From 3a9fe48deb025b5d49256675bf563f81c39f910b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Nov 2021 11:32:06 +0200 Subject: [PATCH 01/45] Make matrix-nginx-proxy's X-Forwarded-For header customizable Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1393 --- docs/configuring-playbook-own-webserver.md | 3 +++ roles/matrix-nginx-proxy/defaults/main.yml | 5 +++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../nginx/conf.d/matrix-client-hydrogen.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 6 +++--- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 +- 10 files changed, 23 insertions(+), 15 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 6a33ffbe1..0f525df81 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -111,6 +111,9 @@ matrix_coturn_enabled: false # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. matrix_nginx_proxy_trust_forwarded_proto: true + +# Trust and use the other reverse proxy's `X-Forwarded-For` header. +matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' ``` With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5a4a873cc..a2a2a6b9e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -382,6 +382,11 @@ matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" +# Specifies what to use for the X-Forwarded-For variable. +# If you're fronting the nginx reverse-proxy with additional reverse-proxy servers, +# you may wish to set this to '$proxy_add_x_forwarded_for' instead. +matrix_nginx_proxy_x_forwarded_for: '$remote_addr' + # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 79269f434..e5589f555 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -27,7 +27,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 095d5fcff..dea91b212 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -35,7 +35,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index c0794205b..e9428c557 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -33,7 +33,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 292cc4c28..07347be62 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -30,7 +30,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 02201b9cc..4abcd40a0 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -58,7 +58,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -76,7 +76,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -94,7 +94,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endif %} @@ -111,7 +111,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -136,7 +136,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; @@ -284,7 +284,7 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 209c1cd0c..def67f666 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -37,7 +37,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 7fccce945..54b8ea436 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -30,7 +30,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } # colibri (JVB) websockets @@ -45,7 +45,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -70,7 +70,7 @@ proxy_read_timeout 900s; proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; tcp_nodelay on; } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ba442b378..0f33c0a77 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -28,7 +28,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endmacro %} From ae45254d83387b349c4ce4daa142c41c6252bcf3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Nov 2021 11:34:30 +0200 Subject: [PATCH 02/45] Add missing headers in Traefik v2 example Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1393 --- docs/configuring-playbook-own-webserver.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 0f525df81..fb970ef03 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -139,6 +139,12 @@ matrix_nginx_proxy_https_enabled: false matrix_nginx_proxy_container_http_host_bind_port: '' matrix_nginx_proxy_container_federation_host_bind_port: '' +# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. +matrix_nginx_proxy_trust_forwarded_proto: true + +# Trust and use the other reverse proxy's `X-Forwarded-For` header. +matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' + # Disable Coturn because it needs SSL certs # (Clients can, though exposing IP address, use Matrix.org TURN) matrix_coturn_enabled: false From 87a2240dc268ff8fbd755dba41bdfb95a029694b Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:02:29 +0100 Subject: [PATCH 03/45] Create requirements.yml Add collections for simple awx compatiblity --- collections/requirements.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 collections/requirements.yml diff --git a/collections/requirements.yml b/collections/requirements.yml new file mode 100644 index 000000000..2872cc53a --- /dev/null +++ b/collections/requirements.yml @@ -0,0 +1,3 @@ +--- +collections: + - name: community.general.docker_network From 4d5d855ff1ca11f7729846b1b107dd906e848122 Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:03:28 +0100 Subject: [PATCH 04/45] Update requirements.yml Correct collections name --- collections/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/collections/requirements.yml b/collections/requirements.yml index 2872cc53a..afc836d72 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,3 +1,3 @@ --- collections: - - name: community.general.docker_network + - name: community.general From 65bb34c1ad09ea7b674c15d053df7b8ab953eccc Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:15:34 +0100 Subject: [PATCH 05/45] Update requirements.yml Use correct collection for docker commands --- collections/requirements.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/requirements.yml b/collections/requirements.yml index afc836d72..9d365441f 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,3 +1,4 @@ --- collections: - name: community.general + - name: community.docker From cfc79ebe2902fe6e0e69b10315e1e62520657279 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Nov 2021 09:21:05 +0200 Subject: [PATCH 06/45] Upgrade exim-relay (4.94.2-r0-5 -> 4.95-r0) --- roles/matrix-mailer/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index e60ea50f7..f006568f5 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0-5 +matrix_mailer_version: 4.95-r0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" From 61391647e9681968f65096223507c6645ad03acb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Nov 2021 15:25:18 +0200 Subject: [PATCH 07/45] Make /.well-known/matrix/client and /.well-known/matrix/server customizable We recently had someone need to inject additional configuration into `/.well-known/matrix/client` as described here: https://github.com/turt2live/matrix-dimension/blob/22b245bbd11f7067b09c5f17efc48fc9c629b743/docs/bigbluebutton.md#have-dimension-create-meetings-with-elements-video-call-button There may be other use cases as well. --- roles/matrix-base/defaults/main.yml | 66 ++++++++++++++++++++ roles/matrix-base/tasks/setup_well_known.yml | 8 +-- 2 files changed, 70 insertions(+), 4 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 6639c223c..4767bcf43 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -118,6 +118,72 @@ matrix_client_element_e2ee_secure_backup_required: false # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md matrix_client_element_e2ee_secure_backup_setup_methods: [] +# Default `/.well-known/matrix/client` configuration - it covers the generic use case. +# You can customize it by controlling the various variables inside the template file that it references. +# +# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}" + +# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_well_known_matrix_client_configuration`. +# +# Example configuration extension follows: +# +# matrix_well_known_matrix_client_configuration_extension_json: | +# { +# "io.element.call_behaviour": { +# "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state" +# } +# } +matrix_well_known_matrix_client_configuration_extension_json: '{}' + +matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json|from_json if matrix_well_known_matrix_client_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`. +matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default|combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}" + +# Default `/.well-known/matrix/server` configuration - it covers the generic use case. +# You can customize it by controlling the various variables inside the template file that it references. +# +# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}" + +# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_well_known_matrix_server_configuration`. +# +# Example configuration extension follows: +# +# matrix_well_known_matrix_server_configuration_extension_json: | +# { +# "something": "another" +# } +matrix_well_known_matrix_server_configuration_extension_json: '{}' + +matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json|from_json if