Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into add-support-for-suse-linux
This commit is contained in:
commit
6f99f95aa2
@ -26,7 +26,7 @@ The following repositories allow you to copy and use this setup:
|
||||
|
||||
Updates to this section are trailed here:
|
||||
|
||||
[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy)
|
||||
[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy)
|
||||
|
||||
|
||||
## Does I need an AWX setup to use this? How do I configure it?
|
||||
|
@ -108,6 +108,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
|
||||
# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
|
||||
# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
|
||||
matrix_coturn_enabled: false
|
||||
|
||||
# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
|
||||
matrix_nginx_proxy_trust_forwarded_proto: true
|
||||
```
|
||||
|
||||
With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.
|
||||
|
@ -56,8 +56,40 @@ Name | Description
|
||||
`matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics`
|
||||
`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`)
|
||||
`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable)
|
||||
`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`).
|
||||
`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`)
|
||||
|
||||
### Collecting system and Postgres metrics to an external Prometheus server (advanced)
|
||||
|
||||
When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats.
|
||||
|
||||
It would be possible to use `matrix_prometheus_node_exporter_container_http_host_bind_port` etc., but that is not always the best choice, for example because your server is on a public network.
|
||||
|
||||
Use the following variables in addition to the ones mentioned above:
|
||||
|
||||
Name | Description
|
||||
-----|----------
|
||||
`matrix_nginx_proxy_proxy_grafana_enabled`|Set this to `true` to make the stats subdomain (`matrix_server_fqn_grafana`) available via the Nginx proxy
|
||||
`matrix_ssl_additional_domains_to_obtain_certificates_for`|Add `"{{ matrix_server_fqn_grafana }}"` to this list to have letsencrypt fetch a certificate for the stats subdomain
|
||||
`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter
|
||||
`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the Postgres exporter
|
||||
`matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks`|Add locations to this list depending on which of the above exporters you enabled (see below)
|
||||
|
||||
```nginx
|
||||
matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks:
|
||||
- 'location /node-exporter/ {
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
proxy_pass http://matrix-prometheus-node-exporter:9100/;
|
||||
auth_basic "protected";
|
||||
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
|
||||
}'
|
||||
- 'location /postgres-exporter/ {
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
proxy_pass http://matrix-prometheus-postgres-exporter:9187/;
|
||||
auth_basic "protected";
|
||||
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
|
||||
}'
|
||||
```
|
||||
You can customize the `location`s to your liking, just point your Prometheus to there later (e.g. `stats.DOMAIN/node-exporter/metrics`). Nginx is very picky about the `proxy_pass`syntax: take care to follow the example closely and note the trailing slash as well as absent use of variables. postgres-exporter uses the nonstandard port 9187.
|
||||
|
||||
## More information
|
||||
|
||||
|
@ -121,7 +121,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM
|
||||
|
||||
- this one **can be executed more than once** without causing trouble
|
||||
|
||||
- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux**
|
||||
- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 10/Buster+, **Ubuntu** 18.04+), **Archlinux**
|
||||
|
||||
- this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place
|
||||
|
||||
|
@ -60,7 +60,7 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user;
|
||||
It can be worked around by changing the username to `synapse`, for example by using `sed`:
|
||||
|
||||
```Shell
|
||||
$ sed -i "s/synapse_user/synapse/g" homeserver.sql"
|
||||
$ sed -i "s/synapse_user/synapse/g" homeserver.sql
|
||||
```
|
||||
|
||||
This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead.
