finallycoffee/matrix-docker-ansible-deploy
finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: finallycoffee:b4f93fdfc390e9d403906a1ffbf87895450397a4
Branches Tags
finallycoffee:master
finallycoffee:transcaffeine/patch-dumb-design-choices
finallycoffee:feat-mx-puppet-instagram
..
compare: finallycoffee:52c3c66a828b797bdaf2d30e2f476b2abc9de5f1
Branches Tags
finallycoffee:master
finallycoffee:transcaffeine/patch-dumb-design-choices
finallycoffee:feat-mx-puppet-instagram

10 Commits
b4f93fdfc3 ... 52c3c66a82

Author SHA1 Message Date
Johanna Dorothea Reichmann
52c3c66a82
chore: update to 1.79.0 2023-03-24 18:19:14 +01:00
Johanna Dorothea Reichmann
9848482651
chore: bump synapse version to 1.73.0 2023-03-24 16:32:42 +01:00
Johanna Dorothea Reichmann
c74d2c45ca
fixup: add appservice worker! 2023-03-24 16:32:37 +01:00
Johanna Dorothea Reichmann
b63ef77827
fixup: update routing for metrics 2023-03-24 16:32:31 +01:00
Johanna Dorothea Reichmann
96eea1d61e
fixup: update worker counts 2023-03-24 16:32:26 +01:00
Johanna Dorothea Reichmann
f08f847ab1
chore(mautrix-whatsapp): update bridge settings 2023-03-24 16:32:21 +01:00
Johanna Dorothea Reichmann
8063792e70
fix: broken rhel/fedora tasks disabled 2023-03-24 16:32:15 +01:00
transcaffeine
213dfeeb37
feat: add automatic creation of reverse-proxy routing 2023-03-24 16:31:14 +01:00
transcaffeine
bb043850ad
meta: move inventory structure to be more usable 2023-03-24 16:30:29 +01:00
jdreichmann
bd70f443d0
meta: add own inventory, add vault-unlock with GPG 2023-03-24 16:28:22 +01:00
125 changed files with 2186 additions and 1090 deletions
Show Stats Expand all files Collapse all files

4
.editorconfig
View File

@ -23,10 +23,6 @@ indent_size = 2
indent_style = space
indent_size = 2
[justfile]
indent_style = space
indent_size = 4
# Markdown Files
#
# Two spaces at the end of a line in Markdown mean "new line",

1
.envrc
View File

@ -1 +0,0 @@
use flake

4
.github/workflows/matrix.yml vendored
View File

@ -13,7 +13,7 @@ jobs:
- name: Check out
uses: actions/checkout@v3
- name: Run yamllint
uses: frenck/action-yamllint@v1.4.1
uses: frenck/action-yamllint@v1.4.0
ansible-lint:
name: ansible-lint
runs-on: ubuntu-latest
@ -21,6 +21,6 @@ jobs:
- name: Check out
uses: actions/checkout@v3
- name: Run ansible-lint
uses: ansible-community/ansible-lint-action@v6.16.0
uses: ansible-community/ansible-lint-action@v6.11.0
with:
path: roles/custom

1
.gitignore vendored
View File

@ -5,7 +5,6 @@
/roles/**/files/scratchpad
.DS_Store
.python-version
flake.lock
# ignore roles pulled by ansible-galaxy
/roles/galaxy/*

49
CHANGELOG.md
View File

@ -1,38 +1,3 @@
# 2023-05-25
## Enabling `forget_rooms_on_leave` by default for Synapse
With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`.
This way, **when you leave a room, Synapse will now forget it automatically**.
The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving.
**We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing.
If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false`
# 2023-04-03
## The matrix-jitsi role lives independently now
**TLDR**: the `matrix-jitsi` role is now included from the [ansible-role-jitsi](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi) repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). Some variables have been renamed. All functionality remains intact.
The `matrix-jitsi` role has been relocated in its own repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) project - an Ansible playbook for self-hosting [a growing list of FOSS software](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md). If hosting a Jitsi stack on the Matrix server itself did not stand right with you or you always wanted to host most stuff, you can now use this new playbook to do so.
As part of the extraction process of this role out of the Matrix playbook, a few other things improved:
- **native Traefik support** has been added
- **support for hosting under a subpath** has been added, although it suffers from a few minor issues listed [here](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/jitsi.md#url)
You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Jitsi or not.
If you're making use of Jitsi via this playbook, you will need to update variable references in your `vars.yml` file:
- `matrix_jitsi_*_docker_image_` -> `matrix_jitsi_*_container_image_`
- `matrix_jitsi_` -> `jitsi_`
- some other internal variables have changed, but the playbook will tell you about them
# 2023-03-22
## ntfy Web App is disabled by default
@ -52,7 +17,7 @@ The `matrix-prometheus` role has been relocated in its own repository, part of t
Extracting the Prometheus role out of this Matrix playbook required huge internal refactoring to the way the Prometheus configuration (scraping jobs) is generated. If you notice any breakage after upgrading, let us know.
You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not.
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not.
If you're making use of Prometheus via this playbook, you will need to update variable references in your `vars.yml` file:
@ -94,7 +59,7 @@ To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playboo
**TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact.
You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not.
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not.
If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file:
@ -202,7 +167,7 @@ Additional details are available in the [Customizing templates](docs/configuring
The `matrix-redis` role (which configures [Redis](https://redis.io/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/redis). This makes it possible to easily use it in other Ansible playbooks.
You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`).
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`).
## The matrix-ntfy role lives independently now
@ -210,7 +175,7 @@ You need to **update your roles** (`just roles` or `make roles`) regardless of w
The `matrix-ntfy` role (which configures [Ntfy](https://ntfy.sh/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/ntfy). This makes it possible to easily use it in other Ansible playbooks.
You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`).
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`).
# 2023-02-15
@ -221,7 +186,7 @@ You need to **update your roles** (`just roles` or `make roles`) regardless of w
The `matrix-grafana` role (which configures [Grafana](docs/configuring-playbook-prometheus-grafana.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/grafana). This makes it possible to easily use it in other Ansible playbooks.
You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`).
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`).
# 2023-02-13
@ -232,7 +197,7 @@ You need to **update your roles** (`just roles` or `make roles`) regardless of w
Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/backup_borg). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon.
You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`).
You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`).
# 2023-02-12
@ -1591,7 +1556,7 @@ People who have [fine-tuned Jitsi](docs/configuring-playbook-jitsi.md#optional-f
The next time you run the playbook [installation](docs/installing.md) command, our validation logic will tell you if you're using some variables like that and will recommend a migration path for each one.
Additionally, we've recently disabled transcriptions (`jitsi_enable_transcriptions: false`) and recording (`jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working.
Additionally, we've recently disabled transcriptions (`matrix_jitsi_enable_transcriptions: false`) and recording (`matrix_jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working.
# 2020-11-23

4
docs/configuring-playbook-bot-chatgpt.md
View File

@ -20,12 +20,10 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt
```
## 2. Get an access token and create encryption keys
## 2. Get an access token
Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6).
## 3. Adjusting the playbook configuration

24
docs/configuring-playbook-bot-draupnir.md
View File

@ -30,12 +30,30 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t
## 3. Make sure the account is free from rate limiting
You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.
You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands.
1. Copy the statement below into a text editor.
The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token.
```
INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0);
```
1. Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain.
1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal)
1. Connect to Synapse's database by typing `\connect synapse` into the database terminal
1. Paste in the `INSERT INTO` command that you edited and press enter.
You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this:
```
user_id | messages_per_second | burst_count
-----------------------+---------------------+-------------
@bot.draupnir:raim.ist | 0 | 0`
```
then you did it correctly.
## 4. Create a management room

4
docs/configuring-playbook-bot-honoroit.md
View File

@ -14,10 +14,6 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
```yaml
matrix_bot_honoroit_enabled: true
# Uncomment and adjust if you'd like to change the hostname or path
# matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"
# matrix_bot_honoroit_path_prefix: /honoroit
# Uncomment and adjust this part if you'd like to use a username different than the default
# matrix_bot_honoroit_login: honoroit

26
docs/configuring-playbook-bot-mjolnir.md
View File

@ -29,11 +29,31 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t
## 3. Make sure the account is free from rate limiting
You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.
You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands.
1. Copy the statement below into a text editor.
```
INSERT INTO ratelimit_override VALUES ('@bot.mjolnir:DOMAIN', 0, 0);
```
1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain.
1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal)
1. Connect to Synapse's database by typing `\connect synapse` into the database terminal
1. Paste in the `INSERT INTO` command that you edited and press enter.
You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this:
```
user_id | messages_per_second | burst_count
-----------------------+---------------------+-------------
@bot.mjolnir:raim.ist | 0 | 0`
```
then you did it correctly.
The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token.
## 4. Create a management room

