feat: add automatic creation of reverse-proxy routing

docs/configuring-playbook-jitsi.md

@@ -129,7 +129,7 @@ Until this gets integrated into the playbook, we need to register new users / me
 Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
 
 ```bash
-docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> meet.jitsi <PASSWORD>
+docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> matrix-jitsi-web <PASSWORD>
 ```
 
 Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.

docs/configuring-well-known.md

@@ -69,7 +69,7 @@ It is, however, **a little fragile**, as future updates performed by this playbo
 
 If you don't need the base domain (e.g. `example.com`) for anything else (hosting a website, etc.), you can point it to the Matrix server's IP address and tell the playbook to configure it.
 
-This is the easiest way to set up well-known serving -- letting the playbook handle the whole base domain for you (including SSL certificates, etc.). However, if you need to use the base domain for other things (such as hosting some website, etc.), going with Option 1 or Option 3 might be more suitable.
+This is the easiest way to set up well-known serving -- letting the playbook handle the whole base domain for you (including SSL certificates, etc.). However, if you need to use the base domain for other things (such as hosting some website, etc.), going with Option 1 or Option 2 might be more suitable.
 
 See [Serving the base domain](configuring-playbook-base-domain-serving.md) to learn how the playbook can help you set it up.
 

docs/self-building.md

@@ -25,10 +25,8 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-bridge-mautrix-facebook`
 - `matrix-bridge-mautrix-hangouts`
 - `matrix-bridge-mautrix-telegram`
-- `matrix-bridge-mautrix-signal`
 - `matrix-bridge-mx-puppet-skype`
 - `matrix-bot-mjolnir`
-- `matrix-bot-matrix-reminder-bot`
 
 Adding self-building support to other roles is welcome. Feel free to contribute!
 

group_vars/matrix_servers

@@ -811,7 +811,6 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: |
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
 matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}"
-matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}"
 
 ######################################################################
 #
@@ -1122,7 +1121,17 @@ matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
 # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this.
 matrix_ma1sd_enabled: true
 
-matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+# There's no prebuilt ma1sd image for the `arm32` architecture.
+# We're relying on self-building there.
+matrix_ma1sd_architecture: "{{
+	{
+		'amd64': 'amd64',
+		'arm32': 'arm32',
+		'arm64': 'arm64',
+	}[matrix_architecture]
+}}"
+
+matrix_ma1sd_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 
 # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose

roles/matrix-awx/tasks/set_variables_ma1sd.yml

@@ -29,7 +29,12 @@
     insertafter: '# Synapse Extension Start'
   with_dict:
     'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true'
-    'matrix_synapse_ext_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:8090"'
+    'matrix_synapse_ext_password_provider_rest_auth_endpoint': 'http://matrix-ma1sd:8090'
+  when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
+
+- name: Strip header from ma1sd configuration extension if using internal auth
+  set_fact:
+    ext_matrix_ma1sd_configuration_extension_yaml_parsed: "{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | reject('search', '^matrix_client_element_configuration_extension_json:') | list }}"
   when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
 
 - name: Remove entire ma1sd configuration extension
@@ -47,13 +52,22 @@
     regexp: '^# Start ma1sd Extension# End ma1sd Extension'
     replace: '# Start ma1sd Extension\n# End ma1sd Extension'
 
-- name: Insert/Update ma1sd configuration extension variables
+- name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd
   delegate_to: 127.0.0.1
-  blockinfile:
+  lineinfile:
     path: '{{ awx_cached_matrix_vars }}'
-    marker: "# {mark} ma1sd ANSIBLE MANAGED BLOCK"
+    line: "matrix_ma1sd_configuration_extension_yaml: |"
     insertafter: '# Start ma1sd Extension'
-    block: '{{ ext_matrix_ma1sd_configuration_extension_yaml }}'
+  when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
+
+- name: Set ma1sd configuration extension if using external LDAP/AD with ma1sd
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '{{ awx_cached_matrix_vars }}'
+    insertbefore: '# End ma1sd Extension'
+    line: '{{ item }}'
+  with_items: "{{ ext_matrix_ma1sd_configuration_extension_yaml_parsed }}"
+  when: ext_matrix_ma1sd_auth_store == 'LDAP/AD'
 
 - name: Record ma1sd Custom variables locally on AWX
   delegate_to: 127.0.0.1
@@ -65,7 +79,6 @@
   with_dict:
     'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}'
     'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}'
-  no_log: True
 
 - name: Save new 'Configure ma1sd' survey.json to the AWX tower, template
   delegate_to: 127.0.0.1

roles/matrix-awx/tasks/set_variables_synapse.yml

@@ -154,6 +154,17 @@
   with_items: "{{ ext_federation_whitelist_raw.splitlines() }}"
   when: ext_federation_whitelist_raw|length > 0
 