|
||||
|
@ -4,8 +4,8 @@ To install Matrix services using this Ansible playbook, you need:
|
||||
|
||||
- (Recommended) An **x86** server ([What kind of server specs do I need?](faq.md#what-kind-of-server-specs-do-i-need)) running one of these operating systems:
|
||||
- **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300))
|
||||
- **Debian** (9/Stretch or newer)
|
||||
- **Ubuntu** (16.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
|
||||
- **Debian** (10/Buster or newer)
|
||||
- **Ubuntu** (18.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
|
||||
- **Archlinux**
|
||||
|
||||
Generally, newer is better. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
|
||||
|
@ -22,6 +22,7 @@ List of roles where self-building the Docker image is currently possible:
|
||||
- `matrix-mailer`
|
||||
- `matrix-bridge-appservice-irc`
|
||||
- `matrix-bridge-appservice-slack`
|
||||
- `matrix-bridge-appservice-webhooks`
|
||||
- `matrix-bridge-mautrix-facebook`
|
||||
- `matrix-bridge-mautrix-hangouts`
|
||||
- `matrix-bridge-mautrix-telegram`
|
||||
|
@ -14,7 +14,7 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE
|
||||
#
|
||||
# In case SSL renewal fails at some point, you'll also get an email notification there.
|
||||
#
|
||||
# If you decide to use another method for managing SSL certifites (different than the default Let's Encrypt),
|
||||
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
|
||||
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
|
||||
#
|
||||
# Example value: someone@example.com
|
||||
|
@ -104,6 +104,8 @@ matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_
|
||||
# We don't enable bridges by default.
|
||||
matrix_appservice_webhooks_enabled: false
|
||||
|
||||
matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
|
||||
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# matrix-appservice-webhooks' client-server port to the local host.
|
||||
|
@ -24,14 +24,6 @@
|
||||
mode: '0660'
|
||||
tags: use-survey
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
tags: use-survey
|
||||
|
||||
- name: Recreate 'Backup Server' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -49,8 +41,8 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
tags: use-survey
|
||||
|
||||
@ -90,6 +82,15 @@
|
||||
command: borgmatic -c /root/.config/borgmatic/config_2.yaml
|
||||
when: matrix_awx_backup_enabled|bool
|
||||
|
||||
- name: Delete the AWX session token for executing modules
|
||||
awx.awx.tower_token:
|
||||
description: 'AWX Session Token'
|
||||
scope: "write"
|
||||
state: absent
|
||||
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
|
||||
- name: Set boolean value to exit playbook
|
||||
set_fact:
|
||||
end_playbook: true
|
||||
|
10
roles/matrix-awx/tasks/create_session_token.yml
Normal file
10
roles/matrix-awx/tasks/create_session_token.yml
Normal file
@ -0,0 +1,10 @@
|
||||
|
||||
- name: Create a AWX session token for executing modules
|
||||
awx.awx.tower_token:
|
||||
description: 'AWX Session Token'
|
||||
scope: "write"
|
||||
state: present
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_master_token }}"
|
||||
register: awx_session_token
|
||||
no_log: True
|
@ -23,6 +23,15 @@
|
||||
/usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
|
||||
register: cmd
|
||||
|
||||
- name: Delete the AWX session token for executing modules
|
||||
awx.awx.tower_token:
|
||||
description: 'AWX Session Token'
|
||||
scope: "write"
|
||||
state: absent
|
||||
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
|
||||
- name: Result
|
||||
debug: msg="{{ cmd.stdout }}"
|
||||
|
||||
|
@ -77,13 +77,6 @@
|
||||
mode: '0660'
|
||||
when: customise_base_domain_website is undefined
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Website + Access Export' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -101,8 +94,8 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
when: customise_base_domain_website is defined
|
||||
|
||||
@ -123,8 +116,8 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
when: customise_base_domain_website is undefined
|
||||
|
||||
|
9
roles/matrix-awx/tasks/delete_session_token.yml
Normal file
9
roles/matrix-awx/tasks/delete_session_token.yml
Normal file
@ -0,0 +1,9 @@
|
||||
|
||||
- name: Delete the AWX session token for executing modules
|