matrix_well_known_matrix_server_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`. +matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default|combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}" + # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 3b81ce1e3..11ee48b92 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -13,16 +13,16 @@ - "{{ matrix_static_files_base_path }}/.well-known/matrix" - name: Ensure Matrix /.well-known/matrix/client file configured - template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2" + copy: + content: "{{ matrix_well_known_matrix_client_configuration|to_nice_json }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - name: Ensure Matrix /.well-known/matrix/server file configured - template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2" + copy: + content: "{{ matrix_well_known_matrix_server_configuration|to_nice_json }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" mode: 0644 owner: "{{ matrix_user_username }}" From ab602385180944c403ff9aafd88944b3bf9f5cc5 Mon Sep 17 00:00:00 2001 From: Christos Karamolegkos Date: Fri, 26 Nov 2021 19:51:05 +0200 Subject: [PATCH 08/45] Support encrypted matrix_synapse_macaroon_secret_key This change forces ansible to decrypt the variable with ansible-vault if encrypted, to avoid the error '{"msg": "Unexpected templating type error occurred on ({{ matrix_synapse_macaroon_secret_key | password_hash('sha512') }}): secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode"}' Every other variable in the playbook was found to have no problems with encryption. The change has no negative impact on non-encrypted matrix_synapse_macaroon_secret_key. --- group_vars/matrix_servers | 146 +++++++++++++++++++------------------- 1 file changed, 73 insertions(+), 73 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 377c27cd2..7b2a74947 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -79,14 +79,14 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -111,12 +111,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" -matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ @@ -150,12 +150,12 @@ matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" -matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" -matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ @@ -168,7 +168,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -205,12 +205,12 @@ matrix_appservice_irc_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -240,15 +240,15 @@ matrix_beeper_linkedin_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" ###################################################################### # @@ -278,9 +278,9 @@ matrix_mautrix_facebook_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" -matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -289,7 +289,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" ###################################################################### # @@ -320,9 +320,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -330,7 +330,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" ###################################################################### # @@ -361,9 +361,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -371,7 +371,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" ###################################################################### # @@ -402,9 +402,9 @@ matrix_mautrix_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -413,7 +413,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" ###################################################################### # @@ -448,14 +448,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -491,11 +491,11 @@ matrix_mautrix_telegram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" @@ -503,7 +503,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" ###################################################################### # @@ -533,15 +533,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" ###################################################################### # @@ -567,10 +567,10 @@ matrix_sms_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" ###################################################################### # @@ -587,9 +587,9 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ @@ -626,15 +626,15 @@ matrix_mx_puppet_skype_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}" +matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" -matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" +matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" ###################################################################### # @@ -665,15 +665,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" ###################################################################### # @@ -703,9 +703,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -713,7 +713,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" ###################################################################### # @@ -744,15 +744,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" ###################################################################### # @@ -782,15 +782,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" ###################################################################### # @@ -820,15 +820,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" ###################################################################### # @@ -858,15 +858,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" ###################################################################### # @@ -896,7 +896,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### @@ -1068,7 +1068,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" ###################################################################### # @@ -1093,7 +1093,7 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'etherpad.db') | to_uuid }}" +matrix_etherpad_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" ###################################################################### # @@ -1152,9 +1152,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" -matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" +matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" matrix_jitsi_web_stun_servers: | {{ @@ -1257,7 +1257,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" ###################################################################### # @@ -1746,7 +1746,7 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" -matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -1897,7 +1897,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp ###################################################################### matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ @@ -1973,7 +1973,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" ###################################################################### # From 8e1463a6a156535f532f7afd161911a42caa6864 Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Sun, 28 Nov 2021 21:59:33 -0500 Subject: [PATCH 09/45] Update matrix-bridge-mautrix-telegram version --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index a105621a6..f7c98950f 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mautrix_telegram_container_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.10.1 +matrix_mautrix_telegram_version: v0.10.2 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" From 1472958e25c729f3fb9f6c018c2df947bcae97aa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Nov 2021 16:35:23 +0200 Subject: [PATCH 10/45] Upgrade Synapse (1.47.1 -> 1.48.0) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- .../templates/synapse/homeserver.yaml.j2 | 14 ++++++++++---- roles/matrix-synapse/vars/workers.yml | 10 +++++----- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 56d448df1..e888ac92b 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.47.1 -matrix_synapse_version_arm64: v1.47.1 +matrix_synapse_version: v1.48.0 +matrix_synapse_version_arm64: v1.48.