GMH v04.3
This commit is contained in:
parent
0607e01304
commit
50d7209c5b
14
CHANGELOG.md
@ -1,3 +1,17 @@
|
|||||||
|
# 2021-04-16
|
||||||
|
|
||||||
|
## Disabling TLSv1 and TLSv1.1 for Coturn
|
||||||
|
|
||||||
|
To improve security, we've [removed TLSv1 and TLSv1.1 support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999) from our default [Coturn](https://github.com/coturn/coturn) configuration.
|
||||||
|
|
||||||
|
If you need to support old clients, you can re-enable both (or whichever one you need) with the following configuration:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_coturn_tls_v1_enabled: true
|
||||||
|
matrix_coturn_tls_v1_1_enabled: true
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
# 2021-04-05
|
# 2021-04-05
|
||||||
|
|
||||||
## Automated local Postgres backup support
|
## Automated local Postgres backup support
|
||||||
|
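Review bot: the new entry documents only the Coturn TLSv1/TLSv1.1 change, while this same commit also switches the Coturn image from `instrumentisto/coturn` to `coturn/coturn`, moves the node-exporter container off `--net=host` onto the `matrix` container network, and turns on the `Permissions-Policy interest-cohort=()` header by default for all user-facing vhosts. Operators who mirror images by name or scrape node-exporter on a host port are affected by those, so each deserves its own line under the 2021-04-16 heading.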
@ -2,16 +2,37 @@
|
|||||||
|
|
||||||
The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you.
|
The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you.
|
||||||
|
|
||||||
See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you.
|
See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
matrix_mautrix_facebook_enabled: true
|
matrix_mautrix_facebook_enabled: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
There are some additional things you may wish to configure about the bridge before you continue.
|
||||||
|
|
||||||
|
Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
|
||||||
|
```yaml
|
||||||
|
matrix_mautrix_facebook_configuration_extension_yaml: |
|
||||||
|
bridge:
|
||||||
|
encryption:
|
||||||
|
allow: true
|
||||||
|
default: true
|
||||||
|
```
|
||||||
|
|
||||||
|
If you would like to be able to administrate the bridge from your account it can be configured like this:
|
||||||
|
```yaml
|
||||||
|
matrix_mautrix_facebook_configuration_extension_yaml: |
|
||||||
|
bridge:
|
||||||
|
permissions:
|
||||||
|
'@YOUR_USERNAME:YOUR_DOMAIN': admin
|
||||||
|
```
|
||||||
|
|
||||||
|
You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure.
|
||||||
|
|
||||||
|
|
||||||
## Set up Double Puppeting
|
## Set up Double Puppeting
|
||||||
|
|
||||||
If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-facebook/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it.
|
If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
|
||||||
|
|
||||||
### Method 1: automatically, by enabling Shared Secret Auth
|
### Method 1: automatically, by enabling Shared Secret Auth
|
||||||
|
|
||||||
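Review bot: the encryption example and the permissions example both assign `matrix_mautrix_facebook_configuration_extension_yaml`, so a reader who copies both into `vars.yml` ends up with only the later one applied (the second key silently overrides the first). Suggest either one combined example with both `encryption:` and `permissions:` under a single `bridge:` key, or an explicit sentence that the two blocks must be merged. A short note on what `allow` and `default` each control would also make the encryption example self-explanatory.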
@ -42,9 +63,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login
|
|||||||
|
|
||||||
You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
|
You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
|
||||||
|
|
||||||
Send `login YOUR_FACEBOOK_EMAIL_ADDRESS YOUR_FACEBOOK_PASSWORD` to the bridge bot to enable bridging for your Facebook/Messenger account.
|
Send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/facebook/authentication.html).
|
||||||
|
|
||||||
You can learn more here about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-facebook/wiki/Authentication).
|
|
||||||
|
|
||||||
If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.
|
If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.
|
||||||
|
|
||||||
|
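Review bot: the rewritten line drops `YOUR_FACEBOOK_PASSWORD` from the `login` command, so users no longer paste their password into a chat message, which is a clear improvement, but the change is silent. One clause saying that the password is no longer passed in the message, and that the linked authentication docs cover that step, would stop readers of older guides from sending `login EMAIL PASSWORD` out of habit. Keeping the documentation link as its own paragraph, as it was before, also reads better than appending it to the instruction.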
@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record.
|
|||||||
|
|
||||||
You may also need to open the following ports to your server:
|
You may also need to open the following ports to your server:
|
||||||
|
|
||||||
- `10000/udp` - RTP media over UDP
|
|
||||||
- `4443/tcp` - RTP media fallback over TCP
|
- `4443/tcp` - RTP media fallback over TCP
|
||||||
|
- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
|
||||||
|
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
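Review bot: the new `10000/udp` bullet explains that incoming RTP packets may carry the firewall's external IP as destination address, but not what the reader should do about it; a clause such as "make sure your firewall/NAT rule accepts and forwards those packets to the server" would make the note actionable. The list order also changed so that `4443/tcp` now precedes `10000/udp`, which is harmless but makes the diff noisier than the actual content change.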
@ -11,7 +11,7 @@ These services are enabled and used by default, but you can turn them off, if yo
|
|||||||
|
|
||||||
- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional)
|
- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional)
|
||||||
|
|
||||||
- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
|
- [coturn/coturn](https://hub.docker.com/r/coturn/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
|
||||||
|
|
||||||
- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)
|
- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)
|
||||||
|
|
||||||
|
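Review bot: the Coturn image moves from `instrumentisto/coturn` to `coturn/coturn`, that is, to a different publisher on Docker Hub. Users who mirror images via `matrix_container_global_registry_prefix` need to know the new name, and the pinned `matrix_coturn_version` should be confirmed to exist as a tag of the new image, since tag schemes differ between publishers. Both points belong in CHANGELOG.md next to the TLS entry.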
@ -34,7 +34,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
|
|||||||
- `5349/udp`: TURN over UDP (used by Coturn)
|
- `5349/udp`: TURN over UDP (used by Coturn)
|
||||||
- `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port.
|
- `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port.
|
||||||
- the range `49152-49172/udp`: TURN over UDP
|
- the range `49152-49172/udp`: TURN over UDP
|
||||||
- `4443/tcp`: Jitsi Harvester fallback
|
- potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that.
|
||||||
- `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
|
|
||||||
|
|
||||||
When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
|
When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
|
||||||
|
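Review bot: the unchanged `8448/tcp` context line reads "this **may necessary even with federation disabled**"; the verb "be" is missing. Since this hunk already edits the list, fix it here. Replacing the Jitsi-specific bullets with a generic pointer to `docs/` is fine now that the Jitsi docs page carries the port details itself.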
@ -1675,11 +1675,6 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}
|
|||||||
|
|
||||||
matrix_prometheus_node_exporter_enabled: false
|
matrix_prometheus_node_exporter_enabled: false
|
||||||
|
|
||||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network.
|
|
||||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
||||||
# Prometheus' HTTP port to the local host.
|
|
||||||
matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}"
|
|
||||||
|
|
||||||
######################################################################
|
######################################################################
|
||||||
#
|
#
|
||||||
# /matrix-prometheus-node-exporter
|
# /matrix-prometheus-node-exporter
|
||||||
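Review bot: deleting this block changes behaviour for installations without `matrix-nginx-proxy`: previously node-exporter was published on `127.0.0.1:9200` in that case, now the role default applies and nothing is published on the host. That is arguably the safer default, but it is not mentioned in CHANGELOG.md, and anyone scraping that host port will lose metrics silently. The removed comment also spoke of "Prometheus' HTTP port" when the variable controls the node-exporter port, so the removal at least clears up that confusion.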
@ -1706,6 +1701,7 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me
|
|||||||
matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"
|
matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"
|
||||||
|
|
||||||
matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
|
matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
|
||||||
|
matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}"
|
||||||
|
|
||||||
######################################################################
|
######################################################################
|
||||||
#
|
#
|
||||||
|
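Review bot: `matrix_prometheus_scraper_node_targets` now resolves `matrix-prometheus-node-exporter:9100` over the container network, which only works because the node-exporter systemd unit in this same commit switches to `--network={{ matrix_docker_network }}`; keep the two changes together if this is ever split or reverted. The empty-list fallback when the exporter is disabled is the right shape for a Prometheus `static_configs` target list.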
@ -56,10 +56,10 @@
|
|||||||
"required": false,
|
"required": false,
|
||||||
"min": null,
|
"min": null,
|
||||||
"max": null,
|
"max": null,
|
||||||
"default": "{{ matrix_synapse_use_presence | string | lower }}",
|
"default": "{{ matrix_synapse_presence_enabled | string | lower }}",
|
||||||
"choices": "true\nfalse",
|
"choices": "true\nfalse",
|
||||||
"new_question": true,
|
"new_question": true,
|
||||||
"variable": "matrix_synapse_use_presence",
|
"variable": "matrix_synapse_presence_enabled",
|
||||||
"type": "multiplechoice"
|
"type": "multiplechoice"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -8,6 +8,15 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
# Renames the variables if needed
|
||||||
|
- include_tasks:
|
||||||
|
file: "rename_variables.yml"
|
||||||
|
apply:
|
||||||
|
tags: always
|
||||||
|
when: run_setup|bool and matrix_awx_enabled|bool
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
# Perform a backup of the server
|
# Perform a backup of the server
|
||||||
- include_tasks:
|
- include_tasks:
|
||||||
file: "backup_server.yml"
|
file: "backup_server.yml"
|
||||||
|
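Review bot: `when: run_setup|bool and matrix_awx_enabled|bool` fails with an undefined-variable error on any run where `run_setup` is not set, and the condition is evaluated on every run because the task is tagged `always`. If `run_setup` is not guaranteed to be defined, use `run_setup | default(false) | bool`. The include itself is fine: `rename_variables.yml` only does an idempotent `replace`, so running it on every setup is harmless.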
8
roles/matrix-awx/tasks/rename_variables.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
|
||||||
|
- name: Rename synapse presence variable
|
||||||
|
delegate_to: 127.0.0.1
|
||||||
|
replace:
|
||||||
|
path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
|
||||||
|
regexp: 'matrix_synapse_use_presence'
|
||||||
|
replace: 'matrix_synapse_presence_enabled'
|
||||||
|
|
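Review bot: the `regexp` is an unanchored substring, so `matrix_synapse_use_presence` also matches inside any longer identifier that contains it, and the `replace` module fails the play if the `matrix_vars.yml` path does not exist yet. Suggest anchoring the pattern (for example `^matrix_synapse_use_presence:` or `\bmatrix_synapse_use_presence\b`) and either guarding with a `stat` or deliberately accepting a missing file as an error. Since the path is built from `member_id` and `subscription_id` and the task runs on the AWX controller via `delegate_to: 127.0.0.1`, it is also worth confirming those two values are validated before being interpolated into a filesystem path.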
@ -21,7 +21,7 @@
|
|||||||
'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
|
'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
|
||||||
'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
|
'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
|
||||||
'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
|
'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
|
||||||
'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}'
|
'matrix_synapse_presence_enabled': '{{ matrix_synapse_presence_enabled }}'
|
||||||
'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
|
'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
|
||||||
'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
|
'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
|
||||||
'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'
|
'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
matrix_coturn_enabled: true
|
matrix_coturn_enabled: true
|
||||||
|
|
||||||
matrix_coturn_container_image_self_build: false
|
matrix_coturn_container_image_self_build: false
|
||||||
matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"
|
matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git"
|
||||||
|
|
||||||
matrix_coturn_version: 4.5.2
|
matrix_coturn_version: 4.5.2
|
||||||
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}"
|
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}"
|
||||||
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
|
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||||
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
|
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
|
||||||
|
|
||||||
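Review bot: `matrix_coturn_container_image_self_build_repo` is now `https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git`, which is a GitHub web URL for a subdirectory with `.git` appended, not something `git clone` accepts. The self-build path should clone `https://github.com/coturn/coturn.git` and point the build at the `docker/coturn/alpine` directory separately (Dockerfile path or build context), otherwise `matrix_coturn_container_image_self_build: true` breaks for everyone who enables it.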
@ -73,3 +73,6 @@ matrix_coturn_total_quota: null
|
|||||||
matrix_coturn_tls_enabled: false
|
matrix_coturn_tls_enabled: false
|
||||||
matrix_coturn_tls_cert_path: ~
|
matrix_coturn_tls_cert_path: ~
|
||||||
matrix_coturn_tls_key_path: ~
|
matrix_coturn_tls_key_path: ~
|
||||||
|
|
||||||
|
matrix_coturn_tls_v1_enabled: false
|
||||||
|
matrix_coturn_tls_v1_1_enabled: false
|
||||||
|
@ -17,6 +17,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \
|
|||||||
--log-driver=none \
|
--log-driver=none \
|
||||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
--cap-drop=ALL \
|
--cap-drop=ALL \
|
||||||
|
--cap-add=NET_BIND_SERVICE \
|
||||||
--entrypoint=turnserver \
|
--entrypoint=turnserver \
|
||||||
--read-only \
|
--read-only \
|
||||||
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
|
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
|
||||||
|
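Review bot: `--cap-add=NET_BIND_SERVICE` right after `--cap-drop=ALL` widens the container's capability set; that capability is only needed to bind ports below 1024, and the TURN defaults (3478, 5349 and the relay range) are all above that. A comment stating which low port the new `coturn/coturn` image binds, or dropping the flag if there is none, would keep the unit's least-privilege intent visible.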
@ -16,6 +16,12 @@ no-cli
|
|||||||
{% if matrix_coturn_tls_enabled %}
|
{% if matrix_coturn_tls_enabled %}
|
||||||
cert={{ matrix_coturn_tls_cert_path }}
|
cert={{ matrix_coturn_tls_cert_path }}
|
||||||
pkey={{ matrix_coturn_tls_key_path }}
|
pkey={{ matrix_coturn_tls_key_path }}
|
||||||
|
{% if not matrix_coturn_tls_v1_enabled %}
|
||||||
|
no-tlsv1
|
||||||
|
{% endif %}
|
||||||
|
{% if not matrix_coturn_tls_v1_1_enabled %}
|
||||||
|
no-tlsv1_1
|
||||||
|
{% endif %}
|
||||||
{% else %}
|
{% else %}
|
||||||
no-tls
|
no-tls
|
||||||
no-dtls
|
no-dtls
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
matrix_grafana_enabled: false
|
matrix_grafana_enabled: false
|
||||||
|
|
||||||
matrix_grafana_version: 7.5.2
|
matrix_grafana_version: 7.5.4
|
||||||
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
|
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
|
||||||
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
|
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
|
||||||
|
|
||||||
@ -31,6 +31,12 @@ matrix_grafana_anonymous_access_org_name: 'Main Org.'
|
|||||||
matrix_grafana_default_admin_user: admin
|
matrix_grafana_default_admin_user: admin
|
||||||
matrix_grafana_default_admin_password: admin
|
matrix_grafana_default_admin_password: admin
|
||||||
|
|
||||||
|
# Set to true to add the Content-Security-Policy header to your requests.
|
||||||
|
# CSP allows to control resources that the user agent can load and helps
|
||||||
|
# prevent XSS attacks.
|
||||||
|
# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
|
||||||
|
matrix_grafana_content_security_policy: true
|
||||||
|
|
||||||
# A list of extra arguments to pass to the container
|
# A list of extra arguments to pass to the container
|
||||||
matrix_grafana_container_extra_arguments: []
|
matrix_grafana_container_extra_arguments: []
|
||||||
|
|
||||||
|
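Review bot: enabling `matrix_grafana_content_security_policy` by default is a good hardening default. The comment says the header is added "to your requests"; it is added to responses, so "responses" is the accurate word, and the same wording appears in the grafana.ini template in this commit.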
@ -5,6 +5,9 @@ admin_user = "{{ matrix_grafana_default_admin_user }}"
|
|||||||
# default admin password, can be changed before first start of grafana, or in profile settings
|
# default admin password, can be changed before first start of grafana, or in profile settings
|
||||||
admin_password = """{{ matrix_grafana_default_admin_password }}"""
|
admin_password = """{{ matrix_grafana_default_admin_password }}"""
|
||||||
|
|
||||||
|
# specify content_security_policy to add the Content-Security-Policy header to your requests
|
||||||
|
content_security_policy = "{{ matrix_grafana_content_security_policy }}"
|
||||||
|
|
||||||
[auth.anonymous]
|
[auth.anonymous]
|
||||||
# enable anonymous access
|
# enable anonymous access
|
||||||
enabled = {{ matrix_grafana_anonymous_access }}
|
enabled = {{ matrix_grafana_anonymous_access }}
|
||||||
|
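Review bot: `content_security_policy = "{{ matrix_grafana_content_security_policy }}"` renders the Ansible boolean as Python's `True` inside quotes, whereas `enabled = {{ matrix_grafana_anonymous_access }}` a few lines down is rendered bare. Grafana's ini parser tolerates `True`, but rendering it as `{{ matrix_grafana_content_security_policy | to_json }}` (giving `true`) is unambiguous and consistent with the rest of the file. The "to your requests" wording in the comment should read "to your responses".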
@ -269,6 +269,16 @@ matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
|
|||||||
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
|
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
|
||||||
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
||||||
|
|
||||||
|
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.
|
||||||
|
#
|
||||||
|
# Learn more about what it is here:
|
||||||
|
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
|
||||||
|
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
|
||||||
|
# - https://amifloced.org/
|
||||||
|
#
|
||||||
|
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
||||||
|
matrix_nginx_proxy_floc_optout_enabled: true
|
||||||
|
|
||||||
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
||||||
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||||||
#
|
#
|
||||||
|
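Review bot: defaulting `matrix_nginx_proxy_floc_optout_enabled` to `true` changes the response headers of every user-facing vhost; that is a reasonable default but should get a CHANGELOG entry. The comment's closing line about stopping the use of browsers like Chrome is editorial rather than configuration documentation; keeping defaults comments to what the variable does and the references makes them easier to maintain.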
@ -5,6 +5,11 @@
|
|||||||
|
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json;
|
gzip_types text/plain application/json;
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -3,8 +3,10 @@
|
|||||||
{% macro render_vhost_directives() %}
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -3,9 +3,14 @@
|
|||||||
{% macro render_vhost_directives() %}
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-Frame-Options SAMEORIGIN;
|
add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
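Review bot: the new `Permissions-Policy interest-cohort=() always;` line (like the HSTS line) carries `always`, but the adjacent `X-Content-Type-Options` and `X-Frame-Options` lines do not, so nginx omits those two headers on non-2xx/3xx responses. Not introduced here, but worth fixing while this block is being touched. Quoting the value as `"interest-cohort=()"` would also match the quoting style of the HSTS line rather than relying on nginx treating the parentheses as plain characters; the same applies to the identical lines added to the other vhost templates.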
@ -3,8 +3,13 @@
|
|||||||
{% macro render_vhost_directives() %}
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -17,6 +17,10 @@
|
|||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json;
|
gzip_types text/plain application/json;
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
location /.well-known/matrix {
|
location /.well-known/matrix {
|
||||||
root {{ matrix_static_files_base_path }};
|
root {{ matrix_static_files_base_path }};
|
||||||
{#
|
{#
|
||||||
|
@ -3,9 +3,19 @@
|
|||||||
{% macro render_vhost_directives() %}
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
add_header X-Frame-Options SAMEORIGIN;
|
# duplicate X-Content-Type-Options & X-Frame-Options header
|
||||||
|
# Enabled by grafana by default
|
||||||
|
# add_header X-Content-Type-Options nosniff;
|
||||||
|
# add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||||
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
proxy_cookie_path / "/; HTTPOnly; Secure";
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
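Review bot: three points on the Grafana vhost. First, `preload` is added to the HSTS header here only; preload is a commitment that applies to the whole domain once submitted and none of the other vhosts set it, so it should be a consistent, documented choice rather than a one-off on this subdomain. Second, `X-Content-Type-Options` and `X-Frame-Options` are commented out because Grafana emits them itself; the proxy now depends on Grafana's settings for those headers, so naming the relevant grafana.ini options in the comment would help anyone who changes them. Third, `proxy_cookie_path / "/; HTTPOnly; Secure";` is good hardening for upstream cookies; `HttpOnly` is the conventional spelling, though browsers treat the attribute name case-insensitively.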
@ -3,8 +3,13 @@
|
|||||||
{% macro render_vhost_directives() %}
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -1,6 +1,10 @@
|
|||||||
#jinja2: lstrip_blocks: "True"
|
#jinja2: lstrip_blocks: "True"
|
||||||
|
|
||||||
{% macro render_vhost_directives() %}
|
{% macro render_vhost_directives() %}
|
||||||
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -3,9 +3,11 @@
|
|||||||
{% macro render_vhost_directives() %}
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
|
|
||||||
{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
|
{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -48,6 +48,8 @@ http {
|
|||||||
|
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
#gzip on;
|
#gzip on;
|
||||||
{# Map directive needed for proxied WebSocket upgrades #}
|
{# Map directive needed for proxied WebSocket upgrades #}
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
|
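Review bot: `server_tokens off;` stops nginx from advertising its version in the `Server` header and on error pages, which is good hygiene. Because it lands in the shared `http {}` block it covers every vhost, including ones this commit does not otherwise touch, so a brief CHANGELOG mention would tell operators why the header changed.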
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
matrix_prometheus_node_exporter_enabled: false
|
matrix_prometheus_node_exporter_enabled: false
|
||||||
|
|
||||||
matrix_prometheus_node_exporter_version: v1.1.0
|
matrix_prometheus_node_exporter_version: v1.1.2
|
||||||
matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}"
|
matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}"
|
||||||
matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}"
|
matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}"
|
||||||
|
|
||||||
@ -18,5 +18,17 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: []
|
|||||||
|
|
||||||
# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container).
|
# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container).
|
||||||
#
|
#
|
||||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
|
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
|
||||||
|
#
|
||||||
|
# Official recommendations are to run this container with `--net=host`,
|
||||||
|
# but we don't do that, since it:
|
||||||
|
# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008)
|
||||||
|
# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`)
|
||||||
|
#
|
||||||
|
# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both,
|
||||||
|
# but that's trickier to accomplish and won't necessarily work (hasn't been tested).
|
||||||
|
#
|
||||||
|
# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate),
|
||||||
|
# because node-exporter can't see all interfaces, etc.
|
||||||
|
# For now, we'll live with that, until someone develops a better solution.
|
||||||
matrix_prometheus_node_exporter_container_http_host_bind_port: ''
|
matrix_prometheus_node_exporter_container_http_host_bind_port: ''
|
||||||
|
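Review bot: the comment now says the variable takes an `"<ip>:<port>"` value, but nothing rejects a bare `"9100"`, which with `-p` publishes the exporter on all host interfaces, exactly the exposure the comment warns about. Either validate the value (require a `:` with an address) in the role's validation tasks, or state explicitly that a bare port publishes on all interfaces. The rest of the comment gives a clear account of why `--net=host` was dropped and what is lost (inaccurate network statistics), which is useful context to keep.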
@ -22,13 +22,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod
|
|||||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
--cap-drop=ALL \
|
--cap-drop=ALL \
|
||||||
--read-only \
|
--read-only \
|
||||||
{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
|
|
||||||
-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \
|
|
||||||
{% endif %}
|
|
||||||
{% for arg in matrix_prometheus_node_exporter_container_extra_arguments %}
|
{% for arg in matrix_prometheus_node_exporter_container_extra_arguments %}
|
||||||
{{ arg }} \
|
{{ arg }} \
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
--net=host \
|
--network={{ matrix_docker_network }} \
|
||||||
|
{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
|
||||||
|
-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \
|
||||||
|
{% endif %}
|
||||||
--pid=host \
|
--pid=host \
|
||||||
--mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \
|
--mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \
|
||||||
{{ matrix_prometheus_node_exporter_docker_image }} \
|
{{ matrix_prometheus_node_exporter_docker_image }} \
|
||||||
|
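Review bot: moving from `--net=host` to `--network={{ matrix_docker_network }}` removes the loopback-only and exposed-port problems, but the relocated `-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100` now publishes the bridge port to the host, and a bare port value (for example `9100`) binds on all interfaces; the variable's doc comment should say the value must include a listen address such as `127.0.0.1:9100` when it is set at all. Note that `--pid=host` and the read-only `rslave` bind mount of `/` at `/host` are unchanged, so the container still sees host processes and the whole host filesystem; that is required for node-exporter, but the comment in defaults should not suggest the hardening is tighter than it is. The reordering of the `{% if %}` block itself is cosmetic, since `docker run` does not care about flag order.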
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
matrix_prometheus_enabled: false
|
matrix_prometheus_enabled: false
|
||||||
|
|
||||||
matrix_prometheus_version: v2.24.1
|
matrix_prometheus_version: v2.26.0
|
||||||
matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
|
matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
|
||||||
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
|
matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
|
||||||
|
|
||||||
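Review bot: the Prometheus image tag jumps from v2.24.1 to v2.26.0 across two minor releases with no CHANGELOG.md entry; add one so operators who use `matrix_prometheus_configuration_extension` know to re-check their scrape config against the new version. Also worth stating in the variable comment that the image is pinned by tag only and `matrix_prometheus_docker_image_force_pull` stays false for anything other than `:latest`, so a re-published tag would not be pulled; pinning by digest would close that gap if the project wants it.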
@ -64,4 +64,3 @@ matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_e
|
|||||||
# Holds the final configuration (a combination of the default and its extension).
|
# Holds the final configuration (a combination of the default and its extension).
|
||||||
# You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`.
|
# You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`.
|
||||||
matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}"
|
matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}"
|
||||||
|
|
||||||
|
@ -19,22 +19,6 @@
|
|||||||
- "{{ matrix_prometheus_config_path }}"
|
- "{{ matrix_prometheus_config_path }}"
|
||||||
- "{{ matrix_prometheus_data_path }}"
|
- "{{ matrix_prometheus_data_path }}"
|
||||||
|
|
||||||
- block:
|
|
||||||
# Well, this actually creates the network if it doesn't exist, but..
|
|
||||||
# The network should have been created by `matrix-base` already.
|
|
||||||
# We don't rely on that other call and its result, because it runs
|
|
||||||
# on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`.
|
|
||||||
- name: Fetch Matrix Docker network details
|
|
||||||
docker_network:
|
|
||||||
name: "{{ matrix_docker_network }}"
|
|
||||||
driver: bridge
|
|
||||||
register: matrix_docker_network_info
|
|
||||||
|
|
||||||
- set_fact:
|
|
||||||
matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"]
|
|
||||||
when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0"
|
|
||||||
|
|
||||||
|
|
||||||
- name: Download synapse-v2.rules
|
- name: Download synapse-v2.rules
|
||||||
get_url:
|
get_url:
|
||||||
url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}"
|
url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}"
|
||||||
|
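Review bot: this hunk deletes the `docker_network` lookup and the `set_fact` that filled `matrix_prometheus_scraper_node_targets` with the gateway address when the list was empty, and nothing in the hunk replaces it; unless the role's defaults now set a non-empty target (presumably the node-exporter container name on the `matrix` network), the node scrape job ends up with no targets and the failure is silent. Please point to where the new default is set, and if `docker_network` is no longer used anywhere in the role, remove the corresponding collection requirement so the dependency list stays accurate.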
@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
|
|||||||
|
|
||||||
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
|
matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
|
||||||
|
|
||||||
matrix_synapse_admin_version: 0.7.0
|
matrix_synapse_admin_version: 0.7.2
|
||||||
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
|
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
|
||||||
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
|
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
|
||||||
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
|
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
|
||||||
|
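Review bot: synapse-admin moves from 0.7.0 to 0.7.2 using the same tag-only pin and the same `endswith(':latest')` force-pull rule as the Prometheus bump above; the image name prefix switches to `localhost/` for self-builds, so the version variable should be documented as also selecting the upstream git tag when `matrix_synapse_admin_container_self_build` is on, otherwise the two paths can drift. A CHANGELOG.md line for the admin UI bump would also help, since this is a user-facing component.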