41
docs/configuring-playbook-bot-postmoogle.md
View File

@ -4,26 +4,12 @@
The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you.
It's a bot/bridge you can use to forward emails to Matrix rooms.
Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms.
It's a bot/bridge you can use to forward emails to Matrix rooms
See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you.
## Prerequisites
### Networking
Open the following ports on your server to be able to receive incoming emails:
- `25/tcp`: SMTP
- `587/tcp`: Submission (TLS-encrypted SMTP)
If you don't open these ports, you will still be able to send emails, but not receive any.
These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use.
### Adjusting the playbook configuration
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
@ -35,20 +21,9 @@ matrix_bot_postmoogle_enabled: true
# Generate a strong password here. Consider generating it with `pwgen -s 64 1`
matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT
# Uncomment to add one or more admins to this bridge:
#
# matrix_bot_postmoogle_admins:
# - '@yourAdminAccount:domain.com'
#
# .. unless you've made yourself an admin of all bridges like this:
#
# matrix_admin: '@yourAdminAccount:domain.com'
```
### DNS
You will also need to add several DNS records so that Postmoogle can send emails.
You will also need to add several DNS records so that postmoogle can send emails.
See [Configuring DNS](configuring-dns.md).
@ -76,13 +51,3 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema
Send `!pm help` to the room to see the bot's help menu for additional commands.
You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle).
### Debug/Logs
As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle`
The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration:
```yaml
matrix_bot_postmoogle_loglevel: 'DEBUG'
```

12
docs/configuring-playbook-bridge-hookshot.md
View File

@ -16,7 +16,7 @@ Refer to the [official instructions](https://matrix-org.github.io/matrix-hooksho
1. Enable the bridge by adding `matrix_hookshot_enabled: true` to your `vars.yml` file
2. For each of the services (GitHub, GitLab, Jira, Figma, generic webhooks) fill in the respective variables `matrix_hookshot_service_*` listed in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) as required.
3. Take special note of the `matrix_hookshot_*_enabled` variables. Services that need no further configuration are enabled by default (GitLab, Generic), while you must first add the required configuration and enable the others (GitHub, Jira, Figma).
4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-aux-role) explained below.
4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-matrix-aux-role) explained below.
5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. Hookshot can be set up individually using the tag `setup-hookshot`.
Other configuration options are available via the `matrix_hookshot_configuration_extension_yaml` and `matrix_hookshot_registration_extension_yaml` variables, see the comments in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) for how to use them.
@ -58,23 +58,23 @@ See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles
The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) in detail for more info.
### Manage GitHub Private Key with aux role
### Manage GitHub Private Key with matrix-aux role
The GitHub bridge requires you to install a private key file. This can be done in multiple ways:
- copy the *contents* of the downloaded file and set the variable `matrix_hookshot_github_private_key` to the contents (see example in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml)).
- somehow copy the file to the path `{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}` (default: `/matrix/hookshot/private-key.pem`) on the server manually.
- use the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) to copy the file from an arbitrary path on your ansible client to the correct path on the server.
- use the `matrix-aux` role to copy the file from an arbitrary path on your ansible client to the correct path on the server.
To use the `aux` role, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add the following additional configuration:
To use `matrix-aux`, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add to `matrix-aux` configuration like this:
```yaml
aux_file_definitions:
matrix_aux_file_definitions:
- dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}"
content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}"
mode: '0400'
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
```
For more information, see the documentation in the [default configuration of the aux role](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml).
For more info see the documentation in the [matrix-aux base configuration file](/roles/custom/matrix-aux/defaults/main.yml).
### Provisioning API

112
docs/configuring-playbook-jitsi.md
View File

@ -9,12 +9,12 @@ The setup done by the playbook is very similar to [docker-jitsi-meet](https://gi
## Prerequisites
Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record (unless you've changed `jitsi_hostname`, as described below). See [Configuring DNS](configuring-dns.md) for details about DNS changes.
Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. See [Configuring DNS](configuring-dns.md).
You may also need to open the following ports to your server:
- `4443/tcp` - RTP media fallback over TCP
- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`jitsi_jvb_stun_servers`](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/defaults/main.yml)).
- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/custom/matrix-jitsi/defaults/main.yml)).
## Installation
@ -22,15 +22,17 @@ You may also need to open the following ports to your server:
Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
```yaml
jitsi_enabled: true
matrix_jitsi_enabled: true
# Uncomment and adjust if you need to use another hostname
# jitsi_hostname: "jitsi.{{ matrix_domain }}"
# Uncomment and possible adjust if you'd like to host under a subpath
# jitsi_path_prefix: /jitsi
# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords,
# or define your own strong passwords manually.
matrix_jitsi_jicofo_auth_password: ""
matrix_jitsi_jvb_auth_password: ""
matrix_jitsi_jibri_recorder_password: ""
matrix_jitsi_jibri_xmpp_password: ""
```
## (Optional) Configure Jitsi authentication and guests mode
By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.
@ -42,19 +44,19 @@ Currently, there are three supported authentication modes: 'internal' (default),
**Note:** Authentication is not tested via the playbook's self-checks.
We therefore recommend that you manually verify if authentication is required by jitsi.
For this, try to manually create a conference on jitsi.DOMAIN in your browser.
For this, try to manually create a conference on jitsi.DOMAIN in your browser.
### Authenticate using Jitsi accounts (Auth-Type 'internal')
The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms.
The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms.
With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join.
If a registered host is not yet present, guests are put on hold in individual waiting rooms.
Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
```yaml
jitsi_enable_auth: true
jitsi_enable_guests: true
jitsi_prosody_auth_internal_accounts:
matrix_jitsi_enable_auth: true
matrix_jitsi_enable_guests: true
matrix_jitsi_prosody_auth_internal_accounts:
- username: "jitsi-moderator"
password: "secret-password"
- username: "another-user"
@ -67,7 +69,7 @@ jitsi_prosody_auth_internal_accounts:
### Authenticate using Matrix OpenID (Auth-Type 'matrix')
**Attention: Probably breaks Jitsi in federated rooms and does not allow sharing conference links with guests.**
**Attention: Probably breaks jitsi in federated rooms and does not allow sharing conference links with guests.**
Using this authentication type require a [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service).
By default, this playbook creates and configures a user-verification-service to run locally, see [configuring-user-verification-service](configuring-playbook-user-verification-service.md).
@ -75,8 +77,8 @@ By default, this playbook creates and configures a user-verification-service to
To enable set this configuration at host level:
```yaml
jitsi_enable_auth: true
jitsi_auth_type: matrix
matrix_jitsi_enable_auth: true
matrix_jitsi_auth_type: "matrix"
matrix_user_verification_service_enabled: true
```
@ -87,21 +89,21 @@ For more information see also [https://github.com/matrix-org/prosody-mod-auth-ma
An example LDAP configuration could be:
```yaml
jitsi_enable_auth: true
jitsi_auth_type: ldap
jitsi_ldap_url: "ldap://ldap.DOMAIN"
jitsi_ldap_base: "OU=People,DC=DOMAIN"
#jitsi_ldap_binddn: ""
#jitsi_ldap_bindpw: ""
jitsi_ldap_filter: "uid=%u"
jitsi_ldap_auth_method: "bind"
jitsi_ldap_version: "3"
jitsi_ldap_use_tls: true
jitsi_ldap_tls_ciphers: ""
jitsi_ldap_tls_check_peer: true
jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
jitsi_ldap_start_tls: false
matrix_jitsi_enable_auth: true
matrix_jitsi_auth_type: ldap
matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN"
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
#matrix_jitsi_ldap_binddn: ""
#matrix_jitsi_ldap_bindpw: ""
matrix_jitsi_ldap_filter: "uid=%u"
matrix_jitsi_ldap_auth_method: "bind"
matrix_jitsi_ldap_version: "3"
matrix_jitsi_ldap_use_tls: true
matrix_jitsi_ldap_tls_ciphers: ""
matrix_jitsi_ldap_tls_check_peer: true
matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
matrix_jitsi_ldap_start_tls: false
```
For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation.
@ -118,7 +120,7 @@ Here is how to do it in the playbook.
Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
```yaml
jitsi_jvb_container_extra_arguments:
matrix_jitsi_jvb_container_extra_arguments:
- '--env "JVB_ADVERTISE_IPS=<Local IP address of the host>"'
```
@ -127,7 +129,7 @@ jitsi_jvb_container_extra_arguments:
Sample **additional** `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration to save up resources (explained below):
```yaml
jitsi_web_custom_config_extension: |
matrix_jitsi_web_custom_config_extension: |
config.enableLayerSuspension = true;
config.disableAudioLevels = true;
@ -135,12 +137,13 @@ jitsi_web_custom_config_extension: |
// Limit the number of video feeds forwarded to each client
config.channelLastN = 4;
jitsi_web_config_resolution_width_ideal_and_max: 480
jitsi_web_config_resolution_height_ideal_and_max: 240
matrix_jitsi_web_config_resolution_width_ideal_and_max: 480
matrix_jitsi_web_config_resolution_height_ideal_and_max: 240
```
You may want to **suspend unused video layers** until they are requested again, to save up resources on both server and clients.
Read more on this feature [here](https://jitsi.org/blog/new-off-stage-layer-suppression-feature/)
For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
You may wish to **disable audio levels** to avoid excessive refresh of the client-side page and decrease the CPU consumption involved.
@ -154,10 +157,10 @@ You may want to **limit the maximum video resolution**, to save up resources on
The playbook allows a user to set a max number of participants allowed to join a Jitsi conference. By default there is no limit.
In order to set the max number of participants use the following **additional** configuration:
In order to set the max number of participants add the following variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
```yaml
jitsi_prosody_max_participants: 4 # example value
```
matrix_prosody_jitsi_max_participants: <INTEGER OF MAX PARTICPANTS>
```
## (Optional) Additional JVBs
@ -173,18 +176,18 @@ For this role to work you will need an additional section in the ansible hosts f
<your jvb hosts> ansible_host=<ip address of the jvb host>
```
Each JVB will require a server id to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB.
The server id is set with the variable `jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container.
Each JVB will require a server id to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB.
The server id is set with the variable `matrix_jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container.
This variable can be set via the host file, a parameter to the ansible command or in the `vars.yaml` for the host which will have the additional JVB. For example:
``` yaml
jitsi_jvb_server_id: 'jvb-2'
matrix_jitsi_jvb_server_id: 'jvb-2'
```
``` INI
[jitsi_jvb_servers]
jvb-2.example.com ansible_host=192.168.0.2 jitsi_jvb_server_id=jvb-2
jvb-3.example.com ansible_host=192.168.0.3 jitsi_jvb_server_id=jvb-2
jvb-2.example.com ansible_host=192.168.0.2 matrix_jitsi_jvb_server_id=jvb-2
jvb-3.example.com ansible_host=192.168.0.3 matrix_jitsi_jvb_server_id=jvb-2
```
Note that the server id `jvb-1` is reserved for the JVB instance running on the Matrix host and therefore should not be used as the id of an additional jvb host.
@ -192,20 +195,20 @@ Note that the server id `jvb-1` is reserved for the JVB instance running on the
The additional JVB will also need to expose the colibri web socket port and this can be done with the following variable:
```yaml
jitsi_jvb_container_colibri_ws_host_bind_port: 9090
matrix_jitsi_jvb_container_colibri_ws_host_bind_port: 9090
```
The JVB will also need to know where the prosody xmpp server is located, similar to the server id this can be set in the vars for the JVB by using the variable
`jitsi_xmpp_server`. The Jitsi prosody container is deployed on the matrix server by default so the value can be set to the matrix domain. For example:
The JVB will also need to know where the prosody xmpp server is located, similar to the server id this can be set in the vars for the JVB by using the variable
`matrix_jitsi_xmpp_server`. The Jitsi prosody container is deployed on the matrix server by default so the value can be set to the matrix domain. For example:
```yaml
jitsi_xmpp_server: "{{ matrix_domain }}"
matrix_jitsi_xmpp_server: "{{ matrix_domain }}"
```
However, it can also be set the ip address of the matrix server. This can be useful if you wish to use a private ip. For example:
```yaml
jitsi_xmpp_server: "192.168.0.1"
matrix_jitsi_xmpp_server: "192.168.0.1"
```
The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable
@ -220,7 +223,7 @@ matrix_nginx_proxy_proxy_jitsi_additional_jvbs:
```
Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo
Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo
to route conferences too.
## (Optional) Enable Gravatar
@ -231,7 +234,7 @@ Since element already sends the url of configured Matrix avatars to Jitsi, we di
To enable Gravatar set:
```yaml
jitsi_disable_gravatar: false
matrix_jitsi_disable_gravatar: false
```
**Beware:** This leaks information to a third party, namely the Gravatar-Service (unless configured otherwise: gravatar.com).
@ -259,7 +262,7 @@ You can use the self-hosted Jitsi server in multiple ways:
### Rebuilding your Jitsi installation
**If you ever run into any trouble** or **if you change configuration (`jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.
**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.
We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own.
@ -267,6 +270,7 @@ These files are not all managed by Ansible (at least not yet), so you may someti
To rebuild your Jitsi configuration:
- ask Ansible to stop all Jitsi services: `just run-tags stop-group --extra-vars=group=jitsi`
- SSH into the server and do this and remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
- ask Ansible to set up Jitsi anew and restart services (`just install-service jitsi`)
- SSH into the server and do this:
- stop all Jitsi services (`systemctl stop matrix-jitsi-*`).
- remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)

4
docs/configuring-playbook-ldap-auth.md
View File

@ -8,9 +8,7 @@ If you decide that you'd like to let this playbook install it for you, you need
```yaml
matrix_synapse_ext_password_provider_ldap_enabled: true
matrix_synapse_ext_password_provider_ldap_uri:
- "ldap://ldap-01.mydomain.tld:389"
- "ldap://ldap-02.mydomain.tld:389"
matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
matrix_synapse_ext_password_provider_ldap_start_tls: true
matrix_synapse_ext_password_provider_ldap_base: "ou=users,dc=example,dc=com"
matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"

2
docs/configuring-playbook-matrix-corporal.md
View File

@ -91,7 +91,7 @@ matrix_corporal_policy_provider_config: |
}
# Modify the policy below as you see fit
aux_file_definitions:
matrix_aux_file_definitions:
- dest: "{{ matrix_corporal_config_dir_path }}/policy.json"
content: |
{

7
docs/configuring-playbook-mautrix-bridges.md
View File

@ -33,13 +33,6 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: |
```
Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
**for all bridges with encryption support**:
```yaml
matrix_bridges_encryption_enabled: true
```
**Alternatively**, for a specific bridge:
```yaml
matrix_mautrix_SERVICENAME_configuration_extension_yaml: |
bridge:

12
docs/configuring-playbook-own-webserver.md
View File

@ -153,14 +153,14 @@ devture_traefik_additional_entrypoints_auto:
port: 8449
host_bind_port: '127.0.0.1:8449'
config: {}
# If your reverse-proxy runs on another machine, remove the config above and use this config instead:
# config:
# forwardedHeaders:
# insecure: true
# # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
# If your reverse-proxy runs on another machine, remove the config above and use this config instead:
# config:
# forwardedHeaders:
# insecure: true
# # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
```
For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md).
For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
### Using no reverse-proxy on the Matrix side at all

12
docs/configuring-playbook-ssl-certificates.md
View File

@ -40,9 +40,9 @@ If you'd like to use your own SSL certificates, instead of the default (SSL cert
To use your own SSL certificates with Traefik, you need to:
- disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
- register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
- put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
```yaml
# Disable ACME / Let's Encrypt support.
@ -53,7 +53,7 @@ devture_traefik_config_certificatesResolvers_acme_enabled: false
devture_traefik_ssl_dir_enabled: true
# Tell Traefik to load our custom configuration file (certificates.yml).
# The file is created below, in `aux_file_definitions`.
# The file is created below, in `matrix_aux_file_definitions`.
# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
devture_traefik_configuration_extension_yaml: |
providers:
@ -61,9 +61,9 @@ devture_traefik_configuration_extension_yaml: |
filename: /config/certificates.yml
watch: true
# Use the aux role to create our custom files on the server.
# If you'd like to do this manually, you remove this `aux_file_definitions` variable.
aux_file_definitions:
# Use the matrix-aux role to create our custom files on the server.
# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable.
matrix_aux_file_definitions:
# Create the privkey.pem file on the server by
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"

4
docs/configuring-playbook-sygnal.md
View File

@ -55,7 +55,7 @@ matrix_sygnal_apps:
api_key: your_api_key_for_gcm
# .. more configuration ..
aux_file_definitions:
matrix_aux_file_definitions:
- dest: "{{ matrix_sygnal_data_path }}/my_key.p8"
content: |
some
@ -73,7 +73,7 @@ Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easi
To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files.
To do that, the above example configuration:
- makes use of the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) (and its `aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See [`defaults/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml) of the `aux` role for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `aux`.
- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/custom/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`.
- references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container)

