Compare commits

...

87 Commits

Author SHA1 Message Date
fe3c012906
feat: add automatic creation of reverse-proxy routing 2021-10-07 07:56:21 +02:00
8b34271557
meta: move inventory structure to be more usable 2021-10-07 07:55:19 +02:00
109e38d1ab
meta: add own inventory, add vault-unlock with GPG 2021-10-07 07:55:18 +02:00
Slavi Pantaleev
2bf052369d Upgrade certbot (v1.19.0 -> v1.20.0) 2021-10-06 15:14:38 +03:00
Slavi Pantaleev
278bbae4d5 Upgrade Synapse (1.43.0 -> 1.44.0) 2021-10-05 17:13:21 +03:00
Slavi Pantaleev
bad2c5296e
Merge pull request #1312 from HarHarLinks/patch-4
add how to generate htpasswd
2021-10-05 11:29:44 +03:00
Slavi Pantaleev
6adc028d52
Merge pull request #1313 from GoMatrixHosting/gomatrixhosting-testing
Gomatrixhosting testing
2021-10-05 07:14:42 +03:00
Michael Collins
71b404d9df merge upstream 2021-10-05 11:39:29 +08:00
Michael Collins
e3183ba267 Merge remote-tracking branch 'upstream/master' into gomatrixhosting-testing 2021-10-05 11:39:07 +08:00
Kim Brose
1ba7760ea4
add how to generate htpasswd
for matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key
resolves #1308
2021-10-04 22:18:05 +02:00
Michael Collins
871df86068 simulate update 2021-10-04 21:07:05 +08:00
Michael Collins
56ad50cb97 test update 2021-10-04 20:26:07 +08:00
Michael Collins
01a136692f simulate update 2021-10-04 18:49:41 +08:00
Slavi Pantaleev
d38c0e121b
Merge pull request #1309 from HarHarLinks/patch-3
doc: how to export node and postgres sans grafana
2021-10-04 13:00:55 +03:00
Kim Brose
6b0f739e9a
move advanced metrics exporting to new section 2021-10-04 11:58:27 +02:00
Kim Brose
2e16080f41
doc: how to export node and postgres sans grafana 2021-10-04 00:00:29 +02:00
Michael Collins
40506d5c5a no log 2021-10-02 12:43:14 +08:00
Slavi Pantaleev
b5d8444764 Add self-building support to matrix-bridge-appservice-webhooks 2021-10-01 16:37:37 +03:00
Michael Collins
c8744ef9a9 update deploy role for new awx token authentication method 2021-10-01 18:56:38 +08:00
Slavi Pantaleev
096c960b84 Add support for Postgres v14 2021-10-01 11:27:40 +03:00
Slavi Pantaleev
256d3ffec5
Merge pull request #1304 from apmechev/update-linkedin-0.5.1
Upgrade LinkedIn (0.5.0 -> 0.5.1)
2021-10-01 10:15:08 +03:00
Slavi Pantaleev
3474d0c809
Merge pull request #1303 from hifi/feature/heisenbridge-1.2.1
Upgrade Heisenbridge (1.2.0 -> 1.2.1)
2021-09-30 09:27:08 +03:00
Toni Spets
3119ef4574 Upgrade Heisenbridge (1.2.0 -> 1.2.1) 2021-09-30 08:42:58 +03:00
Slavi Pantaleev
b4b14539a7 Use ntp (instead of systemd-timesyncd) on Ubuntu 18.04
Seems like Ubuntu 18.04 does not have a dedicated `systemd-timesyncd` package, nor
does it include the `systemd-timesyncd` binary in the main `systemd` package.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1302

Regression since https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1192
2021-09-28 13:38:27 +03:00
Alexandar Mechev
f02c08dc7f Upgrade LinkedIn (0.5.0 -> 0.5.1) 2021-09-28 11:07:43 +02:00
Slavi Pantaleev
1c8ec8d080
Merge pull request #1301 from gryphius/gryphius-element-1.9.0
Upgrade Element (1.8.5 -> 1.9.0)
2021-09-28 09:04:30 +03:00
Oli
59d4532efb
Upgrade Element (1.8.5 -> 1.9.0) 2021-09-28 07:40:00 +02:00
Slavi Pantaleev
5e867f150e
Merge pull request #1299 from KloolK/patch-2
Archlinux: remove package systemd-timesyncd
2021-09-26 14:50:15 +03:00
Jan
0ed585baa7
Archlinux: remove package systemd-timesyncd
#1192 lead to the following error for me on Archlinux:
`TASK [matrix-base : Install host dependencies] *******************************************************************************************************************************
fatal: [matrix.***.de]: FAILED! => changed=false 
  msg: |-
    failed to install systemd-timesyncd: error: target not found: systemd-timesyncd`

There is no package called `systemd-timesyncd` on Archlinux. The service is installed with the [`systemd`](https://archlinux.org/packages/core/x86_64/systemd/) package itself.

I suggest removing the `systemd-timesyncd` from 2453876eb9/roles/matrix-base/tasks/server_base/setup_archlinux.yml (L7)
2021-09-26 11:48:03 +02:00
Slavi Pantaleev
31396f0615
Merge pull request #1295 from nogweii/feat-support-upstream-https-forwarded
Support trusting the upstream server when it says the protocol is HTTPS
2021-09-26 09:54:15 +03:00
Slavi Pantaleev
4f841a7001
Merge pull request #1192 from sakkiii/patch-1
migrate from ntp to systemd-timesyncd for ubuntu & Archlinux
2021-09-25 10:15:40 +03:00
Slavi Pantaleev
62ce06e28c
Merge pull request #1298 from GoMatrixHosting/gomatrixhosting-testing
GoMatrixHosting v0.6.0
2021-09-25 09:35:53 +03:00
Slavi Pantaleev
72688a49da
Merge pull request #1297 from aaronraimist/fix-hydrogen-typo
Fix hydrogen OCSP typo
2021-09-25 08:58:37 +03:00
Michael Collins
9a4187c852 Merge remote-tracking branch 'upstream/master' into gomatrixhosting-testing 2021-09-25 10:56:26 +08:00
Aaron Raimist
a676b5358c
Fix hydrogen OCSP typo
From 6f80292745
2021-09-24 20:09:06 -05:00
Colin Shea
2578ca4cee rename matrix_nginx_proxy_x_forwarded_header_value -> matrix_nginx_proxy_x_forwarded_proto_value 2021-09-24 05:22:30 -07:00
Colin Shea
120b49a2b2 update docs 2021-09-24 05:18:11 -07:00
Colin Shea
d0cd67044e replace $scheme with X-Forwarded-Proto when enabled 2021-09-24 05:14:38 -07:00
Slavi Pantaleev
11398dc1a6
Merge pull request #1292 from HarHarLinks/patch-2
Fix typo
2021-09-24 09:33:30 +03:00
Slavi Pantaleev
4b500ffb43
Merge pull request #1291 from hifi/feature/heisenbridge-1.2.0
Upgrade Heisenbridge (1.1.1 -> 1.2.0)
2021-09-24 09:31:13 +03:00
Kim Brose
11b215f8ec
Fix typo 2021-09-23 21:39:42 +02:00
Toni Spets
ff63f4efce Upgrade Heisenbridge (1.1.1 -> 1.2.0) 2021-09-23 10:18:46 +03:00
Michael Collins
33c471477f remove commented section 2021-09-22 09:44:52 +08:00
Michael Collins
6902ee5aa7 add rotate ssh module to matrix-awx 2021-09-19 17:12:12 +08:00
Michael Collins
8339103594 revert unneeded changes 2021-09-04 15:08:07 +08:00
Michael Collins
7724247152 Merge branch 'testing' into 'main'
Merge Upstream - Bump Coturn version tag (4.5.2-r2 -> 4.5.2-r3)

