Add various polish to Conduwuit

https://github.com/Virkkunen and I have been working on the same feature
simultaneously.

This patch adds my additional independent work on top of his changes.

Notable changes here compared to Virkkunen's original work:

- renaming config-related variables (`matrix_conduwuit_*` ->
  `matrix_conduwuit_config_*`). This is consistent with other roles (and
  better), but deviates from how the Conduit role was implemented.

- using a full configuration sample from https://conduwuit.puppyirl.gay/configuration.html
  instead of using the old Conduit config file template

- introducing configurability for more Conduwuit config settings, to support easy registration, etc.

- removing configuration settings that Conduwuit does not support
  anymore (e.g. `max_concurrent_requests`)

- cross-linking docs pages for Conduit and Conduwuit

- a Conduwuit docs page which is much improved compared to the old
  Conduit one

- REAMDE updates

roles/custom/matrix-conduwuit/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-# Conduwuit is a fork of Conduit, powered by Matrix
+# conduwuit is a very cool, featureful fork of conduit (https://gitlab.com/famedly/conduit).
 # Project source code URL: https://github.com/girlbossceo/conduwuit
 # See: https://conduwuit.puppyirl.gay/
 
@@ -7,17 +7,18 @@ matrix_conduwuit_enabled: true
 
 matrix_conduwuit_hostname: ''
 
-matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_name_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}"
+matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_registry_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}"
 matrix_conduwuit_docker_image_name_prefix: "docker.io/"
-# renovate: datasource=docker depName=girlbossceo/conduwuit
-matrix_conduwuit_docker_image_tag: "main"
+# renovate: datasource=docker depName=ghcr.io/girlbossceo/conduwuit
+matrix_conduwuit_docker_image_tag: v0.4.6-8f7ade4c22533a3177bfd8f175e178573ba6c1d4
 matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}"
+matrix_conduwuit_docker_image_registry_prefix: ghcr.io/
 
 matrix_conduwuit_base_path: "{{ matrix_base_data_path }}/conduwuit"
 matrix_conduwuit_config_path: "{{ matrix_conduwuit_base_path }}/config"
 matrix_conduwuit_data_path: "{{ matrix_conduwuit_base_path }}/data"
 
-matrix_conduwuit_port_number: 6167
+matrix_conduwuit_config_port_number: 6167
 
 matrix_conduwuit_tmp_directory_size_mb: 500
 
@@ -88,7 +89,7 @@ matrix_conduwuit_container_labels_internal_client_api_traefik_priority: "{{ matr
 matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: ""
 
 # Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
-matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_allow_federation }}"
+matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_config_allow_federation }}"
 matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
 matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix: /_matrix
 matrix_conduwuit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix }}`)"
@@ -98,6 +99,16 @@ matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: ''
 matrix_conduwuit_container_labels_public_federation_api_traefik_tls: true
 matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 
+# Controls whether labels will be added that expose the `/_conduwuit` path prefix on a public Traefik entrypoint.
+matrix_conduwuit_container_labels_public_conduwuit_api_enabled: true
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix: /_conduwuit
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix }}`)"
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority: 0
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints != 'web' }}"
+matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
 # matrix_conduwuit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -118,25 +129,61 @@ matrix_conduwuit_container_extra_arguments: []
 matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit.toml.j2"
 
 # Max size for uploads, in bytes
-matrix_conduwuit_max_request_size: 20_000_000
+matrix_conduwuit_config_server_name: "{{ matrix_domain }}"
+
+# Max size for uploads, in bytes
+matrix_conduwuit_config_max_request_size: 20_000_000
 
 # Enables registration. If set to false, no users can register on this server.
-matrix_conduwuit_allow_registration: false
+matrix_conduwuit_config_allow_registration: false
 
-matrix_conduwuit_allow_federation: true
+# Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting.
+# This is only used when `matrix_conduwuit_config_allow_registration` is set to true and no registration token is configured.
+matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false
 