9
docs/configuring-playbook-synapse.md
View File

@ -42,6 +42,8 @@ devture_postgres_process_extra_arguments: [
]
```
**NOTE**: Disabling `matrix-nginx-proxy` (`matrix_nginx_proxy_enabled: false`) (that is, [using your own other webserver](configuring-playbook-own-webserver.md) when running a Synapse worker setup is likely to cause various troubles (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090)).
In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`.
@ -117,10 +119,3 @@ matrix_synapse_container_image_customizations_templates_git_repository_ssh_priva
As mentioned in Synapse's Templates documentation, Synapse will fall back to its own templates if a template is not found in that directory.
Due to this, it's recommended to only store and maintain template files in your repository if you need to make custom changes. Other files (which you don't need to change), should not be duplicated, so that you don't need to worry about getting out-of-sync with the original Synapse templates.
## Monitoring Synapse Metrics with Prometheus and Grafana
This playbook allows you to enable Synapse metrics, which can provide insight into the performance and activity of Synapse.
To enable Synapse metrics see [`configuring-playbook-prometheus-grafana.md`](./configuring-playbook-prometheus-grafana.md)

2
docs/configuring-playbook-turn.md
View File

@ -36,7 +36,7 @@ If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might
If you do not do it, Jitsi will fall back to an upstream service.
```yaml
jitsi_web_stun_servers:
matrix_jitsi_web_stun_servers:
- stun:HOSTNAME_OR_IP:PORT
```
You can put multiple host/port combinations if you like.

2
docs/configuring-playbook.md
View File

@ -12,7 +12,7 @@ You can then follow these steps inside the playbook directory:
1. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix.<your-domain>/vars.yml`)
1. edit the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to your liking. You may also take a look at the various `roles/*/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
1. edit the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
1. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`)

2
docs/faq.md
View File

@ -262,7 +262,7 @@ matrix_server_fqn_element: "element.YOUR_BASE_DOMAIN"
# Feel free to use `dimension.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that.
matrix_server_fqn_dimension: "dimension.YOUR_BASE_DOMAIN"
# This is where you access Jitsi (if enabled via `jitsi_enabled: true`; NOT enabled by default).
# This is where you access Jitsi (if enabled via `matrix_jitsi_enabled: true`; NOT enabled by default).
#
# Feel free to use `jitsi.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that.
matrix_server_fqn_jitsi: "jitsi.YOUR_BASE_DOMAIN"

16
docs/importing-synapse-sqlite.md
View File

@ -3,28 +3,24 @@
Run this if you'd like to import your database from a previous default installation of Synapse.
(don't forget to import your `media_store` files as well - see [the importing-synapse-media-store guide](importing-synapse-media-store.md)).
While this playbook only supports running Synapse in combination with PostgreSQL, a Synapse instance installed manually usually defaults to using an SQLite database.
While this playbook always sets up PostgreSQL, by default a Synapse installation would run
using an SQLite database.
If you have such a Synapse setup and wish to migrate it to one managed by the playbook (and over to PostgreSQL), this documentation page is for you.
If you have such a Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you.
## Prerequisites
Before doing the actual import:
Before doing the actual import, **you need to upload your SQLite database file to the server** (any path is okay).
- **ensure you have NOT started Synapse yet**. That is, make sure you have followed the [Installing step](installing.md), but haven't run the playbook's `start` tag yet. If you had started your new Synapse instance, it may have already initialized your Postgres database and importing onto it may not work. In such cases, you may need to clean up the `synapse` database first.
- **ensure you have uploaded your SQLite database file to the server** (any path is okay)
- if you're using the integrated Postgres server (**by default, you are** using it, unless you've explicitly switched to [Using an external PostgreSQL server](configuring-playbook-external-postgres.md)), **make sure Postgres is started** by running `just start-group postgres`
## Importing
Run this command (make sure to replace `<server-path-to-homeserver.db>` with a file path on your server):
```sh
just run-tags import-synapse-sqlite-db --extra-vars=server_path_homeserver_db=<server-path-to-homeserver.db>
```
ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=<server-path-to-homeserver.db>' --tags=import-synapse-sqlite-db
**Notes**:
- `<server-path-to-homeserver.db>` must be replaced with a file path to a `homeserver.db` **file on the server** (not on your local machine!).
- `<server-path-to-homeserver.db>` must be a file path to a `homeserver.db` **file on the server** (not on your local machine!).
- if the SQLite database is from an older version of Synapse, the **importing procedure may run migrations on it to bring it up to date**. That is, your SQLite database file may get modified and become unusable with your older Synapse version. Keeping a copy of the original is probably wise.

255
examples/caddy2/Caddyfile
View File

@ -1,10 +1,112 @@
matrix.example.tld {
(cors) {
@cors_preflight method OPTIONS
handle @cors_preflight {
header Access-Control-Allow-Origin "{args.0}"
header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
header Access-Control-Allow-Headers "Content-Type, Authorization"
header Access-Control-Max-Age "3600"
}
}
matrix.DOMAIN.tld {
# creates letsencrypt certificate
# tls your@email.com
@identity {
path /_matrix/identity/*
}
@noidentity {
not path /_matrix/identity/*
}
@search {
path /_matrix/client/r0/user_directory/search/*
}
@nosearch {
not path /_matrix/client/r0/user_directory/search/*
}
@static {
path /matrix/static-files/*
}
@nostatic {
not path /matrix/static-files/*
}
@wellknown {
path /.well-known/matrix/*
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
# Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000"
defer
}
# identity
handle @identity {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
# search
handle @search {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
handle @wellknown {
encode zstd gzip
root * /matrix/static-files
header Cache-Control max-age=14400
header Content-Type application/json
header Access-Control-Allow-Origin *
file_server
}
# If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
#handle @wellknown {
# # .well-known is handled by base domain
# reverse_proxy https://DOMAIN.tld {
# header_up Host {http.reverse_proxy.upstream.hostport}
#}
handle {
encode zstd gzip
reverse_proxy localhost:81 {
reverse_proxy localhost:8008 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
@ -12,12 +114,13 @@ matrix.example.tld {
}
}
matrix.example.tld:8448 {
matrix.DOMAIN.tld:8448 {
handle {
encode zstd gzip
reverse_proxy 127.0.0.1:8449 {
reverse_proxy 127.0.0.1:8048 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
@ -25,16 +128,142 @@ matrix.example.tld:8448 {
}
}
element.DOMAIN.tld {
example.tld {
# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
@wellknown {
path /.well-known/matrix/*
}
# creates letsencrypt certificate
# tls your@email.com
handle @wellknown {
reverse_proxy https://matrix.example.tld {
header_up Host {http.reverse_proxy.upstream.hostport}
import cors https://*.DOMAIN.tld
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
# Content-Security-Policy frame-src https://*.DOMAIN.tld
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
handle {
encode zstd gzip
reverse_proxy localhost:8765 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
}
#dimension.DOMAIN.tld {
#
# # creates letsencrypt certificate
# # tls your@email.com
#
# import cors https://*.DOMAIN.tld
#
# header {
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
# X-XSS-Protection "1; mode=block"
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
# X-Content-Type-Options "nosniff"
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
# # X-Robots-Tag
# X-Robots-Tag "noindex, noarchive, nofollow"
# }
#
# handle {
# encode zstd gzip
#
# reverse_proxy localhost:8184 {
# header_up X-Forwarded-Port {http.request.port}
# header_up X-Forwarded-Proto {http.request.scheme}
# header_up X-Forwarded-TlsProto {tls_protocol}
# header_up X-Forwarded-TlsCipher {tls_cipher}
# header_up X-Forwarded-HttpsProto {proto}
# }
# }
#}
#jitsi.DOMAIN.tld {
#
# creates letsencrypt certificate
# tls your@email.com
#
# import cors https://*.DOMAIN.tld
#
# header {
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
# X-XSS-Protection "1; mode=block"
#
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
# X-Content-Type-Options "nosniff"
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
#
# # Disable some features
# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
#
# # Referer
# Referrer-Policy "no-referrer"
#
# # X-Robots-Tag
# X-Robots-Tag "none"
#
# # Remove Server header
# -Server
# }
#
# handle {
# encode zstd gzip
#
# reverse_proxy 127.0.0.1:13080 {
# header_up X-Forwarded-Port {http.request.port}
# header_up X-Forwarded-Proto {http.request.scheme}
# header_up X-Forwarded-TlsProto {tls_protocol}
# header_up X-Forwarded-TlsCipher {tls_cipher}
# header_up X-Forwarded-HttpsProto {proto}
# }
# }
#}
#DOMAIN.com {
# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
# @wellknown {
# path /.well-known/matrix/*
# }
#
# handle @wellknown {
# reverse_proxy https://matrix.DOMAIN.com {
# header_up Host {http.reverse_proxy.upstream.hostport}
# }
# }
# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
# # handle /.well-known/* {
# # encode zstd gzip
# # header Cache-Control max-age=14400
# # header Content-Type application/json
# # header Access-Control-Allow-Origin *
# #}
#
# # Configration for the base domain goes here
# # handle {
# # header -Server
# # encode zstd gzip
# # reverse_proxy localhost:4020
# # }
#}

269
examples/caddy2/Caddyfile.deprecated
View File

@ -1,269 +0,0 @@
(cors) {
@cors_preflight method OPTIONS
handle @cors_preflight {
header Access-Control-Allow-Origin "{args.0}"
header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
header Access-Control-Allow-Headers "Content-Type, Authorization"
header Access-Control-Max-Age "3600"
}
}
matrix.DOMAIN.tld {
# creates letsencrypt certificate
# tls your@email.com
@identity {
path /_matrix/identity/*
}
@noidentity {
not path /_matrix/identity/*
}
@search {
path /_matrix/client/r0/user_directory/search/*
}
@nosearch {
not path /_matrix/client/r0/user_directory/search/*
}
@static {
path /matrix/static-files/*
}
@nostatic {
not path /matrix/static-files/*
}
@wellknown {
path /.well-known/matrix/*
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
# Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000"
defer
}
# identity
handle @identity {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
# search
handle @search {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
handle @wellknown {
encode zstd gzip
root * /matrix/static-files
header Cache-Control max-age=14400
header Content-Type application/json
header Access-Control-Allow-Origin *
file_server
}
# If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
#handle @wellknown {
# # .well-known is handled by base domain
# reverse_proxy https://DOMAIN.tld {
# header_up Host {http.reverse_proxy.upstream.hostport}
#}
handle {
encode zstd gzip
reverse_proxy localhost:8008 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
}
matrix.DOMAIN.tld:8448 {
handle {
encode zstd gzip
reverse_proxy 127.0.0.1:8048 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
}
element.DOMAIN.tld {
# creates letsencrypt certificate
# tls your@email.com
import cors https://*.DOMAIN.tld
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
# Content-Security-Policy frame-src https://*.DOMAIN.tld
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
handle {
encode zstd gzip
reverse_proxy localhost:8765 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
#dimension.DOMAIN.tld {
#
# # creates letsencrypt certificate
# # tls your@email.com
#
# import cors https://*.DOMAIN.tld
#
# header {
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
# X-XSS-Protection "1; mode=block"
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
# X-Content-Type-Options "nosniff"
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
# # X-Robots-Tag
# X-Robots-Tag "noindex, noarchive, nofollow"
# }
#
# handle {
# encode zstd gzip
#
# reverse_proxy localhost:8184 {
# header_up X-Forwarded-Port {http.request.port}
# header_up X-Forwarded-Proto {http.request.scheme}
# header_up X-Forwarded-TlsProto {tls_protocol}
# header_up X-Forwarded-TlsCipher {tls_cipher}
# header_up X-Forwarded-HttpsProto {proto}
# }
# }
#}
#jitsi.DOMAIN.tld {
#
# creates letsencrypt certificate
# tls your@email.com
#
# import cors https://*.DOMAIN.tld
#
# header {
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
# X-XSS-Protection "1; mode=block"
#
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
# X-Content-Type-Options "nosniff"
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
#
# # Disable some features
# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
#
# # Referer
# Referrer-Policy "no-referrer"
#
# # X-Robots-Tag
# X-Robots-Tag "none"
#
# # Remove Server header
# -Server
# }
#
# handle {
# encode zstd gzip
#
# reverse_proxy 127.0.0.1:13080 {
# header_up X-Forwarded-Port {http.request.port}
# header_up X-Forwarded-Proto {http.request.scheme}
# header_up X-Forwarded-TlsProto {tls_protocol}
# header_up X-Forwarded-TlsCipher {tls_cipher}
# header_up X-Forwarded-HttpsProto {proto}
# }
# }
#}
#DOMAIN.com {
# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
# @wellknown {
# path /.well-known/matrix/*
# }
#
# handle @wellknown {
# reverse_proxy https://matrix.DOMAIN.com {
# header_up Host {http.reverse_proxy.upstream.hostport}
# }
# }
# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
# # handle /.well-known/* {
# # encode zstd gzip
# # header Cache-Control max-age=14400
# # header Content-Type application/json
# # header Access-Control-Allow-Origin *
# #}
#
# # Configration for the base domain goes here
# # handle {
# # header -Server
# # encode zstd gzip
# # reverse_proxy localhost:4020
# # }
#}

26
examples/caddy2/README.md
View File

@ -1,20 +1,12 @@
# Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy
# Caddyfile
This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy.
This directory contains sample files that show you how to do reverse-proxying using Caddy2.
## Config
## Prerequisite configuration
To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
## Using the Caddyfile
You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile.
In both cases make sure to replace all the `example.tld` domains with your own domain.
This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.
# Caddyfile.deprecated
This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above.
| Variable | Function |
| ------------------ | -------- |
| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) |
| tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls |
| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data |
| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data |

4
examples/nginx/README.md
View File

@ -1,6 +1,6 @@
# Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy
This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
## Prerequisite configuration
@ -10,7 +10,7 @@ To get started, first follow the [front the integrated reverse-proxy webserver w
## Using the nginx configuration
Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it in your nginx configuration (e.g. `include /path/to/matrix.conf;`).
Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`).
This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host.

19
flake.nix
View File

@ -1,19 +0,0 @@
{
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
outputs = { self, nixpkgs, ... }:
let
pkgs = import nixpkgs { system = "x86_64-linux"; };
in
{
devShell.x86_64-linux = pkgs.mkShell {
buildInputs = with pkgs; [
just
python311Packages.ansible-core
python311Packages.passlib
];
LC_ALL = "C.UTF-8";
LC_CTYPE = "C.UTF-8";
};
};
}

187
group_vars/matrix_servers
View File

@ -192,7 +192,7 @@ matrix_homeserver_app_service_config_files_auto: |
# This list is not exhaustive and final.
# Synapse workers are still injected into the list at runtime.
# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
#
# Priority levels are like this:
# - core services (the homeserver) get a level of ~1000
@ -210,25 +210,25 @@ devture_systemd_service_manager_services_list_auto: |
{{
([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else [])
+
([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else [])
([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else [])
+
([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else [])
([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else [])
+
([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else [])
([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else [])
+
([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else [])
([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else [])
+
([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else [])
([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else [])
+
([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else [])
([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot']}] if matrix_bot_maubot_enabled else [])
+
([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else [])
([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else [])
+
([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else [])
([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else [])
+
([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else [])