+- name: Record Synapse Custom variables locally on AWX
+  delegate_to: 127.0.0.1
+  lineinfile:
+    path: '{{ awx_cached_matrix_vars }}'
+    regexp: "^#? *{{ item.key | regex_escape() }}:"
+    line: "{{ item.key }}: {{ item.value }}"
+    insertafter: '# Custom Settings Start'
+  with_dict:
+    'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}'
+    'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}'
+
 - name: Set ext_recaptcha_public_key to a 'public-key' if undefined
   set_fact: ext_recaptcha_public_key="public-key"
   when: (ext_recaptcha_public_key is not defined) or (ext_recaptcha_public_key|length == 0)
@@ -174,20 +185,6 @@
     '  recaptcha_public_key': '{{ ext_recaptcha_public_key }}'
     '  recaptcha_private_key': '{{ ext_recaptcha_private_key }}'
 
-- name: Record Synapse Custom variables locally on AWX
-  delegate_to: 127.0.0.1
-  lineinfile:
-    path: '{{ awx_cached_matrix_vars }}'
-    regexp: "^#? *{{ item.key | regex_escape() }}:"
-    line: "{{ item.key }}: {{ item.value }}"
-    insertafter: '# Custom Settings Start'
-  with_dict:
-    'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}'
-    'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}'
-    'ext_enable_registration_captcha': '{{ ext_enable_registration_captcha }}'
-    'ext_recaptcha_public_key': '"{{ ext_recaptcha_public_key }}"'
-    'ext_recaptcha_private_key': '"{{ ext_recaptcha_private_key }}"'
-
 - name: Save new 'Configure Synapse' survey.json to the AWX tower, template
   delegate_to: 127.0.0.1
   template:

roles/matrix-bot-matrix-reminder-bot/defaults/main.yml

@@ -2,11 +2,6 @@
 # See: https://github.com/anoadragon453/matrix-reminder-bot
 
 matrix_bot_matrix_reminder_bot_enabled: true
-
-matrix_bot_matrix_reminder_bot_container_self_build: false
-matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/matrix-reminder-bot.git"
-matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src"
-
 matrix_bot_matrix_reminder_bot_version: release-v0.2.1
 matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
 matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"

roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml

@@ -37,7 +37,6 @@
     - { path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true }
     - { path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true }
     - { path: "{{ matrix_bot_matrix_reminder_bot_data_store_path }}", when: true }
-    - { path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}", when: true}
   when: "item.when|bool"
 
 - name: Ensure matrix-reminder-bot image is pulled
@@ -46,27 +45,6 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}"
-  when: "not matrix_bot_matrix_reminder_bot_container_self_build|bool"
-
-- name: Ensure matrix-reminder-bot repository is present on self-build
-  git:
-    repo: "{{ matrix_bot_matrix_reminder_bot_docker_repo }}"
-    dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}"
-    force: "yes"
-  register: matrix_bot_matrix_reminder_bot_git_pull_results
-  when: "matrix_bot_matrix_reminder_bot_container_self_build|bool"
-
-- name: Ensure matrix-reminder-bot image is built
-  docker_image:
-    name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}"
-    source: build
-    force_source: "{{ matrix_bot_matrix_reminder_bot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
-    build:
-      dockerfile: docker/Dockerfile
-      path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}"
-      pull: yes
-  when: "matrix_bot_matrix_reminder_bot_container_self_build|bool"
 
 - name: Ensure matrix-reminder-bot config installed
   copy:

roles/matrix-jitsi/templates/jicofo/env.j2

@@ -1,7 +1,7 @@
 AUTH_TYPE={{ matrix_jitsi_auth_type }}
 BRIDGE_AVG_PARTICIPANT_STRESS
 BRIDGE_STRESS_THRESHOLD
-ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
+ENABLE_AUTH
 ENABLE_AUTO_OWNER
 ENABLE_CODEC_VP8
 ENABLE_CODEC_VP9

roles/matrix-ma1sd/defaults/main.yml

@@ -7,9 +7,11 @@ matrix_ma1sd_container_image_self_build: false
 matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
 matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
 
-matrix_ma1sd_version: "2.5.0"
+matrix_ma1sd_architecture: "amd64"
 
-matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}"
+matrix_ma1sd_version: "2.4.0"
+
+matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}"
 matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"
 

roles/matrix-ma1sd/tasks/validate_config.yml

@@ -28,7 +28,6 @@
     - 'matrix_ma1sd_ldap_auth_filter'
     - 'matrix_ma1sd_ldap_directory_filter'
     - 'matrix_ma1sd_template_config'
-    - 'matrix_ma1sd_architecture'
 
