feat: add automatic creation of reverse-proxy routing

docs/configuring-dns.md

@@ -31,12 +31,12 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
 | Type  | Host                         | Priority | Weight | Port | Target                 |
 | ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- |
 | SRV   | `_matrix-identity._tcp`      | 10       | 0      | 443  | `matrix.<your-domain>` |
-| CNAME | `dimension`                  | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `jitsi`                      | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `stats`                      | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `goneb`                      | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `sygnal`                     | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `hydrogen`                   | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `dimension` (*)              | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `jitsi` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `stats` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `goneb` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `sygnal` (*)                 | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `hydrogen` (*)               | -        | -      | -    | `matrix.<your-domain>` |
 
 ## Subdomains setup
 

roles/matrix-bridge-appservice-irc/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false
 matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
 matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
 
-matrix_appservice_irc_version: release-0.27.0
+matrix_appservice_irc_version: release-0.26.1
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
 

roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml

@@ -7,7 +7,7 @@
 
 - name: Ensure matrix-heisenbridge is stopped
   service:
-    name: matrix-heisenbridge
+    name: heisenbridge
     state: stopped
     daemon_reload: yes
   when: "matrix_heisenbridge_service_stat.stat.exists"

roles/matrix-client-hydrogen/defaults/main.yml

@@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true
 matrix_client_hydrogen_container_image_self_build: true
 matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
 
-matrix_client_hydrogen_version: v0.2.0
+matrix_client_hydrogen_version: v0.1.57
 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
 matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
 matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"

roles/matrix-prometheus/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_prometheus_enabled: false
 
-matrix_prometheus_version: v2.28.0
+matrix_prometheus_version: v2.27.1
 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
 matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
 

roles/matrix-redis/templates/systemd/matrix-redis.service.j2

@@ -19,8 +19,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-redis \
 			{% if matrix_redis_container_redis_bind_port %}
 			-p {{ matrix_redis_container_redis_bind_port }}:6379 \
 			{% endif %}
-			--mount type=bind,src={{ matrix_redis_base_path }}/redis.conf,dst=/usr/local/etc/redis/redis.conf,ro \
-			--mount type=bind,src={{ matrix_redis_data_path }},dst=/data \
+			-v {{ matrix_redis_base_path }}/redis.conf:/usr/local/etc/redis/redis.conf \
 			{% for arg in matrix_redis_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.37.0
-matrix_synapse_version_arm64: v1.37.0
+matrix_synapse_version: v1.36.0
+matrix_synapse_version_arm64: v1.36.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -7,22 +7,6 @@
 #
 # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
 
-
-## Modules ##
-
-# Server admins can expand Synapse's functionality with external modules.
-#
-# See https://matrix-org.github.io/synapse/develop/modules.html for more
-# documentation on how to configure or create custom modules for Synapse.
-#
-modules:
-    # - module: my_super_module.MySuperClass
-    #   config:
-    #       do_thing: true
-    # - module: my_other_super_module.SomeClass
-    #   config: {}
-
-
 ## Server ##
 
 # The public-facing domain of the server
@@ -590,9 +574,13 @@ retention:
 # This certificate, as of Synapse 1.0, will need to be a valid and verifiable
 # certificate, signed by a recognised Certificate Authority.
 #
-# Be sure to use a `.pem` file that includes the full certificate chain including
-# any intermediate certificates (for instance, if using certbot, use
-# `fullchain.pem` as your certificate, not `cert.pem`).
+# See 'ACME support' below to enable auto-provisioning this certificate via
+# Let's Encrypt.
+#
+# If supplying your own, be sure to use a `.pem` file that includes the
+# full certificate chain including any intermediate certificates (for
+# instance, if using certbot, use `fullchain.pem` as your certificate,
+# not `cert.pem`).
 #
 tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }}
 
@@ -643,6 +631,80 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }}
 #  - myCA2.pem
 #  - myCA3.pem
 