See merge request GoMatrixHosting/matrix-docker-ansible-deploy!5
2021-09-04 06:30:06 +00:00
Michael Collins
ca705cf9dd Merge remote-tracking branch 'upstream/master' into testing 2021-09-04 14:24:13 +08:00
sakkiii
2453876eb9
Update main.yml 2021-08-31 16:24:26 +05:30
sakkiii
087a5d62f1
systemd-timesyncd for any archlinux version 2021-08-31 15:53:59 +05:30
Michael Collins
6ecd947c72 remove delete subscription section 2021-08-24 19:05:58 +08:00
Michael Collins
463e9a6196 woops bool not bools 2021-08-24 18:48:43 +08:00
Michael Collins
f19856e125 change template name 2021-08-24 18:35:49 +08:00
Michael Collins
c6f8bc5d83 missing one template from deletion section 2021-08-24 18:35:00 +08:00
Michael Collins
a49da05cf9 delegate locally 2021-08-24 18:20:26 +08:00
Michael Collins
ef4b5a187d alter delete_job_template template 2021-08-24 14:33:50 +08:00
Michael Collins
b120b8aeba delay these till the next playbook 2021-08-24 14:27:50 +08:00
Michael Collins
3125ee56e2 add abort_deletion.yml task list 2021-08-20 13:27:10 +08:00
Michael Collins
e75ecd858d launch cleanup job after deleting subscription 2021-08-20 11:14:15 +08:00
Michael Collins
a37e5b6d60 job templates cant delete themselves 2021-08-20 09:58:55 +08:00
Michael Collins
14effd5e2b delegate delete tasks locally 2021-08-20 09:35:12 +08:00
Michael Collins
312bcc444b no log 2021-08-20 09:28:54 +08:00
Michael Collins
92b26ec846 check if matrix_vars.yml file exists 2021-08-19 18:05:47 +08:00
Michael Collins
7203d4ec21 replace module only if file exists 2021-08-19 18:01:26 +08:00
Michael Collins
9ac5ad148a merge upstream 2021-08-19 17:38:38 +08:00
Michael Collins
b2f96df1a9 end play after deleting subscription in AWX 2021-08-19 17:13:34 +08:00
Michael Collins
fa43d04ad7 syntax error 2021-08-19 17:02:28 +08:00
Michael Collins
7b9929e17b add << SUBSCRIPTION DELETION IN PROGRESS >> job template 2021-08-19 16:55:58 +08:00
Michael Collins
517ecbf0d1 move delete-subscription to deploy 2021-08-18 21:07:44 +08:00
Michael Collins
d93b2109f4 ehh? 2021-08-18 06:25:49 +08:00
Michael Collins
bdf10462d2 Merge remote-tracking branch 'upstream/master' 2021-08-17 16:24:34 +08:00
Michael Collins
50441346d3 herp 2021-08-17 16:12:16 +08:00
Michael Collins
41c335b967 merge upstream 2021-08-17 13:20:39 +08:00
Michael Collins
8c17a65e55 testing 2 2021-08-16 15:56:27 +08:00
Michael Collins
8504ad2228 change for testing 2021-08-16 15:31:34 +08:00
Michael Collins
ea4af65ceb herp 2021-08-16 15:20:32 +08:00
Michael Collins
662438ba6e Merge branch 'testing-v0.5.8' into 'main'
comment to trigger update

See merge request GoMatrixHosting/matrix-docker-ansible-deploy!3
2021-08-16 06:08:38 +00:00
Michael Collins
5d77e76e77 comment to trigger update 2021-08-16 14:07:31 +08:00
Michael Collins
157b70673c Merge branch 'testing' into 'main'
revert to previous version

See merge request GoMatrixHosting/matrix-docker-ansible-deploy!2
2021-08-15 10:36:18 +00:00
Michael Collins
59b61f6cc2 revert to previous version 2021-08-15 18:33:29 +08:00
Michael Collins
326802ac21 Merge branch 'testing-v0.5.8' into 'main'
Testing v0.5.8

See merge request GoMatrixHosting/matrix-docker-ansible-deploy!1
2021-08-15 05:21:38 +00:00
Michael Collins
53384b5a97 add comment 2 2021-08-15 12:58:17 +08:00
Michael Collins
7491508d63 add comment 2021-08-14 21:12:47 +08:00
Michael Collins
98e6cd685d sync with previous repo 2021-08-13 16:05:57 +08:00
Michael Collins
83a90f1cd1 Initial commit 2021-08-13 08:00:23 +00:00
sakkiii
4a2b169fc9
systemd-timesyncd for ubuntu 2021-07-22 23:42:53 +05:30
sakkiii
7f0b8fef0a
Merge branch 'spantaleev:master' into patch-1 2021-07-21 23:50:19 +05:30
sakkiii
5209a17da1
migrate from ntp to chrony 2021-07-19 23:11:30 +05:30
64 changed files with 952 additions and 192 deletions

4
.gitignore vendored
View File

@ -1,7 +1,3 @@
/inventory/*
!/inventory/.gitkeep
!/inventory/host_vars/.gitkeep
!/inventory/scripts
/roles/*/files/scratchpad /roles/*/files/scratchpad
.DS_Store .DS_Store
.python-version .python-version

View File

@ -1,6 +1,11 @@
[defaults] [defaults]
vault_password_file = gpg/open_vault.sh
retry_files_enabled = False retry_files_enabled = False
stdout_callback = yaml stdout_callback = yaml
inventory = inventory/hosts
[connection] [connection]
pipelining = True pipelining = True

View File

@ -26,7 +26,7 @@ The following repositories allow you to copy and use this setup:
Updates to this section are trailed here: Updates to this section are trailed here:
[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy) [GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy)
## Does I need an AWX setup to use this? How do I configure it? ## Does I need an AWX setup to use this? How do I configure it?