||||
awx.awx.tower_token:
|
||||
description: 'AWX Session Token'
|
||||
scope: "write"
|
||||
state: absent
|
||||
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
@ -24,6 +24,15 @@
|
||||
units: days
|
||||
unique: yes
|
||||
|
||||
- name: Delete the AWX session token for executing modules
|
||||
awx.awx.tower_token:
|
||||
description: 'AWX Session Token'
|
||||
scope: "write"
|
||||
state: absent
|
||||
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
|
||||
- name: Set boolean value to exit playbook
|
||||
set_fact:
|
||||
end_playbook: true
|
||||
|
@ -9,3 +9,7 @@
|
||||
file: '/var/lib/awx/projects/hosting/hosting_vars.yml'
|
||||
no_log: True
|
||||
|
||||
- name: Include AWX master token from awx_tokens.yml
|
||||
include_vars:
|
||||
file: /var/lib/awx/projects/hosting/awx_tokens.yml
|
||||
no_log: True
|
||||
|
@ -17,6 +17,15 @@
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Create AWX session token
|
||||
- include_tasks:
|
||||
file: "create_session_token.yml"
|
||||
apply:
|
||||
tags: always
|
||||
when: run_setup|bool and matrix_awx_enabled|bool
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Perform a backup of the server
|
||||
- include_tasks:
|
||||
file: "backup_server.yml"
|
||||
@ -25,7 +34,7 @@
|
||||
when: run_setup|bool and matrix_awx_enabled|bool
|
||||
tags:
|
||||
- backup-server
|
||||
|
||||
|
||||
# Perform a export of the server
|
||||
- include_tasks:
|
||||
file: "export_server.yml"
|
||||
@ -62,6 +71,15 @@
|
||||
tags:
|
||||
- purge-database
|
||||
|
||||
# Rotate SSH key if called
|
||||
- include_tasks:
|
||||
file: "rotate_ssh.yml"
|
||||
apply:
|
||||
tags: rotate-ssh
|
||||
when: run_setup|bool and matrix_awx_enabled|bool
|
||||
tags:
|
||||
- rotate-ssh
|
||||
|
||||
# Import configs, media repo from /chroot/backup import
|
||||
- include_tasks:
|
||||
file: "import_awx.yml"
|
||||
@ -179,6 +197,15 @@
|
||||
tags:
|
||||
- setup-synapse-admin
|
||||
|
||||
# Delete AWX session token
|
||||
- include_tasks:
|
||||
file: "delete_session_token.yml"
|
||||
apply:
|
||||
tags: always
|
||||
when: run_setup|bool and matrix_awx_enabled|bool
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Load newly formed matrix variables from AWX volume
|
||||
- include_tasks:
|
||||
file: "load_matrix_variables.yml"
|
||||
|
@ -5,18 +5,18 @@
|
||||
name: dateutils
|
||||
state: latest
|
||||
|
||||
- name: Ensure dateutils, curl and jq intalled on target machine
|
||||
- name: Include vars in matrix_vars.yml
|
||||
include_vars:
|
||||
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
|
||||
no_log: True
|
||||
|
||||
- name: Ensure curl and jq intalled on target machine
|
||||
apt:
|
||||
pkg:
|
||||
- curl
|
||||
- jq
|
||||
state: present
|
||||
|
||||
- name: Include vars in matrix_vars.yml
|
||||
include_vars:
|
||||
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
|
||||
no_log: True
|
||||
|
||||
- name: Collect before shrink size of Synapse database
|
||||
shell: du -sh /matrix/postgres/data
|
||||
register: db_size_before_stat
|
||||
@ -144,13 +144,6 @@
|
||||
loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}"
|
||||
when: purge_mode.find("Number of events [slower]") != -1
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Adjust 'Deploy/Update a Server' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -165,8 +158,8 @@
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
|
||||
|
||||
@ -175,8 +168,8 @@
|
||||
awx.awx.tower_job_launch:
|
||||
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
|
||||
wait: yes
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
|
||||
|
||||
@ -194,8 +187,8 @@
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
|
||||
|
||||
@ -231,8 +224,8 @@
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
@ -241,8 +234,8 @@
|
||||
awx.awx.tower_job_launch:
|
||||
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
|
||||
wait: yes
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
@ -260,8 +253,8 @@
|
||||
credential: "{{ member_id }} - AWX SSH Key"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
when: (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
@ -308,6 +301,15 @@
|
||||
msg: "{{ db_size_after_stat.stdout.split('\n') }}"
|
||||
when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1)
|
||||
|
||||