([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else [])
+
([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else [])
([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else [])
+
([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else [])
+
@ -288,11 +288,11 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-cactus-comments.service', 'priority': 2000, 'groups': ['matrix', 'cactus-comments']}] if matrix_cactus_comments_enabled else [])
+
([{'name': 'matrix-client-cinny.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'cinny', 'client-cinny']}] if matrix_client_cinny_enabled else [])
([{'name': 'matrix-client-cinny.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'cinny']}] if matrix_client_cinny_enabled else [])
+
([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element', 'client-element']}] if matrix_client_element_enabled else [])
([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element']}] if matrix_client_element_enabled else [])
+
([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen', 'client-hydrogen']}] if matrix_client_hydrogen_enabled else [])
([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen']}] if matrix_client_hydrogen_enabled else [])
+
([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000, 'groups': ['matrix', 'homeservers', matrix_homeserver_implementation]}] if matrix_homeserver_enabled else [])
+
@ -314,13 +314,13 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else [])
+
([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if jitsi_enabled else [])
([{'name': 'matrix-jitsi-web.service', 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if matrix_jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['matrix', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else [])
([{'name': 'matrix-jitsi-prosody.service', 'priority': 4000, 'groups': ['matrix', 'jitsi', 'jitsi-prosody']}] if matrix_jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-jicofo.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jicofo']}] if jitsi_enabled else [])
([{'name': 'matrix-jitsi-jicofo.service', 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jicofo']}] if matrix_jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else [])
([{'name': 'matrix-jitsi-jvb.service', 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if matrix_jitsi_enabled else [])
+
([{'name': 'matrix-ldap-registration-proxy.service', 'priority': 2000, 'groups': ['matrix', 'ldap-registration-proxy']}] if matrix_ldap_registration_proxy_enabled else [])
+
@ -1653,15 +1653,8 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic
# We don't enable bots by default.
matrix_bot_honoroit_enabled: false
matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_bot_honoroit_path_prefix: /honoroit
# For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint
# so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`).
matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit
matrix_bot_honoroit_systemd_required_services_list: |
{{
['docker.service']
@ -2285,7 +2278,7 @@ etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
etherpad_framing_enabled: "{{ matrix_dimension_enabled or jitsi_enabled }}"
etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}"
etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
@ -2359,57 +2352,26 @@ matrix_email2matrix_container_image_self_build: "{{ matrix_architecture not in [
######################################################################
#
# jitsi
# matrix-jitsi
#
######################################################################
jitsi_enabled: false
jitsi_architecture: "{{ matrix_architecture }}"
jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
jitsi_identifier: matrix-jitsi
jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
jitsi_uid: "{{ matrix_user_uid }}"
jitsi_gid: "{{ matrix_user_gid }}"
matrix_jitsi_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the Jitsi HTTP port to the local host.
jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
matrix_jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
jitsi_web_container_additional_networks_auto: |
{{
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
}}
matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
matrix_jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
jitsi_jvb_container_additional_networks_auto: |
{{
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
}}
matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}"
matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}"
matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}"
jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
jitsi_prosody_container_additional_networks_auto: |
{{
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
}}
jitsi_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
jitsi_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
jitsi_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
jitsi_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}"
jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}"
jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}"
jitsi_web_stun_servers: |
matrix_jitsi_web_stun_servers: |
{{
[
'stun:' + matrix_server_fqn_matrix + ':5349',
@ -2419,39 +2381,24 @@ jitsi_web_stun_servers: |
else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443']
}}
# The Jitsi instance installed by this playbook is meant for embedding into Matrix clients, so framing is allowed.
jitsi_web_framing_enabled: true
jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port if matrix_coturn_enabled else '' }}"
jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port if matrix_coturn_enabled else '' }}"
# If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences,
# unless explicitly disabled by setting `jitsi_etherpad_enabled` to false.
# Falls back to the scalar.vector.im etherpad in case someone sets `jitsi_etherpad_enabled` to true,
# unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false.
# Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true,
# while also setting `etherpad_enabled` to false.
jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
matrix_jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
matrix_jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
# Allow verification using JWT and matrix-UVS
jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
# Gravatar is enabled by default upstream, but there's no need to leak data there needlessly
# when embedding Jitsi in Matrix rooms.
jitsi_disable_gravatar: true
matrix_jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
######################################################################
#
# /jitsi
# /matrix-jitsi
#
######################################################################
######################################################################
#
# matrix-ldap-registration-proxy
@ -2583,14 +2530,7 @@ matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_pu
matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-managed-nginx' }}"
matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '$proxy_add_x_forwarded_for' }}"
matrix_nginx_proxy_container_additional_networks: |
{{
(
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+
([jitsi_container_network] if jitsi_enabled and matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' and jitsi_container_network != matrix_nginx_proxy_container_network else [])
) | unique
}}
matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}"
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}"
@ -2617,7 +2557,8 @@ matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and mat
matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}"
matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
@ -2629,6 +2570,7 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent
matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@ -2696,31 +2638,33 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
+
(['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
+
(['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-client-cinny.service'] if matrix_client_cinny_enabled else [])
+
(['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled else [])
+
(['matrix-client-element.service'] if matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-client-element.service'] if matrix_client_element_enabled else [])
+
(['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else [])
+
([(grafana_identifier + '.service')] if grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
([(grafana_identifier + '.service')] if grafana_enabled else [])
+
(['matrix-dimension.service'] if matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-dimension.service'] if matrix_dimension_enabled else [])
+
(['matrix-rageshake.service'] if matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-rageshake.service'] if matrix_rageshake_enabled else [])
+
(['matrix-sygnal.service'] if matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-sygnal.service'] if matrix_sygnal_enabled else [])
+
([(ntfy_identifier + '.service')] if ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
([(ntfy_identifier + '.service')] if ntfy_enabled else [])
+
([(jitsi_identifier + '-web.service')] if jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-jitsi.service'] if matrix_jitsi_enabled else [])
+
(['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-sliding-sync-proxy.service'] if matrix_sliding_sync_enabled else [])
+
([etherpad_identifier + '.service'] if etherpad_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
(['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else [])
+
(['matrix-hookshot.service'] if matrix_hookshot_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
([etherpad_identifier + '.service'] if etherpad_enabled else [])
+
(['matrix-hookshot.service'] if matrix_hookshot_enabled else [])
}}
matrix_ssl_domains_to_obtain_certificates_for: |
@ -2743,7 +2687,7 @@ matrix_ssl_domains_to_obtain_certificates_for: |
+
([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
+
([matrix_server_fqn_jitsi] if jitsi_enabled else [])
([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else [])
+
([matrix_server_fqn_grafana] if grafana_enabled else [])
+
@ -3241,7 +3185,7 @@ matrix_client_element_enable_presence_by_hs_url: |
matrix_client_element_welcome_user_id: ~
matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"
matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
######################################################################
#
@ -4063,7 +4007,7 @@ matrix_user_verification_service_systemd_required_services_list: |
# If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose
# matrix-user-verfification-services's client-server port to port 3003.
# By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003.
matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (jitsi_enabled | bool and jitsi_enable_auth | bool and jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}"
matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}"
# URL exposed in the docker network
matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000"
@ -4120,16 +4064,11 @@ devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik"
devture_traefik_uid: "{{ matrix_user_uid }}"
devture_traefik_gid: "{{ matrix_user_gid }}"
devture_traefik_federation_entrypoint:
name: matrix-federation
port: "{{ matrix_federation_public_port }}"
host_bind_port: "{{ matrix_federation_public_port }}"
config: {}
devture_traefik_additional_entrypoints_auto: |
{{
([devture_traefik_federation_entrypoint] if (matrix_federation_public_port != devture_traefik_config_entrypoint_web_port) and (matrix_federation_public_port != devture_traefik_config_entrypoint_web_secure_port) else [])
}}
devture_traefik_additional_entrypoints_auto:
- name: matrix-federation
port: "{{ matrix_federation_public_port }}"
host_bind_port: "{{ matrix_federation_public_port }}"
config: {}
devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"

24
inventory/scripts/jitsi-generate-passwords.sh Executable file
View File

@ -0,0 +1,24 @@
#!/usr/bin/env bash
# This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
# https://github.com/spantaleev/matrix-docker-ansible-deploy
function generatePassword() {
openssl rand -hex 16
}
echo "# If this script fails, it's likely because you don't have the openssl tool installed."
echo "# Install it before using this script, or simply create your own passwords manually."
echo ""
JICOFO_AUTH_PASSWORD=$(generatePassword)
JVB_AUTH_PASSWORD=$(generatePassword)
JIBRI_RECORDER_PASSWORD=$(generatePassword)
JIBRI_XMPP_PASSWORD=$(generatePassword)
echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:"
echo ""
echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD"
echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD"
echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD"
echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD"

32
justfile
View File

@ -1,60 +1,48 @@
# Shows help
default:
@just --list --justfile {{ justfile() }}
@just --list --justfile {{ justfile() }}
# Pulls external Ansible roles
roles:
#!/usr/bin/env sh
if [ -x "$(command -v agru)" ]; then
agru
else
rm -rf roles/galaxy
ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
fi
# Updates requirements.yml if there are any new tags available. Requires agru
update:
@agru -u
rm -rf roles/galaxy
ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
# Runs ansible-lint against all roles in the playbook
lint:
ansible-lint
ansible-lint
# Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments
install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args)
# Runs installation tasks for a single service
install-service service *extra_args:
just --justfile {{ justfile() }} run \
--tags=install-{{ service }},start-group \
--extra-vars=group={{ service }} \
--extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }}
just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} {{ extra_args }}
# Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments
setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args)
# Runs the playbook with the given list of arguments
run +extra_args:
ansible-playbook -i inventory/hosts setup.yml {{ extra_args }}
time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }}
# Runs the playbook with the given list of comma-separated tags and optional arguments
run-tags tags *extra_args:
just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }}
just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }}
# Runs the playbook in user-registration mode
register-user username password admin_yes_or_no *extra_args:
ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }}
time ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }}
# Starts all services
start-all *extra_args: (run-tags "start-all" extra_args)
# Starts a specific service group
start-group group *extra_args:
@just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}
@just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}
# Stops all services
stop-all *extra_args: (run-tags "stop-all" extra_args)
# Stops a specific service group
stop-group group *extra_args:
@just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}
@just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}

2
playbooks/jitsi_jvb.yml
View File

@ -8,5 +8,5 @@
- role: galaxy/com.devture.ansible.role.systemd_docker_base
- custom/matrix-base
- galaxy/jitsi
- custom/matrix-jitsi
- custom/matrix-common-after

2
playbooks/matrix.yml
View File

@ -100,7 +100,7 @@
- custom/matrix-client-element
- custom/matrix-client-hydrogen
- custom/matrix-client-cinny
- galaxy/jitsi
- custom/matrix-jitsi
- custom/matrix-user-verification-service
- custom/matrix-ldap-registration-proxy
- custom/matrix-ma1sd

90
requirements.yml
View File

@ -1,53 +1,69 @@
---
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
version: v1.0.0-1
name: aux
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
version: v1.2.4-1.7.13-0
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
version: v0.1.1-2
- src: geerlingguy.docker
version: 6.1.0
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
version: 129c8590e106b83e6f4c259649a613c6279e937a
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
version: 327d2e17f5189ac2480d6012f58cf64a2b46efba
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: 3d5bb2976815958cdce3f368fa34fb51554f899b
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
version: v15.3-0
version: 38764398bf82b06a1736c3bfedc71dfd229e4b52
- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
version: 8e9ec48a09284c84704d7a2dce17da35f181574d
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
version: v1.0.0-1
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.10.1-1
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
version: v2.8.1-0
- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
version: v1.8.18-2
- src: git+https://github.com/geerlingguy/ansible-role-docker
version: 6.1.0
name: geerlingguy.docker
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
version: v9.5.2-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v8615-0
name: jitsi
- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
version: v2.5.0-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
version: v2.44.0-0
name: prometheus
version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
version: v1.6.0-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
version: v1.5.0-7
- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
version: v0.12.0-0
name: prometheus_postgres_exporter
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
version: v1.2.4-1.7.9-0
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
version: v9.4.7-0
- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
version: v2.2.0-0
- src: git+https://gitlab.com/etke.cc/roles/redis.git
version: v7.0.10-0
- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
version: v1.8.18-2
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
version: v0.1.1-1
