Merge branch 'master' into master

This commit is contained in:
sakkiii 2021-04-24 11:46:52 +05:30 committed by GitHub
commit 3564635f0f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
34 changed files with 182 additions and 68 deletions

View File

@ -2,16 +2,37 @@
The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you. The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you.
See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you. See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you.
```yaml ```yaml
matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_enabled: true
``` ```
There are some additional things you may wish to configure about the bridge before you continue.
Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
```yaml
matrix_mautrix_facebook_configuration_extension_yaml: |
bridge:
encryption:
allow: true
default: true
```
If you would like to be able to administrate the bridge from your account it can be configured like this:
```yaml
matrix_mautrix_facebook_configuration_extension_yaml: |
bridge:
permissions:
'@YOUR_USERNAME:YOUR_DOMAIN': admin
```
You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure.
## Set up Double Puppeting ## Set up Double Puppeting
If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-facebook/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
### Method 1: automatically, by enabling Shared Secret Auth ### Method 1: automatically, by enabling Shared Secret Auth
@ -42,9 +63,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login
You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
Send `login YOUR_FACEBOOK_EMAIL_ADDRESS YOUR_FACEBOOK_PASSWORD` to the bridge bot to enable bridging for your Facebook/Messenger account. Send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/facebook/authentication.html).
You can learn more here about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-facebook/wiki/Authentication).
If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.

View File

@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record.
You may also need to open the following ports to your server: You may also need to open the following ports to your server:
- `10000/udp` - RTP media over UDP
- `4443/tcp` - RTP media fallback over TCP - `4443/tcp` - RTP media fallback over TCP
- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
## Installation ## Installation

View File

@ -6,6 +6,8 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix
See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you. See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you.
**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file).
## Adjusting the playbook configuration ## Adjusting the playbook configuration

View File

@ -11,7 +11,7 @@ These services are enabled and used by default, but you can turn them off, if yo
- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional) - [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional)
- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) - [coturn/coturn](https://hub.docker.com/r/coturn/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional) - [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)

