Commit Graph

622 Commits

Author SHA1 Message Date
ThellraAK
2153c310f7
Update matrix_servers 2023-07-21 05:49:52 -08:00
ThellraAK
eea143e6eb
Shortened gmessages salt
The salts need to be shorter than 16 chars
2023-07-21 05:47:51 -08:00
Shreyas Ajjarapu
5ea6aa3e50
Added Google Messager Bridge (#2794)
* intial commit

* changed

* Reorderd

* merge old changes

* added changes to matrix_servers

* Remove duplicate discord

* Update main.yml

* added google message to configuring-playbook.md

* Changed docs to add new changes

* Changed bug?

* Removed problem j2 values

* Rename a service files

* change how password hash string

* Changed port number

* Change how the local part works

* Revert "Merge pull request #8 from shreyasajj/wsproxy"

This reverts commit bb1b8fc67ca39f63ca77e70077be99cb2b32c4de, reversing
changes made to cce6ba5f9d74f89172488afc8b1ef124031de8c1.

---------

Co-authored-by: Shreyas Ajjarapu <github.tzarina@aleeas.com>
2023-07-21 14:33:52 +03:00
Slavi Pantaleev
60c34d701a Use prebuilt container images for matrix-sliding-sync on ARM64
As mentioned in https://github.com/matrix-org/sliding-sync/issues/31#issuecomment-1640321110
images are available for arm64 already.
2023-07-18 18:16:11 +03:00
Slavi Pantaleev
95bfa4e87e
Put matrix-media-repo.service in the matrix-media-repo group
Making the group match the Ansible task tags allows people to do `just install-service matrix-media-repo` and have that trigger both `--tags=matrix-media-repo` and also restart just that single group (`matrix-media-repo`).
2023-07-17 08:11:23 +03:00
Slavi Pantaleev
bc0b73dd70
Improve if condition for including Postgres in matrix_media_repo_systemd_required_services_list 2023-07-17 08:07:49 +03:00
Michael Hollister
73edde3992 Replaced additional hardcoded service names with identifer variable 2023-07-13 23:12:24 -05:00
Michael Hollister
28fa644c30 Removed redeclration of matrix_media_repo_identifier 2023-07-13 21:19:07 -05:00
Michael Hollister
d565c1607b
Replaced hard coded string with identifier variable
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
2023-07-13 11:06:59 -05:00
Michael Hollister
78bd1dbd1b Added matrix-media-repo role 2023-07-12 01:09:27 -05:00
Slavi Pantaleev
704a9abd9b Fix file path in comment
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2746
2023-06-18 08:54:55 +03:00
Slavi Pantaleev
b5d5e49235 Move Honoroit metrics from /honoroit/metrics to /metrics/honoroit
This restores consistency with other services.

Related to 8f903fa621
2023-05-19 19:33:22 +03:00
Slavi Pantaleev
018e620ee8 Default matrix_bot_honoroit_path_prefix to /honoroit to avoid conflicts with Matrix Client-Server API 2023-05-18 10:10:47 +03:00
Slavi Pantaleev
9d77950cd8 Adjust bot group names, so that they match the install/setup tags
Previously `just install-service buscarron` would not fully work,
because:

- the systemd services were indeed tagged with `buscarron`

- however, the actual installation tasks are not
  `install-buscarron`/`setup-buscarron`, but rather
  `install-bot-buscarron`/`setup-bot-buscarron`