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.9.9-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
version: v2.8.1-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
name: aux
version: v1.0.0-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
name: prometheus
version: v2.43.0-0

3
roles/custom/matrix-base/defaults/main.yml
View File

@ -13,9 +13,6 @@ matrix_domain: ~
# Example value: "@someone:{{ matrix_domain }}"
matrix_admin: ''
# Global var to enable/disable encryption across all bridges with encryption support
matrix_bridges_encryption_enabled: false
# matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc.
#
# Unless you're wrapping this playbook in another one

15
roles/custom/matrix-bot-buscarron/defaults/main.yml
View File

@ -14,10 +14,6 @@ matrix_bot_buscarron_hostname: ''
# This value must either be `/` or not end with a slash (e.g. `/buscarron`).
matrix_bot_buscarron_path_prefix: /
# The path at which Buscarron will expose metrics
# This value must either be `/` or not end with a slash (e.g. `/metrics`).
matrix_bot_buscarron_metrics_path: /metrics
matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron"
matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config"
matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data"
@ -40,15 +36,6 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron
# Use this to expose this container to another reverse proxy, which runs in a different container network.
matrix_bot_buscarron_container_additional_networks: []
# enable basic auth for metrics
matrix_bot_buscarron_basicauth_enabled: false
# temporary file name on the host that runs ansible
matrix_bot_buscarron_basicauth_file: "/tmp/matrix_bot_buscarron_htpasswd"
# username
matrix_bot_buscarron_basicauth_user: ''
# password
matrix_bot_buscarron_basicauth_password: ''
# matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
@ -59,8 +46,6 @@ matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron
# The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`).
matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}"
matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}"
matrix_bot_buscarron_container_labels_traefik_metrics_path: "{{ matrix_bot_buscarron_metrics_path }}"
matrix_bot_buscarron_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_buscarron_container_labels_traefik_metrics_path }}`)"
matrix_bot_buscarron_container_labels_traefik_priority: 0
matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure
matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}"

23
roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
View File

@ -40,21 +40,6 @@
- {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true}
when: "item.when | bool"
- name: Determine basicauth filename
ansible.builtin.set_fact:
matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}"
when: matrix_bot_buscarron_basicauth_enabled | bool
- name: Generate basic auth file
community.general.htpasswd:
path: "{{ matrix_bot_buscarron_basicauth_file }}"
name: "{{ matrix_bot_buscarron_basicauth_user }}"
password: "{{ matrix_bot_buscarron_basicauth_password }}"
mode: 0640
become: false
delegate_to: 127.0.0.1
when: matrix_bot_buscarron_basicauth_enabled | bool
- name: Ensure buscarron support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
@ -66,14 +51,6 @@
- env
- labels
- name: Ensure temporary basic auth file is removed
ansible.builtin.file:
path: "{{ matrix_bot_buscarron_basicauth_file }}"
state: absent
become: false
delegate_to: 127.0.0.1
when: matrix_bot_buscarron_basicauth_enabled | bool
- name: Ensure buscarron image is pulled
community.docker.docker_image:
name: "{{ matrix_bot_buscarron_docker_image }}"

23
roles/custom/matrix-bot-buscarron/templates/labels.j2
View File

@ -6,7 +6,6 @@ traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_n
{% endif %}
{% set middlewares = [] %}
{% set middlewares_metrics = [] %}
{% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$
@ -19,11 +18,6 @@ traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes=
{% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %}
{% endif %}
{% if matrix_bot_buscarron_basicauth_enabled %}
traefik.http.middlewares.matrix-bot-buscarron-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_buscarron_basicauth_file) }}
{% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %}
{% endif %}
{% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
{% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %}
traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
@ -44,23 +38,8 @@ traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_
{% if matrix_bot_buscarron_container_labels_traefik_tls %}
traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080
{% if middlewares_metrics | length > 0 %}
traefik.http.routers.matrix-bot-buscarron-metrics.rule={{ matrix_bot_buscarron_container_labels_traefik_metrics_rule }}
{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %}
traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-bot-buscarron-metrics.service=matrix-bot-buscarron
traefik.http.routers.matrix-bot-buscarron-metrics.middlewares={{ middlewares_metrics | join(',') }}
traefik.http.routers.matrix-bot-buscarron-metrics.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-bot-buscarron-metrics.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }}
{% if matrix_bot_buscarron_container_labels_traefik_tls %}
traefik.http.routers.matrix-bot-buscarron-metrics.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080
{% endif %}
{% endif %}
{{ matrix_bot_buscarron_container_labels_additional_labels }}

2
roles/custom/matrix-bot-chatgpt/defaults/main.yml
View File

@ -4,7 +4,7 @@
matrix_bot_chatgpt_enabled: true
matrix_bot_chatgpt_version: 3.1.2
matrix_bot_chatgpt_version: 3.0.0
matrix_bot_chatgpt_container_image_self_build: false
matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"

2
roles/custom/matrix-bot-draupnir/defaults/main.yml
View File

@ -4,7 +4,7 @@
matrix_bot_draupnir_enabled: true
matrix_bot_draupnir_version: "v1.83.0"
matrix_bot_draupnir_version: "v1.80.1"
matrix_bot_draupnir_container_image_self_build: false
matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"

16
roles/custom/matrix-bot-honoroit/defaults/main.yml
View File

@ -11,10 +11,6 @@ matrix_bot_honoroit_hostname: ''
# This value must either be `/` or not end with a slash (e.g. `/honoroit`).
matrix_bot_honoroit_path_prefix: /
# The path at which honoroit will expose metrics
# This value must either be `/` or not end with a slash (e.g. `/metrics`).
matrix_bot_honoroit_metrics_path: /metrics
matrix_bot_honoroit_container_image_self_build: false
matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
@ -38,15 +34,6 @@ matrix_bot_honoroit_container_network: matrix-bot-honoroit
# Use this to expose this container to another reverse proxy, which runs in a different container network.
matrix_bot_honoroit_container_additional_networks: []
# enable basic auth for metrics
matrix_bot_honoroit_basicauth_enabled: false
# temporary file name on the host that runs ansible
matrix_bot_honoroit_basicauth_file: "/tmp/matrix_bot_honoroit_htpasswd"
# username
matrix_bot_honoroit_basicauth_user: ''
# password
matrix_bot_honoroit_basicauth_password: ''
# matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
@ -56,8 +43,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono
matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`).
matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}"
matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}"
matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)"
matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}"
matrix_bot_honoroit_container_labels_traefik_priority: 0
matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure
matrix_bot_honoroit_container_labels_traefik_tls: "{{ matrix_bot_honoroit_container_labels_traefik_entrypoints != 'web' }}"

28
roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
View File

@ -40,21 +40,6 @@
- {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true}
when: "item.when | bool"
- name: Determine basicauth filename
ansible.builtin.set_fact:
matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}"
when: matrix_bot_honoroit_basicauth_enabled | bool
- name: Generate basic auth file
community.general.htpasswd:
path: "{{ matrix_bot_honoroit_basicauth_file }}"
name: "{{ matrix_bot_honoroit_basicauth_user }}"
password: "{{ matrix_bot_honoroit_basicauth_password }}"
mode: 0640
become: false
delegate_to: 127.0.0.1
when: matrix_bot_honoroit_basicauth_enabled | bool
- name: Ensure honoroit support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
@ -66,14 +51,6 @@
- env
- labels
- name: Ensure temporary basic auth file is removed
ansible.builtin.file:
path: "{{ matrix_bot_honoroit_basicauth_file }}"
state: absent
become: false
delegate_to: 127.0.0.1
when: matrix_bot_honoroit_basicauth_enabled | bool
- name: Ensure honoroit image is pulled
community.docker.docker_image:
name: "{{ matrix_bot_honoroit_docker_image }}"
@ -109,11 +86,6 @@
pull: true
when: "matrix_bot_honoroit_container_image_self_build | bool"
- name: Ensure honoroit container network is created
community.general.docker_network:
name: "{{ matrix_bot_honoroit_container_network }}"
driver: bridge
- name: Ensure matrix-bot-honoroit.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2"

26
roles/custom/matrix-bot-honoroit/templates/labels.j2
View File

@ -6,7 +6,6 @@ traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_ne
{% endif %}
{% set middlewares = [] %}
{% set middlewares_metrics = [] %}
{% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.regex=({{ matrix_bot_honoroit_container_labels_traefik_path_prefix | quote }})$
@ -26,26 +25,21 @@ traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseh
{% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %}
{% endif %}
{% if matrix_bot_honoroit_basicauth_enabled %}
traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_honoroit_basicauth_file) }}
{% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %}
{% endif %}
{% if middlewares_metrics | length > 0 %}
traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }}
traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }}
{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics
traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }}
traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
{% if matrix_bot_honoroit_container_labels_traefik_tls %}
traefik.http.routers.matrix-bot-honoroit-metrics.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080
traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080
{% endif %}
{{ matrix_bot_honoroit_container_labels_additional_labels }}

2
roles/custom/matrix-bot-maubot/defaults/main.yml
View File

@ -10,7 +10,7 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock
matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}"
matrix_bot_maubot_version: v0.4.1
matrix_bot_maubot_version: v0.4.0
matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}"
matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}"
matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}"

8
roles/custom/matrix-bot-postmoogle/defaults/main.yml
View File

@ -81,10 +81,10 @@ matrix_bot_postmoogle_maxsize: '1024'
# A list of admins
# Example set of rules:
# matrix_bot_postmoogle_admins:
# - '@someone:example.com'
# - '@another:example.com'
# - '@bot.*:example.com'
# - '@*:another.com'
# - @someone:example.com
# - @another:example.com
# - @bot.*:example.com
# - @*:another.com
matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}"
# Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn

2
roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
View File

@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
# matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
# It's a bare version number now. We try to somewhat retain compatibility below.
matrix_appservice_irc_version: 0.38.0
matrix_appservice_irc_version: 0.37.0
matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}"
matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"

2
roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
View File

@ -120,7 +120,7 @@ matrix_appservice_kakaotalk_appservice_bot_username: kakaotalkbot
matrix_appservice_kakaotalk_user_prefix: 'kakaotalk_'
# End-to-bridge encryption configuration
matrix_appservice_kakaotalk_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_appservice_kakaotalk_bridge_encryption_allow: false
matrix_appservice_kakaotalk_bridge_encryption_default: "{{ matrix_appservice_kakaotalk_bridge_encryption_allow }}"
# Specifies the default log level for all bridge loggers.

5
roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
View File

@ -83,11 +83,6 @@ matrix_beeper_linkedin_login_shared_secret: ''
# Specifies the default log level for all bridge loggers.
matrix_beeper_linkedin_logging_level: WARNING
# Enable End-to-bridge encryption
matrix_beeper_linkedin_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_beeper_linkedin_bridge_encryption_default: "{{ matrix_beeper_linkedin_bridge_encryption_allow }}"
matrix_beeper_linkedin_bridge_encryption_key_sharing_allow: "{{ matrix_beeper_linkedin_bridge_encryption_allow }}"
# Default beeper-linkedin configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

6
roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
View File

@ -156,15 +156,15 @@ bridge:
# application service.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ matrix_beeper_linkedin_bridge_encryption_allow|to_json }}
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: {{ matrix_beeper_linkedin_bridge_encryption_default|to_json }}
default: false
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow: {{ matrix_beeper_linkedin_bridge_encryption_key_sharing_allow|to_json }}
allow: false
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.

2
roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
View File

@ -86,7 +86,7 @@ matrix_go_skype_bridge_bridge_double_puppet_server_map:
"{{ matrix_go_skype_bridge_homeserver_domain : matrix_go_skype_bridge_homeserver_address }}"
# Enable End-to-bridge encryption
matrix_go_skype_bridge_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_go_skype_bridge_bridge_encryption_allow: false
matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}"
# Minimum severity of journal log messages.

2
roles/custom/matrix-bridge-hookshot/defaults/main.yml
View File

@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
matrix_hookshot_version: 4.1.0
matrix_hookshot_version: 3.0.1
matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"

2
roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
View File

@ -81,7 +81,7 @@
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
-v {{ matrix_hookshot_base_path }}/config.yml:/config.yml
{{ matrix_hookshot_docker_image }} node config/Config.js /config.yml
{{ matrix_hookshot_docker_image }} node Config/Config.js /config.yml
register: hookshot_config_validation_result
changed_when: false

4
roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
View File

@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false
matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git"
matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"
matrix_mautrix_discord_version: v0.4.0
matrix_mautrix_discord_version: v0.2.0
# See: https://mau.dev/mautrix/discord/container_registry
matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}"
@ -137,7 +137,7 @@ matrix_mautrix_discord_registration_yaml: |
matrix_mautrix_discord_registration: "{{ matrix_mautrix_discord_registration_yaml | from_yaml }}"
# Enable End-to-bridge encryption
matrix_mautrix_discord_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_discord_bridge_encryption_allow: false
matrix_mautrix_discord_bridge_encryption_default: "{{ matrix_mautrix_discord_bridge_encryption_allow }}"
matrix_mautrix_discord_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_discord_bridge_encryption_allow }}"

7
roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
View File

@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true
matrix_mautrix_facebook_container_image_self_build: false
matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git"
matrix_mautrix_facebook_version: v0.5.0
matrix_mautrix_facebook_version: v0.4.1
matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}"
matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
@ -149,8 +149,3 @@ matrix_mautrix_facebook_registration_yaml: |
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml | from_yaml }}"
# Enable End-to-bridge encryption
matrix_mautrix_facebook_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_facebook_bridge_encryption_default: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}"
matrix_mautrix_facebook_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}"

6
roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
View File

@ -126,15 +126,15 @@ bridge:
# application service.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ matrix_mautrix_facebook_bridge_encryption_allow|to_json }}
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: {{ matrix_mautrix_facebook_bridge_encryption_default|to_json }}
default: false
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow_key_sharing: {{ matrix_mautrix_facebook_bridge_encryption_key_sharing_allow|to_json }}
allow: false
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.

4
roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
View File

@ -129,7 +129,3 @@ matrix_mautrix_googlechat_registration_yaml: |
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_googlechat_registration: "{{ matrix_mautrix_googlechat_registration_yaml | from_yaml }}"
# Enable End-to-bridge encryption
matrix_mautrix_googlechat_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_googlechat_bridge_encryption_default: "{{ matrix_mautrix_googlechat_bridge_encryption_allow }}"

4
roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
View File

@ -88,10 +88,10 @@ bridge:
# application service.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ matrix_mautrix_googlechat_bridge_encryption_allow|to_json }}
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: {{ matrix_mautrix_googlechat_bridge_encryption_default|to_json }}
default: false
# Whether or not created rooms should have federation enabled.
# If false, created portal rooms will never be federated.

4
roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml
View File

@ -126,7 +126,3 @@ matrix_mautrix_hangouts_registration_yaml: |
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_hangouts_registration: "{{ matrix_mautrix_hangouts_registration_yaml | from_yaml }}"
# Enable End-to-bridge encryption
matrix_mautrix_hangouts_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_hangouts_bridge_encryption_default: "{{ matrix_mautrix_hangouts_bridge_encryption_allow }}"

4
roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
View File

@ -88,10 +88,10 @@ bridge:
# application service.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ matrix_mautrix_hangouts_bridge_encryption_allow|to_json }}
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: {{ matrix_mautrix_hangouts_bridge_encryption_default|to_json }}
default: false
# Public website and API configs
web:

7
roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
View File

@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false
matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git"
matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}"
matrix_mautrix_instagram_version: v0.3.0
matrix_mautrix_instagram_version: v0.2.3
# See: https://mau.dev/tulir/mautrix-instagram/container_registry
matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}"
matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"
@ -129,8 +129,3 @@ matrix_mautrix_instagram_registration_yaml: |
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml | from_yaml }}"
# Enable End-to-bridge encryption
matrix_mautrix_instagram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_instagram_bridge_encryption_default: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}"
matrix_mautrix_instagram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}"

6
roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
View File

@ -143,15 +143,15 @@ bridge:
# application service.
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }}
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }}
default: false
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }}
allow: false
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.

6
roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
View File

@ -9,8 +9,8 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git"
matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"
matrix_mautrix_signal_version: v0.4.3
matrix_mautrix_signal_daemon_version: 0.23.2
matrix_mautrix_signal_version: v0.4.2
matrix_mautrix_signal_daemon_version: 0.23.1
# See: https://mau.dev/mautrix/signal/container_registry
matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}"
matrix_mautrix_signal_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_signal_container_image_self_build else 'dock.mau.dev/' }}"
@ -152,7 +152,7 @@ matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml
matrix_mautrix_signal_log_level: 'DEBUG'
matrix_mautrix_signal_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_signal_bridge_encryption_allow: false
matrix_mautrix_signal_bridge_encryption_default: "{{ matrix_mautrix_signal_bridge_encryption_allow }}"
matrix_mautrix_signal_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_signal_bridge_encryption_allow }}"

2
roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
View File

@ -133,6 +133,6 @@ matrix_mautrix_slack_registration_yaml: |
matrix_mautrix_slack_registration: "{{ matrix_mautrix_slack_registration_yaml | from_yaml }}"
# Enable End-to-bridge encryption
matrix_mautrix_slack_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_slack_bridge_encryption_allow: false
matrix_mautrix_slack_bridge_encryption_default: "{{ matrix_mautrix_slack_bridge_encryption_allow }}"
matrix_mautrix_slack_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_slack_bridge_encryption_allow }}"

4
roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
View File

@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
matrix_mautrix_telegram_version: v0.14.0
matrix_mautrix_telegram_version: v0.13.0
# See: https://mau.dev/mautrix/telegram/container_registry
matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
@ -166,6 +166,6 @@ matrix_mautrix_telegram_alias_template: 'telegram_{groupname}'
matrix_mautrix_telegram_displayname_template: '{displayname} (Telegram)'
# Enable End-to-bridge encryption
matrix_mautrix_telegram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_telegram_bridge_encryption_allow: false
matrix_mautrix_telegram_bridge_encryption_default: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}"
matrix_mautrix_telegram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}"

7
roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
View File

@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false
matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git"
matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
matrix_mautrix_twitter_version: v0.1.6
matrix_mautrix_twitter_version: v0.1.5
# See: https://mau.dev/tulir/mautrix-twitter/container_registry
matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}"
@ -127,8 +127,3 @@ matrix_mautrix_twitter_registration_yaml: |
de.sorunome.msc2409.push_ephemeral: true
matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml | from_yaml }}"
# Enable End-to-bridge encryption
matrix_mautrix_twitter_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_twitter_bridge_encryption_default: "{{ matrix_mautrix_twitter_bridge_encryption_allow }}"
matrix_mautrix_twitter_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_twitter_bridge_encryption_allow }}"

6
roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
View File

@ -126,15 +126,15 @@ bridge:
# this to work. See https://github.com/tulir/mautrix-telegram/wiki/Endtobridge-encryption
encryption:
# Allow encryption, work in group chat rooms with e2ee enabled
allow: {{ matrix_mautrix_twitter_bridge_encryption_allow|to_json }}
allow: false
# Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: {{ matrix_mautrix_twitter_bridge_encryption_default|to_json }}
default: false
# Options for automatic key sharing.
key_sharing:
# Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
# You must use a client that supports requesting keys from other users to use this feature.
allow: {{ matrix_mautrix_twitter_bridge_encryption_key_sharing_allow|to_json }}
allow: false
# Require the requesting device to have a valid cross-signing signature?
# This doesn't require that the bridge has verified the device, only that the user has verified it.
# Not yet implemented.

4
roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
View File

@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
matrix_mautrix_whatsapp_version: v0.8.5
matrix_mautrix_whatsapp_version: v0.8.3
# See: https://mau.dev/mautrix/whatsapp/container_registry
matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"
@ -97,7 +97,7 @@ matrix_mautrix_whatsapp_bridge_login_shared_secret_map:
"{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}"
# Enable End-to-bridge encryption
matrix_mautrix_whatsapp_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_whatsapp_bridge_encryption_allow: false
matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"

2
roles/custom/matrix-client-cinny/defaults/main.yml
View File

@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true
matrix_client_cinny_container_image_self_build: false
matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
matrix_client_cinny_version: v2.2.6
matrix_client_cinny_version: v2.2.4
matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"

2
roles/custom/matrix-client-element/defaults/main.yml
View File

@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
# - https://github.com/vector-im/element-web/issues/19544
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
matrix_client_element_version: v1.11.31
matrix_client_element_version: v1.11.25
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

2
roles/custom/matrix-client-hydrogen/templates/config.json.j2
View File

@ -3,7 +3,7 @@
"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }},
"bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }},
"themeManifests": [
"{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json"
"{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json"
],
"defaultTheme": {
"light": "element-light",

2
roles/custom/matrix-coturn/defaults/main.yml
View File

@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
matrix_coturn_version: 4.6.1-r3
matrix_coturn_version: 4.6.1-r2
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

8
roles/custom/matrix-coturn/tasks/setup_install.yml
View File

@ -73,6 +73,7 @@
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
mode: 0644
register: matrix_coturn_systemd_service_change_results
# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
@ -82,6 +83,7 @@
src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
mode: 0644
register: "matrix_coturn_systemd_service_change_results"
when: "matrix_coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
@ -92,7 +94,13 @@
ansible.builtin.file:
path: "{{ item }}"
state: absent
register: "matrix_coturn_systemd_service_change_results"
when: "not matrix_coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
- name: Ensure systemd reloaded if systemd units changed
ansible.builtin.service:
daemon_reload: true
when: "matrix_coturn_systemd_service_change_results.changed"

16
roles/custom/matrix-dendrite/defaults/main.yml
View File

@ -4,12 +4,8 @@
matrix_dendrite_enabled: true
matrix_dendrite_container_image_self_build: false
matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/dendrite.git"
matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}"
matrix_dendrite_docker_image_name_prefix: "docker.io/"
matrix_dendrite_docker_image_tag: "v0.12.0"
matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
@ -21,8 +17,6 @@ matrix_dendrite_nats_storage_path: "{{ matrix_dendrite_base_path }}/nats"
matrix_dendrite_bin_path: "{{ matrix_dendrite_base_path }}/bin"
matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext"
matrix_dendrite_docker_src_files_path: "{{ matrix_dendrite_base_path }}/docker-src"
# By default, we make Dendrite only serve HTTP (not HTTPS).
# HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`).
#
@ -91,14 +85,14 @@ matrix_dendrite_systemd_wanted_services_list: []
# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2"
matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"
matrix_dendrite_client_api_registration_shared_secret: ""
matrix_dendrite_client_api_registration_shared_secret: ''
matrix_dendrite_allow_guest_access: false
matrix_dendrite_max_file_size_bytes: 10485760
# Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client.
# This is likely required if Dendrite is running behind a reverse proxy server.
matrix_dendrite_sync_api_real_ip_header: "X-Forwarded-For"
matrix_dendrite_sync_api_real_ip_header: 'X-Forwarded-For'
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_dendrite_tmp_directory_size_mb: 500
@ -153,7 +147,7 @@ matrix_dendrite_metrics_password: "metrics"
# Postgres database information
matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}"
matrix_dendrite_database_hostname: ""
matrix_dendrite_database_hostname: ''
matrix_dendrite_database_user: "dendrite"
matrix_dendrite_database_password: "itsasecret"
matrix_dendrite_federation_api_database: "dendrite_federationapi"

47
roles/custom/matrix-dendrite/tasks/setup_install.yml
View File

@ -1,23 +1,17 @@
---
- name: Ensure Dendrite paths exist
ansible.builtin.file:
path: "{{ item.path }}"
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- path: "{{ matrix_dendrite_config_dir_path }}"
when: true
- path: "{{ matrix_dendrite_bin_path }}"
when: true
- path: "{{ matrix_dendrite_ext_path }}"
when: true
- path: "{{ matrix_dendrite_nats_storage_path }}"
when: true
- path: "{{ matrix_dendrite_docker_src_files_path }}"
when: "{{ matrix_dendrite_container_image_self_build }}"
when: "item.when | bool"
- "{{ matrix_dendrite_config_dir_path }}"
- "{{ matrix_dendrite_bin_path }}"
- "{{ matrix_dendrite_ext_path }}"
- "{{ matrix_dendrite_nats_storage_path }}"
# This will throw a Permission Denied error if already mounted using fuse
- name: Check Dendrite media store path
@ -43,7 +37,6 @@
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}"
when: "not matrix_dendrite_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
@ -79,34 +72,6 @@
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- when: "matrix_dendrite_container_image_self_build | bool"
block:
- name: Ensure Dendrite repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_dendrite_container_image_self_build_repo }}"
dest: "{{ matrix_dendrite_docker_src_files_path }}"
version: "{{ matrix_dendrite_docker_image.split(':')[1] }}"
force: "yes"
become: true
become_user: "{{ matrix_user_username }}"
register: matrix_dendrite_git_pull_results
- name: Check if Dendrite Docker image exists
ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_dendrite_docker_image }}'"
register: matrix_dendrite_docker_image_check_result
changed_when: false
# Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module,
# because the latter does not support BuildKit.
# See: https://github.com/ansible-collections/community.general/issues/514
- name: Ensure Dendrite Docker image is built
ansible.builtin.command:
cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_dendrite_docker_image }} {{ matrix_dendrite_docker_src_files_path }}"
environment:
DOCKER_BUILDKIT: 1
changed_when: true
when: "matrix_dendrite_git_pull_results.changed | bool or matrix_dendrite_docker_image_check_result.stdout == ''"
- name: Ensure Dendrite container network is created
community.general.docker_network:
name: "{{ matrix_dendrite_container_network }}"

320
roles/custom/matrix-jitsi/defaults/main.yml Normal file
View File

@ -0,0 +1,320 @@
---
# Project source code URL: https://github.com/jitsi/docker-jitsi-meet
matrix_jitsi_enabled: true
matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
matrix_jitsi_enable_auth: false
matrix_jitsi_enable_guests: false
matrix_jitsi_enable_recording: false
matrix_jitsi_enable_transcriptions: false
matrix_jitsi_enable_jaas_components: false
matrix_jitsi_enable_p2p: true
matrix_jitsi_enable_av_moderation: true
matrix_jitsi_enable_breakout_rooms: true
matrix_jitsi_disable_gravatar: true
# Authentication type, must be one of internal, jwt, matrix or ldap.
# Currently, only internal, matrix and ldap mechanisms are supported by this playbook.
# matrix auth verifies against matrix openID, and requires a user-verification-service to run.
matrix_jitsi_auth_type: internal
# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
#
# Accounts added here and subsequently removed will not be automatically removed
# from the Prosody server until user account cleaning is integrated into the playbook.
#
# Example:
# matrix_jitsi_prosody_auth_internal_accounts:
# - username: "jitsi-moderator"
# password: "secret-password"
# - username: "another-user"
# password: "another-password"
matrix_jitsi_prosody_auth_internal_accounts: []
# Configuration options for LDAP authentication. For details see upstream:
# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
# Defaults are taken from:
# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf
matrix_jitsi_ldap_url: ""
matrix_jitsi_ldap_base: ""
matrix_jitsi_ldap_binddn: ""
matrix_jitsi_ldap_bindpw: ""
matrix_jitsi_ldap_filter: "uid=%u"
matrix_jitsi_ldap_auth_method: "bind"
matrix_jitsi_ldap_version: "3"
matrix_jitsi_ldap_use_tls: false
matrix_jitsi_ldap_tls_ciphers: ""
matrix_jitsi_ldap_tls_check_peer: false
matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
matrix_jitsi_ldap_start_tls: false
# Auth type: matrix
matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification"
matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification"
matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0
matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true
matrix_jitsi_prosody_auth_matrix_uvs_location: ""
# Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092
matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}"
matrix_jitsi_prosody_auth_matrix_files:
- path: "mod_auth_matrix_user_verification.lua"
when: true
- path: "mod_matrix_power_sync.lua"
when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}"
# Plugged in group_vars
matrix_jitsi_prosody_auth_matrix_uvs_auth_token: ''
matrix_jitsi_timezone: UTC
matrix_jitsi_xmpp_domain: meet.jitsi
matrix_jitsi_xmpp_server: xmpp.meet.jitsi
matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi
matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280
matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi
matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi
matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi
matrix_jitsi_xmpp_modules: ''
matrix_jitsi_recorder_domain: recorder.meet.jitsi
matrix_jitsi_jibri_brewery_muc: jibribrewery
matrix_jitsi_jibri_pending_timeout: 90
matrix_jitsi_jibri_xmpp_user: jibri
matrix_jitsi_jibri_xmpp_password: ''
matrix_jitsi_jibri_recorder_user: recorder
matrix_jitsi_jibri_recorder_password: ''
matrix_jitsi_enable_lobby: false
matrix_jitsi_version: stable-8319
matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"
matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config"
matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts"
matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs"
matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"
# STUN servers used in the web UI. Feel free to point them to your own STUN server.
# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`.
matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443']