- name: Delete the AWX session token for executing modules
|
||||
awx.awx.tower_token:
|
||||
description: 'AWX Session Token'
|
||||
scope: "write"
|
||||
state: absent
|
||||
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
|
||||
- name: Set boolean value to exit playbook
|
||||
set_fact:
|
||||
end_playbook: true
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
- name: Ensure dateutils and curl is installed in AWX
|
||||
- name: Ensure dateutils is installed in AWX
|
||||
delegate_to: 127.0.0.1
|
||||
yum:
|
||||
name: dateutils
|
||||
@ -90,6 +90,15 @@
|
||||
msg: "{{ remote_media_size_after.stdout.split('\n') }}"
|
||||
when: matrix_purge_media_type == "Remote Media"
|
||||
|
||||
- name: Delete the AWX session token for executing modules
|
||||
awx.awx.tower_token:
|
||||
description: 'AWX Session Token'
|
||||
scope: "write"
|
||||
state: absent
|
||||
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
|
||||
- name: Set boolean value to exit playbook
|
||||
set_fact:
|
||||
end_playbook: true
|
||||
|
@ -5,4 +5,3 @@
|
||||
path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
|
||||
regexp: 'matrix_synapse_use_presence'
|
||||
replace: 'matrix_synapse_presence_enabled'
|
||||
|
||||
|
24
roles/matrix-awx/tasks/rotate_ssh.yml
Normal file
24
roles/matrix-awx/tasks/rotate_ssh.yml
Normal file
@ -0,0 +1,24 @@
|
||||
|
||||
- name: Set the new authorized key taken from file
|
||||
authorized_key:
|
||||
user: root
|
||||
state: present
|
||||
exclusive: yes
|
||||
key: "{{ lookup('file', '/var/lib/awx/projects/hosting/client_public.key') }}"
|
||||
|
||||
- name: Delete the AWX session token for executing modules
|
||||
awx.awx.tower_token:
|
||||
description: 'AWX Session Token'
|
||||
scope: "write"
|
||||
state: absent
|
||||
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
|
||||
- name: Set boolean value to exit playbook
|
||||
set_fact:
|
||||
end_playbook: true
|
||||
|
||||
- name: End playbook if this task list is called.
|
||||
meta: end_play
|
||||
when: end_playbook is defined and end_playbook|bool
|
@ -218,13 +218,6 @@
|
||||
- debug:
|
||||
msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}"
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Corporal (Advanced)' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -242,6 +235,6 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
@ -82,13 +82,6 @@
|
||||
dest: '/matrix/awx/configure_dimension.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Dimension' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -106,6 +99,6 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
@ -40,13 +40,6 @@
|
||||
dest: '/matrix/awx/configure_element.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Element' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -64,6 +57,6 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
@ -21,13 +21,6 @@
|
||||
dest: '/matrix/awx/configure_element_subdomain.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Element Subdomain' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -44,6 +37,6 @@
|
||||
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}"
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
@ -22,13 +22,6 @@
|
||||
dest: '/matrix/awx/configure_jitsi.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Jitsi' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -46,6 +39,6 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
@ -79,13 +79,6 @@
|
||||
dest: '/matrix/awx/configure_ma1sd.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure ma1sd (Advanced)' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -103,7 +96,7 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
||||
|
@ -21,13 +21,6 @@
|
||||
dest: '/matrix/awx/configure_email_relay.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Email Relay' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -45,6 +38,6 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
@ -200,13 +200,6 @@
|
||||
dest: '/matrix/awx/configure_synapse.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Synapse' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -224,6 +217,6 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
@ -21,13 +21,6 @@
|
||||
dest: '/matrix/awx/configure_synapse_admin.json'
|
||||
mode: '0660'
|
||||
|
||||
- name: Collect AWX admin token the hard way!