View File

@ -108,6 +108,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default. # Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`. # An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
matrix_coturn_enabled: false matrix_coturn_enabled: false
# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
matrix_nginx_proxy_trust_forwarded_proto: true
``` ```
With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.

View File

@ -56,8 +56,40 @@ Name | Description
`matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics`
`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`)
`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable)
`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`). `matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`)
### Collecting system and Postgres metrics to an external Prometheus server (advanced)
When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats.
It would be possible to use `matrix_prometheus_node_exporter_container_http_host_bind_port` etc., but that is not always the best choice, for example because your server is on a public network.
Use the following variables in addition to the ones mentioned above:
Name | Description
-----|----------
`matrix_nginx_proxy_proxy_grafana_enabled`|Set this to `true` to make the stats subdomain (`matrix_server_fqn_grafana`) available via the Nginx proxy
`matrix_ssl_additional_domains_to_obtain_certificates_for`|Add `"{{ matrix_server_fqn_grafana }}"` to this list to have letsencrypt fetch a certificate for the stats subdomain
`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter
`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the Postgres exporter
`matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks`|Add locations to this list depending on which of the above exporters you enabled (see below)
```nginx
matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks:
- 'location /node-exporter/ {
resolver 127.0.0.11 valid=5s;
proxy_pass http://matrix-prometheus-node-exporter:9100/;
auth_basic "protected";
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
}'
- 'location /postgres-exporter/ {
resolver 127.0.0.11 valid=5s;
proxy_pass http://matrix-prometheus-postgres-exporter:9187/;
auth_basic "protected";
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
}'
```
You can customize the `location`s to your liking, just point your Prometheus to there later (e.g. `stats.DOMAIN/node-exporter/metrics`). Nginx is very picky about the `proxy_pass`syntax: take care to follow the example closely and note the trailing slash as well as absent use of variables. postgres-exporter uses the nonstandard port 9187.
## More information ## More information

View File

@ -60,7 +60,7 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user;
It can be worked around by changing the username to `synapse`, for example by using `sed`: It can be worked around by changing the username to `synapse`, for example by using `sed`:
```Shell ```Shell
$ sed -i "s/synapse_user/synapse/g" homeserver.sql" $ sed -i "s/synapse_user/synapse/g" homeserver.sql
``` ```
This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead.

View File

@ -22,6 +22,7 @@ List of roles where self-building the Docker image is currently possible:
- `matrix-mailer` - `matrix-mailer`
- `matrix-bridge-appservice-irc` - `matrix-bridge-appservice-irc`
- `matrix-bridge-appservice-slack` - `matrix-bridge-appservice-slack`
- `matrix-bridge-appservice-webhooks`
- `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-facebook`
- `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-hangouts`
- `matrix-bridge-mautrix-telegram` - `matrix-bridge-mautrix-telegram`

5
gpg/open_vault.sh Executable file
View File

@ -0,0 +1,5 @@
#!/bin/bash
set -e -u
gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

18
gpg/vault_passphrase.gpg Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN PGP MESSAGE-----
hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
+rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
=Cecg
-----END PGP MESSAGE-----

View File

@ -104,6 +104,8 @@ matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_
# We don't enable bridges by default. # We don't enable bridges by default.
matrix_appservice_webhooks_enabled: false matrix_appservice_webhooks_enabled: false
matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-webhooks' client-server port to the local host. # matrix-appservice-webhooks' client-server port to the local host.

View File

@ -0,0 +1,339 @@
#
# General config
# Domain of the matrix server and SSL config
#
matrix_domain: finallycoffee.eu
matrix_ssl_retrieval_method: none
matrix_nginx_proxy_enabled: false
matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
matrix_server_fqn_element: "chat.{{ matrix_domain }}"
web_user: "web"
revproxy_autoload_dir: "/vault/services/web/sites.d"
#matrix_client_element_version: v1.8.4
#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.37.1"
#matrix_mautrix_telegram_version: v0.10.0
#
# General Synapse config
#
matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
# A secret used to protect access keys issued by the server.
matrix_synapse_macaroon_secret_key: "{{ vault_matrix_synapse_macaroon_secret_key }}"
# Make synapse accept larger media aswell
matrix_synapse_max_upload_size_mb: 100
# Enable metrics at (default) :9100/_synapse/metrics
matrix_synapse_metrics_enabled: true
matrix_synapse_enable_group_creation: true
matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
matrix_synapse_turn_uris:
- "turns:voip.matrix.finallycoffee.eu?transport=udp"
- "turns:voip.matrix.finallycoffee.eu?transport=tcp"
# Auto-join all users into those rooms
matrix_synapse_auto_join_rooms:
- "#welcome:finallycoffee.eu"
- "#announcements:finallycoffee.eu"
## Synapse rate limits
matrix_synapse_rc_federation:
window_size: 1000
sleep_limit: 25
sleep_delay: 500
reject_limit: 50
concurrent: 5
matrix_synapse_rc_message:
per_second: 0.5
burst_count: 25
## Synapse cache tuning
matrix_synapse_caches_global_factor: 0.7
matrix_synapse_event_cache_size: "200K"
## Synapse workers
matrix_synapse_workers_enabled: true
matrix_synapse_workers_preset: "little-federation-helper"
matrix_synapse_workers_generic_worker_client_server_count: 0
matrix_synapse_workers_media_repository_workers_count: 0
matrix_synapse_workers_federation_sender_workers_count: 1
matrix_synapse_workers_pusher_workers_count: 0
matrix_synapse_workers_appservice_workers_count: 1
# Static secret auth for matrix-synapse-shared-secret-auth
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
# Enable experimental spaces support
matrix_synapse_configuration_extension_yaml: |
experimental_features:
spaces_enabled: true
#
# synapse-admin tool
#
matrix_synapse_admin_enabled: true
matrix_synapse_admin_container_http_host_bind_port: 8985
#
# VoIP / CoTURN config
#
# A shared secret (between Synapse and Coturn) used for authentication.
matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
# Disable coturn, as we use own instance
matrix_coturn_enabled: false
#
# dimension (integration manager) config
#
matrix_dimension_enabled: true
matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
matrix_dimension_configuration_extension_yaml: |
telegram:
botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
#
# mautrix-whatsapp config
#
matrix_mautrix_whatsapp_enabled: true
matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
matrix_mautrix_whatsapp_container_extra_arguments:
- "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
matrix_mautrix_whatsapp_configuration_extension_yaml: |
bridge:
displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
max_connection_attempts: 5
connection_timeout: 30
contact_wait_delay: 5
private_chat_portal_meta: true
login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
logging:
print_level: info
metrics:
enabled: true
listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
whatsapp:
os_name: Linux mautrix-whatsapp
browser_name: Chrome
#
# mautrix-telegram config
#
matrix_mautrix_telegram_enabled: true
matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
matrix_mautrix_telegram_container_extra_arguments:
- "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
- "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
matrix_mautrix_telegram_configuration_extension_yaml: |
bridge:
displayname_template: "{displayname} (via Telegram)"
parallel_file_transfer: false
inline_images: false
image_as_file_size: 20
delivery_receipts: true
login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
animated_sticker:
target: webm
encryption:
allow: true
default: true
permissions:
"@transcaffeine:finallycoffee.eu": "admin"
"gruenhage.xyz": "full"
logging:
root:
level: INFO
metrics:
enabled: true
listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
# permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
#
# mautrix-signal config
#
matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
matrix_mautrix_signal_container_extra_arguments:
- "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
matrix_mautrix_signal_configuration_extension_yaml: |
bridge:
displayname_template: "{displayname} (via Signal)"
community_id: "+signal:finallycoffee.eu"
encryption:
allow: true
default: true
key_sharing:
allow: true
require_verification: false
delivery_receipts: true
logging:
root:
level: INFO
metrics:
enabled: true
listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
#
# mx-puppet-instagram configuration
#
matrix_mx_puppet_instagram_enabled: true
matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
matrix_mx_puppet_instagram_container_extra_arguments:
- "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
matrix_mx_puppet_instagram_configuration_extension_yaml: |
bridge:
enableGroupSync: true
avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
metrics:
enabled: true
port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
path: /metrics
presence:
enabled: true
interval: 3000
#
# mx-puppet-skype configuration
#
matrix_mx_puppet_skype_enabled: true
matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
matrix_mx_puppet_skype_container_extra_arguments:
- "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
matrix_mx_puppet_skype_configuration_extension_yaml: |
bridge:
enableGroupSync: true
avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
metrics:
enabled: true
port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
path: /metrics
#
# mx-puppet-discord configuration
#
matrix_mx_puppet_discord_enabled: true
matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
matrix_mx_puppet_discord_container_extra_arguments:
- "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
matrix_mx_puppet_discord_configuration_extension_yaml: |
bridge:
enableGroupSync: true
avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
metrics:
enabled: true
port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
path: /metrics
limits:
maxAutojoinUsers: 500
roomUserAutojoinDelay: 50
presence:
enabled: true
interval: 3000
#
# mx-puppet-slack configuration
#
matrix_mx_puppet_slack_enabled: true
matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
matrix_mx_puppet_slack_container_extra_arguments:
- "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
- "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
matrix_mx_puppet_slack_configuration_extension_yaml: |
bridge:
enableGroupSync: true
metrics:
enabled: true
port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
path: /metrics
limits:
maxAutojoinUsers: 500
roomUserAutojoinDelay: 50
presence:
enabled: true
interval: 3000
#
# Element web configuration
#
# Branding config
matrix_client_element_brand: "Chat"
matrix_client_element_default_theme: "dark"
matrix_client_element_themes_enabled: true
matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
matrix_client_element_welcome_text: |
Decentralised, encrypted chat &amp; collaboration,<br />
hosted on finallycoffee.eu, powered by element.io &amp;
<a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
<img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
</a>
matrix_client_element_welcome_logo: "welcome/images/logo.png"
matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
matrix_client_element_branding_authHeaderLogoUrl: "welcome/images/logo.png"
matrix_client_element_branding_welcomeBackgroundUrl: "welcome/images/background.jpg"
matrix_client_element_container_extra_arguments:
- "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcomeBackgroundUrl }}:ro"
- "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_authHeaderLogoUrl }}:ro"
# Integration and capabilites config
matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
matrix_client_element_integrations_widgets_urls:
- "https://{{ matrix_server_fqn_dimension }}/widgets"
- "https://scalar.vector.im/api"
matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
matrix_client_element_disable_custom_urls: false
matrix_client_element_roomdir_servers:
- "matrix.org"
- "finallycoffee.eu"
- "entropia.de"
matrix_client_element_enable_presence_by_hs_url:
https://matrix.org: false
# Matrix ma1sd extended configuration
matrix_ma1sd_configuration_extension_yaml: |
hashing:
enabled: true
pepperLength: 20
rotationPolicy: per_requests
requests: 10
hashStorageType: sql
algorithms:
- none
- sha256
# Matrix mail notification relay setup
matrix_mailer_enabled: true
matrix_mailer_sender_address: "Matrix on finallycoffee.eu <system-matrix@{{ matrix_domain }}>"
matrix_mailer_relay_use: true
matrix_mailer_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
matrix_mailer_relay_host_port: 587
matrix_mailer_relay_auth: true
matrix_mailer_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
matrix_mailer_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

View File

@ -0,0 +1,100 @@
$ANSIBLE_VAULT;1.1;AES256
64343261653838626666353837393238353033353632393763363634303466613033376235386235
6333386536323034643139656232636133386463393264300a663333333237656337343562366336
66663064393930656566396636333430373233373362346339383866623066316133323366663961
3732666162363238300a636230346163656334393063343030333064393962663431326461653239
36653030393234623335313335383832646463663835653035303765633064666435373464653336
31323433373734633531353562333065623039623633633163376235353737343935623133326663
65333761383130336165356439623066363964313033666433316231663533393532333738333430
36633463343335366364343565353862363531376539626237613263303331323631333366363830
33613937346531323139343166613839366233383663363732353561643238383362353964373135
61633430353037316266343962376238383238366562323764373135646365383030626130383433
32313263663165656366313633653431663332636532656465623465353062643934343738633434
63346333326331633830363663666631326466353138646233383235313532383864633233613134
39363734353165653065343938643861646630376334303832613163663265373839323765396234
38633336393739666565346565343865346233373639363530383533386533616337373033613865
66353434653262663263326237626265636430646630313866383532376264383933343933326264
65316337323863343935306138343462336666313332396439656234613831356262663630663038
31376539653638333263333933633134303734656662343039396563343636366433396130653830
33326539636432646438613236356430343435623539333062666630373265306635343233646333
39653934323738303239643834663463396165656235393437396635623131316532333465316231
65373130393463383932383837383830656637653963666638653665356437303239376262613062
34613830613164323365636461303035616136636330323531383164376334363862383762366665
62643839333662373461363038326436616639326264633735316139346536373839666236653634
