feat: add automatic creation of reverse-proxy routing

(untested change, but unlikely to cause breakage)

group_vars/matrix_servers

@@ -1482,6 +1482,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
     (['matrix-jitsi.service'] if matrix_jitsi_enabled else [])
     +
     (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else [])
+    +
+    (['matrix-etherpad.service'] if matrix_etherpad_enabled and matrix_dimension_enabled else [])
   }}
 
 matrix_ssl_domains_to_obtain_certificates_for: |

roles/matrix-base/tasks/util/ensure_openssl_installed.yml

@@ -0,0 +1,23 @@
+
+# This is for both CentOS 7 and 8
+- name: Ensure openssl installed (CentOS)
+  yum:
+    name:
+      - openssl
+    state: latest
+  when: ansible_distribution == 'CentOS'
+
+# This is for both Debian and Raspbian
+- name: Ensure openssl installed (Debian/Raspbian)
+  apt:
+    name:
+      - openssl
+    state: latest
+  when: ansible_os_family == 'Debian'
+
+- name: Ensure openssl installed (Archlinux)
+  pacman:
+    name:
+      - openssl
+    state: latest
+  when: ansible_distribution == 'Archlinux'

roles/matrix-bot-honoroit/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_bot_honoroit_container_image_self_build: false
 matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 
-matrix_bot_honoroit_version: v0.9.2
+matrix_bot_honoroit_version: v0.9.3
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}"
 matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}"
@@ -83,6 +83,12 @@ matrix_bot_honoroit_sentry: ''
 # Log level
 matrix_bot_honoroit_loglevel: ''
 
+# Text prefix: open
+matrix_bot_honoroit_text_prefix_open: ''
+
+# Text prefix: done
+matrix_bot_honoroit_text_prefix_done: ''
+
 # Text: greetings
 matrix_bot_honoroit_text_greetings: ''
 

roles/matrix-bot-honoroit/templates/env.j2

@@ -7,6 +7,8 @@ HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}
 HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}
 HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}
 HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}
+HONOROIT_TEXT_PREFIX_OPEN={{ matrix_bot_honoroit_text_prefix_open }}
+HONOROIT_TEXT_PREFIX_DONE={{ matrix_bot_honoroit_text_prefix_done }}
 HONOROIT_TEXT_GREETINGS={{ matrix_bot_honoroit_text_greetings }}
 HONOROIT_TEXT_ERROR={{ matrix_bot_honoroit_text_error }}
 HONOROIT_TEXT_EMPTYROOM={{ matrix_bot_honoroit_text_emptyroom }}

roles/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -1,5 +1,7 @@
 ---
 
+- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
+
 - name: Ensure Appservice IRC paths exist
   file:
     path: "{{ item.path }}"

roles/matrix-bridge-mx-puppet-discord/defaults/main.yml

@@ -27,7 +27,7 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url
 matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}'
 matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}'
 
-matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}"
+matrix_mx_puppet_discord_bridge_mediaUrl: "https://{{ matrix_server_fqn_matrix }}"
 
 # "@user:server.com" to allow specific user
 # "@.*:yourserver.com" to allow users on a specific homeserver

roles/matrix-client-cinny/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_client_cinny_enabled: true
 matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
 
-matrix_client_cinny_version: v1.6.1
+matrix_client_cinny_version: v1.7.0
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"

roles/matrix-jitsi/tasks/setup_jitsi_base.yml

@@ -1,5 +1,7 @@
 ---
 
+- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
+
 #
 # Tasks related to setting up jitsi
 #

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml

@@ -1,28 +1,7 @@
 ---
 
-- name: Ensure OpenSSL installed (RedHat)
-  yum:
-    name:
-      - openssl
-    state: present
-    update_cache: no
-  when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'"
-
-- name: Ensure APT usage dependencies are installed (Debian)
-  apt:
-    name:
-      - openssl
-    state: present
-    update_cache: no
-  when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'"
-
-- name: Ensure OpenSSL installed (Archlinux)
-  pacman:
-    name:
-      - openssl
-    state: latest
-    update_cache: no
-  when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'"
+- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
+  when: "matrix_ssl_retrieval_method == 'self-signed'"
 
 - name: Generate self-signed certificates
   include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"

roles/matrix-prometheus-postgres-exporter/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_prometheus_postgres_exporter_enabled: false
 
-matrix_prometheus_postgres_exporter_version: v0.10.0
+matrix_prometheus_postgres_exporter_version: v0.10.1
 matrix_prometheus_postgres_exporter_port: 9187
 
 matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}"

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.50.0
-matrix_synapse_version_arm64: v1.50.0
+matrix_synapse_version: v1.51.0
+matrix_synapse_version_arm64: v1.51.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
@@ -517,7 +517,7 @@ matrix_synapse_ext_password_provider_ldap_default_domain: ""
 # See: https://github.com/t2bot/synapse-simple-antispam
 matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false
 matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam"
-matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5"
+matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "5ab711971e3a4541a7a40310ff85e17f8262cc05"
 matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: []
 
 # Enable this to activate the Mjolnir Antispam spam-checker module.
@@ -580,6 +580,8 @@ matrix_synapse_default_room_version: "6"
 # If not, you can also control its value manually.
 matrix_synapse_spam_checker: []
 
+matrix_synapse_modules: []
+
 matrix_synapse_encryption_enabled_by_default_for_room_type: off
 
 matrix_synapse_trusted_key_servers:

roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml

@@ -38,8 +38,8 @@
   become_user: "{{ matrix_user_username }}"
 