|
||||
delegate_to: 127.0.0.1
|
||||
shell: |
|
||||
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
|
||||
register: tower_token
|
||||
no_log: True
|
||||
|
||||
- name: Recreate 'Configure Synapse Admin' job template
|
||||
delegate_to: 127.0.0.1
|
||||
awx.awx.tower_job_template:
|
||||
@ -45,6 +38,6 @@
|
||||
become_enabled: yes
|
||||
state: present
|
||||
verbosity: 1
|
||||
tower_host: "https://{{ tower_host }}"
|
||||
tower_oauthtoken: "{{ tower_token.stdout }}"
|
||||
tower_host: "https://{{ awx_host }}"
|
||||
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
|
||||
validate_certs: yes
|
||||
|
@ -83,8 +83,8 @@ matrix_host_command_openssl: "/usr/bin/env openssl"
|
||||
matrix_host_command_systemctl: "/usr/bin/env systemctl"
|
||||
matrix_host_command_sh: "/usr/bin/env sh"
|
||||
|
||||
matrix_ntpd_package: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else ( 'systemd' if ansible_os_family == 'Suse' else 'ntp' ) }}"
|
||||
matrix_ntpd_service: "{{ 'systemd-timesyncd' if ( (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or ansible_os_family == 'Suse') else ('ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp') }}"
|
||||
matrix_ntpd_package: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') else ( 'systemd' if ansible_os_family == 'Suse' else 'ntp' ) }}"
|
||||
matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') or ansible_distribution == 'Archlinux' or ansible_os_family == 'Suse' else ('ntpd' if ansible_os_family == 'RedHat' else 'ntp') }}"
|
||||
|
||||
matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"
|
||||
|
||||
|
@ -4,7 +4,6 @@
|
||||
pacman:
|
||||
name:
|
||||
- python-docker
|
||||
- "{{ matrix_ntpd_package }}"
|
||||
# TODO This needs to be verified. Which version do we need?
|
||||
- fuse3
|
||||
- python-dnspython
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
matrix_bot_mjolnir_enabled: true
|
||||
|
||||
matrix_bot_mjolnir_version: "v0.1.19"
|
||||
matrix_bot_mjolnir_version: "v1.1.20"
|
||||
|
||||
matrix_bot_mjolnir_container_image_self_build: false
|
||||
matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"
|
||||
|
@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
|
||||
matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
|
||||
matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
|
||||
|
||||
matrix_appservice_irc_version: release-0.30.0
|
||||
matrix_appservice_irc_version: release-0.31.0
|
||||
matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
|
||||
matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
@ -3,13 +3,20 @@
|
||||
|
||||
matrix_appservice_webhooks_enabled: true
|
||||
|
||||
matrix_appservice_webhooks_container_image_self_build: false
|
||||
matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks"
|
||||
matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}"
|
||||
matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile"
|
||||
|
||||
matrix_appservice_webhooks_version: latest
|
||||
matrix_appservice_webhooks_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
|
||||
matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
|
||||
matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
|
||||
matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config"
|
||||
matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data"
|
||||
matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks_base_path }}/docker-src"
|
||||
|
||||
# If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789")
|
||||
matrix_appservice_webhooks_public_endpoint: /appservice-webhooks
|
||||
|
@ -1,23 +1,47 @@
|
||||
---
|
||||
|
||||
- name: Ensure AppService webhooks paths exist
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- { path: "{{ matrix_appservice_webhooks_base_path }}", when: true }
|
||||
- { path: "{{ matrix_appservice_webhooks_config_path }}", when: true }
|
||||
- { path: "{{ matrix_appservice_webhooks_data_path }}", when: true }
|
||||
- { path: "{{ matrix_appservice_webhooks_docker_src_files_path }}", when: "{{ matrix_appservice_webhooks_container_image_self_build }}"}
|
||||
when: "item.when|bool"
|