Services are now tagged with the `bot-` prefix to match the tags.
2023-05-18 09:43:19 +03:00
Slavi Pantaleev
4546410f6a Restore matrix-nginx-proxy connectivity to the Jitsi container network
Regression since 1d00d15482
2023-04-10 15:15:32 +03:00
Kabir Kwatra
fdab05fa0a
fix(traefik): only include federation endpoint if port is new 2023-04-04 02:31:49 +00:00
Slavi Pantaleev
812b395aa9 Remove various systemd services from matrix-nginx-proxy Wanted list when not proxied via nginx
If Traefik is used, these are not Wanted services.
2023-04-03 08:59:43 +03:00
Slavi Pantaleev
1d00d15482 Switch to exported Jitsi role 2023-04-03 08:53:46 +03:00
Slavi Pantaleev
76197df3bc Add some additional groups to client systemd services
This allows for doing `just install-service client-element` to get only
Element rebuilt and restarted.
2023-03-28 16:57:50 +03:00
Aine
15ce377235
honoroit - add matrix_bot_honoroit_hostname into group vars 2023-03-23 19:09:34 +02:00
Aine
0b18f03195
honoroit - add proper networking configuration and traefik labels 2023-03-23 19:06:16 +02:00
Slavi Pantaleev
14b8efcad2 Replace matrix-prometheus with an external Prometheus role 2023-03-21 07:38:12 +02:00
Slavi Pantaleev
1b6a85e485 Do not consider prometheus-exporters as part of the prometheus group
This makes us rebuild/restart exporters when running `just install-service prometheus`,
which we don't like.
2023-03-20 15:09:04 +02:00
Slavi Pantaleev
220d80ac3a Move matrix-aux outside of this playbook 2023-03-20 11:06:27 +02:00
Aine
88dc5e0de0
migrate prometheus-node-exporter's var 2023-03-18 10:26:29 +02:00
Array in a Matrix
dd1712d457
fix typo
i was sleepy lol
2023-03-18 03:43:12 -04:00
array-in-a-matrix
f1c0321a8c add relay api database for dendrite 2023-03-18 03:22:30 -04:00
Slavi Pantaleev
4c1db32ef9 Rename some Dendrite variables to improve consistency 2023-03-14 08:52:15 +02:00
Slavi Pantaleev
7422337c26 Add missing matrix-synapse-auto-compressor.timer in systemd service list 2023-03-12 10:18:33 +02:00
Slavi Pantaleev
26d5719df4 Make matrix-synapse-auto-compressor live in its own container network
It will, additionally, be connected to the devture-postgres network, if
devture-postgres is enabled.
2023-03-12 10:18:33 +02:00
Slavi Pantaleev
ca69fce648 Add missing group vars for matrix-synapse-auto-compressor 2023-03-12 10:18:33 +02:00
Slavi Pantaleev
b28d779c6c Add matrix-synapse-auto-compressor section in group_vars/matrix_servers 2023-03-12 09:48:46 +02:00
Slavi Pantaleev
023fe3ea08 Add sliding-sync support
This allows people to try out the new Element X clients, which need to
run against the sliding-sync proxy (https://github.com/matrix-org/sliding-sync).

Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515

The code is based on the existing PR (#2515), but heavily reworked. Major changes:

- lots of internal refactoring and variable renaming

- fixed self-building to support non-amd64 architectures

- changed to talk to the homeserver locally, over the container network (not
  publicly)

- no more matrix-nginx-proxy support due to complexity (see below)

- no more `matrix_server_fqn_sliding_sync_proxy` in favor of
  `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix`

- runs on `matrix.DOMAIN/sliding-sync` by default, so it can tried
  easily without having to create new DNS records
2023-03-07 11:57:56 +02:00
Slavi Pantaleev
30f1034767 Remove matrix_playbook_traefik_role_enabled variable and devture-traefik references
The variable was necessary when multiple playbooks could have
potentially tried to manage a shared `devture-traefik.serivce` systemd service
and shared `/devture-traefik` directory.

Since adcc6d9723, we use our own `/matrix/traefik`
(`matrix-traefik.service`) installation and no conflicts can arise.
It's safe to always enable the role, just like we do with all the other roles.
2023-03-06 09:51:14 +02:00
Slavi Pantaleev
adcc6d9723 Relocate Traefik (to matrix-traefik.service && /matrix/traefik base path)
The migration is automatic. Existing users should experience a bit of
downtime until the playbook runs to completion, but don't need to do
anything manually.

This change is provoked by https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2535

While my statements there ("Traefik is a shared component among
sibling/related playbooks and should retain its global
non-matrix-prefixed name and path") do make sense, there's another point
of view as well.

With the addition of docker-socket-proxy support in bf2b540807,
we potentially introduced another non-`matrix-`-prefixed systemd service
and global path (`/devture-container-socket-proxy`). It would have
started to become messy.

Traefik always being called `devture-traefik.service` and using the `/devture-traefik` path
has the following downsides:

- different playbooks may write to the same place, unintentionally,
  before you disable the Traefik role in some of them.
  If each playbook manages its own installation, no such conflicts
  arise and you'll learn about the conflict when one of them starts its
  Traefik service and fails because the ports are already in use

- the data is scattered - backing up `/matrix` is no longer enough when
  some stuff lives in `/devture-traefik` or `/devture-container-socket-proxy` as well;
  similarly, deleting `/matrix` is no longer enough to clean up

For this reason, the Traefik instance managed by this playbook
will now be called `matrix-traefik` and live under `/matrix/traefik`.