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 042ea0839..f27fcb067 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -667,8 +667,8 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # #federation_certificate_verification_whitelist: # - lon.example.com -# - *.domain.com -# - *.onion +# - "*.domain.com" +# - "*.onion" # List of custom certificate authorities for federation traffic. # @@ -2229,6 +2229,12 @@ sso: # #algorithm: "provided-by-your-issuer" + # Name of the claim containing a unique identifier for the user. + # + # Optional, defaults to `sub`. + # + #subject_claim: "sub" + # The issuer to validate the "iss" claim against. # # Optional, if provided the "iss" claim will be required and @@ -2637,8 +2643,8 @@ user_directory: # indexes were (re)built was before Synapse 1.44, you'll have to # rebuild the indexes in order to search through all known users. # These indexes are built the first time Synapse starts; admins can - # manually trigger a rebuild following the instructions at - # https://matrix-org.github.io/synapse/latest/user_directory.html + # manually trigger a rebuild via API following the instructions at + # https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run # # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index def223f8b..2d6f393ad 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints: # expressions: # Sync requests - - ^/_matrix/client/(v2_alpha|r0|v3)/sync$ - - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$ - - ^/_matrix/client/(api/v1|r0|v3)/initialSync$ - - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ + - ^/_matrix/client/(v2_alpha|r0)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ + - ^/_matrix/client/(api/v1|r0)/initialSync$ + - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ # Federation requests - ^/_matrix/federation/v1/event/ @@ -63,7 +63,7 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - - ^/_matrix/client/(r0|v3|unstable)/register$ + - ^/_matrix/client/(r0|unstable)/register$ - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$ # Event sending requests From c2c68f814b02832b54ddfeda45a7dd6a84aa2c72 Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Tue, 30 Nov 2021 22:07:04 +0100 Subject: [PATCH 11/45] Update importing-postgres.md typos an suggestion to expand search/replace statement to not replace on wrong places. --- docs/importing-postgres.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 925ed14db..b72e7694b 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -48,7 +48,7 @@ where `synapse_user` is the database username from the previous Synapse installa This can be verified by examining the dump for ALTER TABLE statements which set OWNER TO that username: ```Shell -$ grep "ALTER TABLE" homeserver.sql" +$ grep "ALTER TABLE" homeserver.sql ALTER TABLE public.access_tokens OWNER TO synapse_user; ALTER TABLE public.account_data OWNER TO synapse_user; ALTER TABLE public.account_data_max_stream_id OWNER TO synapse_user; @@ -60,10 +60,10 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user; It can be worked around by changing the username to `synapse`, for example by using `sed`: ```Shell -$ sed -i "s/synapse_user/synapse/g" homeserver.sql +$ sed -i "s/OWNER TO synapse_user;/OWNER TO synapse;/g" homeserver.sql ``` -This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. +This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse_user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. Expand search/replace statement as shown in example above, in case of old user name like `matrix` - replacing `matrix` only would... well - you can imagine. Note that if the previous import failed with an error it may have made changes which are incompatible with re-running the import task right away; if you do so it may fail with an error such as: From d584b44f1057fc2ce2d95fa0fa2c816e78ffb6a4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Dec 2021 08:13:06 +0200 Subject: [PATCH 12/45] Upgrade matrix-corporal (2.2.1 -> 2.2.2) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index dfc71479c..aede4d505 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.2.1 +matrix_corporal_version: 2.2.2 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From 27e1451cbcc550abd66253fc88f84b9682aad4e8 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:31:57 +0100 Subject: [PATCH 13/45] Update main.yml --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 8e4bd7bb1..8998e3685 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.2.2 +matrix_grafana_version: 8.3.0 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 3f0e8122eccfe4bde89f9323e0e04efc6e61d7cd Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:41:12 +0100 Subject: [PATCH 14/45] Update prometheus --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 1cbeed8bb..d76ce7442 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.30.3 +matrix_prometheus_version: v2.31.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 229b93d7c8f6a8de1e2a6ea56de53016cafc3eb4 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:54:57 +0100 Subject: [PATCH 15/45] Update redis (6.2.4 -> 6.2.6) --- roles/matrix-redis/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index 409c7926f..355679d05 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,7 +5,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 6.2.4-alpine +matrix_redis_version: 6.2.6-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' From 20bc3eb24b06be3ed6380c653f3dafb333360895 Mon Sep 17 00:00:00 2001 From: Jan <31133207+Jaffex@users.noreply.github.com> Date: Sat, 4 Dec 2021 22:04:25 +0100 Subject: [PATCH 16/45] Update signal bridge configuration template --- .../templates/config.yaml.j2 | 73 +++++++++++++++---- 1 file changed, 57 insertions(+), 16 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 19c3ba053..0498d6ea5 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -15,6 +15,8 @@ homeserver: # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. # The bridge will use the appservice as_token to authorize requests. status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null # Application service host/registration related details # Changing these values requires regeneration of the registration. @@ -32,25 +34,19 @@ appservice: # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 - # The full URI to the database. Only Postgres is currently supported. + # The full URI to the database. SQLite and Postgres are supported. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname database: {{ matrix_mautrix_signal_database_connection_string }} - # Additional arguments for asyncpg.create_pool() + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. database_opts: min_size: 5 max_size: 10 - # Provisioning API part of the web server for automated portal creation and fetching information. - # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). - provisioning: - # Whether or not the provisioning API should be enabled. - enabled: true - # The prefix to use in the provisioning API endpoints. - prefix: /_matrix/provision/v1 - # The shared secret to authorize users of the API. - # Set to "generate" to generate and save a new token. - shared_secret: generate - # The unique ID of this appservice. id: signal # Username of the appservice bot. @@ -66,7 +62,12 @@ appservice: # Example: "+signal:example.com". Set to false to disable. community_id: false - # Authentication tokens for AS <-> HS communication. + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: "{{ matrix_mautrix_signal_appservice_token }}" hs_token: "{{ matrix_mautrix_signal_homeserver_token }}" @@ -75,6 +76,17 @@ metrics: enabled: false listen_port: 8000 +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-signal.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 + signal: # Path to signald unix socket socket_path: /signald/signald.sock @@ -91,6 +103,8 @@ signal: delete_unknown_accounts_on_start: false # Whether or not message attachments should be removed from disk after they're bridged. remove_file_after_handling: true + # Whether or not users can register a primary device + registration_enabled: true # Bridge config bridge: @@ -102,6 +116,7 @@ bridge: # available variable in displayname_preference. The variables in displayname_preference # can also be used here directly. displayname_template: "{displayname} (Signal)" + # Whether or not contact list displaynames should be used. # Possible values: disallow, allow, prefer # # Multi-user instances are recommended to disallow contact list names, as otherwise there can @@ -140,7 +155,7 @@ bridge: # If false, created portal rooms will never be federated. federate_rooms: true # End-to-bridge encryption support options. You must install the e2be optional dependency for - # this to work. See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html + # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled allow: false @@ -173,12 +188,38 @@ bridge: # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false - # Interval at which to resync contacts. + # Interval at which to resync contacts (in seconds). periodic_sync: 0 + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + # The prefix for commands. Only required in non-management rooms. command_prefix: "!signal" + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Signal bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `register` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # Send each message separately (for readability in some clients) + management_room_multiple_messages: false + # Permissions for using the bridge. # Permitted values: # relay - Allowed to be relayed through the bridge, no access to commands. From d51a9118d348c54a6567e47d8632148b6a407579 Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Sun, 5 Dec 2021 09:41:00 +0100 Subject: [PATCH 17/45] Update importing-postgres.md with individual DB and repeat-import information (#1437) * Update importing-postgres.md Additional deatails, mostly on repeating import. Structure troubleshouting section. * Update importing-postgres.md removing -K * Fix path typo Co-authored-by: Slavi Pantaleev --- docs/importing-postgres.