30376536386137636336363562376339393261373739333162373461656364353139626339346637
30366431336534663037653438376330346238636562383932653561306134626566333861333630
39633536653233393161333136316564623631313839633461333438633166363064303238663464
65353338353464313635333934623833303965393462373530303666643537336662376266613434
37356664616539323631373535316434383361323935376638666437646538316537613030653231
62636263663935646466383663306535626465633239366562373038356366366331333537333663
64363130386535306362646533393161643737366662313631623132356465636565313530353363
35366165383837326564623363636632616331393834313130303937303664353436363266323033
61373532383962393937666261626263666631346235646237656337363831633734623733633835
39613736373031633263396530626566303665343039663866333632636565633034376366356635
35383633336465636331306232353434653739653339396437363163313630393035366665383263
34353238656563306366336466376363316430636666353965356535653334343630633532313034
64626436643030656335616337653564653331326463383461643739333163613361333133633639
66656137313937356134646362623536363065633564633166343766356436313130373663663334
63626138356562303761323336646332383761646663383032386261623936633661653735343637
35326137343532333635353436376665326633633135656537623631326336353138346136636239
37396135326362613039663136333964626237353562343966383764613231363061333534316233
38636130313261643061613138656235396530656366313132346362383430333734663866383666
61633631353830643565313437306664636262666135353133656531623563616335643737373438
63633235363566616466663262333466383939373336383139643362376365623763386137666332
39353363636437393236303764343337633233386236303563636634353836363537383632306434
33653632373064646361616364323133343138363437373436636232373261663639616330666465
37333130393435613134366437396361363830656137663963643132303334633331633661363061
38356439666161643431356532353334383539353566386333666461663562613231383331623063
33336435636239343663663937353864306363363264663033303539616434333436353134383034
64663533366134306462366565333236383235373233656132396538663437616333343534333166
66646566623734636532666230326530633538656639353262343665316235386534376534386634
65663032303930353661363162373533363762353237393030346238306532326264303636383264
63363063326265396166313533663362346539333532386665316466386131623161313738623239
66386236656561396539356634636234393436323239396330366237333539343761393431336138
66396230656435356365356530343132373861376336346532653063666331343366393761373131
66313864373362326139316461666232386132306535616561663566623963353034313961666266
34373534363834626334386139653532656564333863323363343165643538336430386434613235
64386564643564636530313565326433623365303738386433323463396437653066636134313564
33383035393436393163373864353331376163653137316136376564643066636335313735396664
33623735353438643237333734353766363863313763653737633135353332363066336232363131
33333532653737633033666336326331376561636330643935323636626562303439346338633135
33663035366461336339666665663835373235633338613664636439393837303932643363643830
63333862643430383235663836653161376637373265646463313538386531666362376532663738
62333536383537613562336235666431393164616263303863323834343735326133646131303063
62623836313730363832313764363562306666383337396561633865336561396632303539333166
35623063336534653531303134653630666264333133393864626665623564313466363731316339
36646666653062326665346332373963376439396538396663656130616333316533623331346461
39643862356663316338333662646464353233356635303931626366323831303136366462366133
34303234343064393265303866636137646461336530653733623264383261653864633332346435
62383065353662303564633239326664356364366365626466666266326466333834316437383134
35383261373437643261623533623533326335393932356632653634326432376235393038333464
33626361366565316533663537343237316563343730363632663639623930313963316665663965
33386435663462626435383733383336343064333935356364623436626632356535333430343262
62363136353562633631613965353062363231343037626166363035376530646537646136363730
35303530343361616230383662333139333533333138613834323437636238656538656436623433
38353363336665346637643631663934633061626532376330633731316565336166313936393533
35323535376539633937376532333536323234376632306362633438626565376234353235353836
37663735366165393963313536356437653361306232313736356164656635616333306332356637
39353465633536313539366264646364343231653466346165313863623365333465623336376635
37396663333638356565306439636365653438623935363361356464316663613465303933346537
61303863323631343264613665323866363935383265323562326364346364343133393965333135
33306434646533333662613930666337646330303439333938326433376161613836663237303534
63636139636338656664333034356635653330666362633563366663616661303266326135643036
34383939613035323331366261356531343961303239626365383332313633393561623963643134
30353239356234336635616663313830396133643035663838653837613262616364623637616237
37363662663466396330323830343963366262643339316162643164353430663763613634346233
62303539336433313066346339363163336236373334613938613061613038613466636632336335
35326133373061323164623436623338316466396261393630623466313164393736353566356237
34396530383361613464643461313336663331643438313136353039386263633134616534666464
33373536326637316635326461656130383333613832386662643431666435663565343565616266
35303738656362663266653735373833613765356366626436336437326665396635636335616566
32663733396432656430356335383262613133623066636238623166613839393833616436653936
34306536343664643732356262663435623834313732373564613337373765373130653734386632
35623038623639346564393466393463613238363231663965633037353337353332663464336539
33616131353734663463336436303866306334336339316364313962346430383338306161636462
64303064313135346236346434316333346434303764356237636530663239633631383561393537
66383836326634666362613661353533363432303437663235393336396331356465633031326430
35333263633731626564326430613937343136633562386432396537363663653438333333366135
33333339376165303736643661343535356561353938346131653662363966643839653262363537
38373331353539313463363236383633326138366534313064303739626337343962653830653663
626263633730663932376165333438323835

22
inventory/hosts Normal file
View File

@ -0,0 +1,22 @@
$ANSIBLE_VAULT;1.1;AES256
31336566376336626265653165306635633033376662656164383037383834653239656136333734
3833666339393037323035343565343235396163636166370a643933333933386133366564396465
30393637613164356564393337633361653432333232383664303739363736633435363764343530
3532313739363963660a343434356534316230623133636366386334323465376139363162616238
39396638366262313531653635326361616537396338363533303961623165343931373939306239
31336632643166633662653765333231393461643933306464303165633037343061323636313034
34376631656563646665373566633431366638383863666130323264316337663237343135306236
66323536346164663239343139623430303230333466633437643337343930363530653964626163
38336363633730393136333637383631636266396636646533356262376630646139303636666538
32366437353163663865623234643061313639646162643965393535353938313133326237313265
66646163333535396539646461356334633532313530653834623263386265383765356130333466
30373531306137393935363030313739666536363138363962646565306439393239303030643162
33333166663430393866666439653532623034396130313066383035396535646633366237303264
36356665366461323664373038366364623937386233313039323837666333653764616462333365
31326264633236373937313537633961633164323138356135633765663639323537656263633766
38653836323263386333376131333330326237393666363064326463663961633839393039323835
61306265333232623037356465393133323733363634646364336261326333366239346565366338
61646132333033373866623739343830336164316461646366666237313565626639323537623732
38323830656136323137323530343764666433633432366136643538323832653130376363653135