This also makes it obvious to users running multiple playbooks, which
Traefik instance (powered by which playbook) is the active one.
Previously, you'd look at `devture-traefik.service` and wonder which
role was managing it.
2023-03-06 09:34:31 +02:00
Slavi Pantaleev
bf2b540807 Harden Traefik security by accessing the Docker API through docker-socket-proxy
With these changes, we:

- install https://github.com/Tecnativa/docker-socket-proxy via the
  https://github.com/devture/com.devture.ansible.role.container_socket_proxy Ansible role

- make Traefik access the Docker API via TCP by connecting to this
  socket proxy

- .. which allows us to run the Traefik container with less privileges
  (non-`root`, dropped capabilities)
2023-03-06 09:11:02 +02:00
Slavi Pantaleev
10b5350370 Add Traefik support to Go-NEB bot
Completely untested.
2023-03-03 10:40:45 +02:00
Slavi Pantaleev
f8966cd8da Default etherpad_hostname to matrix_server_fqn_etherpad for backward compatibility 2023-03-03 09:47:13 +02:00
Slavi Pantaleev
124fbeda04 Switch to using an external Etherpad role
This new role also adds native Traefik support and support for other
(non-`amd64`) architectures via self-building.
2023-03-02 22:50:13 +02:00
Slavi Pantaleev
b0845984b3 Only enable Traefik certs dumper if the ACME certificate resolver for Traefik is enabled
If someone disables ACME, then they're using their own certificates
somehow. There's nothing to dump from an `acme.json` file.
2023-03-01 09:45:16 +02:00
Slavi Pantaleev
f7149103e4 Remove matrix_playbook_traefik_certs_dumper_role_enabled in favor of just devture_traefik_certs_dumper_enabled
We don't need these 2 roughly-the-same settings related to the
traefik-certs-dumper role.

For Traefik, it makes sense, because it's a component used by the
various related playbooks and they could step onto each other's toes
if the role is enabled, but Traefik is disabled (in that case, uninstall
tasks will run).

As for Traefik certs dumper, the other related playbooks don't have it,
so there's no conflict. Even if they used it, each one would use its own
instance (different `devture_traefik_certs_dumper_identifier`), so there
wouldn't be a conflict and uninstall tasks can run without any danger.
2023-03-01 09:31:48 +02:00
Slavi Pantaleev
b388a01ab7 Wire all certResolver variables to devture_traefik_certResolver_primary
This allows people wishing to change or unset the resolver,
to have a single variable which they can toggle.

Unsetting the resolver is useful for using your own certificates
(not coming from a certificate resolver).
2023-02-27 17:09:19 +02:00
Slavi Pantaleev
9e7415afa2 Ensure Buscarron is part of the Postgres network 2023-02-27 17:07:44 +02:00
Slavi Pantaleev
058a54fd05 Add native Traefik support to Dimension 2023-02-26 23:06:36 +02:00
Slavi Pantaleev
b84f25309b Add matrix_homeserver_container_network 2023-02-26 22:09:37 +02:00
Slavi Pantaleev
d20ff688db Add native Traefik support to Sygnal 2023-02-26 11:03:42 +02:00
Slavi Pantaleev
348dd8e76b Remove double space 2023-02-25 19:37:35 +02:00
Slavi Pantaleev
725b2beed7 Add native Traefik support to Buscarron 2023-02-25 15:50:48 +02:00
Slavi Pantaleev
bc5dda2b3a Reorder some Buscarron default variables and fix some typos
Fixes a regression introduced in 0220c851e8
2023-02-25 15:11:23 +02:00
Slavi Pantaleev
0220c851e8 Add multiple container networks support to Buscarron 2023-02-25 15:03:03 +02:00
Slavi Pantaleev
233e253264 Add native Traefik support to rageshake 2023-02-25 13:46:42 +02:00
Slavi Pantaleev
306679103b Require self-building of rageshake for arm64
There are no arm64 images published.. yet
2023-02-25 12:32:19 +02:00
Slavi Pantaleev
55f43dcc6d Fixup matrix-rageshake section in group vars 2023-02-25 12:09:23 +02:00
Benjamin Kampmann
40f037b36d Add rageshake server 2023-02-24 16:55:49 +01:00
Slavi Pantaleev
5e7f30a129 Fix appservice-discord/appservice-slack/appservice-webhooks port troubles with external reverse-proxy
Continuation of 6cda711
2023-02-19 11:20:58 +02:00
Slavi Pantaleev
632026513e Add matrix_synapse_uid, matrix_synapse_gid and matrix_synapse_username 2023-02-17 17:16:50 +02:00
Slavi Pantaleev
990a6369e1 Switch to using an external Redis role 2023-02-17 16:23:59 +02:00
Slavi Pantaleev
964aa0e84d Switch to using an external Ntfy role
The newly extracted role also has native Traefik support,
so we no longer need to rely on `matrix-nginx-proxy` for
reverse-proxying to Ntfy.