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index b72e7694b..c5a8d8286 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -12,7 +12,8 @@ If your database name differs, be sure to change `matrix_synapse_database_databa The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`). -Importing multiple databases (as dumped by `pg_dumpall`) is also supported. +Importing multiple databases (as dumped by `pg_dumpall`) is also supported. +But the migration might be a good moment, to "reset" a not properly working bridge. Be aware, that it might affect all users (new link to bridge, new roomes, ...) Before doing the actual import, **you need to upload your Postgres dump file to the server** (any path is okay). @@ -32,6 +33,7 @@ ansible-playbook -i inventory/hosts setup.yml \ ## Troubleshooting +### Table Ownership A table ownership issue can occur if you are importing from a Synapse installation which was both: - migrated from SQLite to Postgres, and @@ -71,6 +73,8 @@ Note that if the previous import failed with an error it may have made changes w ERROR: relation \"access_tokens\" already exists ``` +### Repeat import + In this case you can use the command suggested in the import task to clear the database before retrying the import: ```Shell @@ -79,4 +83,20 @@ In this case you can use the command suggested in the import task to clear the d # systemctl start matrix-postgres ``` -Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. +Now on your local machine run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-postgres` to prepare the database roles etc. + +If not, you probably get this error. `synapse` is the correct table owner, but the role is missing in database. +``` +"ERROR: role synapse does not exist" +``` + +Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. +Check, if `--dbname` is set to `synapse` (not `matrix`) and replace paths (or even better, copy this line from your terminal) + +``` +/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:14.1-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse" +``` + +### Hints + +To open psql terminal run `/usr/local/bin/matrix-postgres-cli` From 9babaa5a2bfd9dd982ac3338d350e83186c666bb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Dec 2021 13:40:01 +0200 Subject: [PATCH 18/45] Fix mx-puppet-discord media URLs using container-network URLs (http://matrix-nginx-proxy:12080) --- .../matrix-bridge-mx-puppet-discord/defaults/main.yml | 2 ++ .../templates/config.yaml.j2 | 10 +++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 1113bb1c4..cd9c1477f 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -27,6 +27,8 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' +matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}" + # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 93c0a491e..edb0c280b 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -9,17 +9,17 @@ bridge: domain: {{ matrix_mx_puppet_discord_homeserver_domain }} # Reachable URL of the Matrix homeserver homeserverUrl: {{ matrix_mx_puppet_discord_homeserver_address }} + # Optionally specify a different media URL used for the media store + # + # This is where Discord will download user profile pictures and media + # from + mediaUrl: {{ matrix_mx_puppet_discord_bridge_mediaUrl }} {% if matrix_mx_puppet_discord_login_shared_secret != '' %} loginSharedSecretMap: {{ matrix_domain }}: {{ matrix_mx_puppet_discord_login_shared_secret }} {% endif %} # Display name of the bridge bot displayname: Discord Puppet Bridge - # Optionally specify a different media URL used for the media store - # - # This is where Discord will download user profile pictures and media - # from - #mediaUrl: https://external-url.org presence: # Bridge Discord online/offline status From 391e095cb95a1426b89efeaa2f79b5a90e3bc383 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Mon, 6 Dec 2021 19:56:13 +0100 Subject: [PATCH 19/45] Update main.yml --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index b05f0d853..d1a6a73a5 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.5 +matrix_client_element_version: v1.9.6 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From ff720bedce2c6c2ae83784aacd41253787141900 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Dec 2021 19:43:14 +0200 Subject: [PATCH 20/45] Upgrade matrix-postgres-backup default to v14 Related to c08880d175fdbb73778 --- roles/matrix-postgres-backup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index e1f252fe0..efce36562 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -33,7 +33,7 @@ matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_pr matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" +matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v14 }}" # This variable is assigned at runtime. Overriding its value has no effect. matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' From 18daf8f3da249f38086278c11182ed7dacb062cf Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Tue, 7 Dec 2021 21:52:49 +0100 Subject: [PATCH 21/45] Update Grafana from 8.3.0 to 8.3.1 due to Security Flaw https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 8998e3685..37202d6d6 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.3.0 +matrix_grafana_version: 8.3.1 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 0071828503a63fdeb57d7a80d411b081811130fd Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 8 Dec 2021 08:37:55 +0000 Subject: [PATCH 22/45] Run `workers-doc-to-yaml.sh` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1472958e25c729f3fb9f6c018c2df947bcae97aa reverted some of the v3 changes. I'm not sure why. Running the `workers-doc-to-yaml.sh` script now puts them back 🤷‍♂️. --- roles/matrix-synapse/vars/workers.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 2d6f393ad..def223f8b 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints: # expressions: # Sync requests - - ^/_matrix/client/(v2_alpha|r0)/sync$ - - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ - - ^/_matrix/client/(api/v1|r0)/initialSync$ - - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ + - ^/_matrix/client/(v2_alpha|r0|v3)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$ + - ^/_matrix/client/(api/v1|r0|v3)/initialSync$ + - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ # Federation requests - ^/_matrix/federation/v1/event/ @@ -63,7 +63,7 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - - ^/_matrix/client/(r0|unstable)/register$ + - ^/_matrix/client/(r0|v3|unstable)/register$ - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$ # Event sending requests From 421b055cb5f09d104d4d31036dde5f48f22a4987 Mon Sep 17 00:00:00 2001 From: Aaron R Date: Wed, 8 Dec 2021 04:09:09 -0600 Subject: [PATCH 23/45] Fix comment about `matrix_mautrix_whatsapp_database_*` variables Was renamed in 087dbe4ddc80ba6308e7ee98391ea475354e8860 It is unclear to me if there is anything you actually need to adjust with these variables. It looks like that is done automatically in `matrix_servers`. --- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 3d630fcfd..81c451cf4 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -42,7 +42,7 @@ matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot # # To use Postgres: # - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_whatsapp_database_*` variables matrix_mautrix_whatsapp_database_engine: 'sqlite' matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" From fac497faa58e3f9b40075ec910c810eb76436f08 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 8 Dec 2021 10:13:12 +0000 Subject: [PATCH 24/45] Fix comments in other roles --- roles/matrix-bridge-appservice-discord/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-googlechat/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-registration/defaults/main.