64376261386635636533353961613335663962306337353866616464613636303735336230623962
3336

View File

@ -24,14 +24,6 @@
mode: '0660' mode: '0660'
tags: use-survey tags: use-survey
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
tags: use-survey
- name: Recreate 'Backup Server' job template - name: Recreate 'Backup Server' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -49,8 +41,8 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
tags: use-survey tags: use-survey
@ -90,6 +82,15 @@
command: borgmatic -c /root/.config/borgmatic/config_2.yaml command: borgmatic -c /root/.config/borgmatic/config_2.yaml
when: matrix_awx_backup_enabled|bool when: matrix_awx_backup_enabled|bool
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook - name: Set boolean value to exit playbook
set_fact: set_fact:
end_playbook: true end_playbook: true

View File

@ -0,0 +1,10 @@
- name: Create a AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: present
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_master_token }}"
register: awx_session_token
no_log: True

View File

@ -23,6 +23,15 @@
/usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }} /usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
register: cmd register: cmd
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Result - name: Result
debug: msg="{{ cmd.stdout }}" debug: msg="{{ cmd.stdout }}"

View File

@ -77,13 +77,6 @@
mode: '0660' mode: '0660'
when: customise_base_domain_website is undefined when: customise_base_domain_website is undefined
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Website + Access Export' job template - name: Recreate 'Configure Website + Access Export' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -101,8 +94,8 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
when: customise_base_domain_website is defined when: customise_base_domain_website is defined
@ -123,8 +116,8 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
when: customise_base_domain_website is undefined when: customise_base_domain_website is undefined

View File

@ -0,0 +1,9 @@
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"

View File

@ -24,6 +24,15 @@
units: days units: days
unique: yes unique: yes
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook - name: Set boolean value to exit playbook
set_fact: set_fact:
end_playbook: true end_playbook: true

View File

@ -9,3 +9,7 @@
file: '/var/lib/awx/projects/hosting/hosting_vars.yml' file: '/var/lib/awx/projects/hosting/hosting_vars.yml'
no_log: True no_log: True
- name: Include AWX master token from awx_tokens.yml
include_vars:
file: /var/lib/awx/projects/hosting/awx_tokens.yml
no_log: True

View File

@ -17,6 +17,15 @@
tags: tags:
- always - always
# Create AWX session token
- include_tasks:
file: "create_session_token.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Perform a backup of the server # Perform a backup of the server
- include_tasks: - include_tasks:
file: "backup_server.yml" file: "backup_server.yml"
@ -25,7 +34,7 @@
when: run_setup|bool and matrix_awx_enabled|bool when: run_setup|bool and matrix_awx_enabled|bool
tags: tags:
- backup-server - backup-server
# Perform a export of the server # Perform a export of the server
- include_tasks: - include_tasks:
file: "export_server.yml" file: "export_server.yml"
@ -62,6 +71,15 @@
tags: tags:
- purge-database - purge-database
# Rotate SSH key if called
- include_tasks:
file: "rotate_ssh.yml"
apply:
tags: rotate-ssh
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- rotate-ssh
# Import configs, media repo from /chroot/backup import # Import configs, media repo from /chroot/backup import
- include_tasks: - include_tasks:
file: "import_awx.yml" file: "import_awx.yml"
@ -179,6 +197,15 @@
tags: tags:
- setup-synapse-admin - setup-synapse-admin
# Delete AWX session token
- include_tasks:
file: "delete_session_token.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Load newly formed matrix variables from AWX volume # Load newly formed matrix variables from AWX volume
- include_tasks: - include_tasks:
file: "load_matrix_variables.yml" file: "load_matrix_variables.yml"

View File

@ -5,18 +5,18 @@
name: dateutils name: dateutils
state: latest state: latest
- name: Ensure dateutils, curl and jq intalled on target machine - name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Ensure curl and jq intalled on target machine
apt: apt:
pkg: pkg:
- curl - curl
- jq - jq
state: present state: present
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Collect before shrink size of Synapse database - name: Collect before shrink size of Synapse database
shell: du -sh /matrix/postgres/data shell: du -sh /matrix/postgres/data
register: db_size_before_stat register: db_size_before_stat
@ -144,13 +144,6 @@
loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}" loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}"
when: purge_mode.find("Number of events [slower]") != -1 when: purge_mode.find("Number of events [slower]") != -1
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Adjust 'Deploy/Update a Server' job template - name: Adjust 'Deploy/Update a Server' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -165,8 +158,8 @@
credential: "{{ member_id }} - AWX SSH Key" credential: "{{ member_id }} - AWX SSH Key"
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
@ -175,8 +168,8 @@
awx.awx.tower_job_launch: awx.awx.tower_job_launch:
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
wait: yes wait: yes
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
@ -194,8 +187,8 @@
credential: "{{ member_id }} - AWX SSH Key" credential: "{{ member_id }} - AWX SSH Key"
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
@ -231,8 +224,8 @@
credential: "{{ member_id }} - AWX SSH Key" credential: "{{ member_id }} - AWX SSH Key"
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
when: (purge_mode.find("Perform final shrink") != -1) when: (purge_mode.find("Perform final shrink") != -1)
@ -241,8 +234,8 @@
awx.awx.tower_job_launch: awx.awx.tower_job_launch:
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
wait: yes wait: yes
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
when: (purge_mode.find("Perform final shrink") != -1) when: (purge_mode.find("Perform final shrink") != -1)
@ -260,8 +253,8 @@
credential: "{{ member_id }} - AWX SSH Key" credential: "{{ member_id }} - AWX SSH Key"
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes
when: (purge_mode.find("Perform final shrink") != -1) when: (purge_mode.find("Perform final shrink") != -1)
@ -308,6 +301,15 @@
msg: "{{ db_size_after_stat.stdout.split('\n') }}" msg: "{{ db_size_after_stat.stdout.split('\n') }}"
when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1) when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1)
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook - name: Set boolean value to exit playbook
set_fact: set_fact:
end_playbook: true end_playbook: true

View File

@ -1,5 +1,5 @@
- name: Ensure dateutils and curl is installed in AWX - name: Ensure dateutils is installed in AWX
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
yum: yum:
name: dateutils name: dateutils
@ -90,6 +90,15 @@
msg: "{{ remote_media_size_after.stdout.split('\n') }}" msg: "{{ remote_media_size_after.stdout.split('\n') }}"
when: matrix_purge_media_type == "Remote Media" when: matrix_purge_media_type == "Remote Media"
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook - name: Set boolean value to exit playbook
set_fact: set_fact:
end_playbook: true end_playbook: true

View File

@ -5,4 +5,3 @@
path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
regexp: 'matrix_synapse_use_presence' regexp: 'matrix_synapse_use_presence'
replace: 'matrix_synapse_presence_enabled' replace: 'matrix_synapse_presence_enabled'

View File

@ -0,0 +1,24 @@