The new role uses port `80` inside the container (not `8080`, like
before), because that's the default assumption of the officially
published container image. Using a custom port (like `8080`), means the
default healthcheck command (which hardcodes port `80`) doesn't work.
Instead of fiddling to override the healthcheck command, we've decided
to stick to the default port instead. This only affects the
inside-the-container port, not any external ports.

The new role also supports adding the network ranges of the container's
multiple additional networks as "exempt hosts". Previously, only one
network's address range was added to "exempt hosts".
2023-02-17 09:54:33 +02:00
Slavi Pantaleev
e80b98c3ad Do not mount SSL certificates into Coturn if TLS is disabled for it 2023-02-16 09:22:29 +02:00
Slavi Pantaleev
bb7895678c Fix typo 2023-02-15 11:48:27 +02:00
Slavi Pantaleev
7c5826f1c3 Break dependency between matrix-prometheus-nginxlog-exporter and the Grafana role
Wiring happens via `group_vars/matrix_servers` now.
2023-02-15 10:52:25 +02:00
Slavi Pantaleev
1006b8d899 Replace matrix-grafana with an external role 2023-02-15 10:32:24 +02:00
Slavi Pantaleev
94124263a7 Add matrix_prometheus_container_network/matrix_prometheus_container_additional_networks 2023-02-15 08:56:11 +02:00
Slavi Pantaleev
c85d48c45c Remove Traefik labels for Hydrogen & Cinny from matrix-nginx-proxy
Related to 6a52be7987 and 28e7ef9c71f02
2023-02-14 22:46:34 +02:00
Slavi Pantaleev
f28e7ef9c7 Add (native) Traefik support to matrix-client-cinny
Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now
2023-02-14 11:29:53 +02:00
Slavi Pantaleev
6a52be7987 Add (native) Traefik support to matrix-client-hydrogen
Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now

Serving at a path other than `/` doesn't work well yet.
2023-02-14 09:58:35 +02:00
Slavi Pantaleev
e51e4eec09 Add (native) Traefik support to matrix-client-element
Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now
2023-02-13 19:03:20 +02:00
Slavi Pantaleev
b2d8718233 Fix synapse-admin reverse-proxying regression for "playbook-managed-nginx"
Regression since 3d9aa8387e
2023-02-13 16:08:59 +02:00
Slavi Pantaleev
6cda711c0b Fix incorrect host_bind_port syntax (extra :) affecting certain deployments
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2474

Seems like this affected all "own webserver" deployments, which required
port exposure.

`playbook-managed-traefik` and `playbook-managed-nginx` were not affected.
2023-02-13 15:38:24 +02:00
Slavi Pantaleev
3d9aa8387e Add (native) Traefik support to synapse-admin
Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now.
2023-02-13 15:08:42 +02:00
Aine
33b4f7031b
restore borg prefixes 2023-02-13 10:44:42 +00:00
Slavi Pantaleev
266195ab45 Upgrade backup_borg (v1.2.3-1.7.5-1 -> v1.2.3-1.7.6-0)
Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2472
2023-02-13 12:26:49 +02:00
Slavi Pantaleev
23f7720247 Add missing backup_borg_base_path override 2023-02-13 11:44:19 +02:00
Slavi Pantaleev
38904c08b0 Wire backup_borg_username
It's probably unnecessary, as this user is only used in the borg container
internally, but.. It doesn't hurt to set it to `matrix`.
2023-02-13 11:01:54 +02:00
Slavi Pantaleev
78c35136b2 Replace matrix-backup-borg with an external role 2023-02-13 10:53:11 +02:00
Slavi Pantaleev
972043cfaf Fix trying to start devture-traefik when not necessarily enabled
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2465
2023-02-12 17:14:25 +02:00
Slavi Pantaleev
f1a1ce8a91
Merge pull request #2464 from spantaleev/traefik
Reverse-proxy configuration changes and initial Traefik support
2023-02-12 16:05:56 +02:00
Slavi Pantaleev
b3f6436a0d Do not enable the Traefik role when reverse-proxy = other-traefik-container 2023-02-12 15:50:18 +02:00
Catalan Lover
be471250dd
Move services that crash without hs connectivity to after proxy. 2023-02-11 17:58:19 +01:00
Slavi Pantaleev
94be74e633 Improve traefik-certs-dumper defaults for other-traefik-container setups
We'd like to auto-enable traefik-certs-dumper for these setups.