 - set_fact:
-    matrix_synapse_spam_checker: >
-      {{ matrix_synapse_spam_checker }}
+    matrix_synapse_modules: >
+      {{ matrix_synapse_modules }}
       +
       [{
         "module": "synapse_simple_antispam.AntiSpamInvites",

roles/matrix-synapse/tasks/synapse/setup_install.yml

@@ -18,25 +18,33 @@
     group: "{{ matrix_user_groupname }}"
   when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
 
-- name: Ensure Synapse repository is present on self-build
+- block:
+  - name: Ensure Synapse repository is present on self-build
     git:
       repo: "{{ matrix_synapse_container_image_self_build_repo }}"
       dest: "{{ matrix_synapse_docker_src_files_path }}"
       version: "{{ matrix_synapse_docker_image.split(':')[1] }}"
       force: "yes"
     register: matrix_synapse_git_pull_results
-  when: "matrix_synapse_container_image_self_build|bool"
 
-- name: Ensure Synapse Docker image is built
-  docker_image:
-    name: "{{ matrix_synapse_docker_image }}"
-    source: build
-    force_source: "{{ matrix_synapse_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_git_pull_results.changed }}"
-    build:
-      dockerfile: docker/Dockerfile
-      path: "{{ matrix_synapse_docker_src_files_path }}"
-      pull: yes
+  - name: Check if Synapse Docker image exists
+    command: "{{ matrix_host_command_docker }} images --quiet --filter 'reference={{ matrix_synapse_docker_image }}'"
+    register: matrix_synapse_docker_image_check_result
+
+  # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module,
+  # because the latter does not support BuildKit.
+  # See: https://github.com/ansible-collections/community.general/issues/514
+  - name: Ensure Synapse Docker image is built
+    shell:
+      chdir: "{{ matrix_synapse_docker_src_files_path }}"
+      cmd: |
+        {{ matrix_host_command_docker }} build \
+        -t "{{ matrix_synapse_docker_image }}" \
+        -f docker/Dockerfile \
+        .
+    environment:
+      DOCKER_BUILDKIT: 1
+    when: "matrix_synapse_git_pull_results.changed|bool or matrix_synapse_docker_image_check_result.stdout == ''"
   when: "matrix_synapse_container_image_self_build|bool"
 
 - name: Ensure Synapse Docker image is pulled

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -15,12 +15,13 @@
 # See https://matrix-org.github.io/synapse/latest/modules/index.html for more
 # documentation on how to configure or create custom modules for Synapse.
 #
-modules:
+#modules:
     # - module: my_super_module.MySuperClass
     #   config:
     #       do_thing: true
     # - module: my_other_super_module.SomeClass
     #   config: {}
+modules: {{ matrix_synapse_modules|to_json }}
 
 
 ## Server ##
@@ -49,13 +50,7 @@ server_name: "{{ matrix_domain }}"
 #
 pid_file: /homeserver.pid
 
-# The absolute URL to the web client which /_matrix/client will redirect
-# to if 'webclient' is configured under the 'listeners' configuration.
-#
-# This option can be also set to the filesystem path to the web client
-# which will be served at /_matrix/client/ if 'webclient' is configured
-# under the 'listeners' configuration, however this is a security risk:
-# https://github.com/matrix-org/synapse#security-note
+# The absolute URL to the web client which / will redirect to.
 #
 #web_client_location: https://riot.example.com/
 
@@ -139,7 +134,7 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe
 # The default room version for newly created rooms.
 #
 # Known room versions are listed here:
-# https://matrix.org/docs/spec/#complete-list-of-room-versions
+# https://spec.matrix.org/latest/rooms/#complete-list-of-room-versions
 #
 # For example, for room version 1, default_room_version should be set
 # to "1".
@@ -284,8 +279,6 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #   static: static resources under synapse/static (/_matrix/static). (Mostly
 #       useful for 'fallback authentication'.)
 #
-#   webclient: A web client. Requires web_client_location to be set.
-#
 listeners:
 {% if matrix_synapse_metrics_enabled %}
   - type: metrics
@@ -1534,6 +1527,21 @@ room_prejoin_state:
    #additional_event_types:
    #  - org.example.custom.event.type
 
+# We record the IP address of clients used to access the API for various
+# reasons, including displaying it to the user in the "Where you're signed in"
+# dialog.
+#
+# By default, when puppeting another user via the admin API, the client IP
+# address is recorded against the user who created the access token (ie, the
+# admin user), and *not* the puppeted user.
+#
+# Uncomment the following to also record the IP address against the puppeted
+# user. (This also means that the puppeted user will count as an "active" user
+# for the purpose of monthly active user tracking - see 'limit_usage_by_mau' etc
+# above.)
+#
+#track_puppeted_user_ips: true
+
 
 # A list of application service config files to use
 #
@@ -1899,10 +1907,13 @@ saml2_config:
 #       Defaults to false. Avoid this in production.
 #
 #   user_profile_method: Whether to fetch the user profile from the userinfo
-#       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
+#       endpoint, or to rely on the data returned in the id_token from the
+#       token_endpoint.
 #
-#       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
-#       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
+#       Valid values are: 'auto' or 'userinfo_endpoint'.
+#
+#       Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
+#       not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
 #       userinfo endpoint.
 #
 #   allow_existing_users: set to 'true' to allow a user logging in via OIDC to