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 9b9284dc3..92a51a31c 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -48,7 +48,7 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false # # To use Postgres: # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables +# - adjust your database credentials via the `matrix_appservice_discord_database_*` variables matrix_appservice_discord_database_engine: 'sqlite' matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 2b453babe..5d83e9cc2 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -42,7 +42,7 @@ matrix_mautrix_facebook_homeserver_token: '' # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables matrix_mautrix_facebook_database_engine: 'postgres' matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" diff --git a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml index 22f863fff..02bef16aa 100644 --- a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -47,7 +47,7 @@ matrix_mautrix_googlechat_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_googlechat_database_*` variables matrix_mautrix_googlechat_database_engine: 'sqlite' matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index fa46d33c9..013e1d14a 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -47,7 +47,7 @@ matrix_mautrix_hangouts_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_hangouts_database_*` variables matrix_mautrix_hangouts_database_engine: 'sqlite' matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index a648018ec..e1a1bddab 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -37,7 +37,7 @@ matrix_mautrix_instagram_homeserver_token: '' # Database-related configuration fields. # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables matrix_mautrix_instagram_database_engine: 'postgres' matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram' diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index f7c98950f..45a7d6e88 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -63,7 +63,7 @@ matrix_mautrix_telegram_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_telegram_database_*` variables matrix_mautrix_telegram_database_engine: 'sqlite' matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fc1f17a65..10f8b13a8 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -48,7 +48,7 @@ matrix_dimension_homeserver_federationUrl: "" # # To use Postgres: # - change the engine (`matrix_dimension_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_dimension_postgres_*` variables +# - adjust your database credentials via the `matrix_dimension_database_*` variables matrix_dimension_database_engine: 'sqlite' matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 6929f5cd9..f0e96effc 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -48,7 +48,7 @@ matrix_ma1sd_matrixorg_forwarding_enabled: false # # To use Postgres: # - change the engine (`matrix_ma1sd_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables +# - adjust your database credentials via the `matrix_ma1sd_database_*` variables matrix_ma1sd_database_engine: 'sqlite' matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db" diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index e03891b2e..4705fb5eb 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -38,7 +38,7 @@ matrix_registration_container_http_host_bind_port: '' # # To use Postgres: # - change the engine (`matrix_registration_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_registration_postgres_*` variables +# - adjust your database credentials via the `matrix_registration_database_*` variables matrix_registration_database_engine: 'sqlite' matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3" From 286871b9b59a652c89b8d4b911ce208c14d275b1 Mon Sep 17 00:00:00 2001 From: John M Date: Sun, 28 Nov 2021 04:31:06 +0000 Subject: [PATCH 25/45] Add self-build for Dimension Add a self-build option for the Dimension Dockerfile. - This helps further support arm64 hosts (i.e. A1.Flex w/Oracle) --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 ++ roles/matrix-dimension/defaults/main.yml | 8 ++++++- .../matrix-dimension/tasks/setup_install.yml | 23 +++++++++++++++++++ 4 files changed, 33 insertions(+), 1 deletion(-) diff --git a/docs/self-building.md b/docs/self-building.md index 82726bb78..9ff28e4c5 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -18,6 +18,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-registration` - `matrix-coturn` - `matrix-corporal` +- `matrix-dimension` - `matrix-ma1sd` - `matrix-mailer` - `matrix-bridge-appservice-irc` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7b2a74947..64ec0bd12 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1045,6 +1045,8 @@ matrix_coturn_container_additional_volumes: | matrix_dimension_enabled: false +matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Dimension HTTP port to the local host. diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fc1f17a65..6e1ad512d 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -10,10 +10,16 @@ matrix_dimension_admins: [] # Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates matrix_dimension_widgets_allow_self_signed_ssl_certificates: false +matrix_dimension_container_image_self_build: false +matrix_dimension_container_image_self_build_repo: "https://github.com/turt2live/matrix-dimension.git" +matrix_dimension_container_image_self_build_branch: master + matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" +matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension" matrix_dimension_version: latest -matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_name_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image_name_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index 804be88d7..c75fc0b96 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -90,6 +90,29 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}" + when: "not matrix_dimension_container_image_self_build|bool" + register: matrix_dimension_pull_results + +- name: Ensure dimension repository is present on self-build + git: + repo: "{{ matrix_dimension_container_image_self_build_repo }}" + dest: "{{ matrix_dimension_docker_src_files_path }}" + version: "{{ matrix_dimension_container_image_self_build_branch }}" + force: "yes" + when: "matrix_dimension_container_image_self_build|bool" + register: matrix_dimension_git_pull_results + +- name: Ensure Dimension Docker image is built + docker_image: + name: "{{ matrix_dimension_docker_image }}" + source: build + force_source: "{{ matrix_dimension_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_dimension_docker_src_files_path }}" + pull: yes + when: "matrix_dimension_container_image_self_build|bool" - name: Ensure matrix-dimension.service installed template: From f2cd37685c8dfbc1579dfa18222865356695171d Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 19:52:05 -0300 Subject: [PATCH 26/45] Add support for Jitsi internal authentication user creation --- roles/matrix-jitsi/defaults/main.yml | 35 ++++++++++++++++--- .../tasks/setup_jitsi_prosody.yml | 21 +++++++---- .../tasks/util/setup_jitsi_auth.yml | 30 ++++++++++++++++ 3 files changed, 76 insertions(+), 10 deletions(-) create mode 100644 roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bef993e05..bdc553354 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -12,6 +12,9 @@ matrix_jitsi_enable_av_moderation: true # Authentication type, must be one of internal, jwt or ldap. Currently only # internal and ldap are supported by this playbook. matrix_jitsi_auth_type: internal +matrix_jitsi_prosody_auth_internal_accounts: + - username: "jitsti-moderator" + password: "" # Configuration options for LDAP authentication. For details see upstream: # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. @@ -41,16 +44,17 @@ matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi matrix_jitsi_xmpp_modules: '' +matrix_jitsi_xmpp_muc_modules: '' +matrix_jitsi_xmpp_muc_modules_internal: '' matrix_jitsi_recorder_domain: recorder.meet.jitsi - +matrix_jitsi_jibri_recorder_user: recorder +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri matrix_jitsi_jibri_xmpp_password: '' -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false @@ -205,7 +209,6 @@ matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' - matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" @@ -229,6 +232,30 @@ matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 +# JWT Auth +matrix_jitsi_auth_jwt_id: jitsi +matrix_jitsi_auth_jwt_secret: '' +matrix_jitsi_auth_jwt_accepted_issuers: '' +matrix_jitsi_authjwt_allow_empty: false + +# Jigasi SIP Gateway Configuration - Not Fully Implemented +matrix_jitsi_jigasi_auth_user: '' +matrix_jitsi_jigasi_auth_password: '' +#JIGASI_SIP_URI: '' # SIP URI for incoming / outgoing calls test@sip2sip.info +#JIGASI_SIP_PASSWORD: '' # Password for the specified SIP account passw0rd +#JIGASI_SIP_SERVER SIP: '' # server (use the SIP account domain if in doubt) sip2sip.info +#JIGASI_SIP_PORT SIP: '5060' # server port 5060 +#JIGASI_SIP_TRANSPORT: 'UDP' # SIP transport UDP +#DIALIN_NUMBERS_URL: 'https://jitsi.chs.chat/dial-in.json' # URL to the JSON with all Dial-In numbers. Example: https://meet.example.com/dialin.json +#CONFCODE_URL: '' # URL to the API for checking/generating Dial-In codes. Example: https://jitsi-api.jitsi.net/conferenceMapper +#GC_PROJECT_ID: # project_id from Google Cloud Credentials +#GC_PRIVATE_KEY_ID: # private_key_id from Google Cloud Credentials +#GC_PRIVATE_KEY: # private_key from Google Cloud Credentials +#GC_CLIENT_EMAIL: # client_email from Google Cloud Credentials +#GC_CLIENT_ID: # client_id from Google Cloud Credentials +#GC_CLIENT_CERT_URL: # client_x509_cert_url from Google Cloud Credentials + + # Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. # This configuration gets appended to the final configuration that Jitsi JVB uses. # diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 39a571ae6..25dee8ec7 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -25,14 +25,14 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" when: matrix_jitsi_enabled|bool -- name: Ensure jitsi-prosody environment variables file created +- name: Ensure jitsi-prosody