Make roles more independent of one another
With this change, the following roles are now only dependent on the minimal `matrix-base` role:

- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains dependent on the others.

Wiring up the various (now-independent) roles happens via a glue variables file (`group_vars/matrix-servers`). It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following chain of inclusion/overriding now:

- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component (e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`). Reasoning: if a role is included in a playbook (especially separately, in another playbook), it should "work" by default. Our playbook disables some of those if they are not generally useful (e.g. `matrix_corporal_enabled: false`).
parent 515f04e936
commit c10182e5a6
37
CHANGELOG.md
@ -1,3 +1,40 @@
|
|||||||
|
# 2019-01-xx
|
||||||
|
|
||||||
|
## (BC Break) Making the playbook's roles more independent of one another
|
||||||
|
|
||||||
|
The following change **affects people running a more non-standard setup** - external Postgres or using our roles in their own other playbook.
|
||||||
|
**Most users don't need to do anything**, besides becoming aware of the new glue variables file [`group_vars/matrix-servers`](group_vars/matrix-servers).
|
||||||
|
|
||||||
|
Because people like using the playbook's components independently (outside of this playbook) and because it's much better for maintainability, we've continued working on separating them.
|
||||||
|
Still, we'd like to offer a turnkey solution for running a fully-featured Matrix server, so this playbook remains important for wiring up the various components.
|
||||||
|
|
||||||
|
With the new changes, the following roles are now only dependent on the minimal `matrix-base` role:
|
||||||
|
- `matrix-corporal`
|
||||||
|
- `matrix-coturn`
|
||||||
|
- `matrix-mailer`
|
||||||
|
- `matrix-mxisd`
|
||||||
|
- `matrix-postgres`
|
||||||
|
- `matrix-riot-web`
|
||||||
|
- `matrix-synapse`
|
||||||
|
|
||||||
|
The `matrix-nginx-proxy` role still does too much and remains dependent on the others.
|
||||||
|
|
||||||
|
In addition, the following components can be completely disabled now (for those who want/need to):
|
||||||
|
- `matrix-coturn`
|
||||||
|
- `matrix-mailer`
|
||||||
|
- `matrix-postgres`
|
||||||
|
|
||||||
|
The following changes had to be done:
|
||||||
|
|
||||||
|
- glue variables had to be introduced to the playbook, so it can wire together the various components. Those glue vars are stored in the [`group_vars/matrix-servers`](group_vars/matrix-servers) file. When overriding variables for a given component (role), you need to be aware of both the role defaults (`role/ROLE/defaults/main.yml`) and the role's corresponding section in the [`group_vars/matrix-servers`](group_vars/matrix-servers) file.
|
||||||
|
|
||||||
|
- `matrix_postgres_use_external` has been superceeded by the more consistently named `matrix_postgres_enabled` variable and a few other `matrix_synapse_database_` variables. See the [Using an external PostgreSQL server (optional)](docs/configuring-playbook-external-postgres.md) documentation page for an up-to-date replacement.
|
||||||
|
|
||||||
|
- Postgres tools (`matrix-postgres-cli` and `matrix-make-user-admin`) are no longer installed if you're using an external Postgres server (`matrix_postgres_enabled: false`)
|
||||||
|
|
||||||
|
- roles, being more independent now, are more minimal and do not do so much magic for you. People that are building their own playbook using our roles will definitely need to take a look at the [`group_vars/matrix-servers`](group_vars/matrix-servers) file and adapt their playbooks with the same (or similar) wiring logic.
|
||||||
|
|
||||||
|
|
||||||
# 2019-01-16
|
# 2019-01-16
|
||||||
|
|
||||||
## Splitting the playbook into multiple roles
|
## Splitting the playbook into multiple roles
|
||||||
|
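Review bot: `superceeded` should be `superseded` in the `matrix_postgres_use_external` bullet, and the `# 2019-01-xx` heading still carries a placeholder day that needs filling before this is released. One more BC break belongs in this entry: the role defaults now enable their component (`matrix_corporal_enabled` flips from `false` to `true` in `roles/matrix-corporal/defaults/main.yml`), which is exactly what affects the "using our roles in their own other playbook" audience this section addresses.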
12
README.md
@ -8,17 +8,17 @@ That is, it lets you join the Matrix network with your own `@<username>:<your-do
|
|||||||
|
|
||||||
Using this playbook, you can get the following services configured on your server:
|
Using this playbook, you can get the following services configured on your server:
|
||||||
|
|
||||||
- a [Matrix Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network
|
- a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network
|
||||||
|
|
||||||
- (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys)
|
- (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys)
|
||||||
|
|
||||||
- (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible.
|
- (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible.
|
||||||
|
|
||||||
- a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls
|
- (optional, default) a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls
|
||||||
|
|
||||||
- (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI
|
- (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI
|
||||||
|
|
||||||
- (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default
|
- (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Synapse server by default
|
||||||
|
|
||||||
- (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server
|
- (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server
|
||||||
|
|
||||||
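Review bot: the coturn bullet is now marked "(optional, default)", but unlike the PostgreSQL bullet it gives no pointer to how one opts out; a short link or mention of `matrix_coturn_enabled: false` (the switch introduced in `group_vars/matrix-servers`) would make the "optional" claim actionable.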
@ -67,7 +67,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM
|
|||||||
|
|
||||||
- this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/) (but defaults to storing files on the server's filesystem)
|
- this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/) (but defaults to storing files on the server's filesystem)
|
||||||
|
|
||||||
- this one optionally **allows you to use an external PostgreSQL server** for Matrix Synapse's database (but defaults to running one in a container)
|
- this one optionally **allows you to use an external PostgreSQL server** for Synapse's database (but defaults to running one in a container)
|
||||||
|
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
@ -7,14 +7,16 @@ If you'd like to use an external PostgreSQL server that you manage, you can edit
|
|||||||
It should be something like this:
|
It should be something like this:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
matrix_postgres_use_external: true
|
matrix_postgres_enabled: false
|
||||||
matrix_postgres_connection_hostname: "your-postgres-server-hostname"
|
|
||||||
matrix_postgres_connection_username: "your-postgres-server-username"
|
# Rewire Synapse to use your external Postgres server
|
||||||
matrix_postgres_connection_password: "your-postgres-server-password"
|
matrix_synapse_database_host: "your-postgres-server-hostname"
|
||||||
matrix_postgres_db_name: "your-postgres-server-database-name"
|
matrix_synapse_database_user: "your-postgres-server-username"
|
||||||
|
matrix_synapse_database_password: "your-postgres-server-password"
|
||||||
|
matrix_synapse_database_database: "your-postgres-server-database-name"
|
||||||
```
|
```
|
||||||
|
|
||||||
The database (as specified in `matrix_postgres_db_name`) must exist and be accessible with the given credentials.
|
The database (as specified in `matrix_synapse_database_database`) must exist and be accessible with the given credentials.
|
||||||
It must be empty or contain a valid Matrix Synapse database. If empty, Matrix Synapse would populate it the first time it runs.
|
It must be empty or contain a valid Synapse database. If empty, Synapse would populate it the first time it runs.
|
||||||
|
|
||||||
**Note**: the external server that you specify in `matrix_postgres_connection_hostname` must be accessible from within the container `matrix-synapse` Docker container (and possibly others). This means that it either needs to be a publicly accessible hostname or that it's a hostname on the same Docker network where all containers installed by this playbook run (a network called `matrix` by default). Using a local PostgreSQL instance on the host (running on the same machine, but not in a contianer) is not possible.
|
**Note**: the external server that you specify in `matrix_synapse_database_host` must be accessible from within the `matrix-synapse` Docker container (and possibly other containers too). This means that it either needs to be a publicly accessible hostname or that it's a hostname on the same Docker network where all containers installed by this playbook run (a network called `matrix` by default). Using a local PostgreSQL instance on the host (running on the same machine, but not in a container) is not possible.
|
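Review bot: "and possibly other containers too" can be made concrete now that `group_vars/matrix-servers` wires mxisd to the same database through `matrix_mxisd_synapsesql_connection` (`//{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user=...&password=...`): an external Postgres must also be reachable from the `matrix-mxisd` container, and it is handed the same credentials Synapse uses. Also, per the CHANGELOG hunk, `matrix-postgres-cli` and `matrix-make-user-admin` are no longer installed when `matrix_postgres_enabled: false`; this page is where people running an external server will look, so state it here as well.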
@ -1,5 +1,5 @@
|
|||||||
# This is something which is provided to Let's Encrypt
|
# This is something which is provided to Let's Encrypt
|
||||||
# when retrieving the SSL certificates for `<your-domain>`.
|
# when retrieving the SSL certificates for domains.
|
||||||
#
|
#
|
||||||
# In case SSL renewal fails at some point, you'll also get
|
# In case SSL renewal fails at some point, you'll also get
|
||||||
# an email notification there.
|
# an email notification there.
|
||||||
@ -11,7 +11,7 @@
|
|||||||
# Example value: someone@example.com
|
# Example value: someone@example.com
|
||||||
host_specific_matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE
|
host_specific_matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE
|
||||||
|
|
||||||
# This is your bare domain name (`<your-domain`).
|
# This is your bare domain name (`<your-domain>`).
|
||||||
#
|
#
|
||||||
# Note: the server specified here is not touched.
|
# Note: the server specified here is not touched.
|
||||||
#
|
#
|
||||||
@ -22,7 +22,7 @@ host_specific_matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE
|
|||||||
# Example value: example.com
|
# Example value: example.com
|
||||||
host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE
|
host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE
|
||||||
|
|
||||||
# A shared secret (between Synapse and Coturn) used for authentication.
|
# A shared secret (between Coturn and Synapse) used for authentication.
|
||||||
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
|
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
|
||||||
matrix_coturn_turn_static_auth_secret: ""
|
matrix_coturn_turn_static_auth_secret: ""
|
||||||
|
|
||||||
|
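Review bot: the comment still says "You can put any string here" while the example ships `matrix_coturn_turn_static_auth_secret: ""`, and this commit removes the playbook-level task that rejected an empty value (the "Fail if Coturn Auth secret is missing" hunk). Spell out that the value must be non-empty whenever `matrix_coturn_enabled` is true, since nothing in the diff enforces it any more.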
289
group_vars/matrix-servers
Normal file
@ -0,0 +1,289 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
# This variables file wires together the various components (roles) used by the playbook.
|
||||||
|
#
|
||||||
|
# Roles used by playbook are pretty minimal and kept independent of one another as much as possible.
|
||||||
|
# To deliver a turnkey fully-featured Matrix server, this playbook needs
|
||||||
|
# to connect them all together. It does so by overriding role variables.
|
||||||
|
#
|
||||||
|
# You can also override ANY variable (seen here or in any given role),
|
||||||
|
# by re-defining it in your own configuration file (`inventory/host_vars/matrix.<your-domain>`).
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-base
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}"
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-base
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-corporal
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
matrix_corporal_enabled: false
|
||||||
|
|
||||||
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
|
||||||
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||||
|
# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
|
||||||
|
matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
|
||||||
|
|
||||||
|
matrix_corporal_systemd_required_services_list: |
|
||||||
|
{{
|
||||||
|
(['docker.service'])
|
||||||
|
+
|
||||||
|
(['matrix-synapse.service'])
|
||||||
|
}}
|
||||||
|
|
||||||
|
matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008"
|
||||||
|
|
||||||
|
matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
|
||||||
|
|
||||||
|
matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}"
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-corporal
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-coturn
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
matrix_coturn_enabled: true
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-coturn
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-mailer
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
# By default, this playbook sets up a postfix mailer server (running in a container).
|
||||||
|
# This is so that Synapse can send email reminders for unread messages.
|
||||||
|
# Other services (like mxisd), also use the mailer.
|
||||||
|
matrix_mailer_enabled: true
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-mailer
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-mxisd
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`).
|
||||||
|
# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this.
|
||||||
|
matrix_mxisd_enabled: true
|
||||||
|
|
||||||
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
|
||||||
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||||
|
# mxisd's web-server port to the local host (`127.0.0.1:8090`).
|
||||||
|
matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
|
||||||
|
|
||||||
|
# We enable Synapse integration via its Postgres database by default.
|
||||||
|
# When using another Identity store, you might wish to disable this and define
|
||||||
|
# your own configuration in `matrix_mxisd_configuration_extension_yaml`.
|
||||||
|
matrix_mxisd_synapsesql_enabled: true
|
||||||
|
matrix_mxisd_synapsesql_type: postgresql
|
||||||
|
matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }}
|
||||||
|
|
||||||
|
# By default, we send mail through the `matrix-mailer` service.
|
||||||
|
matrix_mxid_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"
|
||||||
|
matrix_mxid_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
|
||||||
|
matrix_mxid_threepid_medium_email_connectors_smtp_port: 587
|
||||||
|
matrix_mxid_threepid_medium_email_connectors_smtp_tls: 0
|
||||||
|
|
||||||
|
matrix_mxisd_systemd_wanted_services_list: |
|
||||||
|
{{
|
||||||
|
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
|
||||||
|
+
|
||||||
|
(['matrix-mailer.service'] if matrix_mailer_enabled else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-mxisd
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-nginx-proxy
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
# By default, this playbook sets up a reverse-proxy nginx proxy server on port 80/443.
|
||||||
|
# This is fine if you're dedicating the whole server to Matrix.
|
||||||
|
# If that's not the case, you may wish to disable this and take care of proxying yourself.
|
||||||
|
matrix_nginx_proxy_enabled: true
|
||||||
|
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}"
|
||||||
|
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "{{ 'localhost:41080' if matrix_corporal_enabled else 'localhost:8008' }}"
|
||||||
|
|
||||||
|
matrix_nginx_proxy_proxy_matrix_enabled: true
|
||||||
|
matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}"
|
||||||
|
|
||||||
|
matrix_nginx_proxy_systemd_wanted_services_list: |
|
||||||
|
{{
|
||||||
|
(['matrix-synapse.service'])
|
||||||
|
+
|
||||||
|
(['matrix-corporal.service'] if matrix_corporal_enabled else [])
|
||||||
|
+
|
||||||
|
(['matrix-mxisd.service'] if matrix_mxisd_enabled else [])
|
||||||
|
+
|
||||||
|
(['matrix-riot-web.service'] if matrix_riot_web_enabled else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
matrix_ssl_domains_to_obtain_certificates_for: |
|
||||||
|
{{
|
||||||
|
([hostname_matrix])
|
||||||
|
+
|
||||||
|
([hostname_riot] if matrix_riot_web_enabled else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-nginx-proxy
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-postgres
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
matrix_postgres_enabled: true
|
||||||
|
|
||||||
|
matrix_postgres_connection_hostname: "matrix-postgres"
|
||||||
|
matrix_postgres_connection_username: "synapse"
|
||||||
|
matrix_postgres_connection_password: "synapse-password"
|
||||||
|
matrix_postgres_db_name: "homeserver"
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-postgres
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-riot-web
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain.
|
||||||
|
# If you wish to connect to your Matrix server by other means, you may wish to disable this.
|
||||||
|
matrix_riot_web_enabled: true
|
||||||
|
|
||||||
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network.
|
||||||
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||||
|
# the riot-web HTTP port to the local host (`127.0.0.1:80`).
|
||||||
|
matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
|
||||||
|
|
||||||
|
matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}"
|
||||||
|
matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}"
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-riot-web
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# matrix-synapse
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
# When mxisd is enabled, we can use it instead of the default public Identity servers.
|
||||||
|
matrix_synapse_trusted_third_party_id_servers: "{{ [hostname_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
|
||||||
|
|
||||||
|
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
|
||||||
|
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||||
|
# the Client/Server API's port to the local host (`127.0.0.1:8008`).
|
||||||
|
matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
|
||||||
|
|
||||||
|
matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}"
|
||||||
|
matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}"
|
||||||
|
matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}"
|
||||||
|
matrix_synapse_database_database: "{{ matrix_postgres_db_name }}"
|
||||||
|
|
||||||
|
matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
|
||||||
|
matrix_synapse_email_smtp_host: "matrix-mailer"
|
||||||
|
matrix_synapse_email_smtp_port: 587
|
||||||
|
matrix_synapse_email_smtp_require_transport_security: false
|
||||||
|
matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
|
||||||
|
matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}"
|
||||||
|
|
||||||
|
matrix_synapse_turn_uris: |
|
||||||
|
{{
|
||||||
|
[
|
||||||
|
'turn:' + hostname_matrix + ':3478?transport=udp',
|
||||||
|
'turn:' + hostname_matrix + ':3478?transport=tcp',
|
||||||
|
]
|
||||||
|
if matrix_coturn_enabled
|
||||||
|
else []
|
||||||
|
}}
|
||||||
|
|
||||||
|
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
|
||||||
|
|
||||||
|
matrix_synapse_systemd_required_services_list: |
|
||||||
|
{{
|
||||||
|
(['docker.service'])
|
||||||
|
+
|
||||||
|
(['matrix-postgres.service'] if matrix_postgres_enabled else [])
|
||||||
|
+
|
||||||
|
(['matrix-goofys'] if matrix_s3_media_store_enabled else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
matrix_synapse_systemd_wanted_services_list: |
|
||||||
|
{{
|
||||||
|
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
|
||||||
|
+
|
||||||
|
(['matrix-mailer.service'] if matrix_mailer_enabled else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# /matrix-synapse
|
||||||
|
#
|
||||||
|
######################################################################
|
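Review bot: `(['matrix-goofys'] if matrix_s3_media_store_enabled else [])` in `matrix_synapse_systemd_required_services_list` is the only entry in this file without a `.service` suffix; every other list uses `matrix-postgres.service`, `matrix-mailer.service` and so on, so check this renders the unit name the systemd template expects. Two more points in the same file: the four mailer overrides are spelled `matrix_mxid_threepid_medium_email_...` while every other mxisd variable here uses the `matrix_mxisd_` prefix, so confirm the role actually reads that spelling, otherwise these overrides are silently ignored; and `matrix_mxisd_synapsesql_connection` interpolates `matrix_synapse_database_password` straight into a `?user=...&password=...` query string, which breaks on passwords containing `&`, `%` or `#` and should at least be URL-encoded. Finally, `matrix_postgres_connection_password: "synapse-password"` is now the single place the database credentials are defined and it is a well-known default; consider failing the run when it is left unchanged.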
@ -22,7 +22,8 @@ matrix_base_data_path_mode: "750"
|
|||||||
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
|
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
|
||||||
|
|
||||||
matrix_homeserver_url: "https://{{ hostname_matrix }}"
|
matrix_homeserver_url: "https://{{ hostname_matrix }}"
|
||||||
matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}"
|
|
||||||
|
matrix_identity_server_url: ~
|
||||||
|
|
||||||
# The Docker network that all services would be put into
|
# The Docker network that all services would be put into
|
||||||
matrix_docker_network: "matrix"
|
matrix_docker_network: "matrix"
|
||||||
|
@ -15,16 +15,6 @@
|
|||||||
msg: "{{ matrix_ansible_outdated_fail_msg }}"
|
msg: "{{ matrix_ansible_outdated_fail_msg }}"
|
||||||
when: "ansible_version.major == 2 and ansible_version.minor == 5 and ansible_version.revision < 2"
|
when: "ansible_version.major == 2 and ansible_version.minor == 5 and ansible_version.revision < 2"
|
||||||
|
|
||||||
- name: Fail if Macaroon key is missing
|
|
||||||
fail:
|
|
||||||
msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable"
|
|
||||||
when: "matrix_synapse_macaroon_secret_key == ''"
|
|
||||||
|
|
||||||
- name: Fail if Coturn Auth secret is missing
|
|
||||||
fail:
|
|
||||||
msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable"
|
|
||||||
when: "matrix_coturn_turn_static_auth_secret == ''"
|
|
||||||
|
|
||||||
# This sanity check is only used to detect uppercase when people override these specific variables.
|
# This sanity check is only used to detect uppercase when people override these specific variables.
|
||||||
#
|
#
|
||||||
# If people set `host_specific_hostname_identity` without overriding other variables (the general use-case),
|
# If people set `host_specific_hostname_identity` without overriding other variables (the general use-case),
|
||||||
|
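Review bot: the two removed tasks ("Fail if Macaroon key is missing" and "Fail if Coturn Auth secret is missing") have no visible replacement. This commit adds `roles/matrix-corporal/tasks/validate_config.yml` for corporal's own secrets, but nothing equivalent appears for `matrix_synapse_macaroon_secret_key` or `matrix_coturn_turn_static_auth_secret`, and the inventory example in this same commit still ships `matrix_coturn_turn_static_auth_secret: ""`. If the checks moved into the synapse and coturn roles the diff should include them; if not, an empty macaroon key or TURN secret now deploys without complaint. Suggest a `validate_config.yml` per role, gated on that role's `_enabled` flag exactly like the corporal one.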
@ -1,12 +1,13 @@
|
|||||||
# Enable this to add support for matrix-corporal.
|
# matrix-corporal is a reconciliator and gateway for a managed Matrix server.
|
||||||
# See: https://github.com/devture/matrix-corporal
|
# See: https://github.com/devture/matrix-corporal
|
||||||
matrix_corporal_enabled: false
|
|
||||||
|
|
||||||
# Controls whether the matrix-corporal web server's ports are exposed outside of the container.
|
matrix_corporal_enabled: true
|
||||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
|
|
||||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
# Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container.
|
||||||
# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
|
matrix_corporal_container_expose_ports: false
|
||||||
matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
|
|
||||||
|
# List of systemd services that matrix-corporal.service depends on
|
||||||
|
matrix_corporal_systemd_required_services_list: ['docker.service']
|
||||||
|
|
||||||
matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
|
matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
|
||||||
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
|
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
|
||||||
@ -14,6 +15,20 @@ matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
|
|||||||
matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
|
matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
|
||||||
matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
|
matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
|
||||||
|
|
||||||
|
matrix_corporal_matrix_homeserver_domain_name: "{{ hostname_identity }}"
|
||||||
|
|
||||||
|
# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:8008").
|
||||||
|
# If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`.
|
||||||
|
matrix_corporal_matrix_homeserver_api_endpoint: ""
|
||||||
|
|
||||||
|
# The shared secret between matrix-corporal and Synapse's shared-secret-auth password provider module.
|
||||||
|
# To use matrix-corporal, the shared-secret-auth password provider needs to be enabled and the secret needs to be identical.
|
||||||
|
matrix_corporal_matrix_auth_shared_secret: ""
|
||||||
|
|
||||||
|
# The shared secret for registering users with Synapse.
|
||||||
|
# Needs to be identical to Synapse's `registration_shared_secret` setting.
|
||||||
|
matrix_corporal_matrix_registration_shared_secret: ""
|
||||||
|
|
||||||
matrix_corporal_matrix_timeout_milliseconds: 45000
|
matrix_corporal_matrix_timeout_milliseconds: 45000
|
||||||
|
|
||||||
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
|
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
|
||||||
|
@ -1,9 +1,3 @@
|
|||||||
- name: Override configuration specifying where the Matrix Client API is
|
|
||||||
set_fact:
|
|
||||||
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
|
|
||||||
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
|
|
||||||
when: "matrix_corporal_enabled"
|
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
|
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
|
||||||
when: "matrix_corporal_enabled"
|
when: "matrix_corporal_enabled"
|
@ -2,6 +2,12 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||||
|
when: "run_setup and matrix_corporal_enabled"
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-corporal
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/setup_corporal.yml"
|
- import_tasks: "{{ role_path }}/tasks/setup_corporal.yml"
|
||||||
when: run_setup
|
when: run_setup
|
||||||
tags:
|
tags:
|
||||||
|
@ -4,24 +4,6 @@
|
|||||||
# Tasks related to setting up matrix-corporal
|
# Tasks related to setting up matrix-corporal
|
||||||
#
|
#
|
||||||
|
|
||||||
- name: Fail if Shared Secret Auth extension not enabled
|
|
||||||
fail:
|
|
||||||
msg: "To use matrix-corporal, you need to enable the Shared Secret Auth module for Synapse (see matrix_synapse_ext_password_provider_shared_secret_auth_enabled)"
|
|
||||||
when: "matrix_corporal_enabled and not matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
|
|
||||||
|
|
||||||
- name: Fail if HTTP API enabled, but no token set
|
|
||||||
fail:
|
|
||||||
msg: "The Matrix Corporal HTTP API is enabled, but no auth token has been set in matrix_corporal_http_api_auth_token"
|
|
||||||
when: "matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"
|
|
||||||
|
|
||||||
- name: Fail if policy provider configuration not set
|
|
||||||
fail:
|
|
||||||
msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config"
|
|
||||||
when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''"
|
|
||||||
|
|
||||||
# There are some additional initialization tasks in setup_corporal_overrides.yml,
|
|
||||||
# which need to always run, no matter what tag the playbook is running with.
|
|
||||||
|
|
||||||
- name: Ensure Matrix Corporal paths exist
|
- name: Ensure Matrix Corporal paths exist
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
|
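Review bot: of the three `fail` tasks removed here, only two reappear in the new `roles/matrix-corporal/tasks/validate_config.yml` (the HTTP API token check, and the policy-provider config check folded into the required-settings loop). The check that `matrix_synapse_ext_password_provider_shared_secret_auth_enabled` is true has no counterpart, so a deployment with corporal enabled and the Synapse provider disabled now passes validation and only fails at runtime; either keep that assertion in the playbook-level glue or call the change out in the CHANGELOG.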
17
roles/matrix-corporal/tasks/validate_config.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Fail if required matrix-corporal settings not defined
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal.
|
||||||
|
when: "vars[item] == ''"
|
||||||
|
with_items:
|
||||||
|
- "matrix_corporal_matrix_homeserver_api_endpoint"
|
||||||
|
- "matrix_corporal_matrix_auth_shared_secret"
|
||||||
|
- "matrix_corporal_matrix_registration_shared_secret"
|
||||||
|
- "matrix_corporal_policy_provider_config"
|
||||||
|
|
||||||
|
- name: Fail if HTTP API enabled, but no token set
|
||||||
|
fail:
|
||||||
|
msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
|
||||||
|
when: "matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"
|
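Review bot: the required-settings loop does not include `matrix_corporal_matrix_homeserver_domain_name`, which `config.json.j2` now renders (see the template hunk below); if its default is an empty string like the other three, add it to `with_items`. Minor: `when: "vars[item] == ''"` raises an undefined-variable error instead of the intended message if a listed variable has no default, so keep this list in step with `defaults/main.yml`.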
@ -1,9 +1,9 @@
|
|||||||
{
|
{
|
||||||
"Matrix": {
|
"Matrix": {
|
||||||
"HomeserverDomainName": "{{ hostname_identity }}",
|
"HomeserverDomainName": "{{ matrix_corporal_matrix_homeserver_domain_name }}",
|
||||||
"HomeserverApiEndpoint": "http://matrix-synapse:8008",
|
"HomeserverApiEndpoint": "{{ matrix_corporal_matrix_homeserver_api_endpoint }}",
|
||||||
"AuthSharedSecret": "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}",
|
"AuthSharedSecret": "{{ matrix_corporal_matrix_auth_shared_secret }}",
|
||||||
"RegistrationSharedSecret": "{{ matrix_synapse_registration_shared_secret }}",
|
"RegistrationSharedSecret": "{{ matrix_corporal_matrix_registration_shared_secret }}",
|
||||||
"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
|
"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
|
||||||
},
|
},
|
||||||
|
|
||||||
|
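Review bot: `AuthSharedSecret` and `RegistrationSharedSecret` are interpolated into JSON inside literal quotes; a secret containing `"` or `\` (possible if someone pastes something other than `pwgen` output) produces invalid JSON and corporal fails to start. Render them as `{{ matrix_corporal_matrix_auth_shared_secret | to_json }}` (which emits the surrounding quotes and the escaping) and do the same for the domain name and API endpoint.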
@ -1,9 +1,9 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Matrix Corporal
|
Description=Matrix Corporal
|
||||||
After=docker.service
|
{% for service in matrix_corporal_systemd_required_services_list %}
|
||||||
Requires=docker.service
|
Requires={{ service }}
|
||||||
Requires=matrix-synapse.service
|
After={{ service }}
|
||||||
After=matrix-synapse.service
|
{% endfor %}
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
|
@ -1,8 +1,13 @@
|
|||||||
|
matrix_coturn_enabled: true
|
||||||
|
|
||||||
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8"
|
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8"
|
||||||
|
|
||||||
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
|
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
|
||||||
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
|
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
|
||||||
|
|
||||||
|
# List of systemd services that matrix-coturn.service depends on
|
||||||
|
matrix_coturn_systemd_required_services_list: ['docker.service']
|
||||||
|
|
||||||
# A shared secret (between Synapse and Coturn) used for authentication.
|
# A shared secret (between Synapse and Coturn) used for authentication.
|
||||||
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
|
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
|
||||||
matrix_coturn_turn_static_auth_secret: ""
|
matrix_coturn_turn_static_auth_secret: ""
|
||||||
|
@ -2,8 +2,14 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||||
|
when: "run_setup and matrix_coturn_enabled"
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-coturn
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml"
|
- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml"
|
||||||
when: run_setup
|
when: run_setup
|
||||||
tags:
|
tags:
|
||||||
- setup-coturn
|
- setup-all
|
||||||
- setup-all
|
- setup-coturn
|
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Fail if Coturn secret is missing
|
#
|
||||||
fail:
|
# Tasks related to setting up Coturn
|
||||||
msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable"
|
#
|
||||||
when: "matrix_coturn_turn_static_auth_secret == ''"
|
|
||||||
|
|
||||||
- name: Ensure Coturn image is pulled
|
- name: Ensure Coturn image is pulled
|
||||||
docker_image:
|
docker_image:
|
||||||
name: "{{ matrix_coturn_docker_image }}"
|
name: "{{ matrix_coturn_docker_image }}"
|
||||||
|
when: matrix_coturn_enabled
|
||||||
|
|
||||||
- name: Ensure Coturn configuration path exists
|
- name: Ensure Coturn configuration path exists
|
||||||
file:
|
file:
|
||||||
@ -16,18 +16,21 @@
|
|||||||
mode: 0750
|
mode: 0750
|
||||||
owner: "{{ matrix_user_username }}"
|
owner: "{{ matrix_user_username }}"
|
||||||
group: "{{ matrix_user_username }}"
|
group: "{{ matrix_user_username }}"
|
||||||
|
when: matrix_coturn_enabled
|
||||||
|
|
||||||
- name: Ensure turnserver.conf installed
|
- name: Ensure turnserver.conf installed
|
||||||
template:
|
template:
|
||||||
src: "{{ role_path }}/templates/turnserver.conf.j2"
|
src: "{{ role_path }}/templates/turnserver.conf.j2"
|
||||||
dest: "{{ matrix_coturn_config_path }}"
|
dest: "{{ matrix_coturn_config_path }}"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
when: matrix_coturn_enabled
|
||||||
|
|
||||||
- name: Ensure matrix-coturn.service installed
|
- name: Ensure matrix-coturn.service installed
|
||||||
template:
|
template:
|
||||||
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
|
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
|
||||||
dest: "/etc/systemd/system/matrix-coturn.service"
|
dest: "/etc/systemd/system/matrix-coturn.service"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
when: matrix_coturn_enabled
|
||||||
|
|
||||||
- name: Allow access to Coturn ports in firewalld
|
- name: Allow access to Coturn ports in firewalld
|
||||||
firewalld:
|
firewalld:
|
||||||
@ -39,4 +42,39 @@
|
|||||||
- '3478/tcp' # STUN
|
- '3478/tcp' # STUN
|
||||||
- '3478/udp' # STUN
|
- '3478/udp' # STUN
|
||||||
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
|
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
|
||||||
when: ansible_os_family == 'RedHat'
|
when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tasks related to getting rid of Coturn (if it was previously enabled)
|
||||||
|
#
|
||||||
|
|
||||||
|
- name: Check existence of matrix-coturn service
|
||||||
|
stat:
|
||||||
|
path: "/etc/systemd/system/matrix-coturn.service"
|
||||||
|
register: matrix_coturn_service_stat
|
||||||
|
|
||||||
|
- name: Ensure matrix-coturn is stopped
|
||||||
|
service:
|
||||||
|
name: matrix-coturn
|
||||||
|
state: stopped
|
||||||
|
daemon_reload: yes
|
||||||
|
register: stopping_result
|
||||||
|
when: "not matrix_coturn_enabled and matrix_coturn_service_stat.stat.exists"
|
||||||
|
|
||||||
|
- name: Ensure matrix-coturn.service doesn't exist
|
||||||
|
file:
|
||||||
|
path: "/etc/systemd/system/matrix-coturn.service"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_coturn_enabled and matrix_coturn_service_stat.stat.exists"
|
||||||
|
|
||||||
|
- name: Ensure Matrix coturn paths don't exist
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_coturn_base_path }}"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_coturn_enabled"
|
||||||
|
|
||||||
|
- name: Ensure coturn Docker image doesn't exist
|
||||||
|
docker_image:
|
||||||
|
name: "{{ matrix_coturn_docker_image }}"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_coturn_enabled"
|
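Review bot: the teardown block stops the service and removes the unit file, data path and image when `matrix_coturn_enabled` is false, but the firewalld ports opened a few lines above (`3478/tcp`, `3478/udp` and the `matrix_coturn_turn_udp_min_port`-`matrix_coturn_turn_udp_max_port` UDP range) are never closed, so a disabled coturn leaves those ports permitted on RedHat hosts; add a matching `firewalld` task with `state: disabled` under `when: "not matrix_coturn_enabled and ansible_os_family == 'RedHat'"`. Also, `register: stopping_result` on the stop task is not used anywhere in this hunk; drop it or use it.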
9
roles/matrix-coturn/tasks/validate_config.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Fail if required Coturn settings not defined
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
You need to define a required configuration setting (`{{ item }}`) for using Coturn.
|
||||||
|
when: "vars[item] == ''"
|
||||||
|
with_items:
|
||||||
|
- "matrix_coturn_turn_static_auth_secret"
|
@ -1,7 +1,9 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Matrix Coturn server
|
Description=Matrix Coturn server
|
||||||
After=docker.service
|
{% for service in matrix_coturn_systemd_required_services_list %}
|
||||||
Requires=docker.service
|
Requires={{ service }}
|
||||||
|
After={{ service }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
|
@ -1,6 +1,3 @@
|
|||||||
# By default, this playbook sets up a postfix mailer server (running in a container).
|
|
||||||
# This is so that Matrix Synapse can send email reminders for unread messages.
|
|
||||||
# Other services (like mxisd), however, also use that mailer to send emails through it.
|
|
||||||
matrix_mailer_enabled: true
|
matrix_mailer_enabled: true
|
||||||
|
|
||||||
matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"
|
matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"
|
||||||
|
@ -5,5 +5,5 @@
|
|||||||
- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml"
|
- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml"
|
||||||
when: run_setup
|
when: run_setup
|
||||||
tags:
|
tags:
|
||||||
- setup-mailer
|
- setup-all
|
||||||
- setup-all
|
- setup-mailer
|
@ -1,17 +1,18 @@
|
|||||||
# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`).
|
|
||||||
# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own,
|
|
||||||
# you may wish to disable this.
|
|
||||||
matrix_mxisd_enabled: true
|
matrix_mxisd_enabled: true
|
||||||
|
|
||||||
matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
|
matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
|
||||||
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
|
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
|
||||||
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
|
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
|
||||||
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
|
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
|
||||||
|
|
||||||
# Controls whether the mxisd web server's port is exposed outside of the container.
|
# Controls whether the mxisd web server's port (`8090`) is exposed outside of the container.
|
||||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
|
matrix_mxisd_container_expose_port: false
|
||||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
||||||
# mxisd's web-server port to the local host (`127.0.0.1:8090`).
|
# List of systemd services that matrix-mxisd.service depends on
|
||||||
matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
|
matrix_mxisd_systemd_required_services_list: ['docker.service']
|
||||||
|
|
||||||
|
# List of systemd services that matrix-mxisd.service wants
|
||||||
|
matrix_mxisd_systemd_wanted_services_list: []
|
||||||
|
|
||||||
# Your identity server is private by default.
|
# Your identity server is private by default.
|
||||||
# To ensure maximum discovery, you can make your identity server
|
# To ensure maximum discovery, you can make your identity server
|
||||||
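Review bot: `matrix_mxisd_container_expose_port` changes from `"{{ not matrix_nginx_proxy_enabled }}"` to a hard `false`, and the removed comment explaining when to expose the port on `127.0.0.1:8090` goes with it. That is the right direction for an independent role, but the old behaviour now has to come from the glue variables file; keep a one-line comment here saying that people running without matrix-nginx-proxy must set this to `true` themselves, otherwise mxisd becomes unreachable for them after upgrading.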
@ -21,14 +22,19 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
|
|||||||
matrix_mxisd_matrixorg_forwarding_enabled: false
|
matrix_mxisd_matrixorg_forwarding_enabled: false
|
||||||
|
|
||||||
# mxisd has serveral supported identity stores.
|
# mxisd has serveral supported identity stores.
|
||||||
# One of them (which we enable by default) is storing identities directly in Synapse's database.
|
# One of them is storing identities directly in Synapse's database.
|
||||||
# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
|
# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
|
||||||
#
|
matrix_mxisd_synapsesql_enabled: false
|
||||||
# If you need to disable this in favor of some other store, you can toggle it to disabled here
|
matrix_mxisd_synapsesql_type: ""
|
||||||
# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`.
|
matrix_mxisd_synapsesql_connection: ""
|
||||||
matrix_mxisd_synapsesql_enabled: true
|
|
||||||
matrix_mxisd_synapsesql_type: postgresql
|
# Setting up email-sending settings is required for using mxisd.
|
||||||
matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }}
|
matrix_mxid_threepid_medium_email_identity_from: "matrix@{{ hostname_identity }}"
|
||||||
|
matrix_mxid_threepid_medium_email_connectors_smtp_host: ""
|
||||||
|
matrix_mxid_threepid_medium_email_connectors_smtp_port: 587
|
||||||
|
matrix_mxid_threepid_medium_email_connectors_smtp_tls: 1
|
||||||
|
matrix_mxid_threepid_medium_email_connectors_smtp_login: ""
|
||||||
|
matrix_mxid_threepid_medium_email_connectors_smtp_password: ""
|
||||||
|
|
||||||
# Default mxisd configuration template which covers the generic use case.
|
# Default mxisd configuration template which covers the generic use case.
|
||||||
# You can customize it by controlling the various variables inside it.
|
# You can customize it by controlling the various variables inside it.
|
||||||
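Review bot: the new email variables use the prefix `matrix_mxid_threepid_medium_email_*` while every other variable in this role is `matrix_mxisd_*`; since this commit is already a BC break, rename them now rather than in a later one. Two changed defaults also deserve a CHANGELOG line: `matrix_mxisd_synapsesql_enabled` flips from `true` to `false`, and `..._smtp_tls` defaults to `1` whereas the old template hard-coded `tls: 0` for the internal `matrix-mailer`, so the glue file must set `0` for that path. While here, `serveral` in the unchanged comment should read `several`.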
@ -59,12 +65,14 @@ matrix_mxisd_configuration_yaml: |
|
|||||||
medium:
|
medium:
|
||||||
email:
|
email:
|
||||||
identity:
|
identity:
|
||||||
from: {{ matrix_mailer_sender_address }}
|
from: {{ matrix_mxid_threepid_medium_email_identity_from }}
|
||||||
connectors:
|
connectors:
|
||||||
smtp:
|
smtp:
|
||||||
host: matrix-mailer
|
host: {{ matrix_mxid_threepid_medium_email_connectors_smtp_host }}
|
||||||
port: 587
|
port: {{ matrix_mxid_threepid_medium_email_connectors_smtp_port }}
|
||||||
tls: 0
|
tls: {{ matrix_mxid_threepid_medium_email_connectors_smtp_tls }}
|
||||||
|
login: {{ matrix_mxid_threepid_medium_email_connectors_smtp_login }}
|
||||||
|
password: {{ matrix_mxid_threepid_medium_email_connectors_smtp_password }}
|
||||||
|
|
||||||
synapseSql:
|
synapseSql:
|
||||||
enabled: {{ matrix_mxisd_synapsesql_enabled }}
|
enabled: {{ matrix_mxisd_synapsesql_enabled }}
|
||||||
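Review bot: `login:` and `password:` (and `host:`) are templated into the YAML as bare scalars; a password containing `: `, ` #`, or a leading `*`, `&`, `{` or `[` will either break `from_yaml` or silently change the value. Emit them as `{{ matrix_mxid_threepid_medium_email_connectors_smtp_password | to_json }}` (a JSON string is a valid YAML scalar) so the secret round-trips intact through `matrix_mxisd_configuration_yaml | from_yaml`.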
@ -92,10 +100,6 @@ matrix_mxisd_configuration_extension_yaml: |
|
|||||||
# bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
|
# bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
|
||||||
# bindPassword: TheUserPassword
|
# bindPassword: TheUserPassword
|
||||||
|
|
||||||
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
|
|
||||||
# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
|
|
||||||
matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
|
|
||||||
|
|
||||||
# Holds the final mxisd configuration (a combination of the default and its extension).
|
# Holds the final mxisd configuration (a combination of the default and its extension).
|
||||||
# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
|
# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
|
||||||
matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"
|
matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"
|
@ -2,6 +2,12 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||||
|
when: "run_setup and matrix_mxisd_enabled"
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-mxisd
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml"
|
- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml"
|
||||||
tags:
|
tags:
|
||||||
- setup-all
|
- setup-all
|
||||||
|
@ -4,49 +4,6 @@
|
|||||||
# Tasks related to setting up mxisd
|
# Tasks related to setting up mxisd
|
||||||
#
|
#
|
||||||
|
|
||||||
- name: (Deprecation) Warn about mxisd variables that are not used anymore
|
|
||||||
fail:
|
|
||||||
msg: >
|
|
||||||
The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
|
|
||||||
You'll need to adapt to the new way of extending mxisd configuration.
|
|
||||||
See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples.
|
|
||||||
when: "matrix_mxisd_enabled and item in vars"
|
|
||||||
with_items:
|
|
||||||
- 'matrix_mxisd_ldap_enabled'
|
|
||||||
- 'matrix_mxisd_ldap_connection_host'
|
|
||||||
- 'matrix_mxisd_ldap_connection_tls'
|
|
||||||
- 'matrix_mxisd_ldap_connection_port'
|
|
||||||
- 'matrix_mxisd_ldap_connection_baseDn'
|
|
||||||
- 'matrix_mxisd_ldap_connection_baseDns'
|
|
||||||
- 'matrix_mxisd_ldap_connection_bindDn'
|
|
||||||
- 'matrix_mxisd_ldap_connection_bindPassword'
|
|
||||||
- 'matrix_mxisd_ldap_filter'
|
|
||||||
- 'matrix_mxisd_ldap_attribute_uid_type'
|
|
||||||
- 'matrix_mxisd_ldap_attribute_uid_value'
|
|
||||||
- 'matrix_mxisd_ldap_connection_bindPassword'
|
|
||||||
- 'matrix_mxisd_ldap_attribute_name'
|
|
||||||
- 'matrix_mxisd_ldap_attribute_threepid_email'
|
|
||||||
- 'matrix_mxisd_ldap_attribute_threepid_msisdn'
|
|
||||||
- 'matrix_mxisd_ldap_identity_filter'
|
|
||||||
- 'matrix_mxisd_ldap_identity_medium'
|
|
||||||
- 'matrix_mxisd_ldap_auth_filter'
|
|
||||||
- 'matrix_mxisd_ldap_directory_filter'
|
|
||||||
- 'matrix_mxisd_template_config'
|
|
||||||
|
|
||||||
- name: Ensure mxisd configuration does not contain any dot-notation keys
|
|
||||||
fail:
|
|
||||||
msg: >
|
|
||||||
Since version 1.3.0, mxisd will not accept property-style configuration keys.
|
|
||||||
You have defined a key (`{{ item.key }}`) which contains a dot.
|
|
||||||
Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130
|
|
||||||
when: "matrix_mxisd_enabled and '.' in item.key"
|
|
||||||
with_dict: "{{ matrix_mxisd_configuration }}"
|
|
||||||
|
|
||||||
- name: Fail if mailer is not enabled
|
|
||||||
fail:
|
|
||||||
msg: "You need to enable the mailer service (`matrix_mailer_enabled`) to install mxisd"
|
|
||||||
when: "matrix_mxisd_enabled and not matrix_mailer_enabled"
|
|
||||||
|
|
||||||
- name: Ensure mxisd paths exist
|
- name: Ensure mxisd paths exist
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
|
47
roles/matrix-mxisd/tasks/validate_config.yml
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: (Deprecation) Warn about mxisd variables that are not used anymore
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
|
||||||
|
You'll need to adapt to the new way of extending mxisd configuration.
|
||||||
|
See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples.
|
||||||
|
when: "item in vars"
|
||||||
|
with_items:
|
||||||
|
- 'matrix_mxisd_ldap_enabled'
|
||||||
|
- 'matrix_mxisd_ldap_connection_host'
|
||||||
|
- 'matrix_mxisd_ldap_connection_tls'
|
||||||
|
- 'matrix_mxisd_ldap_connection_port'
|
||||||
|
- 'matrix_mxisd_ldap_connection_baseDn'
|
||||||
|
- 'matrix_mxisd_ldap_connection_baseDns'
|
||||||
|
- 'matrix_mxisd_ldap_connection_bindDn'
|
||||||
|
- 'matrix_mxisd_ldap_connection_bindPassword'
|
||||||
|
- 'matrix_mxisd_ldap_filter'
|
||||||
|
- 'matrix_mxisd_ldap_attribute_uid_type'
|
||||||
|
- 'matrix_mxisd_ldap_attribute_uid_value'
|
||||||
|
- 'matrix_mxisd_ldap_connection_bindPassword'
|
||||||
|
- 'matrix_mxisd_ldap_attribute_name'
|
||||||
|
- 'matrix_mxisd_ldap_attribute_threepid_email'
|
||||||
|
- 'matrix_mxisd_ldap_attribute_threepid_msisdn'
|
||||||
|
- 'matrix_mxisd_ldap_identity_filter'
|
||||||
|
- 'matrix_mxisd_ldap_identity_medium'
|
||||||
|
- 'matrix_mxisd_ldap_auth_filter'
|
||||||
|
- 'matrix_mxisd_ldap_directory_filter'
|
||||||
|
- 'matrix_mxisd_template_config'
|
||||||
|
|
||||||
|
- name: Ensure mxisd configuration does not contain any dot-notation keys
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
Since version 1.3.0, mxisd will not accept property-style configuration keys.
|
||||||
|
You have defined a key (`{{ item.key }}`) which contains a dot.
|
||||||
|
Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130
|
||||||
|
when: "'.' in item.key"
|
||||||
|
with_dict: "{{ matrix_mxisd_configuration }}"
|
||||||
|
|
||||||
|
- name: Fail if required mxisd settings not defined
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
You need to define a required configuration setting (`{{ item }}`) for using mxisd.
|
||||||
|
when: "vars[item] == ''"
|
||||||
|
with_items:
|
||||||
|
- "matrix_mxid_threepid_medium_email_connectors_smtp_host"
|
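Review bot: `matrix_mxisd_ldap_connection_bindPassword` appears twice in the deprecation `with_items` list (carried over from the old file); remove the duplicate. The required-settings check only covers `matrix_mxid_threepid_medium_email_connectors_smtp_host`; since `matrix_mxisd_synapsesql_type` and `matrix_mxisd_synapsesql_connection` now default to `""`, add a second `fail` gated on `matrix_mxisd_synapsesql_enabled` so an enabled Synapse store with an empty connection string is caught here rather than at container start.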
@ -1,11 +1,12 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Matrix mxisd identity server
|
Description=Matrix mxisd Identity server
|
||||||
After=docker.service
|
{% for service in matrix_mxisd_systemd_required_services_list %}
|
||||||
Requires=docker.service
|
Requires={{ service }}
|
||||||
{% if not matrix_postgres_use_external %}
|
After={{ service }}
|
||||||
Requires=matrix-postgres.service
|
{% endfor %}
|
||||||
After=matrix-postgres.service
|
{% for service in matrix_mxisd_systemd_wanted_services_list %}
|
||||||
{% endif %}
|
Wants={{ service }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
|
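Review bot: the second loop writes `Wants={{ service }}` without a matching `After={{ service }}`, so systemd may start mxisd before a wanted service (for example the mailer) is up, whereas the `Requires` loop above does order correctly. Add `After={{ service }}` inside the `matrix_mxisd_systemd_wanted_services_list` loop.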
5
roles/matrix-mxisd/vars/main.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
|
||||||
|
# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
|
||||||
|
matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
|
@ -1,7 +1,3 @@
|
|||||||
# By default, this playbook sets up its own nginx proxy server on port 80/443.
|
|
||||||
# This is fine if you're dedicating the whole server to Matrix.
|
|
||||||
# But in case that's not the case, you may wish to prevent that
|
|
||||||
# and take care of proxying by yourself.
|
|
||||||
matrix_nginx_proxy_enabled: true
|
matrix_nginx_proxy_enabled: true
|
||||||
|
|
||||||
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
|
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
|
||||||
@ -9,6 +5,20 @@ matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
|
|||||||
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
||||||
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
|
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
|
||||||
|
|
||||||
|
# List of systemd services that matrix-nginx-proxy.service depends on
|
||||||
|
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
||||||
|
|
||||||
|
# List of systemd services that matrix-nginx-proxy.service wants
|
||||||
|
matrix_nginx_proxy_systemd_wanted_services_list: []
|
||||||
|
|
||||||
|
# Controls whether proxying the riot domain should be done.
|
||||||
|
matrix_nginx_proxy_proxy_riot_enabled: false
|
||||||
|
matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}"
|
||||||
|
|
||||||
|
# Controls whether proxying the matrix domain should be done.
|
||||||
|
matrix_nginx_proxy_proxy_matrix_enabled: false
|
||||||
|
matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}"
|
||||||
|
|
||||||
# The addresses where the Matrix Client API is.
|
# The addresses where the Matrix Client API is.
|
||||||
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
||||||
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008"
|
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008"
|
||||||
@ -39,6 +49,9 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
|
|||||||
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
|
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
|
||||||
matrix_ssl_retrieval_method: "lets-encrypt"
|
matrix_ssl_retrieval_method: "lets-encrypt"
|
||||||
|
|
||||||
|
# The list of domains that this role will obtain certificates for.
|
||||||
|
matrix_ssl_domains_to_obtain_certificates_for: []
|
||||||
|
|
||||||
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
||||||
matrix_ssl_lets_encrypt_staging: false
|
matrix_ssl_lets_encrypt_staging: false
|
||||||
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"
|
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"
|
||||||
|
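Review bot: `matrix_ssl_domains_to_obtain_certificates_for` defaults to `[]`, so a standalone use of this role quietly obtains or verifies no certificates and nginx then fails on missing cert files; since every retrieval method iterates over this list, a `fail` task when it is empty would surface the misconfiguration early. Separately, the context line `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"` still enables TLSv1.1, which is deprecated; not introduced by this change, but worth trimming to `TLSv1.2` in a follow-up.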
@ -17,21 +17,30 @@
|
|||||||
mode: 0750
|
mode: 0750
|
||||||
owner: "{{ matrix_user_username }}"
|
owner: "{{ matrix_user_username }}"
|
||||||
group: "{{ matrix_user_username }}"
|
group: "{{ matrix_user_username }}"
|
||||||
recurse: yes
|
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ matrix_nginx_proxy_data_path }}"
|
- "{{ matrix_nginx_proxy_data_path }}"
|
||||||
- "{{ matrix_nginx_proxy_confd_path }}"
|
- "{{ matrix_nginx_proxy_confd_path }}"
|
||||||
|
|
||||||
- name: Ensure Matrix nginx-proxy configured
|
- name: Ensure Matrix nginx-proxy configured (generic)
|
||||||
template:
|
template:
|
||||||
src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2"
|
src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2"
|
||||||
dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}"
|
dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items:
|
when: "matrix_nginx_proxy_enabled"
|
||||||
- "nginx-http.conf"
|
|
||||||
- "matrix-synapse.conf"
|
|
||||||
- "matrix-riot-web.conf"
|
|
||||||
|
|
||||||
|
- name: Ensure Matrix nginx-proxy configuration for matrix domain exists
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2"
|
||||||
|
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
|
||||||
|
mode: 0644
|
||||||
|
when: "matrix_nginx_proxy_proxy_matrix_enabled"
|
||||||
|
|
||||||
|
- name: Ensure Matrix nginx-proxy configuration for riot domain exists
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2"
|
||||||
|
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
|
||||||
|
mode: 0644
|
||||||
|
when: "matrix_nginx_proxy_proxy_riot_enabled"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Tasks related to setting up matrix-nginx-proxy
|
# Tasks related to setting up matrix-nginx-proxy
|
||||||
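Review bot: the per-domain templates are now gated only on `matrix_nginx_proxy_proxy_matrix_enabled` / `matrix_nginx_proxy_proxy_riot_enabled`, not on `matrix_nginx_proxy_enabled`, so they are rendered into `conf.d` even when the proxy itself is disabled; use `when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_matrix_enabled"` (and likewise for riot) to match the generic task. Also, `recurse: yes` is dropped from the directory task without explanation; if that is deliberate (it re-chowned every file under `conf.d` on each run), say so in the commit message or a comment, since it changes behaviour on existing installs.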
@ -50,7 +59,7 @@
|
|||||||
with_items:
|
with_items:
|
||||||
- "http"
|
- "http"
|
||||||
- "https"
|
- "https"
|
||||||
when: "ansible_os_family == 'RedHat' and matrix_nginx_proxy_enabled"
|
when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'"
|
||||||
|
|
||||||
- name: Ensure matrix-nginx-proxy.service installed
|
- name: Ensure matrix-nginx-proxy.service installed
|
||||||
template:
|
template:
|
||||||
@ -82,3 +91,16 @@
|
|||||||
path: "/etc/systemd/system/matrix-nginx-proxy.service"
|
path: "/etc/systemd/system/matrix-nginx-proxy.service"
|
||||||
state: absent
|
state: absent
|
||||||
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
|
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
|
||||||
|
|
||||||
|
- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_nginx_proxy_proxy_matrix_enabled"
|
||||||
|
|
||||||
|
- name: Ensure Matrix nginx-proxy configuration for riot domain deleted
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
|
||||||
|
state: absent
|
||||||
|
when: "not matrix_nginx_proxy_proxy_riot_enabled"
|
||||||
|
|
||||||
|
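Review bot: the two new deletion tasks remove `matrix-synapse.conf` / `matrix-riot-web.conf` when their proxy flags are off, but carry no `notify`, so an already-running matrix-nginx-proxy keeps serving the old server blocks until something else restarts it. If the role restarts the service later on, a comment pointing at that task would help; otherwise add a handler or an explicit restart.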
@ -8,15 +8,6 @@
|
|||||||
|
|
||||||
# Common tasks, required by any method below.
|
# Common tasks, required by any method below.
|
||||||
|
|
||||||
- name: Determine domains that we require certificates for (Matrix)
|
|
||||||
set_fact:
|
|
||||||
domains_requiring_certificates: "['{{ hostname_matrix }}']"
|
|
||||||
|
|
||||||
- name: Determine domains that we require certificates for (Riot)
|
|
||||||
set_fact:
|
|
||||||
domains_requiring_certificates: "{{ domains_requiring_certificates + [hostname_riot] }}"
|
|
||||||
when: "matrix_riot_web_enabled"
|
|
||||||
|
|
||||||
- name: Ensure SSL certificate paths exists
|
- name: Ensure SSL certificate paths exists
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
|
@ -39,7 +39,7 @@
|
|||||||
|
|
||||||
- name: Obtain Let's Encrypt certificates
|
- name: Obtain Let's Encrypt certificates
|
||||||
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
|
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
|
||||||
with_items: "{{ domains_requiring_certificates }}"
|
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: domain_name
|
loop_var: domain_name
|
||||||
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
- name: Verify certificates
|
- name: Verify certificates
|
||||||
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
|
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
|
||||||
with_items: "{{ domains_requiring_certificates }}"
|
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: domain_name
|
loop_var: domain_name
|
||||||
when: "matrix_ssl_retrieval_method == 'manually-managed'"
|
when: "matrix_ssl_retrieval_method == 'manually-managed'"
|
@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
- name: Generate self-signed certificates
|
- name: Generate self-signed certificates
|
||||||
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
|
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
|
||||||
with_items: "{{ domains_requiring_certificates }}"
|
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: domain_name
|
loop_var: domain_name
|
||||||
when: "matrix_ssl_retrieval_method == 'self-signed'"
|
when: "matrix_ssl_retrieval_method == 'self-signed'"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name {{ hostname_riot }};
|
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
|
||||||
@ -25,7 +25,7 @@ server {
|
|||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
server_name {{ hostname_riot }};
|
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
root /dev/null;
|
root /dev/null;
|
||||||
@ -33,8 +33,8 @@ server {
|
|||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/privkey.pem;
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
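Review bot: `ssl_certificate` and `ssl_certificate_key` are now resolved from `matrix_nginx_proxy_proxy_riot_hostname`, while certificate retrieval loops over `matrix_ssl_domains_to_obtain_certificates_for`; nothing ties the two together, so a hostname present in one but not the other leaves nginx pointing at a `live/<host>/fullchain.pem` that was never obtained and the proxy refuses to start. Worth a validate check that every `matrix_nginx_proxy_proxy_*_hostname` in use is also in the domains list.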
@ -1,6 +1,6 @@
|
|||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name {{ hostname_matrix }};
|
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
|
||||||
@ -25,7 +25,7 @@ server {
|
|||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
server_name {{ hostname_matrix }};
|
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
root /dev/null;
|
root /dev/null;
|
||||||
@ -33,8 +33,8 @@ server {
|
|||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json;
|
gzip_types text/plain application/json;
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
@ -1,17 +1,12 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Matrix nginx proxy server
|
Description=Matrix nginx-proxy server
|
||||||
After=docker.service
|
{% for service in matrix_nginx_proxy_systemd_required_services_list %}
|
||||||
Requires=docker.service
|
Requires={{ service }}
|
||||||
Wants=matrix-synapse.service
|
After={{ service }}
|
||||||
{% if matrix_corporal_enabled %}
|
{% endfor %}
|
||||||
Wants=matrix-corporal.service
|
{% for service in matrix_nginx_proxy_systemd_wanted_services_list %}
|
||||||
{% endif %}
|
Wants={{ service }}
|
||||||
{% if matrix_riot_web_enabled %}
|
{% endfor %}
|
||||||
Wants=matrix-riot-web.service
|
|
||||||
{% endif %}
|
|
||||||
{% if matrix_mxisd_enabled %}
|
|
||||||
Wants=matrix-mxisd.service
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
|
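Review bot: the wanted-services loop emits only `Wants={{ service }}` with no matching `After=`; `Wants=` pulls a unit in but does not order it, so services in `matrix_nginx_proxy_systemd_wanted_services_list` may still be starting when nginx comes up and tries to resolve its upstreams. Consider emitting `After={{ service }}` in that loop too, as the required-services loop already does. Also, the defaults for the two new list variables are not in this diff; with an undefined list the template errors rather than falling back to `docker.service`.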
@ -1,10 +1,9 @@
|
|||||||
# The defaults below cause a postgres server to be configured (running within a container).
|
matrix_postgres_enabled: true
|
||||||
# Using an external server is possible by tweaking all of the parameters below.
|
|
||||||
matrix_postgres_use_external: false
|
matrix_postgres_connection_hostname: ""
|
||||||
matrix_postgres_connection_hostname: "matrix-postgres"
|
matrix_postgres_connection_username: ""
|
||||||
matrix_postgres_connection_username: "synapse"
|
matrix_postgres_connection_password: ""
|
||||||
matrix_postgres_connection_password: "synapse-password"
|
matrix_postgres_db_name: ""
|
||||||
matrix_postgres_db_name: "homeserver"
|
|
||||||
|
|
||||||
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
|
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
|
||||||
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"
|
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"
|
||||||
|
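Review bot: dropping the hard-coded `synapse-password` default together with the `matrix-postgres`/`synapse`/`homeserver` connection defaults in favour of empty strings is the right call, since every consumer now has to set credentials deliberately. The comment explaining how an external server is configured was removed without a replacement, though; a one-line pointer to `matrix_postgres_enabled: false` plus the `matrix_synapse_database_*` variables (as the new validate message describes) belongs here so the defaults file documents itself.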
@ -2,6 +2,11 @@
|
|||||||
|
|
||||||
# Pre-checks
|
# Pre-checks
|
||||||
|
|
||||||
|
- name: Fail if Postgres not enabled
|
||||||
|
fail:
|
||||||
|
msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import."
|
||||||
|
when: "not matrix_postgres_enabled"
|
||||||
|
|
||||||
- name: Fail if playbook called incorrectly
|
- name: Fail if playbook called incorrectly
|
||||||
fail:
|
fail:
|
||||||
msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars"
|
msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars"
|
||||||
|
@ -2,6 +2,11 @@
|
|||||||
|
|
||||||
# Pre-checks
|
# Pre-checks
|
||||||
|
|
||||||
|
- name: Fail if Postgres not enabled
|
||||||
|
fail:
|
||||||
|
msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import."
|
||||||
|
when: "not matrix_postgres_enabled"
|
||||||
|
|
||||||
- name: Fail if playbook called incorrectly
|
- name: Fail if playbook called incorrectly
|
||||||
fail:
|
fail:
|
||||||
msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars"
|
msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars"
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
- set_fact:
|
- set_fact:
|
||||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}"
|
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}"
|
||||||
when: "not matrix_postgres_use_external"
|
when: matrix_postgres_enabled
|
@ -2,11 +2,17 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||||
|
when: "run_setup and matrix_postgres_enabled"
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-postgres
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/setup_postgres.yml"
|
- import_tasks: "{{ role_path }}/tasks/setup_postgres.yml"
|
||||||
when: run_setup
|
when: run_setup
|
||||||
tags:
|
tags:
|
||||||
- setup-postgres
|
|
||||||
- setup-all
|
- setup-all
|
||||||
|
- setup-postgres
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/import_postgres.yml"
|
- import_tasks: "{{ role_path }}/tasks/import_postgres.yml"
|
||||||
when: run_import_postgres
|
when: run_import_postgres
|
||||||
|
@ -5,8 +5,10 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml"
|
- import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml"
|
||||||
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml"
|
- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml"
|
||||||
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
# If we have found an existing version (installed from before), we use its corresponding Docker image.
|
# If we have found an existing version (installed from before), we use its corresponding Docker image.
|
||||||
# If not, we install using the latest Postgres.
|
# If not, we install using the latest Postgres.
|
||||||
@ -14,16 +16,18 @@
|
|||||||
# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`).
|
# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`).
|
||||||
- set_fact:
|
- set_fact:
|
||||||
matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}"
|
matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}"
|
||||||
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
- name: Warn if on an old version of Postgres
|
- name: Warn if on an old version of Postgres
|
||||||
debug:
|
debug:
|
||||||
msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres"
|
msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres"
|
||||||
when: "matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest"
|
when: "matrix_postgres_enabled and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest"
|
||||||
|
|
||||||
# Even if we don't run the internal server, we still need this for running the CLI
|
# Even if we don't run the internal server, we still need this for running the CLI
|
||||||
- name: Ensure postgres Docker image is pulled
|
- name: Ensure postgres Docker image is pulled
|
||||||
docker_image:
|
docker_image:
|
||||||
name: "{{ matrix_postgres_docker_image_to_use }}"
|
name: "{{ matrix_postgres_docker_image_to_use }}"
|
||||||
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
# We always create these directories, even if an external Postgres is used,
|
# We always create these directories, even if an external Postgres is used,
|
||||||
# because we store environment variable files there.
|
# because we store environment variable files there.
|
||||||
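Review bot: the comment `# Even if we don't run the internal server, we still need this for running the CLI` is now stale: the pull task directly below it is gated with `when: matrix_postgres_enabled`, and the `matrix-postgres-cli` script task is gated the same way further down, so nothing is pulled or installed for the external-Postgres case anymore. Update or drop the comment so it matches the behaviour.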
@ -37,6 +41,7 @@
|
|||||||
with_items:
|
with_items:
|
||||||
- "{{ matrix_postgres_base_path }}"
|
- "{{ matrix_postgres_base_path }}"
|
||||||
- "{{ matrix_postgres_data_path }}"
|
- "{{ matrix_postgres_data_path }}"
|
||||||
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
- name: Ensure Postgres environment variables file created
|
- name: Ensure Postgres environment variables file created
|
||||||
template:
|
template:
|
||||||
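Review bot: the comment `# We always create these directories, even if an external Postgres is used, because we store environment variable files there.` now sits on a task that has `when: matrix_postgres_enabled`, so either the comment or the condition is wrong. If the env files really are needed for the external case, the gate should come off; otherwise rewrite the comment.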
@ -46,18 +51,21 @@
|
|||||||
with_items:
|
with_items:
|
||||||
- "env-postgres-psql"
|
- "env-postgres-psql"
|
||||||
- "env-postgres-server"
|
- "env-postgres-server"
|
||||||
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
- name: Ensure matrix-postgres-cli script created
|
- name: Ensure matrix-postgres-cli script created
|
||||||
template:
|
template:
|
||||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2"
|
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2"
|
||||||
dest: "/usr/local/bin/matrix-postgres-cli"
|
dest: "/usr/local/bin/matrix-postgres-cli"
|
||||||
mode: 0750
|
mode: 0750
|
||||||
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
- name: Ensure matrix-make-user-admin script created
|
- name: Ensure matrix-make-user-admin script created
|
||||||
template:
|
template:
|
||||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2"
|
src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2"
|
||||||
dest: "/usr/local/bin/matrix-make-user-admin"
|
dest: "/usr/local/bin/matrix-make-user-admin"
|
||||||
mode: 0750
|
mode: 0750
|
||||||
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
#
|
#
|
||||||
# Tasks related to setting up an internal postgres server
|
# Tasks related to setting up an internal postgres server
|
||||||
@ -68,7 +76,7 @@
|
|||||||
src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2"
|
src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2"
|
||||||
dest: "/etc/systemd/system/matrix-postgres.service"
|
dest: "/etc/systemd/system/matrix-postgres.service"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
when: "not matrix_postgres_use_external"
|
when: matrix_postgres_enabled
|
||||||
|
|
||||||
#
|
#
|
||||||
# Tasks related to getting rid of the internal postgres server (if it was previously enabled)
|
# Tasks related to getting rid of the internal postgres server (if it was previously enabled)
|
||||||
@ -78,29 +86,29 @@
|
|||||||
stat:
|
stat:
|
||||||
path: "/etc/systemd/system/matrix-postgres.service"
|
path: "/etc/systemd/system/matrix-postgres.service"
|
||||||
register: matrix_postgres_service_stat
|
register: matrix_postgres_service_stat
|
||||||
when: matrix_postgres_use_external
|
when: "not matrix_postgres_enabled"
|
||||||
|
|
||||||
- name: Ensure matrix-postgres is stopped
|
- name: Ensure matrix-postgres is stopped
|
||||||
service:
|
service:
|
||||||
name: matrix-postgres
|
name: matrix-postgres
|
||||||
state: stopped
|
state: stopped
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
|
when: "not matrix_postgres_enabled and matrix_postgres_service_stat.stat.exists"
|
||||||
|
|
||||||
- name: Ensure matrix-postgres.service doesn't exist
|
- name: Ensure matrix-postgres.service doesn't exist
|
||||||
file:
|
file:
|
||||||
path: "/etc/systemd/system/matrix-postgres.service"
|
path: "/etc/systemd/system/matrix-postgres.service"
|
||||||
state: absent
|
state: absent
|
||||||
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
|
when: "not matrix_postgres_enabled and matrix_postgres_service_stat.stat.exists"
|
||||||
|
|
||||||
- name: Check existence of matrix-postgres local data path
|
- name: Check existence of matrix-postgres local data path
|
||||||
stat:
|
stat:
|
||||||
path: "{{ matrix_postgres_data_path }}"
|
path: "{{ matrix_postgres_data_path }}"
|
||||||
register: matrix_postgres_data_path_stat
|
register: matrix_postgres_data_path_stat
|
||||||
when: matrix_postgres_use_external
|
when: "not matrix_postgres_enabled"
|
||||||
|
|
||||||
# We just want to notify the user. Deleting data is too destructive.
|
# We just want to notify the user. Deleting data is too destructive.
|
||||||
- name: Notify if matrix-postgres local data remains
|
- name: Notify if matrix-postgres local data remains
|
||||||
debug:
|
debug:
|
||||||
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete it."
|
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it."
|
||||||
when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"
|
when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists"
|
||||||
|
@ -22,8 +22,8 @@
|
|||||||
|
|
||||||
- name: Fail, if trying to upgrade external Postgres database
|
- name: Fail, if trying to upgrade external Postgres database
|
||||||
fail:
|
fail:
|
||||||
msg: "Your configuration indicates that you're using an external Postgres database. Refusing to try and upgrade that."
|
msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade."
|
||||||
when: "matrix_postgres_use_external"
|
when: "not matrix_postgres_enabled"
|
||||||
|
|
||||||
- name: Check Postgres auto-upgrade backup data directory
|
- name: Check Postgres auto-upgrade backup data directory
|
||||||
stat:
|
stat:
|
||||||
|
22
roles/matrix-postgres/tasks/validate_config.yml
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: (Deprecation) Warn about matrix_postgres_use_external usage
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore!
|
||||||
|
You'll need to adapt to the new way of using an external Postgres server.
|
||||||
|
It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection
|
||||||
|
details in a few `matrix_synapse_database_` variables.
|
||||||
|
See the "Using an external PostgreSQL server (optional)" documentation page.
|
||||||
|
when: "'matrix_postgres_use_external' in vars"
|
||||||
|
|
||||||
|
- name: Fail if required Postgres settings not defined
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
You need to define a required configuration setting (`{{ item }}`) for using mxisd.
|
||||||
|
when: "vars[item] == ''"
|
||||||
|
with_items:
|
||||||
|
- "matrix_postgres_connection_hostname"
|
||||||
|
- "matrix_postgres_connection_username"
|
||||||
|
- "matrix_postgres_connection_password"
|
||||||
|
- "matrix_postgres_db_name"
|
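Review bot: the message in `Fail if required Postgres settings not defined` says `for using mxisd`, a copy-paste from the mxisd role; it should say Postgres. Two smaller points: the task named `(Deprecation) Warn about matrix_postgres_use_external usage` uses `fail:`, which aborts the run rather than warning, so either rename it or use `debug:` and fail later; and `when: "vars[item] == ''"` only catches empty strings, so a consumer who sets `matrix_postgres_connection_password: ~` passes validation with a null password. `when: "not vars[item]"` would catch both.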
@ -1,13 +1,17 @@
|
|||||||
# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain.
|
|
||||||
# If you wish to connect to your Matrix server by other means,
|
|
||||||
# you may wish to disable this.
|
|
||||||
matrix_riot_web_enabled: true
|
matrix_riot_web_enabled: true
|
||||||
|
|
||||||
matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8"
|
matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8"
|
||||||
|
|
||||||
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
|
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
|
||||||
|
|
||||||
|
matrix_riot_web_container_expose_port: false
|
||||||
|
|
||||||
|
# List of systemd services that matrix-riot-web.service depends on
|
||||||
|
matrix_riot_web_systemd_required_services_list: ['docker.service']
|
||||||
|
|
||||||
# Riot config.json customizations
|
# Riot config.json customizations
|
||||||
|
matrix_riot_web_default_hs_url: ""
|
||||||
|
matrix_riot_web_default_is_url: ~
|
||||||
matrix_riot_web_disable_custom_urls: true
|
matrix_riot_web_disable_custom_urls: true
|
||||||
matrix_riot_web_disable_guests: true
|
matrix_riot_web_disable_guests: true
|
||||||
matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
|
matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
|
||||||
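Review bot: the comments that explained `matrix_riot_web_enabled` were dropped and the two new settings arrive without any. `matrix_riot_web_container_expose_port` should say what it exposes (loopback `127.0.0.1:8765` per the service template) and when to enable it (no nginx-proxy in front), and `matrix_riot_web_default_is_url: ~` should state whether `null` is an accepted value for riot-web's `default_is_url`, since the new validate task only checks `matrix_riot_web_default_hs_url`.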
@ -18,7 +22,6 @@ matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/wid
|
|||||||
matrix_riot_web_roomdir_servers: ['matrix.org']
|
matrix_riot_web_roomdir_servers: ['matrix.org']
|
||||||
matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
|
matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
|
||||||
|
|
||||||
|
|
||||||
# Riot home.html customizations
|
# Riot home.html customizations
|
||||||
# Default home.html template file
|
# Default home.html template file
|
||||||
matrix_riot_web_homepage_template: "{{ role_path }}/templates/home.html.j2"
|
matrix_riot_web_homepage_template: "{{ role_path }}/templates/home.html.j2"
|
||||||
|
@ -2,6 +2,12 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||||
|
when: "run_setup and matrix_riot_web_enabled"
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-riot-web
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/setup_riot_web.yml"
|
- import_tasks: "{{ role_path }}/tasks/setup_riot_web.yml"
|
||||||
when: run_setup
|
when: run_setup
|
||||||
tags:
|
tags:
|
||||||
|
9
roles/matrix-riot-web/tasks/validate_config.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Fail if required riot-web settings not defined
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
You need to define a required configuration setting (`{{ item }}`) for using riot-web.
|
||||||
|
when: "vars[item] == ''"
|
||||||
|
with_items:
|
||||||
|
- "matrix_riot_web_default_hs_url"
|
@ -1,13 +1,13 @@
|
|||||||
{
|
{
|
||||||
"default_hs_url": "{{ matrix_homeserver_url }}",
|
"default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }},
|
||||||
"default_is_url": "{{ matrix_identity_server_url }}",
|
"default_is_url": {{ matrix_riot_web_default_is_url|to_json }},
|
||||||
"disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|lower }},
|
"disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }},
|
||||||
"disable_guests": {{ matrix_riot_web_disable_guests|lower }},
|
"disable_guests": {{ matrix_riot_web_disable_guests|to_json }},
|
||||||
"brand": "Riot",
|
"brand": "Riot",
|
||||||
"integrations_ui_url": "{{ matrix_riot_web_integrations_ui_url }}",
|
"integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }},
|
||||||
"integrations_rest_url": "{{ matrix_riot_web_integrations_rest_url }}",
|
"integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }},
|
||||||
"integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }},
|
"integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }},
|
||||||
"integrations_jitsi_widget_url": "{{ matrix_riot_web_integrations_jitsi_widget_url }}",
|
"integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }},
|
||||||
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
|
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
|
||||||
"enableLabs": true,
|
"enableLabs": true,
|
||||||
"roomDirectory": {
|
"roomDirectory": {
|
||||||
|
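Review bot: switching from `"{{ var }}"` to `{{ var|to_json }}` is a correctness fix, not only a style one: the old form produced malformed or differently-structured JSON whenever a value contained a double quote or backslash, and `to_json` escapes those properly; the booleans also come out as `true`/`false` without the `|lower` workaround. One thing to confirm: `matrix_riot_web_default_is_url` defaults to `~`, so this line renders `"default_is_url": null`; make sure riot-web treats `null` the same as an absent key.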
@ -1,7 +1,9 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Matrix Riot web server
|
Description=Matrix riot-web server
|
||||||
After=docker.service
|
{% for service in matrix_riot_web_systemd_required_services_list %}
|
||||||
Requires=docker.service
|
Requires={{ service }}
|
||||||
|
After={{ service }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
@ -12,7 +14,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
|
|||||||
-v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \
|
-v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \
|
||||||
-v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \
|
-v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \
|
||||||
--network={{ matrix_docker_network }} \
|
--network={{ matrix_docker_network }} \
|
||||||
{% if not matrix_nginx_proxy_enabled %}
|
{% if matrix_riot_web_container_expose_port %}
|
||||||
-p 127.0.0.1:8765:80 \
|
-p 127.0.0.1:8765:80 \
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{{ matrix_riot_web_docker_image }}
|
{{ matrix_riot_web_docker_image }}
|
||||||
|
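Review bot: good that the published port stays bound to `127.0.0.1:8765`, so the container is never reachable from other hosts even when exposed; but the condition changed from `not matrix_nginx_proxy_enabled` to the static flag `matrix_riot_web_container_expose_port`, which defaults to `false`. A setup that disables the proxy without the glue variables file setting the flag ends up with riot-web running but unreachable, so the glue file needs `matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"` (or equivalent) for the old behaviour to survive.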
@ -8,10 +8,13 @@ matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
|
|||||||
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
|
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
|
||||||
|
|
||||||
# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008).
|
# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008).
|
||||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
|
matrix_synapse_container_expose_client_server_api_port: false
|
||||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
|
||||||
# the Client/Server API's port to the local host (`127.0.0.1:8008`).
|
# List of systemd services that matrix-synapse.service depends on
|
||||||
matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
|
matrix_synapse_systemd_required_services_list: ['docker.service']
|
||||||
|
|
||||||
|
# List of systemd services that matrix-synapse.service wants
|
||||||
|
matrix_synapse_systemd_wanted_services_list: []
|
||||||
|
|
||||||
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
|
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
|
||||||
|
|
||||||
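Review bot: the three comment lines that told operators when to set `matrix_synapse_container_expose_client_server_api_port` (no nginx-proxy in front, port `127.0.0.1:8008`) were deleted along with the `{{ not matrix_nginx_proxy_enabled }}` derivation, and nothing replaced them. Keep at least the port and the "enable this if nothing proxies Synapse" guidance, and mention that the playbook's glue variables file is where the derivation now lives, so a standalone role user knows why the default is `false`.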
@ -27,15 +30,10 @@ matrix_synapse_macaroon_secret_key: ""
|
|||||||
matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
|
matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
|
||||||
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
|
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
|
||||||
|
|
||||||
# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled
|
# The list of identity servers to use for Synapse.
|
||||||
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
|
# We assume this role runs standalone without a local Identity server, so we point Synapse to public ones.
|
||||||
|
# This most likely gets overwritten later, so that a local Identity server is used.
|
||||||
# These are the identity servers that would be trusted by Synapse if mxisd IS enabled
|
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}"
|
||||||
matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']"
|
|
||||||
|
|
||||||
# The final list of identity servers to use for Synapse.
|
|
||||||
# The first one would also be used as riot-web's default identity server.
|
|
||||||
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
|
|
||||||
|
|
||||||
matrix_synapse_max_upload_size_mb: 10
|
matrix_synapse_max_upload_size_mb: 10
|
||||||
matrix_synapse_max_log_file_size_mb: 100
|
matrix_synapse_max_log_file_size_mb: 100
|
||||||
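Review bot: `matrix_synapse_trusted_third_party_id_servers` now defaults to the public list (`vector.im`, `matrix.org`) and the own-server variant is gone. That is a meaningful security default: 3PID (email/phone) lookups and bindings go to third-party identity servers unless the value is overridden, which the mxisd-based default previously avoided. The comment `This most likely gets overwritten later` is too vague for a role meant for standalone use; name the glue file that sets it, and consider defaulting to an empty list so a consumer opts in to external identity servers rather than out.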
@ -114,6 +112,22 @@ matrix_synapse_app_service_config_files: []
|
|||||||
# any password providers have been enabled or not.
|
# any password providers have been enabled or not.
|
||||||
matrix_synapse_password_providers_enabled: false
|
matrix_synapse_password_providers_enabled: false
|
||||||
|
|
||||||
|
# Postgres database information
|
||||||
|
matrix_synapse_database_host: ""
|
||||||
|
matrix_synapse_database_user: ""
|
||||||
|
matrix_synapse_database_password: ""
|
||||||
|
matrix_synapse_database_database: ""
|
||||||
|
|
||||||
|
matrix_synapse_turn_uris: []
|
||||||
|
matrix_synapse_turn_shared_secret: ""
|
||||||
|
|
||||||
|
matrix_synapse_email_enabled: false
|
||||||
|
matrix_synapse_email_smtp_host: ""
|
||||||
|
matrix_synapse_email_smtp_port: 587
|
||||||
|
matrix_synapse_email_smtp_require_transport_security: false
|
||||||
|
matrix_synapse_email_notif_from: "Matrix <matrix@{{ hostname_identity }}>"
|
||||||
|
matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}"
|
||||||
|
|
||||||
|
|
||||||
# Enable this to activate the REST auth password provider module.
|
# Enable this to activate the REST auth password provider module.
|
||||||
# See: https://github.com/kamax-io/matrix-synapse-rest-auth
|
# See: https://github.com/kamax-io/matrix-synapse-rest-auth
|
||||||
|
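Review bot: `matrix_synapse_email_notif_from` and `matrix_synapse_email_riot_base_url` reference `hostname_identity` and `hostname_riot`, which are playbook-level variables rather than `matrix_synapse_*` role variables, so the role still does not render standalone, which is the point of this commit. Default them to empty strings (as the new `matrix_synapse_database_*` values do) and set them from the glue file. Also, `matrix_synapse_email_smtp_require_transport_security: false` is harmless while `matrix_synapse_email_enabled` is `false`, but it deserves a comment that enabling email with this default sends SMTP credentials in plaintext unless the operator flips it.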
@ -2,6 +2,12 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||||
|
when: run_setup
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-synapse
|
||||||
|
|
||||||
- import_tasks: "{{ role_path }}/tasks/setup_synapse_entrypoint.yml"
|
- import_tasks: "{{ role_path }}/tasks/setup_synapse_entrypoint.yml"
|
||||||
when: run_setup
|
when: run_setup
|
||||||
tags:
|
tags:
|
||||||
|
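Review bot: the `validate_config.yml` import is gated on `run_setup` only, whereas the equivalent imports in the postgres and riot-web roles are gated on `run_setup and matrix_<role>_enabled`. If a `matrix_synapse_enabled` flag exists (the commit message says every role has one), use it here too for consistency; if validation should always run for Synapse, say so in a comment.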
@ -1,20 +1,17 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- set_fact:
|
|
||||||
matrix_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions"
|
|
||||||
|
|
||||||
- name: Check Matrix Client API
|
- name: Check Matrix Client API
|
||||||
uri:
|
uri:
|
||||||
url: "{{ matrix_client_api_url_endpoint_public }}"
|
url: "{{ matrix_synapse_client_api_url_endpoint_public }}"
|
||||||
follow_redirects: false
|
follow_redirects: false
|
||||||
register: result_matrix_client_api
|
register: result_matrix_synapse_client_api
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
|
||||||
- name: Fail if Matrix Client API not working
|
- name: Fail if Matrix Client API not working
|
||||||
fail:
|
fail:
|
||||||
msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_client_api }}"
|
msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_synapse_client_api }}"
|
||||||
when: "result_matrix_client_api.failed or 'json' not in result_matrix_client_api"
|
when: "result_matrix_synapse_client_api.failed or 'json' not in result_matrix_synapse_client_api"
|
||||||
|
|
||||||
- name: Report working Matrix Client API
|
- name: Report working Matrix Client API
|
||||||
debug:
|
debug:
|
||||||
msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`) is working"
|
msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`) is working"
|
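Review bot: the `set_fact` that built `matrix_client_api_url_endpoint_public` from `hostname_matrix` is removed and the tasks now read `matrix_synapse_client_api_url_endpoint_public`, but a default for that variable is not part of this diff, and the `fail`/`debug` messages still interpolate `hostname_matrix`, which is not a role variable. Define `matrix_synapse_client_api_url_endpoint_public` in the role defaults (derived from a `matrix_synapse_*` hostname variable) and use that same variable in the messages; otherwise the self-check breaks when the role runs outside this playbook. The federation self-check in this commit has the identical pattern.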
@ -1,21 +1,18 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- set_fact:
|
|
||||||
matrix_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version"
|
|
||||||
|
|
||||||
- name: Check Matrix Federation API
|
- name: Check Matrix Federation API
|
||||||
uri:
|
uri:
|
||||||
url: "{{ matrix_federation_api_url_endpoint_public }}"
|
url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
|
||||||
follow_redirects: false
|
follow_redirects: false
|
||||||
validate_certs: false
|
validate_certs: false
|
||||||
register: result_matrix_federation_api
|
register: result_matrix_synapse_federation_api
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
|
||||||
- name: Fail if Matrix Federation API not working
|
- name: Fail if Matrix Federation API not working
|
||||||
fail:
|
fail:
|
||||||
msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_federation_api }}"
|
msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
|
||||||
when: "result_matrix_federation_api.failed or 'json' not in result_matrix_federation_api"
|
when: "result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api"
|
||||||
|
|
||||||
- name: Report working Matrix Federation API
|
- name: Report working Matrix Federation API
|
||||||
debug:
|
debug:
|
||||||
msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`) is working"
|
msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"
|
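Review bot: `validate_certs: false` on the `uri` probe (unchanged context in this hunk) means the federation self-check reports "working" as long as anything answers on port 8448, even with an expired or self-signed certificate that remote homeservers would reject. Consider a second probe with `validate_certs: true`, or at least say in the success `debug` message that certificate validity was not checked, so the check is not mistaken for a federation-readiness test.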
9
roles/matrix-synapse/tasks/validate_config.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Fail if required Synapse settings not defined
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
You need to define a required configuration setting (`{{ item }}`) for using Synapse.
|
||||||
|
when: "vars[item] == ''"
|
||||||
|
with_items:
|
||||||
|
- "matrix_synapse_macaroon_secret_key"
|
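Review bot: `when: "vars[item] == ''"` produces an undefined-variable error instead of the friendly `fail` message when the setting is missing entirely rather than set to an empty string. Use `when: "vars[item] | default('') == ''"` so both cases reach the `fail` task with the `You need to define a required configuration setting` message.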
@ -216,10 +216,10 @@ database:
|
|||||||
# The database engine name
|
# The database engine name
|
||||||
name: "psycopg2"
|
name: "psycopg2"
|
||||||
args:
|
args:
|
||||||
user: {{ matrix_postgres_connection_username|to_json }}
|
user: {{ matrix_synapse_database_user|to_json }}
|
||||||
password: {{ matrix_postgres_connection_password|to_json }}
|
password: {{ matrix_synapse_database_password|to_json }}
|
||||||
database: "{{ matrix_postgres_db_name }}"
|
database: "{{ matrix_synapse_database_database }}"
|
||||||
host: "{{ matrix_postgres_connection_hostname }}"
|
host: "{{ matrix_synapse_database_host }}"
|
||||||
cp_min: 5
|
cp_min: 5
|
||||||
cp_max: 10
|
cp_max: 10
|
||||||
|
|
||||||
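Review bot: `database:` and `host:` are rendered with plain `"{{ … }}"` quoting while `user:` and `password:` use `|to_json`; a value containing a double quote or backslash would yield invalid YAML for the first two. Use `{{ matrix_synapse_database_database|to_json }}` and `{{ matrix_synapse_database_host|to_json }}` for consistency with the other two lines.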
@ -409,10 +409,10 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
|
|||||||
## Turn ##
|
## Turn ##
|
||||||
|
|
||||||
# The public URIs of the TURN server to give to clients
|
# The public URIs of the TURN server to give to clients
|
||||||
turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"]
|
turn_uris: {{ matrix_synapse_turn_uris|to_json }}
|
||||||
|
|
||||||
# The shared secret used to compute passwords for the TURN server
|
# The shared secret used to compute passwords for the TURN server
|
||||||
turn_shared_secret: {{ matrix_coturn_turn_static_auth_secret|to_json }}
|
turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }}
|
||||||
|
|
||||||
# The Username and password if the TURN server needs them and
|
# The Username and password if the TURN server needs them and
|
||||||
# does not use a token
|
# does not use a token
|
||||||
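Review bot: with the TURN settings now fed from role variables, an empty `matrix_synapse_turn_uris` (coturn not included) still emits a `turn_shared_secret:` line with whatever the default is. Consider wrapping the whole `## Turn ##` block in `{% if matrix_synapse_turn_uris %}` so neither an empty secret nor an empty URI list is written to `homeserver.yaml`.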
@ -600,18 +600,18 @@ password_config:
|
|||||||
# If your SMTP server requires authentication, the optional smtp_user &
|
# If your SMTP server requires authentication, the optional smtp_user &
|
||||||
# smtp_pass variables should be used
|
# smtp_pass variables should be used
|
||||||
#
|
#
|
||||||
{% if matrix_mailer_enabled %}
|
{% if matrix_synapse_email_enabled %}
|
||||||
email:
|
email:
|
||||||
enable_notifs: true
|
enable_notifs: true
|
||||||
smtp_host: "matrix-mailer"
|
smtp_host: {{ matrix_synapse_email_smtp_host|to_json }}
|
||||||
smtp_port: 587
|
smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
|
||||||
require_transport_security: false
|
require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
|
||||||
notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
|
notif_from: {{ matrix_synapse_email_notif_from|to_json }}
|
||||||
app_name: Matrix
|
app_name: Matrix
|
||||||
notif_template_html: notif_mail.html
|
notif_template_html: notif_mail.html
|
||||||
notif_template_text: notif_mail.txt
|
notif_template_text: notif_mail.txt
|
||||||
notif_for_new_users: True
|
notif_for_new_users: True
|
||||||
riot_base_url: "https://{{ hostname_riot }}"
|
riot_base_url: {{ matrix_synapse_email_riot_base_url|to_json }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
|
||||||
|
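Review bot: now that `smtp_host` and `require_transport_security` are variables, the template can point at a remote relay, but the comment kept above this block still promises `smtp_user` / `smtp_pass` support that the template never emits, so an authenticated external SMTP server cannot be configured. Either add `smtp_user:` / `smtp_pass:` lines gated on their own variables or drop the comment. Also ensure the role default for `matrix_synapse_email_smtp_require_transport_security` is only `false` for the bundled `matrix-mailer` host; notification mail to any other host should not leave without TLS.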
@ -1,19 +1,12 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Matrix Synapse server
|
Description=Matrix Synapse server
|
||||||
After=docker.service
|
{% for service in matrix_synapse_systemd_required_services_list %}
|
||||||
Requires=docker.service
|
Requires={{ service }}
|
||||||
{% if not matrix_postgres_use_external %}
|
After={{ service }}
|
||||||
Requires=matrix-postgres.service
|
{% endfor %}
|
||||||
After=matrix-postgres.service
|
{% for service in matrix_synapse_systemd_wanted_services_list %}
|
||||||
{% endif %}
|
Wants={{ service }}
|
||||||
{% if matrix_s3_media_store_enabled %}
|
{% endfor %}
|
||||||
After=matrix-goofys.service
|
|
||||||
Requires=matrix-goofys.service
|
|
||||||
{% endif %}
|
|
||||||
{% if matrix_mailer_enabled %}
|
|
||||||
Wants=matrix-mailer.service
|
|
||||||
{% endif %}
|
|
||||||
Wants=matrix-coturn.service
|
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
|
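Review bot: the hardcoded `Requires=docker.service` / `After=docker.service` pair is replaced by the `matrix_synapse_systemd_required_services_list` loop, so the unit keeps its Docker dependency only if the role default list contains `docker.service`; a comment here, or an assertion in `validate_config.yml`, would guard against a user overriding the list and dropping it. Note also that the `Wants=` loop emits no `After=`, which matches the old `Wants=matrix-mailer.service` lines but loses the old `After=matrix-goofys.service` ordering if goofys ends up in the wanted list rather than the required one.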
6
roles/matrix-synapse/vars/main.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
|
||||||
|
|
||||||
|
matrix_synapse_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions"
|
||||||
|
matrix_synapse_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version"
|
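Review bot: role `vars/` take precedence over inventory host vars and group vars, so `matrix_synapse_id_servers_public` (which decides where clients send 3PID lookups) and the two public endpoint URLs cannot be overridden by operators. If they are meant to be overridable, they belong in `defaults/main.yml`; if they are internal constants, a comment in this file should say so.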