This commit is contained in:
p5t2vspoqqw 2019-07-05 16:12:29 +02:00
commit d88e261150
17 changed files with 358 additions and 199 deletions

View File

@ -1,3 +1,42 @@
# 2019-07-04
## Synapse no longer logs to text files
Following what the official Synapse Docker image is doing ([#5565](https://github.com/matrix-org/synapse/pull/5565)) and what we've been doing for mostly everything installed by this playbook, **Synapse no longer logs to text files** (`/matrix/synapse/run/homeserver.log*`).
From now on, Synapse would only log to console, which goes to systemd's journald.
To see Synapse's logs, execute: `journalctl -fu matrix-synapse`
Because of this, the following variables have become obsolete and were removed:
- `matrix_synapse_max_log_file_size_mb`
- `matrix_synapse_max_log_files_count`
To prevent confusion, it'd be better if you delete all old files manually after you've upgraded (`rm -f /matrix/synapse/run/homeserver.log*`).
Because Synapse is incredibly chatty when it comes to logging (here's [one such issue](https://github.com/matrix-org/synapse/issues/4751) describing the problem), if you're running an ancient distribution (like CentOS 7.0), be advised that systemd's journald default logging restrictions may not be high enough to capture all log messages generated by Synapse. This is especially true if you've got a busy (Synapse) server. We advise that you manually add `RateLimitInterval=0` and `RateLimitBurst=0` under `[Storage]` in the `/etc/systemd/journald.conf` file, followed by restarting the logging service (`systemctl restart systemd-journald`).
# 2019-06-27
## (BC Break) Discord bridge configuration is now entirely managed by the playbook
Until now, the `config.yaml` file for the [Discord bridge](docs/configuring-playbook-bridge-appservice-discord.md) was managed by the playbook, but the `registration.yaml` file was not.
From now on, the playbook will keep both configuration files sync for you.
This means that if you were making manual changes to the `/matrix/appservice-discord/discord-registration.yaml` configuration file, those would be lost the next time you run the playbook.
The bridge now stores configuration in a subdirectory (`/matrix/appservice-discord/config`).
Likewise, data is now also stored in a subdirectory (`/matrix/appservice-discord/data`). When you run the playbook with an existing database file (`/matrix/appservice-discord/discord.db`), the playbook will stop the bridge and relocate the database file to the `./data` directory. There's no data-loss involved. You'll need to restart the bridge manually though (`--tags=start`).
The main directory (`/matrix/appservice-discord`) may contain some leftover files (`user-store.db`, `room-store.db`, `config.yaml`, `discord-registration.yaml`, `invite_link`). These are no longer necessary and can be deleted manually.
We're now following the default sample configuration for the Discord bridge.
If you need to override some values, define them in `matrix_appservice_discord_configuration_extension_yaml`.
# 2019-06-24
## (BC Break) WhatsApp bridge configuration is now entirely managed by the playbook
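Review bot: in the 2019-07-04 entry, the journald advice places `RateLimitInterval=0` and `RateLimitBurst=0` under `[Storage]`, but journald.conf reads its options from the `[Journal]` section, so a reader following this literally gets settings that do not take effect. Suggest changing the section name to `[Journal]`. Also, in the 2019-06-27 entry, "keep both configuration files sync" should read "in sync".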
@ -15,6 +54,7 @@ Likewise, data is now also stored in a subdirectory (`/matrix/mautrix-whatsapp/d
We're now following the default configuration for the WhatsApp bridge.
# 2019-06-20
## (BC Break) IRC bridge configuration is now entirely managed by the playbook

View File

@ -19,8 +19,8 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
```
4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
5. Retrieve Discord invitelink from the `{{ matrix_appservice_discord_base_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/invite_link`)
5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`)
6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: discordapp.com/channels/guild_id/channel_id
7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: `discordapp.com/channels/guild_id/channel_id`
Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable.

View File

@ -18,3 +18,12 @@ matrix_synapse_ext_password_provider_ldap_bind_dn: ""
matrix_synapse_ext_password_provider_ldap_bind_password: ""
matrix_synapse_ext_password_provider_ldap_filter: ""
```
## Authenticating only using a password provider
If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
```yaml
matrix_synapse_password_config_localdb_enabled: false
```
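Review bot: the new section does not say what happens to accounts that exist only in Synapse's local database once `matrix_synapse_password_config_localdb_enabled: false` is set. Those accounts can no longer log in with their password, so it is worth adding a sentence telling operators to check that every account they still need is known to the LDAP provider before flipping this. "feel free to disable it" would also read better with an explicit object, for example "disable local-database authentication".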

View File

@ -13,3 +13,12 @@ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: f
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
```
## Authenticating only using a password provider
If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
```yaml
matrix_synapse_password_config_localdb_enabled: false
```

View File

@ -10,3 +10,12 @@ If you decide that you'd like to let this playbook install it for you, you need
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
```
## Authenticating only using a password provider
If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
```yaml
matrix_synapse_password_config_localdb_enabled: false
```
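Review bot: "(like this one)" is misleading in the shared-secret document, because the provider configured above checks a credential derived from `matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret` rather than a user's own password. With only this provider enabled and `matrix_synapse_password_config_localdb_enabled: false`, ordinary users would have no password login path left. Suggest rewording to say the setting is meant to be combined with a provider that verifies user passwords, such as LDAP or REST auth.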

View File

@ -2,6 +2,8 @@
- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
- for ancient distributions like **CentOS 7.0**, we recommend that you do a manual systemd-journald adjustment. Because the Synapse chat server is incredibly chatty when it comes to logging (here's [one such issue](https://github.com/matrix-org/synapse/issues/4751) describing the problem), be advised that systemd's journald default logging restrictions may not be high enough to capture all log messages generated by Synapse. This is especially true if you've got a busy (Synapse) server. We advise that you manually add `RateLimitInterval=0` and `RateLimitBurst=0` under `[Storage]` in the `/etc/systemd/journald.conf` file, followed by restarting the logging service (`systemctl restart systemd-journald`).
- [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`).
- a `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates. *This can be ignored if you use your own SSL certificates.*
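Review bot: the added CentOS 7.0 bullet recommends `RateLimitInterval=0` and `RateLimitBurst=0` without stating that this turns journald rate limiting off for every service on the host, not only Synapse. Please spell out that trade-off and consider recommending a raised finite burst instead, so a single runaway service cannot flood the journal and rotate other logs out. The `[Storage]` section name in the same sentence should be `[Journal]`.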

View File

@ -39,6 +39,9 @@ matrix_appservice_discord_enabled: false
# matrix-appservice-discord's client-server port to the local host.
matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"
# If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side.
matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}"
matrix_appservice_discord_systemd_required_services_list: |
{{
['docker.service']
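Review bot: `matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}"` is inverted relative to the comment above it. When the homeserver has presence enabled (`matrix_synapse_use_presence` true) this sets `disablePresence` to true, and when the homeserver disables presence the bridge keeps it on. It should be `"{{ not matrix_synapse_use_presence }}"`.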
@ -46,6 +49,10 @@ matrix_appservice_discord_systemd_required_services_list: |
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
}}
matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}"
matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}"
######################################################################
#
# /matrix-bridge-appservice-discord
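Review bot: both added token lines derive from `matrix_synapse_macaroon_secret_key` unconditionally, while the service list just above them is conditional on `matrix_synapse_enabled`. If that key is undefined or empty because the Synapse role is not in use, templating fails or the bridge ends up with predictable tokens. Please add a comment saying the tokens are deterministic functions of the macaroon key (so changing that key changes both bridge tokens) and consider guarding the derivation on the key being set.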

View File

@ -7,11 +7,16 @@ matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:late
matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}"
matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord"
matrix_appservice_discord_config_path: "{{ matrix_base_data_path }}/appservice-discord/config"
matrix_appservice_discord_data_path: "{{ matrix_base_data_path }}/appservice-discord/data"
# Get your own keys at https://discordapp.com/developers/applications/me/create
matrix_appservice_discord_client_id: ''
matrix_appservice_discord_bot_token: ''
matrix_appservice_discord_appservice_token: ''
matrix_appservice_discord_homeserver_token: ''
# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9005"), or empty string to not expose.
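Review bot: `matrix_appservice_discord_config_path` and `matrix_appservice_discord_data_path` repeat the `{{ matrix_base_data_path }}/appservice-discord` prefix instead of building on `matrix_appservice_discord_base_path`. Anyone overriding the base path gets config and data directories that stay at the default location, and the relocation task then moves `discord.db` between unrelated trees. Suggest `"{{ matrix_appservice_discord_base_path }}/config"` and `"{{ matrix_appservice_discord_base_path }}/data"`.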
@ -26,56 +31,50 @@ matrix_appservice_discord_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-appservice-discord.service wants
matrix_appservice_discord_systemd_wanted_services_list: []
matrix_appservice_discord_configuration_yaml: |
bridge:
domain: "{{ matrix_domain }}"
homeserverUrl: "{{ matrix_homeserver_url }}"
auth:
clientID: "{{matrix_appservice_discord_client_id}}"
botToken: "{{matrix_appservice_discord_bot_token}}"
database:
filename: "/data/discord.db"
userStorePath: "/data/user-store.db"
roomStorePath: "/data/room-store.db"
matrix_appservice_discord_appservice_url: 'http://matrix-appservice-discord:9005'
matrix_appservice_discord_configuration_extension_yaml: |
# This is a sample of the config file showing all avaliable options.
# Where possible we have documented what they do, and all values are the
# default values.
#
#bridge:
# # Domain part of the bridge, e.g. matrix.org
# domain: "localhost"
# # This should be your publically facing URL because Discord may use it to
# # fetch media from the media store.
# homeserverUrl: "http://localhost:8008"
# # Interval at which to process users in the 'presence queue'. If you have
# # 5 users, one user will be processed every 500 milliseconds according to the
# # value below. This has a minimum value of 250.
# # WARNING: This has a high chance of spamming the homeserver with presence
# # updates since it will send one each time somebody changes state or is online.
# presenceInterval: 500
# # Disable setting presence for 'ghost users' which means Discord users on Matrix
# # will not be shown as away or online.
# disablePresence: false
# # Disable sending typing notifications when somebody on Discord types.
# disableTypingNotifications: false
# # Disable deleting messages on Discord if a message is redacted on Matrix.
# disableDeletionForwarding: false
# # Enable users to bridge rooms using !discord commands. See
# # https://t2bot.io/discord for instructions.
# enableSelfServiceBridging: false
# # Disable sending of read receipts for Matrix events which have been
# # successfully bridged to Discord.
# disableReadReceipts: false
matrix_appservice_discord_bridge_domain: "{{ matrix_domain }}"
# As of right now, the homeserver URL must be a public URL. See below.
matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}"
matrix_appservice_discord_bridge_disablePresence: false
matrix_appservice_discord_configuration_yaml: |
#jinja2: lstrip_blocks: "True"
bridge:
# Domain part of the bridge, e.g. matrix.org
domain: {{ matrix_appservice_discord_bridge_domain }}
# This should be your publically facing URL because Discord may use it to
# fetch media from the media store.
homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }}
# Interval at which to process users in the 'presence queue'. If you have
# 5 users, one user will be processed every 500 milliseconds according to the
# value below. This has a minimum value of 250.
# WARNING: This has a high chance of spamming the homeserver with presence
# updates since it will send one each time somebody changes state or is online.
presenceInterval: 500
# Disable setting presence for 'ghost users' which means Discord users on Matrix
# will not be shown as away or online.
disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }}
# Disable sending typing notifications when somebody on Discord types.
disableTypingNotifications: false
# Disable deleting messages on Discord if a message is redacted on Matrix.
disableDeletionForwarding: false
# Enable users to bridge rooms using !discord commands. See
# https://t2bot.io/discord for instructions.
enableSelfServiceBridging: false
# Disable sending of read receipts for Matrix events which have been
# successfully bridged to Discord.
disableReadReceipts: false
# Disable Join Leave echos from matrix
disableJoinLeaveNotifications: false
# Authentication configuration for the discord bot.
#auth:
# clientID: "12345"
# botToken: "foobar"
#logging:
# # What level should the logger output to the console at.
# console: "warn" #silly, verbose, info, http, warn, error, silent
# lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
auth:
clientID: {{ matrix_appservice_discord_client_id }}
botToken: {{ matrix_appservice_discord_bot_token }}
logging:
# What level should the logger output to the console at.
console: "warn" #silly, verbose, info, http, warn, error, silent
lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
# files:
# - file: "debug.log"
# disable:
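Review bot: in the new `matrix_appservice_discord_configuration_yaml`, `clientID: {{ matrix_appservice_discord_client_id }}` and `botToken: {{ matrix_appservice_discord_bot_token }}` lost the quotes the removed version had. The block is parsed with `from_yaml` further down, so an all-digit client ID becomes a number and a token containing YAML-significant characters can break or alter the parse. Use `|to_json` as `disablePresence` already does, and apply the same to `domain` and `homeserverUrl`.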
@ -86,49 +85,81 @@ matrix_appservice_discord_configuration_extension_yaml: |
# level: "info"
# enable:
# - "DiscordBot"
#database:
# userStorePath: "user-store.db"
# roomStorePath: "room-store.db"
# # You may either use SQLite or Postgresql for the bridge database, which contains
# # important mappings for events and user puppeting configurations.
# # Use the filename option for SQLite, or connString for Postgresql.
# # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
# # WARNING: You will almost certainly be fine with sqlite unless your bridge
# # is in heavy demand and you suffer from IO slowness.
# filename: "discord.db"
# # connString: "postgresql://user:password@localhost/database_name"
#room:
# # Set the default visibility of alias rooms, defaults to "public".
# # One of: "public", "private"
# defaultVisibility: "public"
#channel:
# # Pattern of the name given to bridged rooms.
# # Can use :guild for the guild name and :name for the channel name.
# namePattern: "[Discord] :guild :name"
# # Changes made to rooms when a channel is deleted.
# deleteOptions:
# # Prefix the room name with a string.
# #namePrefix: "[Deleted]"
# # Prefix the room topic with a string.
# #topicPrefix: "This room has been deleted"
# # Disable people from talking in the room by raising the event PL to 50
# disableMessaging: false
# # Remove the discord alias from the room.
# unsetRoomAlias: true
# # Remove the room from the directory.
# unlistFromDirectory: true
# # Set the room to be unavaliable for joining without an invite.
# setInviteOnly: true
# # Make all the discord users leave the room.
# ghostsLeave: true
#limits:
# # Delay in milliseconds between discord users joining a room.
# roomGhostJoinDelay: 6000
# # Delay in milliseconds before sending messages to discord to avoid echos.
# # (Copies of a sent message may arrive from discord before we've
# # fininished handling it, causing us to echo it back to the room)
# discordSendDelay: 750
database:
# You may either use SQLite or Postgresql for the bridge database, which contains
# important mappings for events and user puppeting configurations.
# Use the filename option for SQLite, or connString for Postgresql.
# If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
# WARNING: You will almost certainly be fine with sqlite unless your bridge
# is in heavy demand and you suffer from IO slowness.
filename: "/data/discord.db"
# connString: "postgresql://user:password@localhost/database_name"
room:
# Set the default visibility of alias rooms, defaults to "public".
# One of: "public", "private"
defaultVisibility: "public"
channel:
# Pattern of the name given to bridged rooms.
# Can use :guild for the guild name and :name for the channel name.
namePattern: "[Discord] :guild :name"
# Changes made to rooms when a channel is deleted.
deleteOptions:
# Prefix the room name with a string.
#namePrefix: "[Deleted]"
# Prefix the room topic with a string.
#topicPrefix: "This room has been deleted"
# Disable people from talking in the room by raising the event PL to 50
disableMessaging: false
# Remove the discord alias from the room.
unsetRoomAlias: true
# Remove the room from the directory.
unlistFromDirectory: true
# Set the room to be unavaliable for joining without an invite.
setInviteOnly: true
# Make all the discord users leave the room.
ghostsLeave: true
limits:
# Delay in milliseconds between discord users joining a room.
roomGhostJoinDelay: 6000
# Delay in milliseconds before sending messages to discord to avoid echos.
# (Copies of a sent message may arrive from discord before we've
# fininished handling it, causing us to echo it back to the room)
discordSendDelay: 750
ghosts:
# Pattern for the ghosts nick, available is :nick, :username, :tag and :id
nickPattern: ":nick"
# Pattern for the ghosts username, available is :username, :tag and :id
usernamePattern: ":username#:tag"
matrix_appservice_discord_configuration_extension_yaml: |
# Your custom YAML configuration goes here.
# This configuration extends the default starting configuration (`matrix_appservice_discord_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_appservice_discord_configuration_yaml`.
matrix_appservice_discord_configuration_extension: "{{ matrix_appservice_discord_configuration_extension_yaml|from_yaml if matrix_appservice_discord_configuration_extension_yaml|from_yaml is mapping else {} }}"
matrix_appservice_discord_configuration: "{{ matrix_appservice_discord_configuration_yaml|from_yaml|combine(matrix_appservice_discord_configuration_extension, recursive=True) }}"
matrix_appservice_discord_registration_yaml: |
#jinja2: lstrip_blocks: "True"
id: appservice-discord
as_token: "{{ matrix_appservice_discord_appservice_token }}"
hs_token: "{{ matrix_appservice_discord_homeserver_token }}"
namespaces:
users:
- exclusive: true
regex: '^@_discord_.*'
aliases:
- exclusive: true
regex: '^#_discord_.*'
url: {{ matrix_appservice_discord_appservice_url }}
sender_localpart: _discord_bot
rate_limited: false
protocols:
- discord
matrix_appservice_discord_registration: "{{ matrix_appservice_discord_registration_yaml|from_yaml }}"
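Review bot: `sender_localpart: _discord_bot` in the new registration template differs from the `-l discord_bot` argument that the removed generation task passed to `discordas.js -r`. If that flag set the sender localpart, existing installs switch to a different bot user on the next playbook run, which the changelog entry does not mention. Please confirm, and either keep the old localpart or document the change. Separately, `url: {{ matrix_appservice_discord_appservice_url }}` is the only templated value in this block without quotes or `|to_json`.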

View File

@ -1,3 +1,11 @@
# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
# We don't want to fail in such cases.
- name: Fail if matrix-synapse role already executed
fail:
msg: >-
The matrix-bridge-appservice-discord role needs to execute before the matrix-synapse role.
when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed|default(False)"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}"
when: matrix_appservice_discord_enabled|bool
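Review bot: the `when:` on the new fail task uses `matrix_appservice_discord_enabled` bare, while the `set_fact` task right below it uses `matrix_appservice_discord_enabled|bool`. A value supplied as a string (for example via `-e`) is truthy even when it reads "false", so the guard can fire with the bridge disabled. Suggest `matrix_appservice_discord_enabled|bool and matrix_synapse_role_executed|default(False)`.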
@ -7,7 +15,7 @@
matrix_synapse_container_extra_arguments: >
{{ matrix_synapse_container_extra_arguments|default([]) }}
+
{{ ["--mount type=bind,src={{ matrix_appservice_discord_base_path }}/discord-registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] }}
{{ ["--mount type=bind,src={{ matrix_appservice_discord_config_path }}/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"] }}
matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files|default([]) }}

View File

@ -1,13 +1,5 @@
---
# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
# We don't want to fail in such cases.
- name: Fail if matrix-synapse role already executed
fail:
msg: >-
The matrix-bridge-appservice-discord role needs to execute before the matrix-synapse role.
when: "matrix_synapse_role_executed|default(False)"
- name: Ensure Appservice Discord image is pulled
docker_image:
name: "{{ matrix_appservice_discord_docker_image }}"
@ -15,22 +7,66 @@
force_source: "{{ matrix_appservice_discord_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_discord_docker_image_force_pull }}"
- name: Ensure Appservice Discord base directory exists
- name: Ensure AppService Discord paths exist
file:
path: "{{ matrix_appservice_discord_base_path }}"
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_appservice_discord_base_path }}"
- "{{ matrix_appservice_discord_config_path }}"
- "{{ matrix_appservice_discord_data_path }}"
- name: Ensure Matrix Appservice Discord config installed
- name: Check if an old database file already exists
stat:
path: "{{ matrix_appservice_discord_base_path }}/discord.db"
register: matrix_appservice_discord_stat_db
- name: (Data relocation) Ensure matrix-appservice-discord.service is stopped
service:
name: matrix-appservice-discord
state: stopped
daemon_reload: yes
failed_when: false
when: "matrix_appservice_discord_stat_db.stat.exists"
# In addition to this, there used to be some `user-store-db` and `room-store.db` files.
# They're no longer in use, so we're not relocating them in an effort to point them out as neither `./data`, nor `./config`.
- name: (Data relocation) Move AppService Discord discord.db file to ./data directory
command: "mv {{ matrix_appservice_discord_base_path }}/discord.db {{ matrix_appservice_discord_data_path }}/discord.db"
when: "matrix_appservice_discord_stat_db.stat.exists"
- name: Ensure AppService Discord config.yaml installed
copy:
content: "{{ matrix_appservice_discord_configuration|to_nice_yaml }}"
dest: "{{ matrix_appservice_discord_base_path }}/config.yaml"
dest: "{{ matrix_appservice_discord_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
- name: Ensure AppService Discord registration.yaml installed
copy:
content: "{{ matrix_appservice_discord_registration|to_nice_yaml }}"
dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
# If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated.
# We intentionally suppress Ansible changes.
- name: Generate AppService Discord invite link
shell: >-
/usr/bin/docker run --rm --name matrix-appservice-discord-link-gen
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
-v {{ matrix_appservice_discord_config_path }}:/cfg
-w /cfg
{{ matrix_appservice_discord_docker_image }}
/bin/sh -c "node /build/tools/addbot.js > /cfg/invite_link"
changed_when: false
- name: Ensure matrix-appservice-discord.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-appservice-discord.service.j2"
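Review bot: `config.yaml` and `registration.yaml` are written with `mode: 0644` although they carry the Discord bot token and the `as_token`/`hs_token` pair. The directories are created 0750, but 0640 on the files costs nothing and does not depend on the directory mode staying that way. Also, the "(Data relocation)" stop task sets `failed_when: false`, so if the service does not actually stop, the following `mv` of `discord.db` runs against a live database; dropping `failed_when: false` or checking the service state before the move would be safer.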
@ -42,39 +78,3 @@
service:
daemon_reload: yes
when: "matrix_appservice_discord_systemd_service_result.changed"
- name: Check if a matrix-appservice-discord registration file exists
stat:
path: "{{ matrix_appservice_discord_base_path }}/discord-registration.yaml"
register: appservice_discord_registration_file
- name: Generate matrix-appservice-discord discord-registration.yaml if it doesn't exist
shell: >-
/usr/bin/docker run --rm --name matrix-appservice-discord-gen
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
-v {{ matrix_appservice_discord_base_path }}:/data:z
{{ matrix_appservice_discord_docker_image }}
node build/src/discordas.js
-r
-u "http://matrix-appservice-discord:9005"
-c /data/config.yaml
-f /data/discord-registration.yaml
-l discord_bot
when: "not appservice_discord_registration_file.stat.exists"
- name: Check if a matrix-appservice-discord invite_link file exists
stat:
path: "{{ matrix_appservice_discord_base_path }}/invite_link"
register: appservice_discord_link_generated
- name: Generate your discord invite link
shell: >-
/usr/bin/docker run --rm --name matrix-appservice-discord-link-gen
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
-v {{ matrix_appservice_discord_base_path }}:/data
-w /data
{{ matrix_appservice_discord_docker_image }}
/bin/sh -c "node .././build/tools/addbot.js > invite_link"
when: "not appservice_discord_link_generated.stat.exists"

View File

@ -8,6 +8,8 @@
with_items:
- "matrix_appservice_discord_client_id"
- "matrix_appservice_discord_bot_token"
- "matrix_appservice_discord_appservice_token"
- "matrix_appservice_discord_homeserver_token"
- name: (Deprecation) Catch and report renamed appservice-discord variables
fail:

View File

@ -25,11 +25,13 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \
{% if matrix_appservice_discord_container_http_host_bind_port %}
-p {{ matrix_appservice_discord_container_http_host_bind_port }}:9005 \
{% endif %}
-v {{ matrix_appservice_discord_base_path }}:/data \
-v {{ matrix_appservice_discord_config_path }}:/cfg \
-v {{ matrix_appservice_discord_data_path }}:/data \
{% for arg in matrix_appservice_discord_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_appservice_discord_docker_image }}
{{ matrix_appservice_discord_docker_image }} \
node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml
ExecStop=-/usr/bin/docker kill matrix-appservice-discord
ExecStop=-/usr/bin/docker rm matrix-appservice-discord
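Review bot: `-v {{ matrix_appservice_discord_config_path }}:/cfg` mounts the config directory read-write into the long-running bridge container, which by the new command line only needs to read `/cfg/config.yaml` and `/cfg/registration.yaml`. Suggest `:/cfg:ro` here, leaving the writable mount to the one-off invite-link container.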

View File

@ -36,7 +36,7 @@
command: "mv {{ matrix_appservice_irc_base_path }}/passkey.pem {{ matrix_appservice_irc_data_path }}/passkey.pem"
when: "matrix_appservice_irc_stat_passkey.stat.exists"
- name: (Data relocation) Move AppService database files to ./data directory
- name: (Data relocation) Move AppService IRC database files to ./data directory
command: "mv {{ matrix_appservice_irc_base_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}"
with_items:
- rooms.db

View File

@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_nginx_proxy_docker_image: "nginx:1.17.0-alpine"
matrix_nginx_proxy_docker_image: "nginx:1.17.1-alpine"
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"

View File

@ -3,7 +3,7 @@
matrix_synapse_enabled: true
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.0.0"
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.1.0"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -49,7 +49,7 @@ matrix_synapse_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-synapse.service wants
matrix_synapse_systemd_wanted_services_list: []
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.7/site-packages"
# Specifies which template files to use when configuring Synapse.
# If you'd like to have your own different configuration, feel free to copy and paste
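Review bot: `matrix_synapse_in_container_python_packages_path` hardcodes `python3.7` and has to change in lockstep with `matrix_synapse_docker_image`. A comment next to the variable saying so would help anyone who pins a different Synapse image.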
@ -69,8 +69,6 @@ matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}"
matrix_synapse_max_upload_size_mb: 10
matrix_synapse_max_log_file_size_mb: 100
matrix_synapse_max_log_files_count: 10
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}"
@ -147,6 +145,11 @@ matrix_synapse_autocreate_auto_join_rooms: true
# Controls password-peppering for Synapse. Not to be changed after initial setup.
matrix_synapse_password_config_pepper: ""
# Controls if Synapse allows people to authenticate against its local database.
# It may be useful to disable this if you've configured additional password providers
# and only wish authentication to happen through them.
matrix_synapse_password_config_localdb_enabled: true
# Controls the number of events that Synapse caches in memory.
matrix_synapse_event_cache_size: "100K"

View File

@ -14,29 +14,6 @@ server_name: "{{ matrix_domain }}"
#
pid_file: /homeserver.pid
# CPU affinity mask. Setting this restricts the CPUs on which the
# process will be scheduled. It is represented as a bitmask, with the
# lowest order bit corresponding to the first logical CPU and the
# highest order bit corresponding to the last logical CPU. Not all CPUs
# may exist on a given system but a mask may specify more CPUs than are
# present.
#
# For example:
# 0x00000001 is processor #0,
# 0x00000003 is processors #0 and #1,
# 0xFFFFFFFF is all processors (#0 through #31).
#
# Pinning a Python process to a single CPU is desirable, because Python
# is inherently single-threaded due to the GIL, and can suffer a
# 30-40% slowdown due to cache blow-out and thread context switching
# if the scheduler happens to schedule the underlying threads across
# different cores. See
# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/.
#
# This setting requires the affinity package to be installed!
#
#cpu_affinity: 0xFFFFFFFF
# The path to the web client which will be served at /_matrix/client/
# if 'webclient' is configured under the 'listeners' configuration.
#
@ -68,11 +45,15 @@ use_presence: {{ matrix_synapse_use_presence|to_json }}
#
#require_auth_for_profile_requests: true
# If set to 'true', requires authentication to access the server's
# public rooms directory through the client API, and forbids any other
# homeserver to fetch it via federation. Defaults to 'false'.
# If set to 'false', requires authentication to access the server's public rooms
# directory through the client API. Defaults to 'true'.
#
#restrict_public_rooms_to_local_users: true
#allow_public_rooms_without_auth: false
# If set to 'false', forbids any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'true'.
#
#allow_public_rooms_over_federation: false
# The default room version for newly created rooms.
#
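Review bot: both replacement settings, `allow_public_rooms_without_auth` and `allow_public_rooms_over_federation`, are left commented out, so the documented defaults of 'true' apply and the public rooms directory is readable without authentication and over federation. Consider exposing them as playbook variables rendered with `|to_json`, as `use_presence` is, so operators can restrict the directory without replacing the whole template.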
@ -338,6 +319,15 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }}
#
#federation_verify_certificates: false
# The minimum TLS version that will be used for outbound federation requests.
#
# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
# that setting this value higher than `1.2` will prevent federation to most
# of the public Matrix network: only configure it to `1.3` if you have an
# entirely private federation setup and you can ensure TLS 1.3 support.
#
#federation_client_minimum_tls_version: 1.2
# Skip federation certificate verification on the following whitelist
# of domains.
#
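Review bot: `#federation_client_minimum_tls_version: 1.2` stays commented out, so per the comment above it the effective minimum for outbound federation requests is `1`. The comment only warns about values higher than `1.2`, which leaves room to raise the floor. Suggest exposing this as a string-valued playbook variable rendered through `to_json`, or at least documenting how an operator can raise it.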
@ -427,6 +417,13 @@ acme:
#
#domain: matrix.example.com
# file to use for the account key. This will be generated if it doesn't
# exist.
#
# If unspecified, we will use CONFDIR/client.key.
#
account_key_file: /data/acme_account.key
# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
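Review bot: `account_key_file: /data/acme_account.key` is the one active setting in this hunk and its path is hard-coded, while the comment above it still describes the unset case (CONFDIR/client.key). Since the comment says the key is generated if it does not exist, it is worth confirming that /data is persistent and not readable by other users, and trimming the comment so it matches the value actually shipped.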
@ -696,7 +693,7 @@ url_preview_ip_range_blacklist:
# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
# The largest allowed URL preview spidering size in bytes
#
max_spider_size: 10M
@ -1020,6 +1017,12 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
# so it is not normally necessary to specify them unless you need to
# override them.
#
# Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
# use to configure your SAML IdP with. Alternatively, you can manually configure
# the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response.
#
#saml2_config:
# sp_config:
# # point this to the IdP's metadata. You can use either a local file or
@ -1029,7 +1032,15 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
# remote:
# - url: https://our_idp/metadata.xml
#
# # The rest of sp_config is just used to generate our metadata xml, and you
# # By default, the user has to go to our login page first. If you'd like to
# # allow IdP-initiated login, set 'allow_unsolicited: True' in a
# # 'service.sp' section:
# #
# #service:
# # sp:
# # allow_unsolicited: True
#
# # The examples below are just used to generate our metadata xml, and you
# # may well not need it, depending on your setup. Alternatively you
# # may need a whole lot more detail - see the pysaml2 docs!
#
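Review bot: the `allow_unsolicited: True` example explains how to enable IdP-initiated login but not what is given up: the service provider then accepts SAML responses it never requested. A later hunk in this file states that `saml_session_lifetime` bounds the authentication process only if `allow_unsolicited` is unset, so that time limit no longer applies either. Suggest one more comment line here saying so, so the option is not switched on for convenience alone.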
@ -1052,6 +1063,12 @@ signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key"
# # separate pysaml2 configuration file:
# #
# config_path: "/data/sp_conf.py"
#
# # the lifetime of a SAML session. This defines how long a user has to
# # complete the authentication process, if allow_unsolicited is unset.
# # The default is 5 minutes.
# #
# # saml_session_lifetime: 5m
@ -1078,6 +1095,12 @@ password_config:
#
#enabled: false
# Uncomment to disable authentication against the local password
# database. This is ignored if `enabled` is false, and is only useful
# if you have other password_providers.
#
localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }}
# Uncomment and change to a secret random string for extra security.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
#
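Review bot: `localdb_enabled` is an active, templated line, but the comment above it still reads "Uncomment to disable", which no longer describes the file. More important, the same comment says the option is only useful with other password_providers: if `matrix_synapse_password_config_localdb_enabled` is set to false without one configured, password login has no backend left. Suggest defaulting the variable to true and failing the playbook run early when it is false and no password provider is enabled.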
@ -1102,11 +1125,13 @@ password_config:
# app_name: Matrix
#
# # Enable email notifications by default
# #
# notif_for_new_users: True
#
# # Defining a custom URL for Riot is only needed if email notifications
# # should contain links to a self-hosted installation of Riot; when set
# # the "app_name" setting is ignored
# #
# riot_base_url: "http://localhost/riot"
#
# # Enable sending password reset emails via the configured, trusted
@ -1119,16 +1144,22 @@ password_config:
# #
# # If this option is set to false and SMTP options have not been
# # configured, resetting user passwords via email will be disabled
# #
# #trust_identity_server_for_password_resets: false
#
# # Configure the time that a validation email or text message code
# # will expire after sending
# #
# # This is currently used for password resets
# #
# #validation_token_lifetime: 1h
#
# # Template directory. All template files should be stored within this
# # directory
# # directory. If not set, default templates from within the Synapse
# # package will be used
# #
# # For the list of default templates, please see
# # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
# #
# #template_dir: res/templates
#
@ -1325,6 +1356,7 @@ push:
#
# Local statistics collection. Used in populating the room directory.
#
# 'bucket_size' controls how large each statistics timeslice is. It can
@ -1429,3 +1461,16 @@ alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }}
# action: allow
room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }}
# Server admins can define a Python module that implements extra rules for
# allowing or denying incoming events. In order to work, this module needs to
# override the methods defined in synapse/events/third_party_rules.py.
#
# This feature is designed to be used in closed federations only, where each
# participating server enforces the same rules.
#
#third_party_event_rules:
# module: "my_custom_project.SuperRulesSet"
# config:
# example_option: 'things'

View File

@ -12,14 +12,6 @@ filters:
request: ""
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: precise
filename: /matrix-run/homeserver.log
maxBytes: {{ matrix_synapse_max_log_file_size_mb * 1024 * 1024 }}
backupCount: {{ matrix_synapse_max_log_files_count }}
filters: [context]
encoding: utf8
console:
class: logging.StreamHandler
formatter: precise
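Review bot: the `file` handler in this hunk carried the only size bound in this logging config (`maxBytes` times `backupCount`); the remaining `console` handler has none, so log volume and retention are now whatever journald is configured for. Nothing in this hunk removes existing `/matrix-run/homeserver.log*` files either, so a one-off cleanup task in the role would keep stale logs from lingering on disk.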
@ -41,4 +33,4 @@ loggers:
root:
level: {{ matrix_synapse_root_log_level }}
handlers: [file, console]
handlers: [console]
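Review bot: `handlers: [console]` fixes the root logger, but this hunk only shows the tail of `loggers:`. Any other logger entry that still lists `file` would reference a handler that is no longer defined, which Python's logging dictConfig rejects at startup. Worth searching the template for remaining `file` references before merging.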