environment variables file is created template: src: "{{ role_path }}/templates/prosody/env.j2" dest: "{{ matrix_jitsi_prosody_base_path }}/env" mode: 0640 when: matrix_jitsi_enabled|bool -- name: Ensure matrix-jitsi-prosody.service installed +- name: Ensure matrix-jitsi-prosody.service is installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" @@ -40,16 +40,25 @@ register: matrix_jitsi_prosody_systemd_service_result when: matrix_jitsi_enabled|bool -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation +- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation service: daemon_reload: yes when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" + +- name: Ensure authentication is properly configured + include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" + when: + - matrix_jitsi_enabled|bool + - matrix_jitsi_enable_auth|bool + + # # Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # -- name: Check existence of matrix-jitsi-prosody service +- name: Ensure matrix-jitsi-prosody service file exists stat: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat @@ -64,13 +73,13 @@ register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure matrix-jitsi-prosody.service doesn't exist +- name: Ensure matrix-jitsi-prosody service file doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal +- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal service: daemon_reload: yes when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml new file mode 100644 index 000000000..804e6526f --- /dev/null +++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml @@ -0,0 +1,30 @@ +--- + +# +# Tasks related to setting up Jitsi authentication mechanisms +# + +- name: Ensure matrix-jitsi-prosody container is running + systemd: + state: started + name: matrix-jitsi-prosody + +- name: Ensire Jitsi internal authentication users are created + shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + when: + - matrix_jitsi_auth_type == "internal" + + +# +# Configure other authentication mechanisms below +# + + +# +# End +# +- name: Ensure matrix-jitsi-prosody container is stopped + systemd: + state: stopped + name: matrix-jitsi-prosody \ No newline at end of file From dd1feffcc245a72217dec11dfc21db779ed5b176 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 20:14:18 -0300 Subject: [PATCH 27/45] Add support for Jitsi internal authentication user creation --- roles/matrix-jitsi/defaults/main.yml | 24 ------------------- .../tasks/setup_jitsi_prosody.yml | 8 +++---- 2 files changed, 4 insertions(+), 28 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bdc553354..617421263 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -232,30 +232,6 @@ matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 -# JWT Auth -matrix_jitsi_auth_jwt_id: jitsi -matrix_jitsi_auth_jwt_secret: '' -matrix_jitsi_auth_jwt_accepted_issuers: '' -matrix_jitsi_authjwt_allow_empty: false - -# Jigasi SIP Gateway Configuration - Not Fully Implemented -matrix_jitsi_jigasi_auth_user: '' -matrix_jitsi_jigasi_auth_password: '' -#JIGASI_SIP_URI: '' # SIP URI for incoming / outgoing calls test@sip2sip.info -#JIGASI_SIP_PASSWORD: '' # Password for the specified SIP account passw0rd -#JIGASI_SIP_SERVER SIP: '' # server (use the SIP account domain if in doubt) sip2sip.info -#JIGASI_SIP_PORT SIP: '5060' # server port 5060 -#JIGASI_SIP_TRANSPORT: 'UDP' # SIP transport UDP -#DIALIN_NUMBERS_URL: 'https://jitsi.chs.chat/dial-in.json' # URL to the JSON with all Dial-In numbers. Example: https://meet.example.com/dialin.json -#CONFCODE_URL: '' # URL to the API for checking/generating Dial-In codes. Example: https://jitsi-api.jitsi.net/conferenceMapper -#GC_PROJECT_ID: # project_id from Google Cloud Credentials -#GC_PRIVATE_KEY_ID: # private_key_id from Google Cloud Credentials -#GC_PRIVATE_KEY: # private_key from Google Cloud Credentials -#GC_CLIENT_EMAIL: # client_email from Google Cloud Credentials -#GC_CLIENT_ID: # client_id from Google Cloud Credentials -#GC_CLIENT_CERT_URL: # client_x509_cert_url from Google Cloud Credentials - - # Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. # This configuration gets appended to the final configuration that Jitsi JVB uses. # diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 25dee8ec7..d9b6fcba7 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -4,7 +4,7 @@ # Tasks related to setting up jitsi-prosody # -- name: Ensure Matrix jitsi-prosody path exists +- name: Ensure Matrix jitsi-prosody environment exists file: path: "{{ item.path }}" state: directory @@ -32,7 +32,7 @@ mode: 0640 when: matrix_jitsi_enabled|bool -- name: Ensure matrix-jitsi-prosody.service is installed +- name: Ensure matrix-jitsi-prosody.service file is installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" @@ -58,7 +58,7 @@ # Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # -- name: Ensure matrix-jitsi-prosody service file exists +- name: Ensure matrix-jitsi-prosody.service file exists stat: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat @@ -73,7 +73,7 @@ register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure matrix-jitsi-prosody service file doesn't exist +- name: Ensure matrix-jitsi-prosody.service file doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent From 7a7dc0033387d8586739141af713587f4a6c64ee Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 20:19:55 -0300 Subject: [PATCH 28/45] Update documentation to reflect added support for Jitsi internal authentication user creation --- docs/configuring-playbook-jitsi.md | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f4e4c9f36..940252b45 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -41,13 +41,21 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes]( If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. -Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: +Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true +matrix_jitsi_prosody_auth_internal_accounts: + - username: "jitsi-moderator" + password: "some-password" + - username: "other-user" + password: "some-other-password" ``` +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). + + ### (Optional) LDAP authentication The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: @@ -122,19 +130,6 @@ You may want to **limit the maximum video resolution**, to save up resources on Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -## Required if configuring Jitsi with internal authentication: register new users - -Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. -Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: - -```bash -docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register meet.jitsi -``` - -Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. - -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). - ## Usage From d086668f524d7859e52c581c252560c135323929 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 02:42:36 -0300 Subject: [PATCH 29/45] Ensure internal authentication users are properly configured --- roles/matrix-jitsi/tasks/validate_config.yml | 30 +++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index d2887b12c..8f874176b 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -3,14 +3,14 @@ - name: Fail if required Jitsi settings not defined fail: msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - If you had setup Jitsi successfully before and it's just now that you're observing this failure, - it means that your installation may be using some default passwords that the playbook used to define until now. - This is not secure and we urge you to rebuild your Jitsi setup. + If you had previously setup Jitsi successfully and are only now facing this error, + it means that your installation is most likely using default passwords previously defined by the playbook. + These defaults are insecure. Jitsi should be rebuilt with secure values. Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). when: "vars[item] == ''" with_items: @@ -19,6 +19,28 @@ - "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jvb_auth_password" + +- name: Fail if Jitsi internal authentication settings not defined + fail: + msg: >- + You must define the (`{{ item.username }}`) and (`{{ item.password }}`) configuration settings to properly configure an account using Jitsi's internal authentication. + + Please ensure you have defined at least one user and password when using internal authentication. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + If you had previously setup Jitsi successfully and are only now facing this error, + it means that your installation is most likely using default passwords previously defined by the playbook. + These defaults are insecure. Jitsi should be rebuilt with secure values. + Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). + when: + - matrix_jitsi_auth_type == "internal" + - item.username == '' + - item.password == '' + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + + - name: (Deprecation) Catch and report renamed settings fail: msg: >- From 6e38ce42d880d23c574d084c666060e17f0924a6 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:40:25 -0300 Subject: [PATCH 30/45] Added check before stopping service, fixed unnecessary checking of user attributes, and created sections to clarify the file's purpose --- .../tasks/util/setup_jitsi_auth.yml | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml index 804e6526f..66fb7e5d1 100644 --- a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml +++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml @@ -1,30 +1,43 @@ --- - # -# Tasks related to setting up Jitsi authentication mechanisms +# Start Necessary Services # - name: Ensure matrix-jitsi-prosody container is running systemd: state: started name: matrix-jitsi-prosody + register: matrix_jitsi_prosody_start_result -- name: Ensire Jitsi internal authentication users are created + +# +# Tasks related to configuring Jitsi internal authentication +# + +- name: Ensure Jitsi internal authentication users are configured shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" when: - matrix_jitsi_auth_type == "internal" + - matrix_jitsi_prosody_auth_internal_accounts|length > 0 # -# Configure other authentication mechanisms below +# Tasks related to configuring other Jitsi authentication mechanisms +# + + + +# +# Tasks related to cleaning after Jitsi authentication configuration # # -# End +# Stop Necessary Services # -- name: Ensure matrix-jitsi-prosody container is stopped +- name: Ensure matrix-jitsi-prosody container is stopped if necessary systemd: state: stopped - name: matrix-jitsi-prosody \ No newline at end of file + name: matrix-jitsi-prosody + when: matrix_jitsi_prosody_start_result.changed|bool \ No newline at end of file From a26abb2f1b2c5e5c8ddd0eb2792ab02a921665c4 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:44:50 -0300 Subject: [PATCH 31/45] Removed an empty line (formatting) --- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index d9b6fcba7..c1c7c7fca 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -45,7 +45,6 @@ daemon_reload: yes when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" - - name: Ensure authentication is properly configured include_tasks: file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" From 4c25c1df06f9eb68309e138fe1286d1d74437289 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:50:31 -0300 Subject: [PATCH 32/45] Changed matrix_jitsi_prosody_auth_internal_accounts default to an empty array, removed unused configuration declaration, and moved jibri configuration back to its proper place --- roles/matrix-jitsi/defaults/main.yml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 617421263..e233e0167 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -9,12 +9,22 @@ matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true -# Authentication type, must be one of internal, jwt or ldap. Currently only -# internal and ldap are supported by this playbook. +# Authentication type, must be one of internal, jwt or ldap. +# Currently only internal and ldap mechanisms are supported by this playbook. matrix_jitsi_auth_type: internal -matrix_jitsi_prosody_auth_internal_accounts: - - username: "jitsti-moderator" - password: "" + +# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. +# +# Accounts added here and subsquently removed will not be automatically removed +# from the Prosody server until user account cleaning is integrated into the playbook. +# +# Example: +# matrix_jitsi_prosody_auth_internal_accounts: +# - username: "jitsi-moderator" +# password: "secret-password" +# - username: "another-user" +# password: "another-password" +matrix_jitsi_prosody_auth_internal_accounts: [] # Configuration options for LDAP authentication. For details see upstream: # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. @@ -44,17 +54,16 @@ matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi matrix_jitsi_xmpp_modules: '' -matrix_jitsi_xmpp_muc_modules: '' -matrix_jitsi_xmpp_muc_modules_internal: '' matrix_jitsi_recorder_domain: recorder.meet.jitsi -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' + matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri matrix_jitsi_jibri_xmpp_password: '' +matrix_jitsi_jibri_recorder_user: recorder +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false From 0c101f20c447ac5b4fe494cb7379f516f2f17ff1 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:54:40 -0300 Subject: [PATCH 33/45] Fixed unnecessary checking of user attributes, added check for matrix_jitsi_enable_auth boolean --- roles/matrix-jitsi/tasks/validate_config.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 8f874176b..37b10cb4e 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -34,10 +34,10 @@ it means that your installation is most likely using default passwords previously defined by the playbook. These defaults are insecure. Jitsi should be rebuilt with secure values. Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). - when: - - matrix_jitsi_auth_type == "internal" - - item.username == '' - - item.password == '' + when: + - matrix_jitsi_enable_auth|bool + - matrix_jitsi_auth_type == 'internal' + - matrix_jitsi_prosody_auth_internal_accounts|length == '0' with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" From f2293f61eebe49f47d7bb42363ed4f6b0fa9eb5a Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:58:50 -0300 Subject: [PATCH 34/45] Updated documentation to better reflect the workings of Jitsi internal authentication with this playbook --- docs/configuring-playbook-jitsi.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 940252b45..f7e8a949c 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -48,11 +48,13 @@ matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true matrix_jitsi_prosody_auth_internal_accounts: - username: "jitsi-moderator" - password: "some-password" - - username: "other-user" - password: "some-other-password" + password: "secret-password" + - username: "another-user" + password: "another-password" ``` +**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. + **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). From a9e222d5238af3a76e8d77e2ef7801a05662dbdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Dec 2021 19:45:39 +0200 Subject: [PATCH 35/45] Remove useless variable (matrix_appservice_webhooks_control_room_id) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1447 Seems like there's such a variable in the `matrix-bridge-appservice-slack` role, which is probably where it got copied over from. --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 25419900c..bc9ae8b40 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -22,8 +22,6 @@ matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks matrix_appservice_webhooks_public_endpoint: /appservice-webhooks matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}" -# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source -matrix_appservice_webhooks_control_room_id: '' matrix_appservice_webhooks_bot_name: 'webhookbot' matrix_appservice_webhooks_user_prefix: '_webhook' From c116f268f2f1aa03e2b14036201229b529b94d26 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 19:30:32 -0300 Subject: [PATCH 36/45] Fixed type mismatch --- roles/matrix-jitsi/tasks/validate_config.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 37b10cb4e..5452768a4 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -20,25 +20,19 @@ - "matrix_jitsi_jvb_auth_password" -- name: Fail if Jitsi internal authentication settings not defined +- name: Fail if a Jitsi internal authentication account is not defined fail: msg: >- - You must define the (`{{ item.username }}`) and (`{{ item.password }}`) configuration settings to properly configure an account using Jitsi's internal authentication. + Each Jitsi user in `matrix_jitsi_prosody_auth_internal_accounts` needs to have a non-empty `username`/`password`. Please ensure you have defined at least one user and password when using internal authentication. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - - If you had previously setup Jitsi successfully and are only now facing this error, - it means that your installation is most likely using default passwords previously defined by the playbook. - These defaults are insecure. Jitsi should be rebuilt with secure values. - Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). when: - matrix_jitsi_enable_auth|bool - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts|length == '0' - with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + - matrix_jitsi_prosody_auth_internal_accounts == '' - name: (Deprecation) Catch and report renamed settings From fc55df9318efb28d17295293adf3a6edf7ab4b84 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Dec 2021 08:29:57 +0200 Subject: [PATCH 37/45] Make some appservices reach the homeserver via nginx This is useful when Synapse is using a worker setup. In that case, we don't want appservices to connect to `matrix-synapse:8008`, because not all APIs are exposed there. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1449 --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 64ec0bd12..f9763c560 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -113,7 +113,7 @@ matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" -matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" @@ -152,7 +152,7 @@ matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_pr matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" -matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" From 6568b68759901a1fdef4dd55d8f915837b435738 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Dec 2021 10:14:33 +0200 Subject: [PATCH 38/45] Fix validation message The check was checking for an empty string in `matrix_jitsi_prosody_auth_internal_accounts`, which is unlikely to happen. We should check for an empty list instead. The check was not validating username/password values, so telling the user that they need a non-empty username/password is misleading. It was merely checking if there's at least one entry in the list. This patch adjusts the check and message accordingly. --- roles/matrix-jitsi/tasks/validate_config.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 5452768a4..a9d86764e 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -23,16 +23,14 @@ - name: Fail if a Jitsi internal authentication account is not defined fail: msg: >- - Each Jitsi user in `matrix_jitsi_prosody_auth_internal_accounts` needs to have a non-empty `username`/`password`. - - Please ensure you have defined at least one user and password when using internal authentication. + At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). when: - matrix_jitsi_enable_auth|bool - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts == '' + - matrix_jitsi_prosody_auth_internal_accounts|length == 0 - name: (Deprecation) Catch and report renamed settings From ece163b29ff49ef706cbfb4bbeebe3d3f7aee2ef Mon Sep 17 00:00:00 2001 From: AnonyPla <86740652+AnonyPla@users.noreply.github.com> Date: Sat, 11 Dec 2021 08:16:33 +0000 Subject: [PATCH 39/45] Upgrade Mjolnir from 1.1.20 to version 1.2.1 (#1422) * Upgrade Mjolnir from 1.1.20 to version 1.2.1 https://hub.docker.com/r/matrixdotorg/mjolnir/tags using the "latest" tag seems inefficient as it doesn't actually redirect to the latest release In any case, the latest release is now 1.2.1 docker pull matrixdotorg/mjolnir:v1.2.1 * Fixup Co-authored-by: Slavi Pantaleev --- roles/matrix-bot-mjolnir/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index 6e7331c45..72c685027 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -3,14 +3,13 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.1.20" +matrix_bot_mjolnir_version: "v1.2.1" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}" - matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" From eca26e49e1561603eecab65a8ba9e60f2d46f39c Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Sat, 11 Dec 2021 11:09:06 -0300 Subject: [PATCH 40/45] Update Jitsi to version stable-6727 --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index e233e0167..b1002a7f2 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -67,7 +67,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6173 +matrix_jitsi_version: stable-6726 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From bbab82ee647348fc6d4f864ceac93f18dc3a9461 Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Sat, 11 Dec 2021 10:26:55 -0500 Subject: [PATCH 41/45] Fix email sending broken by #1406 --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index f27fcb067..3e289b0c7 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2344,8 +2344,10 @@ email: # Username/password for authentication to the SMTP server. By default, no # authentication is attempted. + {% if matrix_synapse_email_smtp_user %} smtp_user: {{ matrix_synapse_email_smtp_user|string|to_json }} smtp_pass: {{ matrix_synapse_email_smtp_pass|string|to_json }} + {% endif %} # Uncomment the following to require TLS transport security for SMTP. # By default, Synapse will connect over plain text, and will then switch to From dd903ffcc2c2beec08557b157f1cd4aa4ce0b16b Mon Sep 17 00:00:00 2001 From: laszabine Date: Sat, 11 Dec 2021 16:16:41 +0000 Subject: [PATCH 42/45] Updated signald docker image path --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 93993fa11..6e0a9918b 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_signal_daemon_container_self_build: false matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" -matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}" +matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" From 1f0d56fb75b053ca91d803416b01e498c2461901 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 13 Dec 2021 15:55:40 +0000 Subject: [PATCH 43/45] (Security fix) Update Element 1.9.6 -> 1.9.7 Ref: https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index d1a6a73a5..28412a264 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.6 +matrix_client_element_version: v1.9.7 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From a8fc4fe6ce5e82d44060b7e50c131eca8b502aff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Dec 2021 12:33:59 +0200 Subject: [PATCH 44/45] Mention log4j vulnerability affecting mautrix-signal Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1459 and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 43af8dd10..a6d15b963 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-12-14 + +## (Security) Users of the Signal bridge may wish to upgrade it to work around log4j vulnerability + +Recently, a security vulnerability affecting the Java logging package `log4j` [has been discovered](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java). Software that uses this Java package is potentially vulnerable. + +One such piece of software that is part of the playbook is the [mautrix-signal bridge](./docs/configuring-playbook-bridge-mautrix-signal.md), which [has been patched already](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452). If you're running this bridge, you may wish to [upgrade](./docs/maintenance-upgrading-services.md). + + # 2021-11-11 ## Dropped support for Postgres v9.6 From 5be131054102398e20b7a825dd26d6de0021ef3e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Dec 2021 16:54:35 +0200 Subject: [PATCH 45/45] Upgrade Synapse (1.48.0 -> 1.49.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 40 +++++++++++++++++++ roles/matrix-synapse/vars/workers.yml | 4 +- 3 files changed, 44 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index e888ac92b..d1d049d5e 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.48.0 -matrix_synapse_version_arm64: v1.48.0 +matrix_synapse_version: v1.49.0 +matrix_synapse_version_arm64: v1.49.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 3e289b0c7..1361eb9e1 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1227,6 +1227,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # #session_lifetime: 24h +# Time that an access token remains valid for, if the session is +# using refresh tokens. +# For more information about refresh tokens, please see the manual. +# Note that this only applies to clients which advertise support for +# refresh tokens. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is 5 minutes. +# +#refreshable_access_token_lifetime: 5m + +# Time that a refresh token remains valid for (provided that it is not +# exchanged for another one first). +# This option can be used to automatically log-out inactive sessions. +# Please see the manual for more information. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is infinite. +# +#refresh_token_lifetime: 24h + +# Time that an access token remains valid for, if the session is NOT +# using refresh tokens. +# Please note that not all clients support refresh tokens, so setting +# this to a short value may be inconvenient for some users who will +# then be logged out frequently. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to existing sessions for users that have already logged in. +# +# By default, this is infinite. +# +#nonrefreshable_access_token_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. + # The user must provide all of the below types of 3PID when registering. # #registrations_require_3pid: diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index def223f8b..1a279ad6b 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -33,7 +33,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/v1/get_groups_publicised$ - ^/_matrix/key/v2/query - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/ - - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/ + - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/ # Inbound federation transaction request - ^/_matrix/federation/v1/send/ @@ -46,7 +46,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$ - - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$ + - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$