Compare commits


8 Commits

5 changed files with 49 additions and 43 deletions


@ -3,10 +3,20 @@
# Domain of the matrix server and SSL config # Domain of the matrix server and SSL config
# #
matrix_domain: finallycoffee.eu matrix_domain: finallycoffee.eu
matrix_ssl_retrieval_method: none matrix_ssl_retrieval_method: none
matrix_nginx_proxy_enabled: false matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_https_enabled: false
matrix_nginx_proxy_container_http_host_bind_port: "127.0.10.1:8080"
matrix_nginx_proxy_container_federation_host_bind_port: "127.0.10.1:8448"
matrix_nginx_proxy_trust_forwarded_proto: true
matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
matrix_nginx_proxy_proxy_synapse_metrics: true
matrix_base_data_path: "{{ vault_matrix_base_data_path }}" matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
matrix_server_fqn_element: "chat.{{ matrix_domain }}" matrix_server_fqn_element: "chat.{{ matrix_domain }}"
matrix_docker_installation_enabled: false
web_user: "web" web_user: "web"
revproxy_autoload_dir: "/vault/services/web/sites.d" revproxy_autoload_dir: "/vault/services/web/sites.d"
@ -22,14 +32,14 @@ matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_passwo
# A secret used to protect access keys issued by the server. # A secret used to protect access keys issued by the server.
matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}" matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
# Make synapse accept larger media aswell # Make synapse accept larger media aswell
matrix_synapse_max_upload_size_mb: 100 matrix_synapse_max_upload_size_mb: 200
# Enable metrics at (default) :9100/_synapse/metrics # Enable metrics at (default) :9100/_synapse/metrics
matrix_synapse_metrics_enabled: true matrix_synapse_metrics_enabled: true
matrix_synapse_enable_group_creation: true matrix_synapse_enable_group_creation: true
matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}" matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
matrix_synapse_turn_uris: matrix_synapse_turn_uris:
- "turns:voip.matrix.finallycoffee.eu?transport=udp" - "turn:voip.matrix.finallycoffee.eu?transport=udp"
- "turns:voip.matrix.finallycoffee.eu?transport=tcp" - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
# Auto-join all users into those rooms # Auto-join all users into those rooms
matrix_synapse_auto_join_rooms: matrix_synapse_auto_join_rooms:
- "#welcome:finallycoffee.eu" - "#welcome:finallycoffee.eu"
@ -53,8 +63,8 @@ matrix_synapse_event_cache_size: "200K"
## Synapse workers ## Synapse workers
matrix_synapse_workers_enabled: true matrix_synapse_workers_enabled: true
matrix_synapse_workers_preset: "little-federation-helper" matrix_synapse_workers_preset: "little-federation-helper"
matrix_synapse_workers_generic_worker_client_server_count: 0 matrix_synapse_workers_generic_workers_count: 2
matrix_synapse_workers_media_repository_workers_count: 0 matrix_synapse_workers_media_repository_workers_count: 2
matrix_synapse_workers_federation_sender_workers_count: 1 matrix_synapse_workers_federation_sender_workers_count: 1
matrix_synapse_workers_pusher_workers_count: 0 matrix_synapse_workers_pusher_workers_count: 0
matrix_synapse_workers_appservice_workers_count: 1 matrix_synapse_workers_appservice_workers_count: 1
@ -181,6 +191,8 @@ matrix_mautrix_signal_configuration_extension_yaml: |
allow: true allow: true
require_verification: false require_verification: false
delivery_receipts: true delivery_receipts: true
permissions:
"@ilosai:fairydust.space": "user"
logging: logging:
root: root:
level: INFO level: INFO
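Review bot: `matrix_nginx_proxy_proxy_synapse_metrics: true` in the first hunk makes the nginx proxy serve Synapse's metrics paths, and nothing in this file puts authentication on them. The Caddy template changed in the same comparison applies `basicauth` only to `/metrics/*` and then hands every other path to this nginx listener with `reverse_proxy *`, so a request for `/_synapse/metrics` or one of the `/_synapse-worker-…/metrics` paths would apparently reach nginx without passing the basic-auth matcher. Either enable the proxy's own protection here, e.g. `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: true` if the role version in use provides it, or have the front proxy reject `/_synapse/metrics` and `/_synapse-worker-*` ahead of the catch-all.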


@ -18,6 +18,7 @@
when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce'
- name: Ensure yum packages are installed - name: Ensure yum packages are installed
when: false
yum: yum:
name: name:
- "{{ matrix_ntpd_package }}" - "{{ matrix_ntpd_package }}"
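Review bot: The added `when: false` hard-codes this task off inside the role, so the package named by `matrix_ntpd_package` is never installed and nothing in the inventory shows that. The Docker task in the next file is switched off the same way with `and false`, although `matrix_docker_installation_enabled: false` is already set in the variables file earlier in this comparison. Gate the task on a variable instead, for example `when: matrix_base_packages_install_enabled | default(true) | bool` (placeholder name), and set it in the inventory. If another component keeps the clock in sync on this host, a one-line comment above the task should say so, since token and certificate validity checks depend on correct time. The task body continues past the hunk.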


@ -28,4 +28,4 @@
- "{{ matrix_docker_package_name }}" - "{{ matrix_docker_package_name }}"
- docker-python - docker-python
state: latest state: latest
when: matrix_docker_installation_enabled|bool when: matrix_docker_installation_enabled|bool and false


@ -7,9 +7,10 @@
- roles/matrix-synapse/vars/workers.yml - roles/matrix-synapse/vars/workers.yml
roles: roles:
# - matrix-awx
- matrix-base - matrix-base
- matrix-dynamic-dns # - matrix-dynamic-dns
- matrix-mailer # - matrix-mailer
- matrix-postgres - matrix-postgres
- matrix-redis - matrix-redis
- matrix-corporal - matrix-corporal
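Review bot: Commenting `matrix-dynamic-dns` and `matrix-mailer` out of the `roles:` list skips those roles entirely, including any cleanup tasks they would run when disabled, and their defaults are presumably no longer loaded for other roles that reference them. If the role versions in use provide enable switches, setting `matrix_mailer_enabled: false` and `matrix_dynamic_dns_enabled: false` in the inventory keeps the play list identical to upstream and lets the roles remove what they installed. The list continues past the hunk.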


@ -6,41 +6,36 @@ https://{{ matrix_server_fqn_matrix }} {
X-Frame-Options "DENY" X-Frame-Options "DENY"
X-XSS-Protection "1; mode=block" X-XSS-Protection "1; mode=block"
} }
# matrix-ma1sd
reverse_proxy /_matrix/identity/* {{ matrix_ma1sd_container_http_host_bind_port }} {
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
reverse_proxy /_matrix/client/r0/user_directory/search/* {{ matrix_ma1sd_container_http_host_bind_port }} {
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
reverse_proxy /_matrix/federation/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
reverse_proxy /_matrix/key/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
reverse_proxy /_matrix/* {{ matrix_synapse_container_client_api_host_bind_port }} {
import proxyheaders
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
route /synapse-admin/* {
uri strip_prefix /synapse-admin
reverse_proxy http://127.0.0.1{{ matrix_synapse_admin_container_http_host_bind_port }}
}
reverse_proxy /_synapse/* http://{{ matrix_synapse_container_client_api_host_bind_port }}
basicauth /metrics/* bcrypt monitoring { basicauth /metrics/* bcrypt monitoring {
monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
} }
route /metrics/synapse { route /metrics/synapse {
uri replace /metrics/synapse /_synapse/metrics uri replace /metrics/synapse /_synapse/metrics
reverse_proxy http://{{ matrix_synapse_container_metrics_api_host_bind_port }} reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
} }
route /metrics/synapse/worker/appservice { route /metrics/synapse/worker/appservice {
uri replace /metrics/synapse/worker/appservice /_synapse/metrics uri replace /metrics/synapse/worker/appservice /_synapse-worker-appservice-0/metrics
reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_appservice_workers_metrics_range_start }} reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
} }
route /metrics/synapse/worker/federation-sender { route /metrics/synapse/worker/federation-sender {
uri replace /metrics/synapse/worker/federation-sender /_synapse/metrics uri replace /metrics/synapse/worker/federation-sender /_synapse-worker-federation_sender-0/metrics
reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start }} reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/generic-0 {
uri replace /metrics/synapse/worker/generic-0 /_synapse-worker-generic_worker-{{ (matrix_synapse_workers_generic_workers_port_range_start)|int}}/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/generic-1 {
uri replace /metrics/synapse/worker/generic-1 /_synapse-worker-generic_worker-{{ (matrix_synapse_workers_generic_workers_port_range_start + 1)|int}}/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/media-0 {
uri replace /metrics/synapse/worker/media-0 /_synapse-worker-media_repository-{{ (matrix_synapse_workers_media_repository_workers_port_range_start)|int }}/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/media-1 {
uri replace /metrics/synapse/worker/media-1 /_synapse-worker-media_repository-{{ (matrix_synapse_workers_media_repository_workers_port_range_start + 1)|int }}/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
} }
route /metrics/bridge/* { route /metrics/bridge/* {
uri strip_prefix /metrics/bridge uri strip_prefix /metrics/bridge
@ -73,24 +68,21 @@ https://{{ matrix_server_fqn_matrix }} {
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }} reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
} }
} }
reverse_proxy /bridge/telegram/* http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }} reverse_proxy /_matrix/federation/* http://{{ matrix_nginx_proxy_container_federation_host_bind_port }}
reverse_proxy /bridge/slack/* http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }} reverse_proxy /_matrix/key/* http://{{ matrix_nginx_proxy_container_federation_host_bind_port }}
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
} }
https://{{ matrix_server_fqn_dimension }} { https://{{ matrix_server_fqn_dimension }} {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
encode zstd gzip encode zstd gzip
reverse_proxy http://{{ matrix_dimension_container_http_host_bind_port }} { reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
#header_up X-Forwarded-For {remote}
import proxyheaders
#header_up Host {host}
}
} }
https://{{ matrix_server_fqn_element }} { https://{{ matrix_server_fqn_element }} {
tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
encode zstd gzip encode zstd gzip
reverse_proxy http://{{ matrix_client_element_container_http_host_bind_port }} reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
} }
https://{{ matrix_domain }}/.well-known/matrix/* { https://{{ matrix_domain }}/.well-known/matrix/* {