View File

@ -297,7 +297,7 @@ matrix_coturn_enabled: false
# hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971). # hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971).
# #
# If your server does not federate with hundreds of others, enabling this doesn't hurt much. # If your server does not federate with hundreds of others, enabling this doesn't hurt much.
matrix_synapse_use_presence: false matrix_synapse_presence_enabled: false
``` ```
You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms: You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms:

View File

@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt
## Make Synapse faster ## Make Synapse faster
Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file. Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file.
Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor.

View File

@ -34,7 +34,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
- `5349/udp`: TURN over UDP (used by Coturn) - `5349/udp`: TURN over UDP (used by Coturn)
- `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port.
- the range `49152-49172/udp`: TURN over UDP - the range `49152-49172/udp`: TURN over UDP
- `4443/tcp`: Jitsi Harvester fallback - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that.
- `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
When ready to proceed, continue with [Configuring DNS](configuring-dns.md). When ready to proceed, continue with [Configuring DNS](configuring-dns.md).

View File

@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false
matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"
# If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side.
matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}" matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}"
matrix_appservice_discord_systemd_required_services_list: | matrix_appservice_discord_systemd_required_services_list: |
{{ {{
@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox
# The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable
# IRC bridge presence, for performance reasons. # IRC bridge presence, for performance reasons.
matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}" matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}"
matrix_appservice_irc_systemd_required_services_list: | matrix_appservice_irc_systemd_required_services_list: |
{{ {{
@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key
matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
# and point them to a migration path. # and point them to a migration path.
@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke
matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
# and point them to a migration path. # and point them to a migration path.
@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}" matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}"
matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati
matrix_client_element_enable_presence_by_hs_url: | matrix_client_element_enable_presence_by_hs_url: |
{{ {{
none none
if matrix_synapse_use_presence if matrix_synapse_presence_enabled
else {matrix_client_element_default_hs_url: false} else {matrix_client_element_default_hs_url: false}
}} }}
@ -1675,11 +1675,6 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}
matrix_prometheus_node_exporter_enabled: false matrix_prometheus_node_exporter_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# Prometheus' HTTP port to the local host.
matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}"
###################################################################### ######################################################################
# #
# /matrix-prometheus-node-exporter # /matrix-prometheus-node-exporter
@ -1706,6 +1701,7 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me
matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"
matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}"
###################################################################### ######################################################################
# #

View File

@ -56,10 +56,10 @@
"required": false, "required": false,
"min": null, "min": null,
"max": null, "max": null,
"default": "{{ matrix_synapse_use_presence | string | lower }}", "default": "{{ matrix_synapse_presence_enabled | string | lower }}",
"choices": "true\nfalse", "choices": "true\nfalse",
"new_question": true, "new_question": true,
"variable": "matrix_synapse_use_presence", "variable": "matrix_synapse_presence_enabled",
"type": "multiplechoice" "type": "multiplechoice"
}, },
{ {

View File

@ -8,6 +8,15 @@
tags: tags:
- always - always
# Renames the variables if needed
- include_tasks:
file: "rename_variables.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Perform a backup of the server # Perform a backup of the server
- include_tasks: - include_tasks:
file: "backup_server.yml" file: "backup_server.yml"

View File

@ -0,0 +1,8 @@
- name: Rename synapse presence variable
delegate_to: 127.0.0.1
replace:
path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
regexp: 'matrix_synapse_use_presence'
replace: 'matrix_synapse_presence_enabled'

View File

@ -21,7 +21,7 @@
'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}' 'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}' 'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}' 'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}' 'matrix_synapse_presence_enabled': '{{ matrix_synapse_presence_enabled }}'
'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}' 'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}' 'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}' 'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'

View File

@ -1,10 +1,10 @@
matrix_coturn_enabled: true matrix_coturn_enabled: true
matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git"
matrix_coturn_version: 4.5.2 matrix_coturn_version: 4.5.2
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

View File

@ -17,6 +17,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \
--log-driver=none \ --log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \ --cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--entrypoint=turnserver \ --entrypoint=turnserver \
--read-only \ --read-only \
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \

View File

@ -3,7 +3,7 @@
matrix_grafana_enabled: false matrix_grafana_enabled: false
matrix_grafana_version: 7.5.2 matrix_grafana_version: 7.5.4
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"

View File

@ -269,6 +269,16 @@ matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
matrix_nginx_proxy_floc_optout_enabled: true
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers # Specifies the SSL configuration that should be used for the SSL protocols and ciphers
# This is based on the Mozilla Server Side TLS Recommended configurations. # This is based on the Mozilla Server Side TLS Recommended configurations.
# #

View File

@ -5,6 +5,11 @@
gzip on; gzip on;
gzip_types text/plain application/json; gzip_types text/plain application/json;
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -3,8 +3,10 @@
{% macro render_vhost_directives() %} {% macro render_vhost_directives() %}
gzip on; gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -3,12 +3,19 @@
{% macro render_vhost_directives() %} {% macro render_vhost_directives() %}
gzip on; gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'"; add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -3,8 +3,13 @@
{% macro render_vhost_directives() %} {% macro render_vhost_directives() %}
gzip on; gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -17,6 +17,10 @@
gzip on; gzip on;
gzip_types text/plain application/json; gzip_types text/plain application/json;
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
location /.well-known/matrix { location /.well-known/matrix {
root {{ matrix_static_files_base_path }}; root {{ matrix_static_files_base_path }};
{# {#

View File

@ -3,13 +3,19 @@
{% macro render_vhost_directives() %} {% macro render_vhost_directives() %}
gzip on; gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# duplicate X-Content-Type-Options & X-Frame-Options header # duplicate X-Content-Type-Options & X-Frame-Options header
# Enabled by grafana by default # Enabled by grafana by default
# add_header X-Content-Type-Options nosniff; # add_header X-Content-Type-Options nosniff;
# add_header X-Frame-Options SAMEORIGIN; # add_header X-Frame-Options SAMEORIGIN;
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
proxy_cookie_path / "/; HTTPOnly; Secure"; proxy_cookie_path / "/; HTTPOnly; Secure";
{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -3,8 +3,13 @@
{% macro render_vhost_directives() %} {% macro render_vhost_directives() %}
gzip on; gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -1,6 +1,10 @@
#jinja2: lstrip_blocks: "True" #jinja2: lstrip_blocks: "True"