||||
|
||||
- name: Ensure Appservice webhooks image is pulled
|
||||
docker_image:
|
||||
name: "{{ matrix_appservice_webhooks_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}"
|
||||
when: "not matrix_appservice_webhooks_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure AppService webhooks paths exist
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- "{{ matrix_appservice_webhooks_base_path }}"
|
||||
- "{{ matrix_appservice_webhooks_config_path }}"
|
||||
- "{{ matrix_appservice_webhooks_data_path }}"
|
||||
- block:
|
||||
- name: Ensure Appservice webhooks repository is present on self-build
|
||||
git:
|
||||
repo: "{{ matrix_appservice_webhooks_container_image_self_build_repo }}"
|
||||
dest: "{{ matrix_appservice_webhooks_docker_src_files_path }}"
|
||||
version: "{{ matrix_appservice_webhooks_container_image_self_build_repo_version }}"
|
||||
force: "yes"
|
||||
register: matrix_appservice_webhooks_git_pull_results
|
||||
|
||||
- name: Ensure Appservice webhooks Docker image is built
|
||||
docker_image:
|
||||
name: "{{ matrix_appservice_webhooks_docker_image }}"
|
||||
source: build
|
||||
force_source: "{{ matrix_appservice_webhooks_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: "{{ matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path }}"
|
||||
path: "{{ matrix_appservice_webhooks_docker_src_files_path }}"
|
||||
pull: yes
|
||||
when: "matrix_appservice_webhooks_container_image_self_build|bool"
|
||||
|
||||
- name: Ensure Matrix Appservice webhooks config is installed
|
||||
copy:
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
matrix_beeper_linkedin_enabled: true
|
||||
|
||||
matrix_beeper_linkedin_version: v0.5.0
|
||||
matrix_beeper_linkedin_version: v0.5.1
|
||||
# See: https://gitlab.com/beeper/linkedin/container_registry
|
||||
matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64"
|
||||
matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}"
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
matrix_heisenbridge_enabled: true
|
||||
|
||||
matrix_heisenbridge_version: 1.0.1
|
||||
matrix_heisenbridge_version: 1.2.1
|
||||
matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
|
||||
matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
|
||||
matrix_client_element_container_image_self_build: false
|
||||
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
|
||||
|
||||
matrix_client_element_version: v1.8.4
|
||||
matrix_client_element_version: v1.9.0
|
||||
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
|
||||
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
|
||||
|
@ -15,7 +15,7 @@
|
||||
- name: Generate Etherpad proxying configuration for matrix-nginx-proxy
|
||||
set_fact:
|
||||
matrix_etherpad_matrix_nginx_proxy_configuration: |
|
||||
rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
|
||||
rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
|
||||
|
||||
location {{ matrix_etherpad_public_endpoint }}/ {
|
||||
{% if matrix_nginx_proxy_enabled|default(False) %}
|
||||
@ -27,7 +27,7 @@
|
||||
proxy_http_version 1.1; # recommended with keepalive connections
|
||||
proxy_pass_header Server;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used
|
||||
# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
matrix_grafana_enabled: false
|
||||
|
||||
matrix_grafana_version: 8.1.3
|
||||
matrix_grafana_version: 8.1.4
|
||||
matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
|
||||
matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
matrix_nginx_proxy_enabled: true
|
||||
matrix_nginx_proxy_version: 1.21.1-alpine
|
||||
matrix_nginx_proxy_version: 1.21.3-alpine
|
||||
|
||||
# We use an official nginx image, which we fix-up to run unprivileged.
|
||||
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
||||
@ -40,6 +40,12 @@ matrix_nginx_proxy_container_extra_arguments: []
|
||||
# - services are served directly from the HTTP vhost
|
||||
matrix_nginx_proxy_https_enabled: true
|
||||
|
||||
# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header
|
||||
#
|
||||
# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.
