0b438b92d3
feat: add automatic creation of reverse-proxy routing 2022-01-27 06:12:25 +01:00
cc487f8f9e
meta: move inventory structure to be more usable 2022-01-27 06:12:24 +01:00
aca41213ae
meta: add own inventory, add vault-unlock with GPG 2022-01-27 06:12:23 +01:00
Slavi Pantaleev
11c0dcf2ac Upgrade Cinny (1.6.1 -> 1.7.0)
(untested change, but unlikely to cause breakage)
2022-01-26 15:16:55 +02:00
Slavi Pantaleev
ad082b3b1b Fix self-building for Synapse v1.51.0 (requires BuildKit)
Synapse v1.51.0 requires to be built with BuildKit since
https://github.com/matrix-org/synapse/pull/11691

The `docker_image` Ansible module does not support BuildKit
(https://github.com/ansible-collections/community.general/issues/514),
so we had to switch to a `docker build` call.
2022-01-26 08:41:34 +02:00
Slavi Pantaleev
cf46b7fed5 Upgrade Synapse (1.50.2 -> 1.51.0) 2022-01-25 14:19:40 +02:00
Slavi Pantaleev
6df1d29ab9
Merge pull request #1576 from FSG-Cat/patch-1
Update Synapse from 1.50.1 to 1.50.2
2022-01-24 19:51:51 +02:00
Catalan Lover
f59f903c04
Update Synapse from 1.50.1 to 1.50.2
Fixes an issue with room version 1.

Merging has to wait until ARM images are built ofc.
2022-01-24 14:47:41 +01:00
Slavi Pantaleev
826246867a
Merge pull request #1575 from Thracky/fix-mx-puppet-mediaUrl
Add missing slash in url scheme for mediaUrl
2022-01-24 08:27:40 +02:00
Thracky
b02aa4b799 Add missing slash in url scheme for mediaUrl 2022-01-23 14:09:18 -05:00
Slavi Pantaleev
376f3e0cb2
Merge pull request #1573 from HarHarLinks/patch-7
add etherpad to nginx wanted services
2022-01-23 18:22:12 +02:00
Kim Brose
44ae8d3b92
refine etherpad in nginx wanted services condition 2022-01-23 14:28:11 +01:00
Kim Brose
a9dd397771
add etherpad to nginx wanted services
it's required if enabled by the dimension config here:
6eb8fb8392/roles/matrix-etherpad/tasks/init.yml (L42-L49)

see also #1517
2022-01-22 18:59:16 +01:00
Slavi Pantaleev
6eb8fb8392
Merge pull request #1571 from GoliathLabs/postgres-exporter
Updated: prom-postgres-exporter to v0.10.1
2022-01-20 12:01:13 +02:00
GoliathLabs
c6287083e4
Updated: prom-postgres-exporter to v0.10.1 2022-01-20 10:57:39 +01:00
Slavi Pantaleev
b33ea48803
Merge pull request #1570 from altsalt/install_openssl
only enable openssl if necessary, closes #1510
2022-01-20 08:35:01 +02:00
Wm Salt Hale
88b832a818 updated task names leftover from template used 2022-01-19 22:02:20 -08:00
Wm Salt Hale
3aa8c1f62c only enable openssl if necessary 2022-01-19 21:58:39 -08:00
Slavi Pantaleev
6f1b165567
Merge pull request #1568 from etkecc/master
matrix-bot-honoroit: bugfix commands in reply-to mode, add custom prefixes for thread topics
2022-01-19 19:45:16 +02:00
Aine
51b27de1bb
matrix-bot-honoroit: bugfix commands in reply-to mode, add custom prefixes for thread topics 2022-01-19 18:33:51 +02:00
Slavi Pantaleev
bcfae766a1
Merge pull request #1567 from aaronraimist/antispam
Upgrade synapse-simple-antispam (0.0.3 -> 0.0.7)
2022-01-19 16:56:10 +02:00
Aaron Raimist
ff94d815e1
Upgrade synapse-simple-antispam (0.0.3 -> 0.0.7) 2022-01-19 14:35:55 +00:00
Slavi Pantaleev
4cd44f117d Upgrade Synapse (1.50.0 -> 1.50.1)
v1.50.0 was found to be buggy for people using a `webclient` listener.
This is fixed in v1.50.1.

We don't use such a listener, so we weren't affected anyway.
2022-01-18 20:45:12 +02:00
14 changed files with 101 additions and 64 deletions


@ -1482,6 +1482,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
(['matrix-jitsi.service'] if matrix_jitsi_enabled else []) (['matrix-jitsi.service'] if matrix_jitsi_enabled else [])
+ +
(['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else []) (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else [])
+
(['matrix-etherpad.service'] if matrix_etherpad_enabled and matrix_dimension_enabled else [])
}} }}
matrix_ssl_domains_to_obtain_certificates_for: | matrix_ssl_domains_to_obtain_certificates_for: |


@ -0,0 +1,23 @@
# This is for both CentOS 7 and 8
- name: Ensure openssl installed (CentOS)
yum:
name:
- openssl
state: latest
when: ansible_distribution == 'CentOS'
# This is for both Debian and Raspbian
- name: Ensure openssl installed (Debian/Raspbian)
apt:
name:
- openssl
state: latest
when: ansible_os_family == 'Debian'
- name: Ensure openssl installed (Archlinux)
pacman:
name:
- openssl
state: latest
when: ansible_distribution == 'Archlinux'
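Review bot: The yum and apt tasks in this new shared file use `state: latest`, so every run that finds a newer openssl package upgrades it and reports changed, whereas the per-role tasks they replace (the removed block in the matrix-ssl section further down, which also carried `update_cache: no`) used `state: present` for yum and apt; only the pacman task was `latest` before. If the goal is merely to guarantee the binary exists, `state: present` on the yum and apt tasks keeps the runs idempotent and avoids unplanned package upgrades on production hosts. The first task also narrows its condition from the old `ansible_os_family == 'RedHat'` to `ansible_distribution == 'CentOS'`, so RHEL, Fedora and other RedHat-family hosts that previously got openssl installed now fall through all three tasks, which looks unintended given the `# This is for both CentOS 7 and 8` comment. A header comment describing the file's purpose would help readers who land here via the `import_tasks` lines in the other roles, e.g. `# Shared helper: makes sure the openssl package is installed. Imported by roles that need the openssl binary; guard the import with when: where a role needs it only conditionally.`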


@ -7,7 +7,7 @@ matrix_bot_honoroit_container_image_self_build: false
matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git" matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src" matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
matrix_bot_honoroit_version: v0.9.2 matrix_bot_honoroit_version: v0.9.3
matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}" matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}"
matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}" matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}"
matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}" matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}"
@ -83,6 +83,12 @@ matrix_bot_honoroit_sentry: ''
# Log level # Log level
matrix_bot_honoroit_loglevel: '' matrix_bot_honoroit_loglevel: ''
# Text prefix: open
matrix_bot_honoroit_text_prefix_open: ''
# Text prefix: done
matrix_bot_honoroit_text_prefix_done: ''
# Text: greetings # Text: greetings
matrix_bot_honoroit_text_greetings: '' matrix_bot_honoroit_text_greetings: ''


@ -7,6 +7,8 @@ HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}
HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }} HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}
HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }} HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}
HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }} HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}
HONOROIT_TEXT_PREFIX_OPEN={{ matrix_bot_honoroit_text_prefix_open }}
HONOROIT_TEXT_PREFIX_DONE={{ matrix_bot_honoroit_text_prefix_done }}
HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }} HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }}
HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }} HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }}
HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }} HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }}


@ -1,5 +1,7 @@
--- ---
- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
- name: Ensure Appservice IRC paths exist - name: Ensure Appservice IRC paths exist
file: file:
path: "{{ item.path }}" path: "{{ item.path }}"
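Review bot: The new `import_tasks` line at the top of this task file is unconditional and carries no comment, so a reader cannot tell what this bridge needs openssl for, nor whether the install should be skipped in some configurations; the matrix-ssl section further down guards the same import with a `when:` tied to the retrieval method. A one-line comment above the import naming the consumer would make the dependency explicit, e.g. `# openssl is required by the <TASK-NAME-PLACEHOLDER> task below`, filled in with the real task name. The identical unguarded import in the jitsi section has the same gap. The surrounding task list continues outside this hunk, so the actual consumer of openssl is not visible here.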


@ -27,7 +27,7 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url
matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}'
matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}'
matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}" matrix_mx_puppet_discord_bridge_mediaUrl: "https://{{ matrix_server_fqn_matrix }}"
# "@user:server.com" to allow specific user # "@user:server.com" to allow specific user
# "@.*:yourserver.com" to allow users on a specific homeserver # "@.*:yourserver.com" to allow users on a specific homeserver


@ -3,7 +3,7 @@ matrix_client_cinny_enabled: true
matrix_client_cinny_container_image_self_build: false matrix_client_cinny_container_image_self_build: false
matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git" matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
matrix_client_cinny_version: v1.6.1 matrix_client_cinny_version: v1.7.0
matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}" matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}" matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"


@ -1,5 +1,7 @@
--- ---
- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
# #
# Tasks related to setting up jitsi # Tasks related to setting up jitsi
# #


@ -1,28 +1,7 @@
--- ---
- name: Ensure OpenSSL installed (RedHat) - import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
yum: when: "matrix_ssl_retrieval_method == 'self-signed'"
name:
- openssl
state: present
update_cache: no
when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'"
- name: Ensure APT usage dependencies are installed (Debian)
apt:
name:
- openssl
state: present
update_cache: no
when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'"
- name: Ensure OpenSSL installed (Archlinux)
pacman:
name:
- openssl
state: latest
update_cache: no
when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'"
- name: Generate self-signed certificates - name: Generate self-signed certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"


@ -3,7 +3,7 @@
matrix_prometheus_postgres_exporter_enabled: false matrix_prometheus_postgres_exporter_enabled: false
matrix_prometheus_postgres_exporter_version: v0.10.0 matrix_prometheus_postgres_exporter_version: v0.10.1
matrix_prometheus_postgres_exporter_port: 9187 matrix_prometheus_postgres_exporter_port: 9187
matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}"


@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first. # amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately. # arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available. # arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_version: v1.50.0 matrix_synapse_version: v1.51.0
matrix_synapse_version_arm64: v1.50.0 matrix_synapse_version_arm64: v1.51.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
@ -517,7 +517,7 @@ matrix_synapse_ext_password_provider_ldap_default_domain: ""
# See: https://github.com/t2bot/synapse-simple-antispam # See: https://github.com/t2bot/synapse-simple-antispam
matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false
matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam" matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam"
matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "5ab711971e3a4541a7a40310ff85e17f8262cc05"
matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: []
# Enable this to activate the Mjolnir Antispam spam-checker module. # Enable this to activate the Mjolnir Antispam spam-checker module.
@ -580,6 +580,8 @@ matrix_synapse_default_room_version: "6"
# If not, you can also control its value manually. # If not, you can also control its value manually.
matrix_synapse_spam_checker: [] matrix_synapse_spam_checker: []
matrix_synapse_modules: []
matrix_synapse_encryption_enabled_by_default_for_room_type: off matrix_synapse_encryption_enabled_by_default_for_room_type: off
matrix_synapse_trusted_key_servers: matrix_synapse_trusted_key_servers:
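Review bot: The new `matrix_synapse_modules: []` default has no comment, while its neighbour `matrix_synapse_spam_checker` is documented a few lines above; since this list is rendered straight into the `modules:` key of homeserver.yaml (see the template hunk) and is appended to by the antispam task, it deserves the same treatment, e.g. `# Modules to load into Synapse, rendered into the modules section of homeserver.yaml. Some roles append to this list automatically; you can also add entries manually.`. Now that the antispam integration populates `matrix_synapse_modules` rather than `matrix_synapse_spam_checker`, the comment should also say which of the two lists a user is expected to use for their own modules, so that an entry is not carried in both.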


@ -38,8 +38,8 @@
become_user: "{{ matrix_user_username }}" become_user: "{{ matrix_user_username }}"
- set_fact: - set_fact:
matrix_synapse_spam_checker: > matrix_synapse_modules: >
{{ matrix_synapse_spam_checker }} {{ matrix_synapse_modules }}
+ +
[{ [{
"module": "synapse_simple_antispam.AntiSpamInvites", "module": "synapse_simple_antispam.AntiSpamInvites",


@ -18,6 +18,7 @@
group: "{{ matrix_user_groupname }}" group: "{{ matrix_user_groupname }}"
when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
- block:
- name: Ensure Synapse repository is present on self-build - name: Ensure Synapse repository is present on self-build
git: git:
repo: "{{ matrix_synapse_container_image_self_build_repo }}" repo: "{{ matrix_synapse_container_image_self_build_repo }}"
@ -25,18 +26,25 @@
version: "{{ matrix_synapse_docker_image.split(':')[1] }}" version: "{{ matrix_synapse_docker_image.split(':')[1] }}"
force: "yes" force: "yes"
register: matrix_synapse_git_pull_results register: matrix_synapse_git_pull_results
when: "matrix_synapse_container_image_self_build|bool"
- name: Check if Synapse Docker image exists
command: "{{ matrix_host_command_docker }} images --quiet --filter 'reference={{ matrix_synapse_docker_image }}'"
register: matrix_synapse_docker_image_check_result
# Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module,
# because the latter does not support BuildKit.
# See: https://github.com/ansible-collections/community.general/issues/514
- name: Ensure Synapse Docker image is built - name: Ensure Synapse Docker image is built
docker_image: shell:
name: "{{ matrix_synapse_docker_image }}" chdir: "{{ matrix_synapse_docker_src_files_path }}"
source: build cmd: |
force_source: "{{ matrix_synapse_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" {{ matrix_host_command_docker }} build \
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_git_pull_results.changed }}" -t "{{ matrix_synapse_docker_image }}" \
build: -f docker/Dockerfile \
dockerfile: docker/Dockerfile .
path: "{{ matrix_synapse_docker_src_files_path }}" environment:
pull: yes DOCKER_BUILDKIT: 1
when: "matrix_synapse_git_pull_results.changed|bool or matrix_synapse_docker_image_check_result.stdout == ''"
when: "matrix_synapse_container_image_self_build|bool" when: "matrix_synapse_container_image_self_build|bool"
- name: Ensure Synapse Docker image is pulled - name: Ensure Synapse Docker image is pulled
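Review bot: The new `docker build` invocation drops the `pull: yes` that the replaced `docker_image` task had, so a self-build now reuses whatever base image is already in the local cache and can keep building on a stale, possibly unpatched base; adding `--pull` restores the previous behaviour: `{{ matrix_host_command_docker }} build --pull \`. The `environment` value `DOCKER_BUILDKIT: 1` is written as an integer; quoting it as `DOCKER_BUILDKIT: "1"` matches how environment variables are normally declared and removes any reliance on coercion, which I believe Ansible performs but have not verified here. The build task's `when:` depends on `docker images --quiet --filter 'reference=…'` printing nothing when the image is absent, which is correct but non-obvious; a short comment above the check task, such as `# Empty stdout means no image with that reference exists locally`, would help. The enclosing `block:` starts in the previous hunk and its own `when:` is the last line shown, so the image-pull task that follows is outside the block.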


@ -15,12 +15,13 @@
# See https://matrix-org.github.io/synapse/latest/modules/index.html for more # See https://matrix-org.github.io/synapse/latest/modules/index.html for more
# documentation on how to configure or create custom modules for Synapse. # documentation on how to configure or create custom modules for Synapse.
# #
modules: #modules:
# - module: my_super_module.MySuperClass # - module: my_super_module.MySuperClass
# config: # config:
# do_thing: true # do_thing: true
# - module: my_other_super_module.SomeClass # - module: my_other_super_module.SomeClass
# config: {} # config: {}
modules: {{ matrix_synapse_modules|to_json }}
## Server ## ## Server ##
@ -49,13 +50,7 @@ server_name: "{{ matrix_domain }}"
# #
pid_file: /homeserver.pid pid_file: /homeserver.pid
# The absolute URL to the web client which /_matrix/client will redirect # The absolute URL to the web client which / will redirect to.
# to if 'webclient' is configured under the 'listeners' configuration.
#
# This option can be also set to the filesystem path to the web client
# which will be served at /_matrix/client/ if 'webclient' is configured
# under the 'listeners' configuration, however this is a security risk:
# https://github.com/matrix-org/synapse#security-note
# #
#web_client_location: https://riot.example.com/ #web_client_location: https://riot.example.com/
@ -139,7 +134,7 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe
# The default room version for newly created rooms. # The default room version for newly created rooms.
# #
# Known room versions are listed here: # Known room versions are listed here:
# https://matrix.org/docs/spec/#complete-list-of-room-versions # https://spec.matrix.org/latest/rooms/#complete-list-of-room-versions
# #
# For example, for room version 1, default_room_version should be set # For example, for room version 1, default_room_version should be set
# to "1". # to "1".
@ -284,8 +279,6 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
# static: static resources under synapse/static (/_matrix/static). (Mostly # static: static resources under synapse/static (/_matrix/static). (Mostly
# useful for 'fallback authentication'.) # useful for 'fallback authentication'.)
# #
# webclient: A web client. Requires web_client_location to be set.
#
listeners: listeners:
{% if matrix_synapse_metrics_enabled %} {% if matrix_synapse_metrics_enabled %}
- type: metrics - type: metrics
@ -1534,6 +1527,21 @@ room_prejoin_state:
#additional_event_types: #additional_event_types:
# - org.example.custom.event.type # - org.example.custom.event.type
# We record the IP address of clients used to access the API for various
# reasons, including displaying it to the user in the "Where you're signed in"
# dialog.
#
# By default, when puppeting another user via the admin API, the client IP
# address is recorded against the user who created the access token (ie, the
# admin user), and *not* the puppeted user.
#
# Uncomment the following to also record the IP address against the puppeted
# user. (This also means that the puppeted user will count as an "active" user
# for the purpose of monthly active user tracking - see 'limit_usage_by_mau' etc
# above.)
#
#track_puppeted_user_ips: true
# A list of application service config files to use # A list of application service config files to use
# #
@ -1899,10 +1907,13 @@ saml2_config:
# Defaults to false. Avoid this in production. # Defaults to false. Avoid this in production.
# #
# user_profile_method: Whether to fetch the user profile from the userinfo # user_profile_method: Whether to fetch the user profile from the userinfo
# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. # endpoint, or to rely on the data returned in the id_token from the
# token_endpoint.
# #
# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is # Valid values are: 'auto' or 'userinfo_endpoint'.
# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the #
# Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
# not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
# userinfo endpoint. # userinfo endpoint.
# #
# allow_existing_users: set to 'true' to allow a user logging in via OIDC to # allow_existing_users: set to 'true' to allow a user logging in via OIDC to