 - name: Ensure ma1sd configuration does not contain any dot-notation keys
   fail:

roles/matrix-prometheus-node-exporter/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_prometheus_node_exporter_enabled: false
 
-matrix_prometheus_node_exporter_version: v1.2.0
+matrix_prometheus_node_exporter_version: v1.1.2
 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}"
 matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}"
 

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.39.0
-matrix_synapse_version_arm64: v1.39.0
+matrix_synapse_version: v1.38.1
+matrix_synapse_version_arm64: v1.38.1
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -1314,6 +1314,91 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json
 #auto_join_rooms_for_guests: false
 
 
+## Account Validity ##
+
+# Optional account validity configuration. This allows for accounts to be denied
+# any request after a given period.
+#
+# Once this feature is enabled, Synapse will look for registered users without an
+# expiration date at startup and will add one to every account it found using the
+# current settings at that time.
+# This means that, if a validity period is set, and Synapse is restarted (it will
+# then derive an expiration date from the current validity period), and some time
+# after that the validity period changes and Synapse is restarted, the users'
+# expiration dates won't be updated unless their account is manually renewed. This
+# date will be randomly selected within a range [now + period - d ; now + period],
+# where d is equal to 10% of the validity period.
+#
+account_validity:
+  # The account validity feature is disabled by default. Uncomment the
+  # following line to enable it.
+  #
+  #enabled: true
+
+  # The period after which an account is valid after its registration. When
+  # renewing the account, its validity period will be extended by this amount
+  # of time. This parameter is required when using the account validity
+  # feature.
+  #
+  #period: 6w
+
+  # The amount of time before an account's expiry date at which Synapse will
+  # send an email to the account's email address with a renewal link. By
+  # default, no such emails are sent.
+  #
+  # If you enable this setting, you will also need to fill out the 'email' and
+  # 'public_baseurl' configuration sections.
+  #
+  #renew_at: 1w
+
+  # The subject of the email sent out with the renewal link. '%(app)s' can be
+  # used as a placeholder for the 'app_name' parameter from the 'email'
+  # section.
+  #
+  # Note that the placeholder must be written '%(app)s', including the
+  # trailing 's'.
+  #
+  # If this is not set, a default value is used.
+  #
+  #renew_email_subject: "Renew your %(app)s account"
+
+  # Directory in which Synapse will try to find templates for the HTML files to
+  # serve to the user when trying to renew an account. If not set, default
+  # templates from within the Synapse package will be used.
+  #
+  # The currently available templates are:
+  #
+  # * account_renewed.html: Displayed to the user after they have successfully
+  #       renewed their account.
+  #
+  # * account_previously_renewed.html: Displayed to the user if they attempt to
+  #       renew their account with a token that is valid, but that has already
+  #       been used. In this case the account is not renewed again.
+  #
+  # * invalid_token.html: Displayed to the user when they try to renew an account
+  #       with an unknown or invalid renewal token.
+  #
+  # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for
+  # default template contents.
+  #
+  # The file name of some of these templates can be configured below for legacy
+  # reasons.
+  #
+  #template_dir: "res/templates"
+
+  # A custom file name for the 'account_renewed.html' template.
+  #
+  # If not set, the file is assumed to be named "account_renewed.html".
+  #
+  #account_renewed_html_path: "account_renewed.html"
+
+  # A custom file name for the 'invalid_token.html' template.
+  #
+  # If not set, the file is assumed to be named "invalid_token.html".
+  #
+  #invalid_token_html_path: "invalid_token.html"
+
+
 ## Metrics ###
 
 # Enable collection and rendering of performance metrics
@@ -2625,6 +2710,11 @@ stats:
   #
   #enabled: false
 
+  # The size of each timeslice in the room_stats_historical and
+  # user_stats_historical tables, as a time period. Defaults to "1d".
+  #
+  #bucket_size: 1h
+
 
 # Server Notices room configuration
 #
@@ -2717,6 +2807,19 @@ alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }}
 room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }}
 
 
+# Server admins can define a Python module that implements extra rules for
+# allowing or denying incoming events. In order to work, this module needs to
+# override the methods defined in synapse/events/third_party_rules.py.
+#
+# This feature is designed to be used in closed federations only, where each
+# participating server enforces the same rules.
+#
+#third_party_event_rules:
+#  module: "my_custom_project.SuperRulesSet"
+#  config:
+#    example_option: 'things'
+
+
 ## Opentracing ##
 
 # These settings enable opentracing, which implements distributed tracing.