From 3fb016cd6b06731e889b3d5c8f771cedccc14423 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 5 Jan 2024 06:13:12 +0200
Subject: [PATCH] Put bots and bridges in the same network and remove a few variables

Downsides: decreasing security slightly due to less networking isolation

Benefits:
- decreased complexity
- having a generically-named `matrix-addons` network we may use for other things now (client apps, etc.)
- not exhausting the container networks pool with 2 (or more) networks and using just 1
---
 group_vars/matrix_servers | 74 ++++++++++------------
 roles/custom/matrix-base/defaults/main.yml | 28 +++-----
 2 files changed, 43 insertions(+), 59 deletions(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index b8857376f..ccf39c009 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -189,13 +189,9 @@ matrix_homeserver_app_service_config_files_auto: |
 (['/matrix-cactus-comments.yaml'] if matrix_cactus_comments_enabled else [])
 }}
 
-matrix_bridges_homeserver_container_network: "{{ matrix_homeserver_proxy_container_network if matrix_homeserver_proxy_enabled else matrix_homeserver_container_network }}"
-matrix_bridges_homeserver_client_api_url: "{{ matrix_homeserver_proxy_client_api_url if matrix_homeserver_proxy_enabled else matrix_homeserver_container_url }}"
-matrix_bridges_homeserver_systemd_services_list: "{{ ([matrix_homeserver_proxy_ident + '.service']) if matrix_homeserver_proxy_enabled else matrix_homeserver_systemd_services_list }}"
-
-matrix_bots_homeserver_container_network: "{{ matrix_homeserver_proxy_container_network if matrix_homeserver_proxy_enabled else matrix_homeserver_container_network }}"
-matrix_bots_homeserver_client_api_url: "{{ matrix_homeserver_proxy_client_api_url if matrix_homeserver_proxy_enabled else matrix_homeserver_container_url }}"
-matrix_bots_homeserver_systemd_services_list: "{{ ([matrix_homeserver_proxy_ident + '.service']) if matrix_homeserver_proxy_enabled else matrix_homeserver_systemd_services_list }}"
+matrix_addons_homeserver_container_network: "{{ matrix_homeserver_proxy_container_network if matrix_homeserver_proxy_enabled else matrix_homeserver_container_network }}"
+matrix_addons_homeserver_client_api_url: "{{ matrix_homeserver_proxy_client_api_url if matrix_homeserver_proxy_enabled else matrix_homeserver_container_url }}"
+matrix_addons_homeserver_systemd_services_list: "{{ ([matrix_homeserver_proxy_ident + '.service']) if matrix_homeserver_proxy_enabled else matrix_homeserver_systemd_services_list }}"
 
 # Starting from version `0.6.0` conduit natively supports some sync v3 (sliding-sync) features.
 matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit'] else '') }}"
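Review bot: The `matrix_bridges_homeserver_*` and `matrix_bots_homeserver_*` variables are deleted here (and their defaults in the `roles/custom/matrix-base/defaults/main.yml` hunk) without a deprecation check, so an operator who pinned `matrix_bots_container_network` or `matrix_bridges_homeserver_container_network` in their own vars will have the override silently ignored and the service lands on `matrix-addons` instead. Since the commit message itself records that this reduces network isolation, a silent fallback is the wrong failure mode; a fail-fast guard is cheap. Suggest a task that loops over the removed names and fails when one is still set, e.g. `ansible.builtin.fail: msg: "{{ item }} has been removed; use the matrix_addons_* equivalent"` with `when: item in vars`, or an entry in the playbook's existing variable-migration checks if it keeps such a list.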
@@ -808,12 +804,12 @@ matrix_mautrix_discord_enabled: false
 matrix_mautrix_discord_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
-matrix_mautrix_discord_container_network: "{{ matrix_bridges_container_network }}"
+matrix_mautrix_discord_container_network: "{{ matrix_addons_container_network }}"
 matrix_mautrix_discord_container_additional_networks_auto: |-
 {{
 (
- ([] if matrix_bridges_homeserver_container_network == '' else [matrix_bridges_homeserver_container_network])
+ ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
 +
 ([devture_postgres_container_network] if devture_postgres_enabled and matrix_mautrix_facebook_database_hostname == devture_postgres_connection_hostname else [])
 )
 | unique
@@ -821,14 +817,14 @@ matrix_mautrix_discord_container_additional_networks_auto: |-
 matrix_mautrix_discord_systemd_required_services_list_auto: |
 {{
- matrix_bots_homeserver_systemd_services_list
+ matrix_addons_homeserver_systemd_services_list
 +
 ([devture_postgres_identifier ~ '.service'] if (devture_postgres_enabled and matrix_mautrix_discord_database_hostname == devture_postgres_connection_hostname) else [])
 }}
 matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok', rounds=655555) | to_uuid }}"
-matrix_mautrix_discord_homeserver_address: "{{ matrix_bridges_homeserver_client_api_url }}"
+matrix_mautrix_discord_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}"
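Review bot: The Postgres-network condition in `matrix_mautrix_discord_container_additional_networks_auto` tests `matrix_mautrix_facebook_database_hostname` rather than the Discord bridge's own hostname, while the systemd dependency in the following hunk (`@@ -821`) correctly uses `matrix_mautrix_discord_database_hostname`. Whenever the two bridges are configured differently (one on the playbook's Postgres, the other elsewhere or disabled), the Discord container is attached to, or kept off, the Postgres network based on the wrong service. The rename touches the line directly above it, so the context line is worth fixing in the same change: `([devture_postgres_container_network] if devture_postgres_enabled and matrix_mautrix_discord_database_hostname == devture_postgres_connection_hostname else [])`. The block scalar continues past the end of the first hunk.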
@@ -897,12 +893,12 @@ matrix_mautrix_facebook_enabled: false
 matrix_mautrix_facebook_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
-matrix_mautrix_facebook_container_network: "{{ matrix_bridges_container_network }}"
+matrix_mautrix_facebook_container_network: "{{ matrix_addons_container_network }}"
 matrix_mautrix_facebook_container_additional_networks_auto: |-
 {{
 (
- ([] if matrix_bridges_homeserver_container_network == '' else [matrix_bridges_homeserver_container_network])
+ ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
 +
 ([devture_postgres_container_network] if devture_postgres_enabled and matrix_mautrix_facebook_database_hostname == devture_postgres_connection_hostname else [])
 +
@@ -912,7 +908,7 @@ matrix_mautrix_facebook_container_additional_networks_auto: |-
 matrix_mautrix_facebook_systemd_required_services_list_auto: |
 {{
- matrix_bots_homeserver_systemd_services_list
+ matrix_addons_homeserver_systemd_services_list
 +
 ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_mautrix_facebook_database_hostname == devture_postgres_connection_hostname else [])
 }}
@@ -928,7 +924,7 @@ matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_users: "{
 matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token', rounds=655555) | to_uuid }}"
-matrix_mautrix_facebook_homeserver_address: "{{ matrix_bridges_homeserver_client_api_url }}"
+matrix_mautrix_facebook_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token', rounds=655555) | to_uuid }}"
@@ -1056,12 +1052,12 @@ matrix_mautrix_instagram_enabled: false
 matrix_mautrix_instagram_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
-matrix_mautrix_instagram_container_network: "{{ matrix_bridges_container_network }}"
+matrix_mautrix_instagram_container_network: "{{ matrix_addons_container_network }}"
 matrix_mautrix_instagram_container_additional_networks_auto: |-
 {{
 (
- ([] if matrix_bridges_homeserver_container_network == '' else [matrix_bridges_homeserver_container_network])
+ ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
 +
 ([devture_postgres_container_network] if devture_postgres_enabled and matrix_mautrix_instagram_database_hostname == devture_postgres_connection_hostname else [])
 +
@@ -1079,14 +1075,14 @@ matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_users: "
 matrix_mautrix_instagram_systemd_required_services_list_auto: |
 {{
- matrix_bots_homeserver_systemd_services_list
+ matrix_addons_homeserver_systemd_services_list
 +
 ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_mautrix_instagram_database_hostname == devture_postgres_connection_hostname else [])
 }}
 matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token', rounds=655555) | to_uuid }}"
-matrix_mautrix_instagram_homeserver_address: "{{ matrix_bridges_homeserver_client_api_url }}"
+matrix_mautrix_instagram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token', rounds=655555) | to_uuid }}"
@@ -1342,12 +1338,12 @@ matrix_mautrix_whatsapp_enabled: false
 matrix_mautrix_whatsapp_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
-matrix_mautrix_whatsapp_container_network: "{{ matrix_bridges_container_network }}"
+matrix_mautrix_whatsapp_container_network: "{{ matrix_addons_container_network }}"
 matrix_mautrix_whatsapp_container_additional_networks_auto: |-
 {{
 (
- ([] if matrix_bridges_homeserver_container_network == '' else [matrix_bridges_homeserver_container_network])
+ ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
 +
 ([devture_postgres_container_network] if devture_postgres_enabled and matrix_mautrix_whatsapp_database_hostname == devture_postgres_connection_hostname else [])
 +
@@ -1365,14 +1361,14 @@ matrix_mautrix_whatsapp_container_labels_metrics_middleware_basic_auth_users: "{
 matrix_mautrix_whatsapp_systemd_required_services_list_auto: |
 {{
- matrix_bots_homeserver_systemd_services_list
+ matrix_addons_homeserver_systemd_services_list
 +
 ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_mautrix_whatsapp_database_hostname == devture_postgres_connection_hostname else [])
 }}
 matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token', rounds=655555) | to_uuid }}"
-matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_bridges_homeserver_client_api_url }}"
+matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token', rounds=655555) | to_uuid }}"
 matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
@@ -1464,11 +1460,11 @@ matrix_hookshot_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_se
 matrix_hookshot_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.hs.tok', rounds=655555) | to_uuid }}"
-matrix_hookshot_homeserver_address: "{{ matrix_bridges_homeserver_client_api_url }}"
+matrix_hookshot_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_hookshot_systemd_wanted_services_list: |
 {{
- matrix_bridges_homeserver_systemd_services_list
+ matrix_addons_homeserver_systemd_services_list
 +
 ([(redis_identifier + '.service')] if redis_enabled and matrix_hookshot_queue_host == redis_identifier else [])
 }}
@@ -1478,12 +1474,12 @@ matrix_hookshot_systemd_wanted_services_list: |
 # because connectivity is still potentially troublesome and is to be investigated.
 matrix_hookshot_queue_host: "{{ redis_identifier if redis_enabled and matrix_hookshot_experimental_encryption_enabled else '' }}"
-matrix_hookshot_container_network: "{{ matrix_bridges_container_network }}"
+matrix_hookshot_container_network: "{{ matrix_addons_container_network }}"
 matrix_hookshot_container_additional_networks_auto: |
 {{
 (
- ([] if matrix_bridges_homeserver_container_network == '' else [matrix_bridges_homeserver_container_network])
+ ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
 +
 ([redis_container_network] if redis_enabled and matrix_hookshot_queue_host == redis_identifier else [])
 +
@@ -1773,7 +1769,7 @@ matrix_bot_matrix_reminder_bot_enabled: false
 matrix_bot_matrix_reminder_bot_systemd_required_services_list_auto: |
 {{
- matrix_bots_homeserver_systemd_services_list
+ matrix_addons_homeserver_systemd_services_list
 +
 ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_connection_hostname else [])
 }}
@@ -1784,17 +1780,17 @@ matrix_bot_matrix_reminder_bot_database_hostname: "{{ devture_postgres_connectio
 matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}"
 matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
-matrix_bot_matrix_reminder_bot_container_network: "{{ matrix_bots_container_network }}"
+matrix_bot_matrix_reminder_bot_container_network: "{{ matrix_addons_container_network }}"
 matrix_bot_matrix_reminder_bot_container_additional_networks_auto: |-
 {{
 (
- ([] if matrix_bots_homeserver_container_network == '' else [matrix_bots_homeserver_container_network])
+ ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
 +
 ([devture_postgres_container_network] if devture_postgres_enabled and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_connection_hostname else [])
 )
 | unique
 }}
-matrix_bot_matrix_reminder_bot_matrix_homeserver_url: "{{ matrix_bots_homeserver_client_api_url }}"
+matrix_bot_matrix_reminder_bot_matrix_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
 ######################################################################
 #
@@ -2051,7 +2047,7 @@ matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services: "{% for dom
 matrix_bot_postmoogle_systemd_required_services_list_auto: |
 {{
- matrix_bots_homeserver_systemd_services_list
+ matrix_addons_homeserver_systemd_services_list
 +
 ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_bot_postmoogle_database_hostname == matrix_bot_postmoogle_database_hostname else [])
 +
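Review bot: In the `@@ -2051` hunk, the Postgres dependency condition compares `matrix_bot_postmoogle_database_hostname == matrix_bot_postmoogle_database_hostname`, which is always true, so `devture_postgres_identifier ~ '.service'` becomes a required unit whenever `devture_postgres_enabled` is set, even if Postmoogle is pointed at another database host. Every sibling block in this file compares the service's hostname against `devture_postgres_connection_hostname`, and the line sits directly under the variable this commit renames, so it should be corrected here: `([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_bot_postmoogle_database_hostname == devture_postgres_connection_hostname else [])`. The block scalar continues beyond the hunk, which ends on a `+` operator line.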
@@ -2063,14 +2059,14 @@ matrix_bot_postmoogle_database_engine: "{{ 'postgres' if devture_postgres_enable
 matrix_bot_postmoogle_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db', rounds=655555) | to_uuid }}"
-matrix_bot_postmoogle_homeserver: "{{ matrix_bots_homeserver_client_api_url }}"
+matrix_bot_postmoogle_homeserver: "{{ matrix_addons_homeserver_client_api_url }}"
-matrix_bot_postmoogle_container_network: "{{ matrix_bots_container_network }}"
+matrix_bot_postmoogle_container_network: "{{ matrix_addons_container_network }}"
 matrix_bot_postmoogle_container_additional_networks_auto: |-
 {{
 (
- ([] if matrix_bots_homeserver_container_network == '' else [matrix_bots_homeserver_container_network])
+ ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
 +
 ([devture_postgres_container_network] if devture_postgres_enabled and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_connection_hostname else [])
 )
 | unique
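Review bot: The Postgres-network condition in `matrix_bot_postmoogle_container_additional_networks_auto` reads `matrix_bot_matrix_reminder_bot_database_hostname`, the reminder bot's variable, instead of `matrix_bot_postmoogle_database_hostname` defined at the top of this same hunk. If only one of the two bots uses the playbook's Postgres, Postmoogle is joined to (or left off) the Postgres network according to the other bot's settings: an unnecessary network attachment in one case, a broken database connection in the other. Since the commit already rewrites the adjacent line, the context line should be corrected too: `([devture_postgres_container_network] if devture_postgres_enabled and matrix_bot_postmoogle_database_hostname == devture_postgres_connection_hostname else [])`. The block scalar continues past the hunk; its closing `}}` is outside it.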
@@ -2094,12 +2090,12 @@ matrix_bot_chatgpt_enabled: false
 
 matrix_bot_chatgpt_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 
-matrix_bot_chatgpt_container_network: "{{ matrix_bots_container_network }}"
-matrix_bot_chatgpt_container_additional_networks_auto: "{{ [] if matrix_bots_homeserver_container_network == '' else [matrix_bots_homeserver_container_network] }}"
+matrix_bot_chatgpt_container_network: "{{ matrix_addons_container_network }}"
+matrix_bot_chatgpt_container_additional_networks_auto: "{{ [] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network] }}"
 
-matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_bots_homeserver_client_api_url }}"
+matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
 
-matrix_bot_chatgpt_systemd_required_services_list_auto: "{{ matrix_bots_homeserver_systemd_services_list }}"
+matrix_bot_chatgpt_systemd_required_services_list_auto: "{{ matrix_addons_homeserver_systemd_services_list }}"
 
 ######################################################################
 #
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index a4e591997..b5cb15e5a 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -19,29 +19,17 @@ matrix_bridges_encryption_enabled: false
 # Global var to enable/disable relay mode across all bridges with relay mode support
 matrix_bridges_relay_enabled: false
 
-# A container network where all bridges would live.
-matrix_bridges_container_network: matrix-bridges
+# A container network where all addon services (bridges, bots, etc.) would live.
+matrix_addons_container_network: matrix-addons
 
-# The container network that the homeserver lives on and bridges should be connected to
-matrix_bridges_homeserver_container_network: "{{ matrix_homeserver_container_network }}"
+# The container network that the homeserver lives on and addon services (bridges, bots, etc.) should be connected to
+matrix_addons_homeserver_container_network: "{{ matrix_homeserver_container_network }}"
 
-# The URL where bridges can reach the homeserver.
-matrix_bridges_homeserver_client_api_url: "{{ matrix_homeserver_container_url }}"
+# The URL where addon services (bridges, bots, etc.) can reach the homeserver.
+matrix_addons_homeserver_client_api_url: "{{ matrix_homeserver_container_url }}"
 
-# The systemd services (representing the homeserver) that bridges should depend on
-matrix_bridges_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_services_list }}"
-
-# A container network where all bots would live.
-matrix_bots_container_network: matrix-bots
-
-# The container network that the homeserver lives on and bots should be connected to
-matrix_bots_homeserver_container_network: "{{ matrix_homeserver_container_network }}"
-
-# The URL where bots can reach the homeserver.
-matrix_bots_homeserver_client_api_url: "{{ matrix_homeserver_container_url }}"
-
-# The systemd services (representing the homeserver) that bots should depend on
-matrix_bots_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_services_list }}"
+# The systemd services (representing the homeserver) that addon services (bridges, bots, etc.) should depend on
+matrix_addons_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_services_list }}"
 
 # matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc.
 #
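Review bot: The new comment on `matrix_addons_container_network` says where addon services live but not that bridges and bots, previously kept apart in `matrix-bridges` and `matrix-bots`, can now reach one another directly, which is the isolation trade-off the commit message acknowledges. This defaults file is what an operator reads when deciding what to override, so the trade-off and the escape hatch belong here rather than only in the commit message. Suggest extending the comment with `# All services on this network can reach each other directly; to isolate one, override its own *_container_network variable (e.g. matrix_hookshot_container_network).` A one-line pointer in the same place noting that the `matrix_bridges_*`/`matrix_bots_*` networking variables were replaced by `matrix_addons_*` would also help anyone grepping for the old names.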