# Setting up TURN
# Default set with Coturn container
matrix_jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret }}"
matrix_jitsi_turn_host: "turn.{{ matrix_server_fqn_matrix }}"
matrix_jitsi_turns_host: "turn.{{ matrix_server_fqn_matrix }}"
matrix_jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port }}"
matrix_jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port }}"
matrix_jitsi_turn_transport: tcp
# Controls whether Etherpad will be available within Jitsi
matrix_jitsi_etherpad_enabled: false
# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:13080"), or empty string to not expose.
matrix_jitsi_web_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
matrix_jitsi_web_container_extra_arguments: []
# List of systemd services that matrix-jitsi-web.service depends on
matrix_jitsi_web_systemd_required_services_list: ['docker.service']
# Custom configuration to be appended to `interface_config.js`, passed to Jitsi Web.
#
# Note: not to be confused with `matrix_jitsi_web_custom_config_extension`.
#
# For interface configuration, the flow is like this:
# - a default `interface_config.js` is generated from within the docker image
# - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults.
#
# Example:
# matrix_jitsi_web_custom_interface_config_extension: |
# interfaceConfig.LANG_DETECTION = false;
# interfaceConfig.SHOW_JITSI_WATERMARK = false;
# interfaceConfig.DISABLE_VIDEO_BACKGROUND = true;
matrix_jitsi_web_custom_interface_config_extension: ''
# Controls after which participant audio will be muted. If not specified, defaults to Jitsi's default value (likely 10)
matrix_jitsi_web_config_start_audio_muted_after_nth_participant: ~
# Controls after which participant video will be muted. If not specified, defaults to Jitsi's default value (likely 10)
matrix_jitsi_web_config_start_video_muted_after_nth_participant: ~
matrix_jitsi_web_config_defaultLanguage: 'en' # noqa var-naming
# Ideal and also maximum resolution width. If not specified, defaults to Jitsi's default value (likely 1280)
matrix_jitsi_web_config_resolution_width_ideal_and_max: ~
# Minimum resolution width. If not specified, defaults to Jitsi's default value (likely 320)
matrix_jitsi_web_config_resolution_width_min: ~
# Ideal and also maximum resolution height. If not specified, defaults to Jitsi's default value (likely 720)
matrix_jitsi_web_config_resolution_height_ideal_and_max: ~
# Minimum resolution height. If not specified, defaults to Jitsi's default value (likely 180)
matrix_jitsi_web_config_resolution_height_min: ~
# Custom configuration to be injected into `custom-config.js`, passed to Jitsi Web.
# This configuration gets appended to the final configuration that Jitsi Web uses.
#
# Note: not to be confused with `matrix_jitsi_web_custom_interface_config_extension`.
#
# The flow is like this:
# - some default configuration is automatically generated based on the environment variables passed to the Jitsi Web container
# - the contents of `custom-config.js` is appended to it (see `templates/web/custom-config.js.j2`)
# - said `custom-config.js` contains your custom contents specified in `matrix_jitsi_web_custom_config_extension`.
#
# Example:
# matrix_jitsi_web_custom_config_extension: |
# if (!config.hasOwnProperty('testing')) config.testing = {};
# config.testing.p2pTestMode = true
matrix_jitsi_web_custom_config_extension: ''
# Additional environment variables to pass to the Jitsi Web container.
# You can use this to further influence the default configuration generated by the Jitsi Web container on every startup.
# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration
# by using `matrix_jitsi_web_custom_config_extension`.
#
# Example:
# matrix_jitsi_web_environment_variables_extension: |
# ENABLE_FILE_RECORDING_SERVICE=1
# DROPBOX_APPKEY=something
# DROPBOX_REDIRECT_URI=something
matrix_jitsi_web_environment_variables_extension: ''
matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"
matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom"
matrix_jitsi_prosody_ext_path: "{{ matrix_jitsi_prosody_base_path }}/ext"
# well known is currently only needed for auth type "matrix"
matrix_jitsi_require_well_known: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"
matrix_jitsi_wellknown_element_jitsi_json: '{"auth": "openidtoken-jwt"}'
#
matrix_jitsi_muc_modules: |
{{
(['matrix_power_sync'] if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels | bool else [])
}}
# A list of extra arguments to pass to the container
matrix_jitsi_prosody_container_extra_arguments: []
# List of systemd services that matrix-jitsi-prosody.service depends on
matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
# Neccessary Port binding for those disabling the integrated nginx proxy
matrix_jitsi_prosody_container_http_host_bind_port: ''
matrix_jitsi_prosody_container_jvb_host_bind_port: 5222
matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"
matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config"
# A list of extra arguments to pass to the container
matrix_jitsi_jicofo_container_extra_arguments: []
# List of systemd services that matrix-jitsi-jicofo.service depends on
matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
matrix_jitsi_jicofo_component_secret: ''
matrix_jitsi_jicofo_auth_user: focus
matrix_jitsi_jicofo_auth_password: ''
# To enable Sentry integration for Jicofo, specify a valid DSN connection string
matrix_jitsi_jicofo_sentry_dsn: ''
matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config"
# A list of extra arguments to pass to the container
matrix_jitsi_jvb_container_extra_arguments: []
# List of systemd services that matrix-jitsi-jvb.service depends on
matrix_jitsi_jvb_systemd_required_services_list: ['docker.service']
matrix_jitsi_jvb_auth_user: jvb
matrix_jitsi_jvb_auth_password: ''
# To enable Sentry integration for JVB, specify a valid DSN connection string
matrix_jitsi_jvb_sentry_dsn: ''
# STUN servers used by JVB on the server-side, so it can discover its own external IP address.
# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.
matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443']
matrix_jitsi_jvb_brewery_muc: jvbbrewery
matrix_jitsi_jvb_rtp_udp_port: 10000
matrix_jitsi_jvb_rtp_tcp_port: 4443
matrix_jitsi_jvb_server_id: 'jvb-1'
# Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB.
# This configuration gets appended to the final configuration that Jitsi JVB uses.
#
# The flow is like this:
# - some default configuration is automatically generated based on the environment variables passed to the Jitsi JVB container
# - the contents of `custom-sip-communicator.properties` is appended to it (see `templates/jvb/custom-sip-communicator.properties.j2`)
# - said `custom-sip-communicator.properties` contains your custom contents specified in `matrix_jitsi_jvb_custom_config_extension`.
#
# Example:
# matrix_jitsi_jvb_custom_config_extension: |
# org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=false
# org.jitsi.videobridge.ENABLE_STATISTICS=false
matrix_jitsi_jvb_custom_config_extension: ''
# Additional environment variables to pass to the Jitsi JVB container.
# You can use this to further influence the default configuration generated by the Jitsi JVB container on every startup.
# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration
# by using `matrix_jitsi_jvb_custom_config_extension`.
#
# Example:
# matrix_jitsi_jvb_environment_variables_extension: |
# SOME_VARIABLE=1
# ANOTHER_VARIABLE=something
matrix_jitsi_jvb_environment_variables_extension: ''
# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:10000"), or empty string to not expose.
matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}"
# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4443"), or empty string to not expose.
matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}"
# Controls whether the matrix-jitsi-jvb container exposes its Colibri WebSocket port (tcp/9090 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:12090"), or empty string to not expose.
matrix_jitsi_jvb_container_colibri_ws_host_bind_port: ''
# Default max participants to the empty string
#
# The setting requires an integer to be set for usage and allows a user to specify the max number of particpants on a conference.
matrix_prosody_jitsi_max_participants: ''
# Allows abailty to set XMPP AUTH user if using JIGASI
matrix_jitsi_jigasi_xmpp_user: ''
# Allows abailty to set XMPP AUTH pasword if using JIGASI
matrix_jitsi_jigasi_xmpp_password: ''

5
roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml Normal file
View File

@ -0,0 +1,5 @@
---
- ansible.builtin.set_fact:
devture_systemd_service_manager_services_list_auto: "{{ [{'name': 'matrix-jitsi-jvb.service', 'priority': 1000, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] }}"
when: matrix_jitsi_enabled | bool

75
roles/custom/matrix-jitsi/tasks/main.yml Normal file
View File

@ -0,0 +1,75 @@
---
- tags:
- setup-additional-jitsi-jvb
- install-additional-jitsi-jvb
block:
- when: matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml"
- tags:
- setup-all
- setup-jitsi
- setup-additional-jitsi-jvb
- install-all
- install-jitsi
- install-additional-jitsi-jvb
block:
- when: matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
- tags:
- setup-all
- setup-jitsi
- install-all
- install-jitsi
block:
- when: matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_install.yml"
- when: matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_install.yml"
- when: matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_install.yml"
- tags:
- setup-all
- setup-jitsi
block:
- when: not matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml"
- when: not matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_uninstall.yml"
- when: not matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_uninstall.yml"
- tags:
- setup-all
- setup-jitsi
- setup-additional-jitsi-jvb
- install-all
- install-jitsi
- install-additional-jitsi-jvb
block:
- when: matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml"
- tags:
- setup-all
- setup-jitsi
- setup-additional-jitsi-jvb
block:
- when: not matrix_jitsi_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml"
- tags:
- self-check
block:
- when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix'
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml"

63
roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml Normal file
View File

@ -0,0 +1,63 @@
---
- ansible.builtin.set_fact:
matrix_jitsi_prosody_self_check_uvs_health_url: "{{ matrix_jitsi_prosody_auth_matrix_uvs_location }}/health"
matrix_jitsi_element_jitsi_well_known_url: "{{ matrix_jitsi_web_public_url }}/.well-known/element/jitsi"
- name: Check if jitsi serves the .well-known/element/jitsi
ansible.builtin.uri:
url: "{{ matrix_jitsi_element_jitsi_well_known_url }}"
follow_redirects: none
return_content: true
validate_certs: "{{ matrix_jitsi_self_check_validate_certificates }}"
headers:
Origin: example.com
check_mode: false
register: result_well_known_jitsi_element_jitsi
ignore_errors: true
- name: Fail if .well-known not working
ansible.builtin.fail:
msg: |
Failed checking that the Jitsi well-known file for Element auth is configured at `{{ matrix_jitsi_element_jitsi_well_known_url }}`
Full error: {{ result_well_known_jitsi_element_jitsi }}
when: "result_well_known_jitsi_element_jitsi.failed"
- name: Parse JSON for well-known payload at the matrix hostname
ansible.builtin.set_fact:
well_known_matrix_payload: "{{ result_well_known_jitsi_element_jitsi.content | from_json }}"
- name: Fail if .well-known not CORS-aware
ansible.builtin.fail:
msg: "The well-known file on `{{ matrix_jitsi_element_jitsi_well_known_url }}` is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
when: "'access_control_allow_origin' not in result_well_known_jitsi_element_jitsi"
- name: Report working .well-known
ansible.builtin.debug:
msg: "well-known is configured correctly at `{{ matrix_jitsi_element_jitsi_well_known_url }}`"
- name: Check if we can reach the user verification service and if it's healthy
ansible.builtin.command:
argv:
- "docker"
- "exec"
- "matrix-jitsi-prosody"
- "wget"
- "-O"
- "-"
- "--quiet"
- "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}"
register: matrix_jitsi_prosody_self_check_uvs_result
changed_when: false
ignore_errors: true
- name: Fail if user verification service is not (reachable and healthy)
ansible.builtin.fail:
msg: |
Failed checking user verification service is up (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`).
Full error: {{ matrix_jitsi_prosody_self_check_uvs_result }}
when: "matrix_jitsi_prosody_self_check_uvs_result.failed"
- name: Report healthy user verification service
ansible.builtin.debug:
msg: "User verification service is working (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`)"

16
roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml Normal file
View File

@ -0,0 +1,16 @@
---
- ansible.builtin.include_role:
name: custom/matrix-base
tasks_from: ensure_openssl_installed
- name: Ensure Matrix jitsi base path exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_jitsi_base_path }}", when: true}
when: item.when | bool

51
roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml Normal file
View File

@ -0,0 +1,51 @@
---
- name: Ensure Matrix jitsi-jicofo path exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_jitsi_jicofo_base_path }}", when: true}
- {path: "{{ matrix_jitsi_jicofo_config_path }}", when: true}
when: item.when | bool
- name: Ensure jitsi-jicofo Docker image is pulled
community.docker.docker_image:
name: "{{ matrix_jitsi_jicofo_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure jitsi-jicofo environment variables file created
ansible.builtin.template:
src: "{{ role_path }}/templates/jicofo/env.j2"
dest: "{{ matrix_jitsi_jicofo_base_path }}/env"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
when: matrix_jitsi_enabled | bool
- name: Ensure jitsi-jicofo configuration files created
ansible.builtin.template:
src: "{{ role_path }}/templates/jicofo/{{ item }}.j2"
dest: "{{ matrix_jitsi_jicofo_config_path }}/{{ item }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0644
with_items:
- sip-communicator.properties
- logging.properties
- name: Ensure matrix-jitsi-jicofo.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service"
mode: 0644
register: matrix_jitsi_jicofo_systemd_service_result

25
roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml Normal file
View File

@ -0,0 +1,25 @@
---
- name: Check existence of matrix-jitsi-jicofo service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service"
register: matrix_jitsi_jicofo_service_stat
- when: matrix_jitsi_jicofo_service_stat.stat.exists | bool
block:
- name: Ensure matrix-jitsi-jicofo is stopped
ansible.builtin.service:
name: matrix-jitsi-jicofo
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-jitsi-jicofo.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service"
state: absent
- name: Ensure Matrix jitsi-jicofo paths doesn't exist
ansible.builtin.file:
path: "{{ matrix_jitsi_jicofo_base_path }}"
state: absent

49
roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml Normal file
View File

@ -0,0 +1,49 @@
---
- name: Ensure Matrix jitsi-jvb path exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_jitsi_jvb_base_path }}", when: true}
- {path: "{{ matrix_jitsi_jvb_config_path }}", when: true}
when: item.when | bool
- name: Ensure jitsi-jvb Docker image is pulled
community.docker.docker_image:
name: "{{ matrix_jitsi_jvb_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure jitsi-jvb configuration files created
ansible.builtin.template:
src: "{{ role_path }}/templates/jvb/{{ item }}.j2"
dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0644
with_items:
- custom-sip-communicator.properties
- logging.properties
- name: Ensure jitsi-jvb environment variables file created
ansible.builtin.template:
src: "{{ role_path }}/templates/jvb/env.j2"
dest: "{{ matrix_jitsi_jvb_base_path }}/env"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
- name: Ensure matrix-jitsi-jvb.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service"
mode: 0644

25
roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml Normal file
View File

@ -0,0 +1,25 @@
---
- name: Check existence of matrix-jitsi-jvb service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service"
register: matrix_jitsi_jvb_service_stat
- when: matrix_jitsi_jvb_service_stat.stat.exists | bool
block:
- name: Ensure matrix-jitsi-jvb is stopped
ansible.builtin.service:
name: matrix-jitsi-jvb
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-jitsi-jvb.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service"
state: absent
- name: Ensure Matrix jitsi-jvb paths doesn't exist
ansible.builtin.file:
path: "{{ matrix_jitsi_jvb_base_path }}"
state: absent

85
roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml Normal file
View File

@ -0,0 +1,85 @@
---
- name: Ensure Matrix jitsi-prosody environment exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_jitsi_prosody_base_path }}", when: true}
- {path: "{{ matrix_jitsi_prosody_config_path }}", when: true}
- {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true}
- {path: "{{ matrix_jitsi_prosody_ext_path }}", when: true}
when: item.when | bool
- name: Ensure jitsi-prosody Docker image is pulled
community.docker.docker_image:
name: "{{ matrix_jitsi_prosody_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure jitsi-prosody environment variables file is created
ansible.builtin.template:
src: "{{ role_path }}/templates/prosody/env.j2"
dest: "{{ matrix_jitsi_prosody_base_path }}/env"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
# Configure matrix authentication.
- name: Install user verification plugin
ansible.builtin.include_tasks:
file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_install.yml"
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix"
- name: Manage Jitsi .well-known
when: matrix_jitsi_require_well_known | bool
block:
- name: Ensure .well-known directories exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0775
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_static_files_base_path }}/.well-known/element", when: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"}
when: item.when | bool
# Create .well-known/element/jitsi in the static file directory for nginx-proxy.
- name: Ensure Jitsi /.well-known/element/jitsi configured
ansible.builtin.copy:
content: "{{ matrix_jitsi_wellknown_element_jitsi_json }}"
dest: "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix"
# END Block
# Remove matrix authentication if disabled
- name: Ensure user verification plugin is not present if matrix auth is disabled
ansible.builtin.include_tasks:
file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_uninstall.yml"
when: (not matrix_jitsi_enable_auth | bool) or (matrix_jitsi_auth_type != "matrix")
- name: Ensure matrix-jitsi-prosody.service file is installed
ansible.builtin.template:
src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
mode: 0644
register: matrix_jitsi_prosody_systemd_service_result
# Tasks that require a running prosody container are called in this file.
- name: Run prosody related tasks, that require a running container.
ansible.builtin.include_tasks:
file: "{{ role_path }}/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml"
when:
- matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"

25
roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml Normal file
View File

@ -0,0 +1,25 @@
---
- name: Check if matrix-jitsi-prosody.service file exists
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
register: matrix_jitsi_prosody_service_stat
- when: matrix_jitsi_prosody_service_stat.stat.exists | bool
block:
- name: Ensure matrix-jitsi-prosody is stopped
ansible.builtin.service:
name: matrix-jitsi-prosody
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-jitsi-prosody.service file doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
state: absent
- name: Ensure Matrix jitsi-prosody paths doesn't exist
ansible.builtin.file:
path: "{{ matrix_jitsi_prosody_base_path }}"
state: absent

52
roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml Normal file
View File

@ -0,0 +1,52 @@
---
- name: Ensure Matrix jitsi-web path exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_jitsi_web_base_path }}", when: true}
- {path: "{{ matrix_jitsi_web_config_path }}", when: true}
- {path: "{{ matrix_jitsi_web_transcripts_path }}", when: true}
- {path: "{{ matrix_jitsi_web_crontabs_path }}", when: true}
when: item.when | bool
- name: Ensure jitsi-web Docker image is pulled
community.docker.docker_image:
name: "{{ matrix_jitsi_web_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure jitsi-web environment variables file created
ansible.builtin.template:
src: "{{ role_path }}/templates/web/env.j2"
dest: "{{ matrix_jitsi_web_base_path }}/env"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
- name: Ensure jitsi-web configuration files created
ansible.builtin.template:
src: "{{ role_path }}/templates/web/{{ item }}.j2"
dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0644
with_items:
- custom-config.js
- custom-interface_config.js
- name: Ensure matrix-jitsi-web.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service"
mode: 0644
register: matrix_jitsi_web_systemd_service_result

25
roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml Normal file
View File

@ -0,0 +1,25 @@
---
- name: Check existence of matrix-jitsi-web service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service"
register: matrix_jitsi_web_service_stat
- when: matrix_jitsi_web_service_stat.stat.exists | bool
block:
- name: Ensure matrix-jitsi-web is stopped
ansible.builtin.service:
name: matrix-jitsi-web
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-jitsi-web.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service"
state: absent
- name: Ensure Matrix jitsi-web paths doesn't exist
ansible.builtin.file:
path: "{{ matrix_jitsi_web_base_path }}"
state: absent

17
roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml Normal file
View File

@ -0,0 +1,17 @@
---
#
# Tasks related to configuring Jitsi internal authentication on a running prosody instance.
#
- name: Ensure Jitsi internal authentication users are configured
ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
when:
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
register: matrix_jitsi_user_configuration_result
changed_when: matrix_jitsi_user_configuration_result.rc == 0
no_log: true
#
# Tasks related to clean up after configuring internal authentication.
#

20
roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: Checkout Prosody Auth Matrix User Verification Plugin Repo
ansible.builtin.git:
repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}"
dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}"
become: true
become_user: "{{ matrix_user_username }}"
- name: Install Prosody Auth Matrix User Verification Plugin
ansible.builtin.copy:
remote_src: true
src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}"
dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}"
when: item.when | bool

20
roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_flattened:
- "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
- "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
- "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}"
register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled
- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed
block:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Ensure prosody is restarted later on if currently running
ansible.builtin.set_fact:
matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}"

49
roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml Normal file
View File

@ -0,0 +1,49 @@
---
#####
#
# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands,
# that require a running prosody container.
# The task is called in ../setup_jitsi_prosody_install.yml.
#
# Important: The task is called conditionally, as to only start if really needed.
# So if you add or change anything - remember to also change the 'when' in: ../setup_jitsi_prosody_install.yml
#
#####
#
# Start Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is running
ansible.builtin.systemd:
state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | default(false) | bool else 'started' }}"
name: matrix-jitsi-prosody
register: matrix_jitsi_prosody_start_result
# If the flag was set, we can safely disable now.
- name: Disable require restart flag
ansible.builtin.set_fact:
matrix_jitsi_prosody_require_restart: false
#
# Tasks related to configuring Jitsi internal authentication
#
- name: Ensure internal authentication is properly configured
ansible.builtin.include_tasks:
file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml"
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
#
# Tasks related to ...
#
#
# Stop Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
ansible.builtin.systemd:
state: stopped
name: matrix-jitsi-prosody
when: matrix_jitsi_prosody_start_result.changed | bool

81
roles/custom/matrix-jitsi/tasks/validate_config.yml Normal file
View File

@ -0,0 +1,81 @@
---
- name: Fail if on an unsupported architecture
ansible.builtin.fail:
msg: "Jitsi only supports the amd64 architecture right now. See https://github.com/jitsi/docker-jitsi-meet/issues/1069 and https://github.com/jitsi/docker-jitsi-meet/issues/1214"
when: matrix_jitsi_enabled | bool and matrix_architecture not in ['amd64', 'arm64']
- name: Fail if required Jitsi settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi.
If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
If you had previously setup Jitsi successfully and are only now facing this error,
it means that your installation is most likely using default passwords previously defined by the playbook.
These defaults are insecure. Jitsi should be rebuilt with secure values.
Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
when: "vars[item] == ''"
with_items:
- "matrix_jitsi_jibri_xmpp_password"
- "matrix_jitsi_jibri_recorder_password"
- "matrix_jitsi_jicofo_auth_password"
- "matrix_jitsi_jvb_auth_password"
- name: Fail if authentication is enabled, but not properly configured.
ansible.builtin.fail:
msg: >-
You have enabled authentication, but the configured auth type is missing required configuration.
Auth type 'internal':
At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
Auth type 'matrix':
If you want to enable matrix_user_verification in jitsi,
please provide an auth token for the user verification service (uvs) using `matrix_jitsi_prosody_auth_matrix_uvs_auth_token`.
If the user-verfication-service is also managed by this playbook the token is derived from `matrix_homeserver_generic_secret_key` in the group vars.
when:
- matrix_jitsi_enable_auth | bool
- ((matrix_jitsi_auth_type == 'internal' and matrix_jitsi_prosody_auth_internal_accounts|length == 0)
or (matrix_jitsi_auth_type == 'matrix' and matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0))
- name: (Deprecation) Catch and report renamed settings
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items:
- {'old': 'matrix_jitsi_web_config_constraints_enabled', 'new': '<Now unnecessary. Constraints are always applied automatically>'}
- {'old': 'matrix_jitsi_web_config_constraints_video_aspectRatio', 'new': '<Not applicable anymore>'}
- {'old': 'matrix_jitsi_web_config_constraints_video_height_ideal', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'}
- {'old': 'matrix_jitsi_web_config_constraints_video_height_max', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'}
- {'old': 'matrix_jitsi_web_config_constraints_video_height_min', 'new': 'matrix_jitsi_web_config_resolution_height_min'}
- {'old': 'matrix_jitsi_web_config_disableAudioLevels', 'new': '<Can be set by using matrix_jitsi_web_custom_config_extension. Example in docs/configuring-playbook-jitsi.md>'}
- {'old': 'matrix_jitsi_web_config_enableLayerSuspension', 'new': '<Can be set by using matrix_jitsi_web_custom_config_extension. Example in docs/configuring-playbook-jitsi.md>'}
- {'old': 'matrix_jitsi_web_config_channelLastN', 'new': '<Can be set by using matrix_jitsi_web_custom_config_extension. Example in docs/configuring-playbook-jitsi.md>'}
- {'old': 'matrix_jitsi_web_config_testing_p2pTestMode', 'new': '<Can be set by using matrix_jitsi_web_custom_config_extension>'}
- {'old': 'matrix_jitsi_web_config_start_with_audio_muted', 'new': '<Superseded by matrix_jitsi_web_config_start_audio_muted_after_nth_participant>'}
- {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': '<Superseded by matrix_jitsi_web_config_start_video_muted_after_nth_participant>'}
- {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': '<Not applicable anymore>'}
- {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': '<Not applicable anymore>'}
- {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'}
- {'old': 'matrix_jitsi_web_interface_config_lang_detection', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_show_jitsi_watermark', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_jitsi_watermark_link', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_show_brand_watermark', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_brand_watermark_link', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_display_welcome_page_content', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_app_name', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_native_app_name', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_provider_name', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_show_powered_by', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_disable_transcription_subtitles', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}
- {'old': 'matrix_jitsi_web_interface_config_show_deep_linking_image', 'new': '<Deprecated, use matrix_jitsi_web_custom_interface_config_extension instead'}

38
roles/custom/matrix-jitsi/templates/jicofo/env.j2 Normal file
View File

@ -0,0 +1,38 @@
AUTH_TYPE={{ matrix_jitsi_auth_type }}
BRIDGE_AVG_PARTICIPANT_STRESS
BRIDGE_STRESS_THRESHOLD
ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
ENABLE_AUTO_OWNER
ENABLE_CODEC_VP8
ENABLE_CODEC_VP9
ENABLE_CODEC_H264
ENABLE_OCTO
ENABLE_RECORDING
ENABLE_SCTP
ENABLE_AUTO_LOGIN
JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
JICOFO_ENABLE_HEALTH_CHECKS
JICOFO_SHORT_ID
JICOFO_RESERVATION_ENABLED
JICOFO_RESERVATION_REST_BASE_URL
JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }}
JIBRI_REQUEST_RETRIES
JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }}
JIGASI_BREWERY_MUC
JIGASI_SIP_URI
JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
MAX_BRIDGE_PARTICIPANTS
OCTO_BRIDGE_SELECTION_STRATEGY
SENTRY_DSN={{ matrix_jitsi_jicofo_sentry_dsn }}
SENTRY_ENVIRONMENT
SENTRY_RELEASE
TZ={{ matrix_jitsi_timezone }}
XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
XMPP_SERVER={{ matrix_jitsi_xmpp_server }}

27
roles/custom/matrix-jitsi/templates/jicofo/logging.properties.j2 Normal file
View File

@ -0,0 +1,27 @@
{% raw %}
{{ if .Env.SENTRY_DSN | default "0" | toBool }}
handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler
{{ else }}
handlers= java.util.logging.ConsoleHandler
{{ end }}
{% endraw %}
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
net.java.sip.communicator.util.ScLogFormatter.programname=Jicofo
.level=INFO
net.sf.level=SEVERE
net.java.sip.communicator.plugin.reconnectplugin.level=FINE
org.ice4j.level=SEVERE
org.jitsi.impl.neomedia.level=SEVERE
io.sentry.jul.SentryHandler.level=WARNING
# Do not worry about missing strings
net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE
#net.java.sip.communicator.service.protocol.level=ALL
# Enable debug packets logging
#org.jitsi.impl.protocol.xmpp.level=FINE

33
roles/custom/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 Normal file
View File

@ -0,0 +1,33 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix jitsi-jicofo server
{% for service in matrix_jitsi_jicofo_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null || true'
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-jicofo \
--log-driver=none \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_jitsi_jicofo_base_path }}/env \
--mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \
{% for arg in matrix_jitsi_jicofo_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_jitsi_jicofo_docker_image }}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-jitsi-jicofo
[Install]
WantedBy=multi-user.target

9
roles/custom/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 Normal file
View File

@ -0,0 +1,9 @@
org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true
org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }}
org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }}
org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90
{% if matrix_jitsi_enable_auth %}
org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }}
{% endif %}

7
roles/custom/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 Normal file
View File

@ -0,0 +1,7 @@
org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.STATISTICS_INTERVAL=5000
{{ matrix_jitsi_jvb_custom_config_extension }}

31
roles/custom/matrix-jitsi/templates/jvb/env.j2 Normal file
View File

@ -0,0 +1,31 @@
DOCKER_HOST_ADDRESS
ENABLE_COLIBRI_WEBSOCKET
ENABLE_OCTO
JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }}
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }}
JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }}
{% if matrix_jitsi_jvb_stun_servers|length > 0 %}
JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }}
{% endif %}
JVB_OCTO_BIND_ADDRESS
JVB_OCTO_PUBLIC_ADDRESS
JVB_OCTO_BIND_PORT
JVB_OCTO_REGION
JVB_WS_DOMAIN
JVB_WS_SERVER_ID={{ matrix_jitsi_jvb_server_id }}
PUBLIC_URL={{ matrix_jitsi_web_public_url }}
SENTRY_DSN={{ matrix_jitsi_jvb_sentry_dsn }}
SENTRY_ENVIRONMENT
SENTRY_RELEASE
COLIBRI_REST_ENABLED
SHUTDOWN_REST_ENABLED
TZ={{ matrix_jitsi_timezone }}
XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
{{ matrix_jitsi_jvb_environment_variables_extension }}

20
roles/custom/matrix-jitsi/templates/jvb/logging.properties.j2 Normal file
View File

@ -0,0 +1,20 @@
{% raw %}
{{ if .Env.SENTRY_DSN | default "0" | toBool }}
handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler
{{ else }}
handlers= java.util.logging.ConsoleHandler
{{ end }}
{% endraw %}
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
net.java.sip.communicator.util.ScLogFormatter.programname=JVB
.level=INFO
org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE
io.sentry.jul.SentryHandler.level=WARNING
# All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge.
org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING

43
roles/custom/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 Normal file
View File

@ -0,0 +1,43 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix jitsi-jvb server
{% for service in matrix_jitsi_jvb_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null || true'
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-jitsi-jvb \
--log-driver=none \
--network={{ matrix_docker_network }} \
--network-alias=jvb.meet.jitsi \
--env-file={{ matrix_jitsi_jvb_base_path }}/env \
{% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %}
-p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \
{% endif %}
{% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %}
-p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \
{% endif %}
{% if matrix_jitsi_jvb_container_colibri_ws_host_bind_port %}
-p {{ matrix_jitsi_jvb_container_colibri_ws_host_bind_port }}:9090 \
{% endif %}
--mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \
{% for arg in matrix_jitsi_jvb_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_jitsi_jvb_docker_image }}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-jitsi-jvb
[Install]
WantedBy=multi-user.target

Some files were not shown because too many files have changed in this diff Show More