- name: Set the new authorized key taken from file
authorized_key:
user: root
state: present
exclusive: yes
key: "{{ lookup('file', '/var/lib/awx/projects/hosting/client_public.key') }}"
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true
- name: End playbook if this task list is called.
meta: end_play
when: end_playbook is defined and end_playbook|bool

View File

@ -218,13 +218,6 @@
- debug: - debug:
msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}" msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}"
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Corporal (Advanced)' job template - name: Recreate 'Configure Corporal (Advanced)' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -242,6 +235,6 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -82,13 +82,6 @@
dest: '/matrix/awx/configure_dimension.json' dest: '/matrix/awx/configure_dimension.json'
mode: '0660' mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Dimension' job template - name: Recreate 'Configure Dimension' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -106,6 +99,6 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -40,13 +40,6 @@
dest: '/matrix/awx/configure_element.json' dest: '/matrix/awx/configure_element.json'
mode: '0660' mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Element' job template - name: Recreate 'Configure Element' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -64,6 +57,6 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -21,13 +21,6 @@
dest: '/matrix/awx/configure_element_subdomain.json' dest: '/matrix/awx/configure_element_subdomain.json'
mode: '0660' mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Element Subdomain' job template - name: Recreate 'Configure Element Subdomain' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -44,6 +37,6 @@
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}" survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}"
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -22,13 +22,6 @@
dest: '/matrix/awx/configure_jitsi.json' dest: '/matrix/awx/configure_jitsi.json'
mode: '0660' mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Jitsi' job template - name: Recreate 'Configure Jitsi' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -46,6 +39,6 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -79,13 +79,6 @@
dest: '/matrix/awx/configure_ma1sd.json' dest: '/matrix/awx/configure_ma1sd.json'
mode: '0660' mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure ma1sd (Advanced)' job template - name: Recreate 'Configure ma1sd (Advanced)' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -103,7 +96,7 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -21,13 +21,6 @@
dest: '/matrix/awx/configure_email_relay.json' dest: '/matrix/awx/configure_email_relay.json'
mode: '0660' mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Email Relay' job template - name: Recreate 'Configure Email Relay' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -45,6 +38,6 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -200,13 +200,6 @@
dest: '/matrix/awx/configure_synapse.json' dest: '/matrix/awx/configure_synapse.json'
mode: '0660' mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Synapse' job template - name: Recreate 'Configure Synapse' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -224,6 +217,6 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -21,13 +21,6 @@
dest: '/matrix/awx/configure_synapse_admin.json' dest: '/matrix/awx/configure_synapse_admin.json'
mode: '0660' mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Synapse Admin' job template - name: Recreate 'Configure Synapse Admin' job template
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
awx.awx.tower_job_template: awx.awx.tower_job_template:
@ -45,6 +38,6 @@
become_enabled: yes become_enabled: yes
state: present state: present
verbosity: 1 verbosity: 1
tower_host: "https://{{ tower_host }}" tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes validate_certs: yes

View File

@ -83,8 +83,8 @@ matrix_host_command_openssl: "/usr/bin/env openssl"
matrix_host_command_systemctl: "/usr/bin/env systemctl" matrix_host_command_systemctl: "/usr/bin/env systemctl"
matrix_host_command_sh: "/usr/bin/env sh" matrix_host_command_sh: "/usr/bin/env sh"
matrix_ntpd_package: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else 'ntp' }}" matrix_ntpd_package: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') else 'ntp' }}"
matrix_ntpd_service: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else ('ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp') }}" matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') or ansible_distribution == 'Archlinux' else ('ntpd' if ansible_os_family == 'RedHat' else 'ntp') }}"
matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"

View File

@ -4,7 +4,6 @@
pacman: pacman:
name: name:
- python-docker - python-docker
- "{{ matrix_ntpd_package }}"
# TODO This needs to be verified. Which version do we need? # TODO This needs to be verified. Which version do we need?
- fuse3 - fuse3
- python-dnspython - python-dnspython

View File

@ -3,13 +3,20 @@
matrix_appservice_webhooks_enabled: true matrix_appservice_webhooks_enabled: true
matrix_appservice_webhooks_container_image_self_build: false
matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks"
matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}"
matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile"
matrix_appservice_webhooks_version: latest matrix_appservice_webhooks_version: latest
matrix_appservice_webhooks_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config" matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config"
matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data" matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data"
matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks_base_path }}/docker-src"
# If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789") # If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789")
matrix_appservice_webhooks_public_endpoint: /appservice-webhooks matrix_appservice_webhooks_public_endpoint: /appservice-webhooks

View File

@ -1,23 +1,47 @@
--- ---
- name: Ensure AppService webhooks paths exist
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_appservice_webhooks_base_path }}", when: true }
- { path: "{{ matrix_appservice_webhooks_config_path }}", when: true }
- { path: "{{ matrix_appservice_webhooks_data_path }}", when: true }
- { path: "{{ matrix_appservice_webhooks_docker_src_files_path }}", when: "{{ matrix_appservice_webhooks_container_image_self_build }}"}
when: "item.when|bool"
- name: Ensure Appservice webhooks image is pulled - name: Ensure Appservice webhooks image is pulled
docker_image: docker_image:
name: "{{ matrix_appservice_webhooks_docker_image }}" name: "{{ matrix_appservice_webhooks_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}"
when: "not matrix_appservice_webhooks_container_image_self_build|bool"
- name: Ensure AppService webhooks paths exist - block:
file: - name: Ensure Appservice webhooks repository is present on self-build
path: "{{ item }}" git:
state: directory repo: "{{ matrix_appservice_webhooks_container_image_self_build_repo }}"
mode: 0750 dest: "{{ matrix_appservice_webhooks_docker_src_files_path }}"
owner: "{{ matrix_user_username }}" version: "{{ matrix_appservice_webhooks_container_image_self_build_repo_version }}"
group: "{{ matrix_user_groupname }}" force: "yes"
with_items: register: matrix_appservice_webhooks_git_pull_results
- "{{ matrix_appservice_webhooks_base_path }}"
- "{{ matrix_appservice_webhooks_config_path }}" - name: Ensure Appservice webhooks Docker image is built
- "{{ matrix_appservice_webhooks_data_path }}" docker_image:
name: "{{ matrix_appservice_webhooks_docker_image }}"