+# ACME support: This will configure Synapse to request a valid TLS certificate
+# for your configured `server_name` via Let's Encrypt.
+#
+# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
+# ACME v2. This means that this feature currently won't work with installs set
+# up after November 2019. For more info, and alternative solutions, see
+# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
+#
+# Note that provisioning a certificate in this way requires port 80 to be
+# routed to Synapse so that it can complete the http-01 ACME challenge.
+# By default, if you enable ACME support, Synapse will attempt to listen on
+# port 80 for incoming http-01 challenges - however, this will likely fail
+# with 'Permission denied' or a similar error.
+#
+# There are a couple of potential solutions to this:
+#
+#  * If you already have an Apache, Nginx, or similar listening on port 80,
+#    you can configure Synapse to use an alternate port, and have your web
+#    server forward the requests. For example, assuming you set 'port: 8009'
+#    below, on Apache, you would write:
+#
+#    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
+#
+#  * Alternatively, you can use something like `authbind` to give Synapse
+#    permission to listen on port 80.
+#
+acme:
+    # ACME support is disabled by default. Uncomment the following line
+    # (and tls_certificate_path and tls_private_key_path above) to enable it.
+    #
+    #enabled: true
+
+    # Endpoint to use to request certificates. If you only want to test,
+    # use Let's Encrypt's staging url:
+    #     https://acme-staging.api.letsencrypt.org/directory
+    #
+    #url: https://acme-v01.api.letsencrypt.org/directory
+
+    # Port number to listen on for the HTTP-01 challenge. Change this if
+    # you are forwarding connections through Apache/Nginx/etc.
+    #
+    #port: 80
+
+    # Local addresses to listen on for incoming connections.
+    # Again, you may want to change this if you are forwarding connections
+    # through Apache/Nginx/etc.
+    #
+    #bind_addresses: ['::', '0.0.0.0']
+
+    # How many days remaining on a certificate before it is renewed.
+    #
+    #reprovision_threshold: 30
+
+    # The domain that the certificate should be for. Normally this
+    # should be the same as your Matrix domain (i.e., 'server_name'), but,
+    # by putting a file at 'https://<server_name>/.well-known/matrix/server',
+    # you can delegate incoming traffic to another server. If you do that,
+    # you should give the target of the delegation here.
+    #
+    # For example: if your 'server_name' is 'example.com', but
+    # 'https://example.com/.well-known/matrix/server' delegates to
+    # 'matrix.example.com', you should put 'matrix.example.com' here.
+    #
+    # If not set, defaults to your 'server_name'.
+    #
+    #domain: matrix.example.com
+
+    # file to use for the account key. This will be generated if it doesn't
+    # exist.
+    #
+    # If unspecified, we will use CONFDIR/client.key.
+    #
+    #account_key_file: /data/acme_account.key
+
 
 ## Federation ##
 
@@ -895,10 +957,6 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire
 
 # The largest allowed upload size in bytes
 #
-# If you are using a reverse proxy you may also need to set this value in
-# your reverse proxy's config. Notably Nginx has a small max body size by default.
-# See https://matrix-org.github.io/synapse/develop/reverse_proxy.html.
-#
 max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
 
 # Maximum number of pixels that will be thumbnailed
@@ -1987,17 +2045,6 @@ sso:
     #  - https://riot.im/develop
     #  - https://my.custom.client/
 
-    # Uncomment to keep a user's profile fields in sync with information from
-    # the identity provider. Currently only syncing the displayname is
-    # supported. Fields are checked on every SSO login, and are updated
-    # if necessary.
-    #
-    # Note that enabling this option will override user profile information,
-    # regardless of whether users have opted-out of syncing that
-    # information when first signing in. Defaults to false.
-    #
-    #update_profile_information: true
-
     # Directory in which Synapse will try to find the template files below.
     # If not set, or the files named below are not found within the template
     # directory, default templates from within the Synapse package will be used.
@@ -2279,10 +2326,6 @@ ui_auth:
     # the user-interactive authentication process, by allowing for multiple
     # (and potentially different) operations to use the same validation session.
     #
-    # This is ignored for potentially "dangerous" operations (including
-    # deactivating an account, modifying an account password, and
-    # adding a 3PID).
-    #
     # Uncomment below to allow for credential validation to last for 15
     # seconds.
     #