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }}
|
||||
mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }}
|
||||
@ -2902,7 +2877,8 @@ opentracing:
|
||||
#enabled: true
|
||||
|
||||
# The list of homeservers we wish to send and receive span contexts and span baggage.
|
||||
# See docs/opentracing.rst
|
||||
# See docs/opentracing.rst.
|
||||
#
|
||||
# This is a list of regexes which are matched against the server_name of the
|
||||
# homeserver.
|
||||
#
|
||||
@ -2911,19 +2887,26 @@ opentracing:
|
||||
#homeserver_whitelist:
|
||||
# - ".*"
|
||||
|
||||
# A list of the matrix IDs of users whose requests will always be traced,
|
||||
# even if the tracing system would otherwise drop the traces due to
|
||||
# probabilistic sampling.
|
||||
#
|
||||
# By default, the list is empty.
|
||||
#
|
||||
#force_tracing_for_users:
|
||||
# - "@user1:server_name"
|
||||
# - "@user2:server_name"
|
||||
|
||||
# Jaeger can be configured to sample traces at different rates.
|
||||
# All configuration options provided by Jaeger can be set here.
|
||||
# Jaeger's configuration mostly related to trace sampling which
|
||||
# Jaeger's configuration is mostly related to trace sampling which
|
||||
# is documented here:
|
||||
# https://www.jaegertracing.io/docs/1.13/sampling/.
|
||||
# https://www.jaegertracing.io/docs/latest/sampling/.
|
||||
#
|
||||
#jaeger_config:
|
||||
# sampler:
|
||||
# type: const
|
||||
# param: 1
|
||||
|
||||
# Logging whether spans were started and reported
|
||||
#
|
||||
# logging:
|
||||
# false
|
||||
|
||||
@ -2993,4 +2976,20 @@ redis:
|
||||
#
|
||||
password: {{ matrix_synapse_redis_password }}
|
||||
|
||||
|
||||
# Enable experimental features in Synapse.
|
||||
#
|
||||
# Experimental features might break or be removed without a deprecation
|
||||
# period.
|
||||
#
|
||||
experimental_features:
|
||||
# Support for Spaces (MSC1772), it enables the following:
|
||||
#
|
||||
# * The Spaces Summary API (MSC2946).
|
||||
# * Restricting room membership based on space membership (MSC3083).
|
||||
#
|
||||
# Uncomment to disable support for Spaces.
|
||||
#spaces_enabled: false
|
||||
|
||||
|
||||
# vim:ft=yaml
|
||||
|
@ -43,6 +43,7 @@
|
||||
- matrix-grafana
|
||||
- matrix-registration
|
||||
- matrix-client-element
|
||||
- matrix-client-hydrogen
|
||||
- matrix-jitsi
|
||||
- matrix-ma1sd
|
||||
- matrix-dimension
|
||||
@ -53,5 +54,5 @@
|
||||
- matrix-coturn
|
||||
- matrix-aux
|
||||
- matrix-postgres-backup
|
||||
- matrix-common-after
|
||||
|
||||
- matrix-prometheus-postgres-exporter
|
||||
- matrix-common-after
|
Loading…
Reference in New Issue
Block a user