`devture_traefik_certs_dumper_ssl_dir_path` will be empty though,
so the role's validation will point people in the right direction.
2023-02-11 08:54:07 +02:00
Slavi Pantaleev
f37a7a21f1 Delay Postmoogle startup to help Traefik-based setups 2023-02-11 08:53:32 +02:00
Slavi Pantaleev
8309a21303 Rename reverse proxy types and fix Hookshot http/https urlPrefix issue 2023-02-11 08:44:11 +02:00
Slavi Pantaleev
97f65e8dff Minor fixes to allow for Traefik without SSL 2023-02-10 19:36:06 +02:00
Slavi Pantaleev
28d2eb593c Add matrix_playbook_reverse_proxy_type variable which influences all other services 2023-02-10 16:04:34 +02:00
Slavi Pantaleev
06ccd71edc Merge branch 'master' into traefik 2023-02-10 14:37:59 +02:00
Slavi Pantaleev
01ccec2dbe Merge branch 'master' into pr-jitsi-matrix-authentication 2023-02-10 14:12:47 +02:00
Slavi Pantaleev
7cdf59d79b
Merge pull request #2451 from FSG-Cat/draupnir
Add Draupnir support to the project.
2023-02-10 11:43:30 +02:00
Slavi Pantaleev
a5683a6449 Upgrade com.devture.ansible.role.traefik and rename some variables 2023-02-09 10:12:09 +02:00
Catalan Lover
7b42ff4b75
Finalise moving draupnir to a fully testable state. 2023-02-08 18:55:08 +01:00
Slavi Pantaleev
88a26758e1 Merge branch 'master' into traefik 2023-02-08 18:48:10 +02:00
Slavi Pantaleev
c71567477a Stop using deprecated matrix_bot_postmoogle_domain variable in group vars 2023-02-08 18:48:01 +02:00
Slavi Pantaleev
1338963b6c Add support for obtaining additional SSL certificates via Traefik 2023-02-08 18:47:19 +02:00
Slavi Pantaleev
9a71a5696b Allow Postmoogle to work with SSL certificates extracted from Traefik 2023-02-08 16:45:03 +02:00
Slavi Pantaleev
ddf6b2d4ee Handle matrix_playbook_reverse_proxy_type being "none" when deciding on Coturn certificate parameters 2023-02-08 16:24:43 +02:00
Slavi Pantaleev
d44d4b637f Allow Coturn to work with SSL certificates extracted from Traefik 2023-02-08 16:06:46 +02:00
Slavi Pantaleev
c07630ed51 Add com.devture.ansible.role.traefik_certs_dumper role
With this, other roles (like Coturn, Postmoogle) will be able
to use SSL certificates extracted from Traefik
via https://github.com/ldez/traefik-certs-dumper
2023-02-08 16:05:38 +02:00
Paul N
96dd86d33b Set default values where sensible and remove unnecessary conditionals in .env.j2.
Check for empty string instead of Null to verify if an openid_server_name is pinned.
2023-02-06 15:26:08 +01:00
Paul N
d67d8c07f5 Remove remnant comment. 2023-02-06 15:26:08 +01:00
jakicoll
6499b6536a Decoupling: Do not use variables user-verification-service role inside the jitsi role. 2023-02-06 15:18:25 +01:00
Paul N
1d99f17b4a Disable matrix-user-verification-service in group_vars and update docs accordingly. 2023-02-06 13:23:11 +01:00