|
||||
matrix_nginx_proxy_trust_forwarded_proto: false
|
||||
matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"
|
||||
|
||||
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
|
||||
@ -177,6 +183,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:809
|
||||
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
||||
matrix_nginx_proxy_proxy_synapse_metrics: false
|
||||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
||||
# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.
|
||||
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
|
||||
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
|
||||
# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
|
||||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
||||
|
||||
# The addresses where the Matrix Client API is.
|
||||
@ -426,7 +436,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: []
|
||||
|
||||
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
||||
matrix_ssl_lets_encrypt_staging: false
|
||||
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.18.0"
|
||||
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.20.0"
|
||||
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
|
||||
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
||||
matrix_ssl_lets_encrypt_support_email: ~
|
||||
|
@ -88,7 +88,7 @@ server {
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
|
@ -20,13 +20,13 @@
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
|
||||
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
|
||||
location /.well-known/matrix {
|
||||
@ -59,7 +59,7 @@
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
@ -77,7 +77,7 @@
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
@ -112,7 +112,7 @@
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
@ -137,7 +137,7 @@
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
|
||||
@ -152,7 +152,7 @@
|
||||
#}
|
||||
location ~* ^/$ {
|
||||
{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
|
||||
return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
|
||||
return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
|
||||
{% else %}
|
||||
rewrite ^/$ /_matrix/static/ last;
|
||||
{% endif %}
|
||||
@ -215,12 +215,12 @@ server {
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
@ -262,7 +262,7 @@ server {
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
@ -283,7 +283,7 @@ server {
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
|
||||
|
@ -71,7 +71,7 @@
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
tcp_nodelay on;
|
||||
}
|
||||
{% endmacro %}
|
||||
@ -128,7 +128,7 @@ server {
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
|
@ -29,7 +29,7 @@
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
@ -85,7 +85,7 @@ server {
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
|
@ -22,7 +22,8 @@ matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}
|
||||
matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.13{{ matrix_postgres_docker_image_suffix }}"
|
||||
matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.8{{ matrix_postgres_docker_image_suffix }}"
|
||||
matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.4{{ matrix_postgres_docker_image_suffix }}"
|
||||
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}"
|
||||
matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.0{{ matrix_postgres_docker_image_suffix }}"
|
||||
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}"
|
||||
|
||||
# This variable is assigned at runtime. Overriding its value has no effect.
|
||||
matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}'
|
||||
|
@ -54,3 +54,8 @@
|
||||
set_fact:
|
||||
matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}"
|
||||
when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')"
|
||||
|
||||
- name: Determine corresponding Docker image to detected version (use 13.x, if detected)
|
||||
set_fact:
|
||||
matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v13 }}"
|
||||
when: "matrix_postgres_detected_version == '13' or matrix_postgres_detected_version.startswith('13.')"
|
||||
|
@ -22,8 +22,8 @@
|
||||
- name: Generate matrix-registration proxying configuration for matrix-nginx-proxy
|
||||
set_fact:
|
||||
matrix_registration_matrix_nginx_proxy_configuration: |
|
||||
rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
|
||||
rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
|
||||
rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
|
||||
rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
|
||||
|
||||
location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
|
||||
{% if matrix_nginx_proxy_enabled|default(False) %}
|
||||
|
@ -22,7 +22,7 @@
|
||||
- name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy
|
||||
set_fact:
