0.2.1 revision

Michael
2021-02-28 22:21:40 +08:00
parent 4c882c513b
commit 33ec5710d9
62 changed files with 384 additions and 248 deletions


@ -1,30 +0,0 @@
{
"name": "Configure Website Access Backup",
"description": "Configure base domain website settings and access the services backup.",
"spec": [
{
"question_name": "Customise Base Domain Website",
"question_description": "Set if you want to adjust the base domain website using SFTP.",
"required": true,
"min": null,
"max": null,
"default": "{{ customise_base_domain_website|string|lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "customise_base_domain_website",
"type": "multiplechoice"
},
{
"question_name": "SFTP Password",
"question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as download the latest copy of your services backup. If empty the password won't be updated. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 64,
"default": "{{ sftp_password }}",
"choices": "",
"new_question": true,
"variable": "sftp_password",
"type": "password"
}
]
}


@ -0,0 +1,54 @@
{
"name": "Configure Website Access Backup",
"description": "Configure base domain website settings and access the services backup.",
"spec": [
{
"question_name": "Customise Base Domain Website",
"question_description": "Set if you want to adjust the base domain website using SFTP.",
"required": true,
"min": null,
"max": null,
"default": "{{ customise_base_domain_website | string | lower }}",
"choices": "true\nfalse",
"new_question": true,
"variable": "customise_base_domain_website",
"type": "multiplechoice"
},
{
"question_name": "SFTP Authorisation Method",
"question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
"required": true,
"min": null,
"max": null,
"default": "{{ sftp_auth_method | string }}",
"choices": "Disabled\nPassword\nSSH Key",
"new_question": true,
"variable": "sftp_auth_method",
"type": "multiplechoice"
},
{
"question_name": "SFTP Password",
"question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
"required": false,
"min": 0,
"max": 64,
"default": "{{ sftp_password }}",
"choices": "",
"new_question": true,
"variable": "sftp_password",
"type": "password"
},
{
"question_name": "SFTP Public SSH Key (More Secure)",
"question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
"required": false,
"min": 0,
"max": 16384,
"default": "{{ sftp_public_key }}",
"choices": "",
"new_question": true,
"variable": "sftp_public_key",
"type": "text"
}
]
}
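Review bot: The `default` values for `sftp_password` and `sftp_public_key` are rendered between literal quotes, so a value containing `"` or `\` yields an invalid or altered survey spec. Letting the filter emit the JSON string avoids that: `"default": {{ sftp_password | to_json }},` and likewise for `sftp_public_key`. The password default also means the current secret is written in clear text into whatever file this template is rendered to (presumably the survey.json that the tasks in this commit save on AWX and copy to the target machine); consider `"default": "",` for the password question. The 'SSH Key' description could also state the expected format, a single OpenSSH public key line, since the field is free text of up to 16384 characters.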


@ -20,7 +20,7 @@
- name: Create user account
command: |
/usr/local/bin/matrix-synapse-register-user {{ new_username }} '{{ new_password }}' {{ admin_bool }}
/usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
register: cmd
- name: Result
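Review bot: The password is still passed on the command line of a task that shows no `no_log` in the visible lines, and the result is registered as `cmd` for the following 'Result' task, so the password can end up in the AWX job output. Add `no_log: True` to 'Create user account', as the janitor variant of this task elsewhere in this commit already has, and make sure 'Result' prints only the fields it needs from `cmd`. `{{ admin_bool }}` remains unquoted; `{{ admin_bool | quote }}` would treat all three arguments the same way. The 'Result' task continues outside the hunk.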


@ -21,17 +21,20 @@
with_dict:
'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
when: customise_base_domain_website|bool == true
- name: Record 'Customise Website + Access Backup' variables locally on AWX
- name: Record custom 'Customise Website + Access Export' variables locally on AWX
delegate_to: 127.0.0.1
lineinfile:
path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
regexp: "^#? *{{ item.key | regex_escape() }}:"
line: "{{ item.key }}: {{ item.value }}"
insertafter: '# AWX Settings'
insertafter: '# Custom Settings'
with_dict:
'customise_base_domain_website': '{{ customise_base_domain_website }}'
'sftp_auth_method': '"{{ sftp_auth_method }}"'
'sftp_password': '"{{ sftp_password }}"'
'sftp_public_key': '"{{ sftp_public_key }}"'
- name: Copy new 'matrix_vars.yml' to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
@ -41,17 +44,18 @@
- name: Reload vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Save new 'Customise Website + Access Backup' survey.json to the AWX tower, template
- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
delegate_to: 127.0.0.1
template:
src: './roles/matrix-awx/surveys/configure_website_access_backup.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json'
src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
- name: Copy new 'Customise Website + Access Backup' survey.json to target machine
- name: Copy new 'Customise Website + Access Export' survey.json to target machine
copy:
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json'
dest: '/matrix/awx/configure_website_access_backup.json'
src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
dest: '/matrix/awx/configure_website_access_export.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
@ -61,11 +65,11 @@
register: tower_token
no_log: True
- name: Recreate 'Customise Base Domain Website' job template
- name: Recreate 'Customise Base Domain Export' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
name: "{{ matrix_domain }} - 1 - Configure Website + Access Backup"
description: "Configure base domain website settings and access the services backup."
name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
description: "Configure base domain website settings and access the servers export."
extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
job_type: run
job_tags: "start,setup-nginx-proxy"
@ -74,7 +78,7 @@
playbook: setup.yml
credential: "{{ member_id }} - AWX SSH Key"
survey_enabled: true
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json') }}"
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
become_enabled: yes
state: present
verbosity: 1
@ -82,40 +86,32 @@
tower_oauthtoken: "{{ tower_token.stdout }}"
validate_certs: yes
# Copied over from provision stage
- name: Copy ssh_sftp.service file
copy:
src: './roles/matrix-awx/templates/sftp/ssh_sftp.service'
dest: '/lib/systemd/system/ssh_sftp.service'
mode: 0644
- name: Copy sshd config file
copy:
src: './roles/matrix-awx/templates/sftp/sshd_sftp_config'
dest: '/etc/ssh/sshd_sftp_config'
mode: 0644
- name: Ensure group "sftp" exists
group:
name: sftp
state: present
- name: If user defines sftp_password, enable account / set password on 'stfp' account.
- name: If user doesn't define a sftp_password, create a disabled 'sftp' account
user:
name: sftp
comment: SFTP user to set custom web files
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp/
home: /home/sftp
group: sftp
password: '*'
update_password: always
when: sftp_password|length == 0
- name: If user defines sftp_password, enable account and set password on 'stfp' account
user:
name: sftp
comment: SFTP user to set custom web files and access servers export
shell: /bin/false
home: /home/sftp
group: sftp
password: "{{ sftp_password | password_hash('sha512') }}"
update_password: always
when: (sftp_password is defined) and (sftp_password|length > 0)
# would be safer if it generated the password for you!
- name: Setup SFTP users default root path
shell: sudo usermod -d / sftp
when: sftp_password|length > 0
- name: adding existing user 'sftp' to group matrix
user:
@ -131,7 +127,7 @@
group: root
mode: '1755'
- name: Create the rw /chroot/website directory if it doesn't exist.
- name: Ensure /chroot/website location exists.
file:
path: /chroot/website
state: directory
@ -139,21 +135,96 @@
group: matrix
mode: '0574'
- name: Ensure /chroot/backup/ location exists
- name: Ensure /chroot/export location exists
file:
path: /chroot/backup
path: /chroot/export
state: directory
owner: sftp
group: sftp
mode: '0700'
- name: Enable service ssh_sftp.service
service:
name: ssh_sftp.service
enabled: yes
- name: Ensure /home/sftp/.ssh location exists
file:
path: /home/sftp/.ssh
state: directory
owner: sftp
group: sftp
mode: '0700'
- name: Start service ssh_sftp.service
service:
name: ssh_sftp.service
state: started
- name: Ensure /home/sftp/authorized_keys exists
file:
path: /home/sftp/.ssh/authorized_keys
state: touch
owner: sftp
group: sftp
mode: '0644'
- name: Clear authorized_keys file
shell: echo "" > /home/sftp/.ssh/authorized_keys
- name: Insert public SSH key into authorized_keys file
lineinfile:
path: /home/sftp/.ssh/authorized_keys
line: "{{ sftp_public_key }}"
owner: sftp
group: sftp
mode: '0644'
when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
- name: Alter SSH Subsystem State 1
lineinfile:
path: /etc/ssh/sshd_config
line: "Subsystem sftp /usr/lib/openssh/sftp-server"
state: absent
- name: Alter SSH Subsystem State 2
lineinfile:
path: /etc/ssh/sshd_config
insertafter: "^# override default of no subsystems"
line: "Subsystem sftp internal-sftp"
- name: Add SSH Match User section for disabled auth
blockinfile:
path: /etc/ssh/sshd_config
state: absent
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when: sftp_auth_method == "Disabled"
- name: Add SSH Match User section for password auth
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
when: sftp_auth_method == "Password"
- name: Add SSH Match User section for publickey auth
blockinfile:
path: /etc/ssh/sshd_config
state: present
block: |
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
when: sftp_auth_method == "SSH Key"
- name: Restart service ssh.service
service:
name: ssh.service
state: restarted
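Review bot: The two `user` tasks for the 'sftp' account are gated on `sftp_password | length`, not on `sftp_auth_method`, so choosing 'SSH Key' or 'Disabled' while a password is still stored leaves that password set on the account. In 'SSH Key' mode the Match block does not turn password login off, and in 'Disabled' mode the whole block, `ChrootDirectory` included, is removed, so whether the account can still log in then depends on the global sshd settings, which are not visible here. Gate the password task with `when: sftp_auth_method == "Password" and sftp_password | length > 0`, lock the account in every other case, and add `PasswordAuthentication no` to the publickey block. The removed sshd_sftp_config also carried `ForceCommand internal-sftp`, which neither new Match block restores. Because these tasks now edit the main /etc/ssh/sshd_config before ssh.service is restarted, `validate: '/usr/sbin/sshd -t -f %s'` on the lineinfile and blockinfile tasks would guard against a broken config locking AWX out of the host.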


@ -2,5 +2,5 @@
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
# no_log: True
no_log: True


@ -23,8 +23,8 @@
tags:
- import-awx
# Configure SFTP so user can upload a static website
- import_tasks: "{{ role_path }}/tasks/customise_website_access_backup.yml"
# Configure SFTP so user can upload a static website or access the servers export
- import_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml"
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- setup-nginx-proxy


@ -1,23 +0,0 @@
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_sftp_config $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
Alias=sshd_sftp.service


@ -1,33 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 2222
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp internal-sftp
Match User sftp
ChrootDirectory /chroot
PermitTunnel no
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp


@ -2,8 +2,8 @@
# See: https://github.com/anoadragon453/matrix-reminder-bot
matrix_bot_matrix_reminder_bot_enabled: true
matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:release-v0.2.0"
matrix_bot_matrix_reminder_bot_version: release-v0.2.0
matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"


@ -3,7 +3,8 @@
matrix_appservice_discord_enabled: true
matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:v1.0.0"
matrix_appservice_discord_version: v1.0.0
matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}"
matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}"
matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord"


@ -7,7 +7,8 @@ matrix_appservice_irc_container_self_build: false
matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.23.0"
matrix_appservice_irc_version: release-0.23.0
matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"


@ -7,7 +7,8 @@ matrix_appservice_slack_container_self_build: false
matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git"
matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src"
matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0"
matrix_appservice_slack_version: release-1.5.0
matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}"
matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"
matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"


@ -3,7 +3,8 @@
matrix_appservice_webhooks_enabled: true
matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:latest"
matrix_appservice_webhooks_version: latest
matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
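Review bot: `matrix_appservice_webhooks_version: latest` keeps the image on a mutable tag, and the `force_pull` expression below it is true for any image ending in `:latest`, so the deployed code can presumably change between runs without any change in this repository. Now that the tag is a variable, pin it to a release tag or digest if upstream publishes one, e.g. `matrix_appservice_webhooks_version: "<pinned-release-tag>"`. The same applies to the other `*_version: latest` defaults added in this commit: the mautrix facebook, hangouts, instagram, signal (including the signald daemon) and whatsapp bridges, the mx-puppet bridges, and dimension.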


@ -6,8 +6,9 @@ matrix_mautrix_facebook_enabled: true
matrix_mautrix_facebook_container_image_self_build: false
matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git"
matrix_mautrix_facebook_version: latest
# See: https://mau.dev/tulir/mautrix-facebook/container_registry
matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest"
matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}"
matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"


@ -6,8 +6,9 @@ matrix_mautrix_hangouts_enabled: true
matrix_mautrix_hangouts_container_image_self_build: false
matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/tulir/mautrix-hangouts.git"
matrix_mautrix_hangouts_version: latest
# See: https://mau.dev/tulir/mautrix-hangouts/container_registry
matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:latest"
matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:{{ matrix_mautrix_hangouts_version }}"
matrix_mautrix_hangouts_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_hangouts_container_image_self_build else 'dock.mau.dev/' }}"
matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}"


@ -6,8 +6,9 @@ matrix_mautrix_instagram_enabled: true
matrix_mautrix_instagram_container_image_self_build: false
matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/tulir/mautrix-instagram.git"
matrix_mautrix_instagram_version: latest
# See: https://mau.dev/tulir/mautrix-instagram/container_registry
matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:latest"
matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:{{ matrix_mautrix_instagram_version }}"
matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"
matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}"
@ -16,7 +17,7 @@ matrix_mautrix_instagram_config_path: "{{ matrix_mautrix_instagram_base_path }}/
matrix_mautrix_instagram_data_path: "{{ matrix_mautrix_instagram_base_path }}/data"
matrix_mautrix_instagram_docker_src_files_path: "{{ matrix_mautrix_instagram_base_path }}/docker-src"
matrix_mautrix_instagram_homeserver_address: 'http://matrix-synapse:8008'
matrix_mautrix_instagram_homeserver_address: "{{ matrix_homeserver_container_url }}"
matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330'
@ -34,7 +35,7 @@ matrix_mautrix_instagram_homeserver_token: ''
# Database-related configuration fields.
#
#
# To use Postgres:
# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables
matrix_mautrix_instagram_database_engine: 'postgres'


@ -3,11 +3,13 @@
matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_version: latest
matrix_mautrix_signal_daemon_version: latest
# See: https://mau.dev/tulir/mautrix-signal/container_registry
matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest"
matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:{{ matrix_mautrix_signal_version }}"
matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}"
matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest"
matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}"
matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}"
matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"


@ -7,8 +7,9 @@ matrix_mautrix_telegram_container_self_build: false
matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git"
matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
matrix_mautrix_telegram_version: v0.9.0
# See: https://mau.dev/tulir/mautrix-telegram/container_registry
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0"
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:{{ matrix_mautrix_telegram_version }}"
matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"


@ -3,15 +3,16 @@
matrix_mautrix_whatsapp_enabled: true
matrix_mautrix_whatsapp_version: latest
# See: https://mau.dev/tulir/mautrix-whatsapp/container_registry
matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:latest"
matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:{{ matrix_mautrix_whatsapp_version }}"
matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}"
matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"
matrix_mautrix_whatsapp_config_path: "{{ matrix_mautrix_whatsapp_base_path }}/config"
matrix_mautrix_whatsapp_data_path: "{{ matrix_mautrix_whatsapp_base_path }}/data"
matrix_mautrix_whatsapp_homeserver_address: "http://matrix-synapse:8008"
matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_homeserver_container_url }}"
matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}"
matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080"


@ -11,7 +11,8 @@ matrix_mx_puppet_discord_container_image_self_build_repo: "https://github.com/ma
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
matrix_mx_puppet_discord_container_http_host_bind_port: ''
matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:latest"
matrix_mx_puppet_discord_version: latest
matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}"
matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}"


@ -11,7 +11,8 @@ matrix_mx_puppet_groupme_container_image_self_build_repo: "https://gitlab.com/ro
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8437"), or empty string to not expose.
matrix_mx_puppet_groupme_container_http_host_bind_port: ''
matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:latest"
matrix_mx_puppet_groupme_version: latest
matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:{{ matrix_mx_puppet_groupme_version }}"
matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}"
@ -22,7 +23,7 @@ matrix_mx_puppet_groupme_docker_src_files_path: "{{ matrix_mx_puppet_groupme_bas
matrix_mx_puppet_groupme_appservice_port: "8437"
matrix_mx_puppet_groupme_homeserver_address: 'http://matrix-synapse:8008'
matrix_mx_puppet_groupme_homeserver_address: "{{ matrix_homeserver_container_url }}"
matrix_mx_puppet_groupme_homeserver_domain: '{{ matrix_domain }}'
matrix_mx_puppet_groupme_appservice_address: 'http://matrix-mx-puppet-groupme:{{ matrix_mx_puppet_groupme_appservice_port }}'


@ -6,7 +6,8 @@ matrix_mx_puppet_instagram_enabled: true
matrix_mx_puppet_instagram_container_image_self_build: false
matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-instagram.git"
matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:latest"
matrix_mx_puppet_instagram_version: latest
matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}"
matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}"


@ -6,7 +6,8 @@ matrix_mx_puppet_skype_enabled: true
matrix_mx_puppet_skype_container_image_self_build: false
matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-skype.git"
matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:latest"
matrix_mx_puppet_skype_version: latest
matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:{{ matrix_mx_puppet_skype_version }}"
matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}"


@ -11,7 +11,8 @@ matrix_mx_puppet_slack_container_image_self_build_repo: "https://github.com/Soru
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
matrix_mx_puppet_slack_container_http_host_bind_port: ''
matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:latest"
matrix_mx_puppet_slack_version: latest
matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}"
matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}"


@ -11,7 +11,8 @@ matrix_mx_puppet_steam_container_image_self_build_repo: "https://github.com/icew
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
matrix_mx_puppet_steam_container_http_host_bind_port: ''
matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:latest"
matrix_mx_puppet_steam_version: latest
matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}"
matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}"


@ -11,7 +11,8 @@ matrix_mx_puppet_twitter_container_image_self_build_repo: "https://github.com/So
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
matrix_mx_puppet_twitter_container_http_host_bind_port: ''
matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:latest"
matrix_mx_puppet_twitter_version: latest
matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}"
matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else 'docker.io/' }}"
matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}"


@ -3,7 +3,8 @@
matrix_sms_bridge_enabled: true
matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.5"
matrix_sms_bridge_version: 0.5.5
matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}"
matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge"
matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config"


@ -3,7 +3,8 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
matrix_client_element_version: v1.7.21
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"


@ -2,7 +2,7 @@
- name: Create user account
command: |
/usr/local/bin/matrix-synapse-register-user janitor '{{ matrix_awx_janitor_user_password }}' 1
/usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1
register: cmd
when: not matrix_awx_janitor_user_created|bool
no_log: True


@ -22,9 +22,10 @@ matrix_corporal_container_extra_arguments: []
# List of systemd services that matrix-corporal.service depends on
matrix_corporal_systemd_required_services_list: ['docker.service']
matrix_corporal_version: 2.1.0
matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
matrix_corporal_docker_image_tag: "2.1.0"
matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility
matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"


@ -3,7 +3,8 @@ matrix_coturn_enabled: true
matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2"
matrix_coturn_version: 4.5.2
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}"
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"


@ -3,8 +3,8 @@ Description=Reloads matrix-coturn periodically so that new SSL certificates can
[Timer]
Unit=matrix-coturn-reload.service
OnCalendar=Sunday *-*-* 13:00:00
RandomizedDelaySec=3h
OnCalendar=*-*-* 06:30:00
RandomizedDelaySec=1h
[Install]
WantedBy=timers.target


@ -12,7 +12,8 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false
matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension"
matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:latest"
matrix_dimension_version: latest
matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:{{ matrix_dimension_version }}"
matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}"
# List of systemd services that matrix-dimension.service depends on.
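Review bot: `matrix_dimension_version: latest` keeps the image on a floating tag, so `matrix_dimension_docker_image_force_pull` evaluates to true and every run deploys whatever the registry currently serves under that name. Now that the tag is a variable, the default could be a fixed release tag or an image digest, so that an upstream change or a replaced tag is only deployed through a reviewed bump. If `latest` has to stay, a comment above the variable stating the reason would tell operators that this one image is intentionally unpinned.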


@ -4,8 +4,10 @@ matrix_dynamic_dns_enabled: true
# The dynamic dns daemon interval
matrix_dynamic_dns_daemon_interval: '300'
matrix_dynamic_dns_version: v3.9.1-ls45
# The docker container to use when in mode
matrix_dynamic_dns_docker_image: '{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:v3.9.1-ls45'
matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else 'docker.io/' }}"


@ -3,7 +3,8 @@ matrix_email2matrix_enabled: true
matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix"
matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config"
matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:1.0.1"
matrix_email2matrix_version: 1.0.1
matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:{{ matrix_email2matrix_version }}"
matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}"
# A list of extra arguments to pass to the container


@ -2,7 +2,8 @@ matrix_etherpad_enabled: false
matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:1.8.7"
matrix_etherpad_version: 1.8.7
matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}"
matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}"
# List of systemd services that matrix-etherpad.service depends on.
@ -22,12 +23,7 @@ matrix_etherpad_user_gid: '5001'
matrix_etherpad_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
#
# We assume that a reverse proxy is used and tell the container to trust it
# Details: https://github.com/ether/etherpad-lite/blob/develop/doc/docker.md
matrix_etherpad_container_extra_arguments: [
'--env TRUST_PROXY=true'
]
matrix_etherpad_container_extra_arguments: []
matrix_etherpad_public_endpoint: '/etherpad'
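Review bot: The second hunk resets `matrix_etherpad_container_extra_arguments` to `[]`, which drops `--env TRUST_PROXY=true` together with the comment that explained it. Nothing in this section shows the setting being applied another way, so unless it moved elsewhere in the commit, Etherpad behind the reverse proxy would presumably attribute every request to the proxy's address, which affects logging and any per-address limits. Either keep the argument in the default list or leave a pointer where it now lives, e.g. `# TRUST_PROXY is now set in <file that configures it>`.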


@ -3,7 +3,8 @@
matrix_grafana_enabled: false
matrix_grafana_docker_image: "docker.io/grafana/grafana:7.4.0"
matrix_grafana_version: 7.4.0
matrix_grafana_docker_image: "docker.io/grafana/grafana:{{ matrix_grafana_version }}"
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
# Not conditional, because when someone disables metrics


@ -28,7 +28,7 @@
- "{{ matrix_grafana_config_path }}/dashboards"
- "{{ matrix_grafana_data_path }}"
when: matrix_grafana_enabled|bool
- name: Ensure grafana.ini present
template:
src: "{{ role_path }}/templates/grafana.ini.j2"
@ -37,7 +37,7 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_grafana_enabled|bool
- name: Ensure provisioning/datasources/default.yaml present
template:
src: "{{ role_path }}/templates/datasources.yaml.j2"
@ -46,7 +46,7 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_grafana_enabled|bool
- name: Ensure provisioning/dashboards/default.yaml present
template:
src: "{{ role_path }}/templates/dashboards.yaml.j2"
@ -55,7 +55,7 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_grafana_enabled|bool
- name: Ensure dashboard(s) downloaded
get_url:
url: "{{ item }}"
@ -108,8 +108,3 @@
daemon_reload: yes
when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists"
- name: Ensure matrix-grafana Docker image doesn't exist
docker_image:
name: "{{ matrix_grafana_docker_image }}"
state: absent
when: "not matrix_grafana_enabled|bool"


@ -52,7 +52,8 @@ matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_enable_lobby: false
matrix_jitsi_container_image_tag: "stable-5142"
matrix_jitsi_version: stable-5142
matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"


@ -7,7 +7,8 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1"
matrix_mailer_version: 4.93-r1
matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}"
matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"
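Review bot: `matrix_mailer_container_image_self_build_version` in the context lines still derives the version with `matrix_mailer_docker_image.split(':')[1]`, although this hunk introduces `matrix_mailer_version` holding exactly that value. The split picks the wrong element as soon as the image prefix contains a colon, for example a registry with a port, and the self-build would then check out an unintended ref. Using the new variable directly removes the parsing: `matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_version }}"`.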


@ -1,13 +1,15 @@
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_version: 1.19.6-alpine
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine"
matrix_nginx_proxy_docker_image: "docker.io/nginx:{{ matrix_nginx_proxy_version }}"
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
matrix_nginx_proxy_data_path_in_container: "/nginx-data"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
# List of systemd services that matrix-nginx-proxy.service depends on
@ -110,6 +112,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
# Controls whether proxying the matrix domain should be done.
matrix_nginx_proxy_proxy_matrix_enabled: false
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
# The port name used for federation in the nginx configuration.
# This is not necessarily the port that it's actually on,
# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.
matrix_nginx_proxy_proxy_matrix_federation_port: 8448
# Controls whether proxying the dimension domain should be done.
matrix_nginx_proxy_proxy_dimension_enabled: false


@ -11,7 +11,6 @@
- "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
- "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
- "/etc/cron.d/matrix-ssl-lets-encrypt"
- "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
#
# Tasks related to setting up Let's Encrypt's management of certificates


@ -199,10 +199,10 @@ server {
#}
server {
{% if matrix_nginx_proxy_https_enabled %}
listen 8448 ssl http2;
listen [::]:8448 ssl http2;
listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
{% else %}
listen 8448;
listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }};
{% endif %}
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};


@ -30,15 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
-p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %}
-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \
-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \
{% endif %}
--mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
{% if matrix_awx_enabled|bool == false or matrix_nginx_proxy_base_domain_homepage_enabled %}
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \
{% endif %}
{% if matrix_awx_enabled and matrix_nginx_proxy_base_domain_homepage_enabled|bool == false %}
--mount type=bind,src=/chroot/website,dst=/nginx-data/matrix-domain,ro \
{% endif %}
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \
--mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \
{% if matrix_ssl_retrieval_method != 'none' %}
--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \


@ -3,8 +3,8 @@ Description=Renews Let's Encrypt SSL certificates periodically
[Timer]
Unit=matrix-ssl-lets-encrypt-certificates-renew.service
OnCalendar=Sunday *-*-* 05:00:00
RandomizedDelaySec=3h
OnCalendar=*-*-* 04:00:00
RandomizedDelaySec=2h
[Install]
WantedBy=timers.target
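Review bot: Certificate renewal and the service reloads are ordered only by wall-clock time, and nothing in this unit records that dependency. With `OnCalendar=*-*-* 04:00:00` and `RandomizedDelaySec=2h` the renewal starts between 04:00 and 06:00, while the `matrix-coturn-reload` and `matrix-ssl-nginx-proxy-reload` timers changed in this commit fire from 06:30, so the gap can be as small as 30 minutes. A comment in the `[Timer]` section such as `# Must complete before the 06:30 reload timers (matrix-coturn-reload, matrix-ssl-nginx-proxy-reload)` would keep a later schedule edit from leaving services on a stale certificate for another day.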


@ -3,8 +3,8 @@ Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates
[Timer]
Unit=matrix-ssl-nginx-proxy-reload.service
OnCalendar=Sunday *-*-* 13:00:00
RandomizedDelaySec=3h
OnCalendar=*-*-* 06:30:00
RandomizedDelaySec=1h
[Install]
WantedBy=timers.target


@ -3,7 +3,8 @@
matrix_prometheus_node_exporter_enabled: false
matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:v1.1.0"
matrix_prometheus_node_exporter_version: v1.1.0
matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}"
matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}"
# A list of extra arguments to pass to the container


@ -52,9 +52,3 @@
service:
daemon_reload: yes
when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists"
- name: Ensure matrix-prometheus-node-exporter Docker image doesn't exist
docker_image:
name: "{{ matrix_prometheus_node_exporter_docker_image }}"
state: absent
when: "not matrix_prometheus_node_exporter_enabled|bool"


@ -3,7 +3,8 @@
matrix_prometheus_enabled: false
matrix_prometheus_docker_image: "docker.io/prom/prometheus:v2.24.1"
matrix_prometheus_version: v2.24.1
matrix_prometheus_docker_image: "docker.io/prom/prometheus:{{ matrix_prometheus_version }}"
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus"


@ -23,9 +23,3 @@
service:
daemon_reload: yes
when: "matrix_prometheus_service_stat.stat.exists|bool"
- name: Ensure matrix-prometheus Docker image doesn't exist
docker_image:
name: "{{ matrix_prometheus_docker_image }}"
state: absent
when: "not matrix_prometheus_enabled|bool"


@ -5,7 +5,8 @@ matrix_redis_connection_password: ""
matrix_redis_base_path: "{{ matrix_base_data_path }}/redis"
matrix_redis_data_path: "{{ matrix_redis_base_path }}/data"
matrix_redis_docker_image_v6: "docker.io/redis:6.0.10-alpine"
matrix_redis_version: 6.0.10-alpine
matrix_redis_docker_image_v6: "docker.io/redis:{{ matrix_redis_version }}"
matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}"
matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}'


@ -8,7 +8,8 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.7.0"
matrix_synapse_admin_version: 0.7.0
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"


@ -15,7 +15,9 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture in ['arm32', 'amd64'] else 'v1.26.0' }}"
matrix_synapse_version: v1.28.0
matrix_synapse_version_arm64: v1.28.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"


@ -141,6 +141,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
# - '100.64.0.0/10'
# - '192.0.0.0/24'
# - '169.254.0.0/16'
# - '192.88.99.0/24'
# - '198.18.0.0/15'
# - '192.0.2.0/24'
# - '198.51.100.0/24'
@ -149,6 +150,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
# - '::1/128'
# - 'fe80::/10'
# - 'fc00::/7'
# - '2001:db8::/32'
# - 'ff00::/8'
# - 'fec0::/10'
# List of IP address CIDR ranges that should be allowed for federation,
# identity servers, push servers, and for checking key validity for
@ -993,6 +997,7 @@ url_preview_ip_range_blacklist:
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
@ -1001,6 +1006,9 @@ url_preview_ip_range_blacklist:
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
@ -1327,6 +1335,8 @@ account_threepid_delegates:
# By default, any room aliases included in this list will be created
# as a publicly joinable room when the first user registers for the
# homeserver. This behaviour can be customised with the settings below.
# If the room already exists, make certain it is a publicly joinable
# room. The join rule of the room must be set to 'public'.
#
#auto_join_rooms:
# - "#example:example.com"
@ -1869,9 +1879,9 @@ oidc_providers:
# user_mapping_provider:
# config:
# subject_claim: "id"
# localpart_template: "{ user.login }"
# display_name_template: "{ user.name }"
# email_template: "{ user.email }"
# localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
# display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
# email_template: "{% raw %}{{ user.email }}{% endraw %}"
# For use with Keycloak
#
@ -1898,8 +1908,8 @@ oidc_providers:
# user_mapping_provider:
# config:
# subject_claim: "id"
# localpart_template: "{ user.login }"
# display_name_template: "{ user.name }"
# localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
# display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
# Enable Central Authentication Service (CAS) for registration and login.
@ -2227,11 +2237,11 @@ password_config:
#require_uppercase: true
ui_auth:
# The number of milliseconds to allow a user-interactive authentication
# session to be active.
# The amount of time to allow a user-interactive authentication session
# to be active.
#
# This defaults to 0, meaning the user is queried for their credentials
# before every action, but this can be overridden to alow a single
# before every action, but this can be overridden to allow a single
# validation to be re-used. This weakens the protections afforded by
# the user-interactive authentication process, by allowing for multiple
# (and potentially different) operations to use the same validation session.
@ -2239,7 +2249,7 @@ ui_auth:
# Uncomment below to allow for credential validation to last for 15
# seconds.
#
#session_timeout: 15000
#session_timeout: "15s"
{% if matrix_synapse_email_enabled %}
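Review bot: The active `url_preview_ip_range_blacklist` entries in the third and fourth hunks are literal lines in the template, so the protection against URL previews reaching internal addresses only gains ranges when someone re-syncs the file by hand, as this commit does for `192.88.99.0/24`, `2001:db8::/32`, `ff00::/8` and `fec0::/10`. If the role does not already expose the list as a variable, rendering it from one with `|to_json`, as the template already does for `default_room_version`, would let operators extend it without editing the template. A one-line comment above the list naming the upstream sample-config version it was copied from would also make drift visible at the next Synapse bump.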


@ -22,6 +22,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--network={{ matrix_docker_network }} \
{% if matrix_synapse_worker_details.port != 0 %}
--health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \
{% else %}
--no-healthcheck \
{% endif %}
{% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %}
{% if matrix_synapse_worker_details.port != 0 %}
-p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.port }}:{{ matrix_synapse_worker_details.port }} \


@ -107,7 +107,8 @@ matrix_synapse_workers_generic_worker_endpoints:
# Ensure that all SSO logins go to a single process.
# For multiple workers not handling the SSO endpoints properly, see
# [#7530](https://github.com/matrix-org/synapse/issues/7530).
# [#7530](https://github.com/matrix-org/synapse/issues/7530) and
# [#9427](https://github.com/matrix-org/synapse/issues/9427).
# Note that a HTTP listener with `client` and `federation` resources must be
# configured in the `worker_listeners` option in the worker config.
@ -203,7 +204,15 @@ matrix_synapse_workers_generic_worker_endpoints:
# REST endpoints itself, but you should set `start_pushers: False` in the
# shared configuration file to stop the main synapse sending push notifications.
# Note this worker cannot be load-balanced: only one instance should be active.
# To run multiple instances at once the `pusher_instances` option should list all
# pusher instances by their worker name, e.g.:
# ```yaml
# pusher_instances:
# - pusher_worker1
# - pusher_worker2
# ```
# ]
# appservice worker (no API endpoints) [