-# The display name suffix on registration. Change to '' to disable.
-matrix_conduwuit_new_user_displayname_suffix: ''
+# Controls the `registration_token` setting.
+# When registration is enabled (`matrix_conduwuit_config_allow_registration`) you:
+# - either need to set a token to protect registration from abuse
+# - or you need to enable the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting
+#   (see `matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`),
+#   to allow registration without any form of 2nd-step.
+matrix_conduwuit_config_registration_token: ''
+
+# Controls the `new_user_displayname_suffix` setting.
+# This is the suffix that will be added to the displayname of new users.
+# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix.
+matrix_conduwuit_config_new_user_displayname_suffix: ""
+
+# Controls the `allow_check_for_updates` setting.
+matrix_conduwuit_config_allow_check_for_updates: false
+
+# Controls the `emergency_password` setting.
+matrix_conduwuit_config_emergency_password: ''
+
+# Controls the `allow_federation` setting.
+matrix_conduwuit_config_allow_federation: true
 
 matrix_conduwuit_trusted_servers:
  - "matrix.org"
 
-# How many requests conduwuit sends to other servers at the same time
-matrix_conduwuit_max_concurrent_requests: 100
+matrix_conduwuit_config_log: "info,state_res=warn,rocket=off,_=off,sled=off"
 
 # TURN integration.
-# See: https://gitlab.com/famedly/conduwuit/-/blob/next/TURN.md
-matrix_conduwuit_turn_uris: []
-matrix_conduwuit_turn_secret: ''
-matrix_conduwuit_turn_username: ''
-matrix_conduwuit_turn_password: ''
+# See: https://conduwuit.puppyirl.gay/turn.html
+matrix_conduwuit_config_turn_uris: []
+matrix_conduwuit_config_turn_secret: ''
+matrix_conduwuit_config_turn_username: ''
+matrix_conduwuit_config_turn_password: ''
+
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_conduwuit_self_check_validate_certificates: true
+
+# Additional environment variables to pass to the container.
+#
+# Environment variables take priority over settings in the configuration file.
+#
+# Example:
+# matrix_conduwuit_environment_variables_extension: |
+#   CONDUWUIT_MAX_REQUEST_SIZE=50000000
+#   CONDUWUIT_REQUEST_TIMEOUT=60
+matrix_conduwuit_environment_variables_extension: ''

roles/custom/matrix-conduwuit/tasks/install.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Ensure conduwuit config path exists
+  ansible.builtin.file:
+    path: "{{ matrix_conduwuit_config_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit data path exists
+  ansible.builtin.file:
+    path: "{{ matrix_conduwuit_data_path }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit configuration installed
+  ansible.builtin.template:
+    src: "{{ matrix_conduwuit_template_conduwuit_config }}"
+    dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - labels
+    - env
+
+- name: Ensure conduwuit container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_conduwuit_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure conduwuit container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_conduwuit_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure matrix-conduwuit.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+    mode: 0644

roles/custom/matrix-conduwuit/tasks/main.yml

@@ -10,11 +10,20 @@
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 
     - when: matrix_conduwuit_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
 
 - tags:
     - setup-all
     - setup-conduwuit
   block:
     - when: not matrix_conduwuit_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
+
+- tags:
+    - self-check
+  block:
+    - when: matrix_conduwuit_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
+
+    - when: matrix_conduwuit_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"

roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Check Matrix Client API
+  ansible.builtin.uri:
+    url: "{{ matrix_conduwuit_client_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_conduwuit_self_check_validate_certificates }}"
+  register: result_matrix_conduwuit_client_api
+  ignore_errors: true
+  check_mode: false
+  when: matrix_conduwuit_enabled | bool
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: Fail if Matrix Client API not working
+  ansible.builtin.fail:
+    msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`). Is Conduwuit running? Is port 443 open in your firewall? Full error: {{ result_matrix_conduwuit_client_api }}"
+  when: "matrix_conduwuit_enabled | bool and (result_matrix_conduwuit_client_api.failed or 'json' not in result_matrix_conduwuit_client_api)"
+
+- name: Report working Matrix Client API
+  ansible.builtin.debug:
+    msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`) is working"
+  when: matrix_conduwuit_enabled | bool

roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Check Matrix Federation API
+  ansible.builtin.uri:
+    url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
+  register: result_matrix_synapse_federation_api
+  ignore_errors: true
+  check_mode: false
+  when: matrix_synapse_enabled | bool
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: Fail if Matrix Federation API not working
+  ansible.builtin.fail:
+    msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
+  when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)"
+
+- name: Fail if Matrix Federation API unexpectedly enabled
+  ansible.builtin.fail:
+    msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled."
+  when: "matrix_synapse_enabled | bool and not matrix_synapse_federation_enabled | bool and not result_matrix_synapse_federation_api.failed"
+
+- name: Report working Matrix Federation API
+  ansible.builtin.debug:
+    msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"
+  when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool"

roles/custom/matrix-conduwuit/tasks/uninstall.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Check existence of matrix-conduwuit service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+  register: matrix_conduwuit_service_stat
+
+- when: matrix_conduwuit_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-conduwuit is stopped
+      ansible.builtin.systemd:
+        name: matrix-conduwuit
+        state: stopped
+        daemon_reload: true
+
+    - name: Ensure matrix-conduwuit.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+        state: absent

roles/custom/matrix-conduwuit/templates/env.j2

@@ -0,0 +1 @@
+{{ matrix_conduwuit_environment_variables_extension }}

roles/custom/matrix-conduwuit/templates/labels.j2

@@ -5,7 +5,7 @@ traefik.enable=true
 traefik.docker.network={{ matrix_conduwuit_container_labels_traefik_docker_network }}
 {% endif %}
 
-traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_port_number }}
+traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_config_port_number }}
 
 
 {% if matrix_conduwuit_container_labels_public_client_root_enabled %}
@@ -129,6 +129,37 @@ traefik.http.routers.matrix-conduwuit-public-federation-api.tls.certResolver={{
 {% endif %}
 
 
+
+
+{% if matrix_conduwuit_container_labels_public_conduwuit_api_enabled %}
+############################################################
+#                                                          #
+# Public Conduwuit-API (/_conduwuit)                       #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.rule={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule }}
+
+{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.priority={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.service=matrix-conduwuit
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.entrypoints={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls | to_json }}
+{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls %}
+traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public Conduwuit-API (/_conduwuit)                      #
+#                                                          #
+############################################################
+{% endif %}
+
+
 {% endif %}
 
 {{ matrix_conduwuit_container_labels_additional_labels }}

roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2

@@ -1,6 +1,6 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
-Description=Conduwuit Matrix homeserver
+Description=conduwuit Matrix homeserver
 {% for service in matrix_conduwuit_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
@@ -21,10 +21,10 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduwuit_tmp_directory_size_mb }}m \
 			--network={{ matrix_conduwuit_container_network }} \
-			--env conduwuit_CONFIG=/etc/matrix-conduwuit/conduwuit.toml \
+			--env CONDUWUIT_CONFIG=/etc/conduwuit/conduwuit.toml \
 			--label-file={{ matrix_conduwuit_base_path }}/labels \
-			--mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/matrix-conduwuit \
-			--mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/matrix-conduwuit,ro \
+			--mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/conduwuit \
+			--mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/conduwuit,ro \
 			{% for arg in matrix_conduwuit_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/custom/matrix-conduwuit/vars/main.yml

@@ -1,3 +1,4 @@
 ---
+
 matrix_conduwuit_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}/_matrix/client/versions"
 matrix_conduwuit_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

roles/custom/matrix_playbook_migration/tasks/validate_config.yml

@@ -302,14 +302,6 @@
         - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_enabled', 'new': 'matrix_conduwuit_container_labels_traefik_enabled'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_block_federation_api_on_client_port', 'new': '<not supported anymore - the /_matrix/federation endpoints are now also being served on the Client-Server API port>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_enabled', 'new': 'matrix_conduwuit_container_labels_public_federation_api_enabled'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_with_container', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_sans_container', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_with_container', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_sans_container', 'new': '<removed>'}
-        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_additional_server_configuration_blocks', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_enabled', 'new': 'matrix_dendrite_container_labels_traefik_enabled'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port', 'new': '<not supported anymore - the /_matrix/federation endpoints are now also being served on the Client-Server API port>'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_public_federation_api_enabled'}