|
||||
matrix_synapse_admin_matrix_nginx_proxy_configuration: |
|
||||
rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
|
||||
rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
|
||||
|
||||
location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
|
||||
{% if matrix_nginx_proxy_enabled|default(False) %}
|
||||
|
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
|
||||
# amd64 gets released first.
|
||||
# arm32 relies on self-building, so the same version can be built immediately.
|
||||
# arm64 users need to wait for a prebuilt image to become available.
|
||||
matrix_synapse_version: v1.42.0
|
||||
matrix_synapse_version_arm64: v1.42.0
|
||||
matrix_synapse_version: v1.44.0
|
||||
matrix_synapse_version_arm64: v1.44.0
|
||||
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
|
||||
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
|
||||
|
||||
|
@ -357,6 +357,24 @@ update_user_directory: false
|
||||
daemonize: false
|
||||
{% endif %}
|
||||
|
||||
# Connection settings for the manhole
|
||||
#
|
||||
manhole_settings:
|
||||
# The username for the manhole. This defaults to 'matrix'.
|
||||
#
|
||||
#username: manhole
|
||||
|
||||
# The password for the manhole. This defaults to 'rabbithole'.
|
||||
#
|
||||
#password: mypassword
|
||||
|
||||
# The private and public SSH key pair used to encrypt the manhole traffic.
|
||||
# If these are left unset, then hardcoded and non-secret keys are used,
|
||||
# which could allow traffic to be intercepted if sent over a public network.
|
||||
#
|
||||
#ssh_priv_key_path: /data/id_rsa
|
||||
#ssh_pub_key_path: /data/id_rsa.pub
|
||||
|
||||
# Forward extremities can build up in a room due to networking delays between
|
||||
# homeservers. Once this happens in a large room, calculation of the state of
|
||||
# that room can become quite expensive. To mitigate this, once the number of
|
||||
@ -2258,7 +2276,7 @@ password_config:
|
||||
#
|
||||
#require_lowercase: true
|
||||
|
||||
# Whether a password must contain at least one lowercase letter.
|
||||
# Whether a password must contain at least one uppercase letter.
|
||||
# Defaults to 'false'.
|
||||
#
|
||||
#require_uppercase: true
|
||||
@ -2594,12 +2612,16 @@ user_directory:
|
||||
#enabled: false
|
||||
|
||||
# Defines whether to search all users visible to your HS when searching
|
||||
# the user directory, rather than limiting to users visible in public
|
||||
# rooms. Defaults to false.
|
||||
# the user directory. If false, search results will only contain users
|
||||
# visible in public rooms and users sharing a room with the requester.
|
||||
# Defaults to false.
|
||||
#
|
||||
# If you set it true, you'll have to rebuild the user_directory search
|
||||
# indexes, see:
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
|
||||
# NB. If you set this to true, and the last time the user_directory search
|
||||
# indexes were (re)built was before Synapse 1.44, you'll have to
|
||||
# rebuild the indexes in order to search through all known users.
|
||||
# These indexes are built the first time Synapse starts; admins can
|
||||
# manually trigger a rebuild following the instructions at
|
||||
# https://matrix-org.github.io/synapse/latest/user_directory.html
|
||||
#
|
||||
# Uncomment to return search results containing all known users, even if that
|
||||
# user does not share a room with the requester.
|
||||
|
@ -32,6 +32,8 @@ matrix_synapse_workers_generic_worker_endpoints:
|
||||
- ^/_matrix/federation/v1/user/devices/
|
||||
- ^/_matrix/federation/v1/get_groups_publicised$
|
||||
- ^/_matrix/key/v2/query
|
||||
- ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/
|
||||
- ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/
|
||||
|
||||
# Inbound federation transaction request
|
||||
- ^/_matrix/federation/v1/send/
|
||||
@ -43,6 +45,9 @@ matrix_synapse_workers_generic_worker_endpoints:
|
||||
- ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$
|
||||
- ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$
|
||||
- ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$
|
||||
- ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$
|
||||
- ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$
|
||||
- ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
|
||||
- ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$
|
||||
- ^/_matrix/client/(api/v1|r0|unstable)/devices$
|
||||
- ^/_matrix/client/(api/v1|r0|unstable)/keys/query$
|
||||
|
Loading…
Reference in New Issue
Block a user