{% macro render_vhost_directives() %} {% macro render_vhost_directives() %}
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -3,9 +3,11 @@
{% macro render_vhost_directives() %} {% macro render_vhost_directives() %}
gzip on; gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}

View File

@ -48,6 +48,8 @@ http {
keepalive_timeout 65; keepalive_timeout 65;
server_tokens off;
#gzip on; #gzip on;
{# Map directive needed for proxied WebSocket upgrades #} {# Map directive needed for proxied WebSocket upgrades #}
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {

View File

@ -19,4 +19,16 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: []
# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container).
# #
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose. # Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
#
# Official recommendations are to run this container with `--net=host`,
# but we don't do that, since it:
# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008)
# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`)
#
# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both,
# but that's trickier to accomplish and won't necessarily work (hasn't been tested).
#
# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate),
# because node-exporter can't see all interfaces, etc.
# For now, we'll live with that, until someone develops a better solution.
matrix_prometheus_node_exporter_container_http_host_bind_port: '' matrix_prometheus_node_exporter_container_http_host_bind_port: ''

View File

@ -25,15 +25,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod
{% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %}
{{ arg }} \ {{ arg }} \
{% endfor %} {% endfor %}
--net=host \ --network={{ matrix_docker_network }} \
{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \
{% endif %}
--pid=host \ --pid=host \
--mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \
{{ matrix_prometheus_node_exporter_docker_image }} \ {{ matrix_prometheus_node_exporter_docker_image }} \
{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
--web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \
{% else %}
--web.listen-address=localhost:9100 \
{% endif %}
--path.rootfs=/host --path.rootfs=/host
ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null'

View File

@ -19,24 +19,6 @@
- "{{ matrix_prometheus_config_path }}" - "{{ matrix_prometheus_config_path }}"
- "{{ matrix_prometheus_data_path }}" - "{{ matrix_prometheus_data_path }}"
- block:
# Well, this actually creates the network if it doesn't exist, but..
# The network should have been created by `matrix-base` already.
# We don't rely on that other call and its result, because it runs
# on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`.
- name: Fetch Matrix Docker network details
docker_network:
name: "{{ matrix_docker_network }}"
driver: bridge
register: matrix_docker_network_info
# The `matrix_docker_network_info.ansible_facts.docker_network` workaroudn is for Ansible <= 2.8.
# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907
- set_fact:
matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network|default(matrix_docker_network_info.ansible_facts.docker_network).IPAM.Config[0].Gateway }}:9100"]
when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0"
- name: Download synapse-v2.rules - name: Download synapse-v2.rules
get_url: get_url:
url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}"

View File

@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
matrix_synapse_admin_version: 0.7.0 matrix_synapse_admin_version: 0.7.2
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

View File

@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first. # amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately. # arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available. # arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_version: v1.31.0 matrix_synapse_version: v1.32.2
matrix_synapse_version_arm64: v1.31.0 matrix_synapse_version_arm64: v1.32.2
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
@ -170,7 +170,7 @@ matrix_synapse_report_stats: false
# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users.
# If users participate in large rooms with many other servers, # If users participate in large rooms with many other servers,
# disabling this will decrease server load significantly. # disabling this will decrease server load significantly.
matrix_synapse_use_presence: true matrix_synapse_presence_enabled: true
# Controls whether accessing the server's public rooms directory can be done without authentication. # Controls whether accessing the server's public rooms directory can be done without authentication.
# For private servers, you most likely wish to require authentication, # For private servers, you most likely wish to require authentication,

View File

@ -47,6 +47,7 @@
- {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'} - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
- {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
- {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'} - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
- {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'}
- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
fail: fail:

View File

@ -58,9 +58,28 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/
# #
#soft_file_limit: 0 #soft_file_limit: 0
# Set to false to disable presence tracking on this homeserver. # Presence tracking allows users to see the state (e.g online/offline)
# of other local and remote users.
# #
use_presence: {{ matrix_synapse_use_presence|to_json }} presence:
# Uncomment to disable presence tracking on this homeserver. This option
# replaces the previous top-level 'use_presence' option.
#
enabled: {{ matrix_synapse_presence_enabled|to_json }}
# Presence routers are third-party modules that can specify additional logic
# to where presence updates from users are routed.
#
presence_router:
# The custom module's class. Uncomment to use a custom presence router module.
#
#module: "my_custom_router.PresenceRouter"
# Configuration options of the custom module. Refer to your module's
# documentation for available options.
#
#config:
# example_option: 'something'
# Whether to require authentication to retrieve profile data (avatars, # Whether to require authentication to retrieve profile data (avatars,
# display names) of other users through the client API. Defaults to # display names) of other users through the client API. Defaults to
@ -1252,9 +1271,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json
# #
#allowed_local_3pids: #allowed_local_3pids:
# - medium: email # - medium: email
# pattern: '.*@matrix\.org' # pattern: '^[^@]+@matrix\.org$'
# - medium: email # - medium: email
# pattern: '.*@vector\.im' # pattern: '^[^@]+@vector\.im$'
# - medium: msisdn # - medium: msisdn
# pattern: '\+44' # pattern: '\+44'
{% if matrix_synapse_allowed_local_3pids|length > 0 %} {% if matrix_synapse_allowed_local_3pids|length > 0 %}
@ -1467,14 +1486,31 @@ report_stats: {{ matrix_synapse_report_stats|to_json }}
## API Configuration ## ## API Configuration ##
# A list of event types that will be included in the room_invite_state # Controls for the state that is shared with users who receive an invite
# to a room
# #
#room_invite_state_types: room_prejoin_state:
# - "m.room.join_rules" # By default, the following state event types are shared with users who
# - "m.room.canonical_alias" # receive invites to the room:
# - "m.room.avatar" #
# - "m.room.encryption" # - m.room.join_rules
# - "m.room.name" # - m.room.canonical_alias
# - m.room.avatar
# - m.room.encryption
# - m.room.name
#
# Uncomment the following to disable these defaults (so that only the event
# types listed in 'additional_event_types' are shared). Defaults to 'false'.
#
#disable_default_event_types: true
# Additional state event types to share with users when they are invited
# to a room.
#
# By default, this list is empty (so only the default event types are shared).
#
#additional_event_types:
# - org.example.custom.event.type
# A list of application service config files to use # A list of application service config files to use

View File

@ -6,7 +6,6 @@ matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn
# Tells whether this role had executed or not. Toggled to `true` during runtime. # Tells whether this role had executed or not. Toggled to `true` during runtime.
matrix_synapse_role_executed: false matrix_synapse_role_executed: false
matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}"
matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}" matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}"
# A Synapse generic worker can handle both federation and client-server API endpoints. # A Synapse generic worker can handle both federation and client-server API endpoints.