source: build
force_source: "{{ matrix_appservice_webhooks_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_git_pull_results.changed }}"
build:
dockerfile: "{{ matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path }}"
path: "{{ matrix_appservice_webhooks_docker_src_files_path }}"
pull: yes
when: "matrix_appservice_webhooks_container_image_self_build|bool"
- name: Ensure Matrix Appservice webhooks config is installed - name: Ensure Matrix Appservice webhooks config is installed
copy: copy:

View File

@ -3,7 +3,7 @@
matrix_beeper_linkedin_enabled: true matrix_beeper_linkedin_enabled: true
matrix_beeper_linkedin_version: v0.5.0 matrix_beeper_linkedin_version: v0.5.1
# See: https://gitlab.com/beeper/linkedin/container_registry # See: https://gitlab.com/beeper/linkedin/container_registry
matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64" matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64"
matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}" matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}"

View File

@ -3,7 +3,7 @@
matrix_heisenbridge_enabled: true matrix_heisenbridge_enabled: true
matrix_heisenbridge_version: 1.1.1 matrix_heisenbridge_version: 1.2.1
matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"

View File

@ -110,6 +110,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`. # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml|from_yaml|combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}" matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml|from_yaml|combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"
matrix_mautrix_telegram_sender_localpart: "telegrambot"
matrix_mautrix_telegram_registration_yaml: | matrix_mautrix_telegram_registration_yaml: |
id: telegram id: telegram
as_token: "{{ matrix_mautrix_telegram_appservice_token }}" as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@ -123,10 +125,10 @@ matrix_mautrix_telegram_registration_yaml: |
aliases: aliases:
- exclusive: true - exclusive: true
regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$'
# See https://github.com/mautrix/signal/issues/43
sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }} sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }}
url: {{ matrix_mautrix_telegram_appservice_address }} url: {{ matrix_mautrix_telegram_appservice_address }}
rate_limited: false rate_limited: false
de.sorunome.msc2409.push_ephemeral: true de.sorunome.msc2409.push_ephemeral: true
# sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"
matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}"

View File

@ -25,7 +25,7 @@ presence:
# Bridge Discord online/offline status # Bridge Discord online/offline status
enabled: true enabled: true
# How often to send status to the homeserver in milliseconds # How often to send status to the homeserver in milliseconds
interval: 500 interval: 10000
provisioning: provisioning:
# Regex of Matrix IDs allowed to use the puppet bridge # Regex of Matrix IDs allowed to use the puppet bridge
@ -70,7 +70,7 @@ namePatterns:
# #
# name: username of the user # name: username of the user
# discriminator: hashtag of the user (ex. #1234) # discriminator: hashtag of the user (ex. #1234)
user: :name user: ":name (#:discriminator) (via Discord)"
# A user's guild-specific displayname - if they've set a custom nick in # A user's guild-specific displayname - if they've set a custom nick in
# a guild # a guild
@ -82,7 +82,7 @@ namePatterns:
# displayname: the user's custom group-specific nick # displayname: the user's custom group-specific nick
# channel: the name of the channel # channel: the name of the channel
# guild: the name of the guild # guild: the name of the guild
userOverride: :name userOverride: ":displayname (:name#:discriminator) (via Discord)"
# Room names for bridged Discord channels # Room names for bridged Discord channels
# #
@ -90,7 +90,7 @@ namePatterns:
# #
# name: name of the channel # name: name of the channel
# guild: name of the guild # guild: name of the guild
room: :name room: "#:name (:guild on Discord)"
# Group names for bridged Discord servers # Group names for bridged Discord servers
# #

View File

@ -3,7 +3,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build: false
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
matrix_client_element_version: v1.8.5 matrix_client_element_version: v1.9.0
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

Binary file not shown.

After

Width:  |  Height:  |  Size: 188 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.1 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 747 KiB

View File

@ -67,6 +67,18 @@
- {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
when: "matrix_client_element_enabled|bool and item.src is not none" when: "matrix_client_element_enabled|bool and item.src is not none"
- name: Copy Element costum files
copy:
src: "{{ item.src }}"
dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {src: "{{ role_path }}/files/background.jpg", name: "background.jpg"}
- {src: "{{ role_path }}/files/antifa_coffee_cups.png", name: "logo.png"}
when: "matrix_client_element_enabled|bool and item.src is not none"
- name: Ensure Element config files removed - name: Ensure Element config files removed
file: file:
path: "{{ matrix_client_element_data_path }}/{{ item.name }}" path: "{{ matrix_client_element_data_path }}/{{ item.name }}"

View File

@ -33,7 +33,7 @@ h1::after {
} }
.mx_Logo { .mx_Logo {
height: 54px; height: 92px;
margin-top: 2px; margin-top: 2px;
} }

View File

@ -15,7 +15,7 @@
- name: Generate Etherpad proxying configuration for matrix-nginx-proxy - name: Generate Etherpad proxying configuration for matrix-nginx-proxy
set_fact: set_fact:
matrix_etherpad_matrix_nginx_proxy_configuration: | matrix_etherpad_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
location {{ matrix_etherpad_public_endpoint }}/ { location {{ matrix_etherpad_public_endpoint }}/ {
{% if matrix_nginx_proxy_enabled|default(False) %} {% if matrix_nginx_proxy_enabled|default(False) %}
@ -27,7 +27,7 @@
proxy_http_version 1.1; # recommended with keepalive connections proxy_http_version 1.1; # recommended with keepalive connections
proxy_pass_header Server; proxy_pass_header Server;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used
# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;

View File

@ -40,6 +40,12 @@ matrix_nginx_proxy_container_extra_arguments: []
# - services are served directly from the HTTP vhost # - services are served directly from the HTTP vhost
matrix_nginx_proxy_https_enabled: true matrix_nginx_proxy_https_enabled: true
# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header
#
# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.
matrix_nginx_proxy_trust_forwarded_proto: false
matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container). # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
# #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
@ -177,6 +183,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:809
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_synapse_metrics: false matrix_nginx_proxy_proxy_synapse_metrics: false
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
# The addresses where the Matrix Client API is. # The addresses where the Matrix Client API is.
@ -426,7 +436,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: []
# Controls whether to obtain production or staging certificates from Let's Encrypt. # Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.19.0" matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.20.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~ matrix_ssl_lets_encrypt_support_email: ~

View File

@ -88,7 +88,7 @@ server {
{% if matrix_nginx_proxy_ocsp_stapling_enabled %} {% if matrix_nginx_proxy_ocsp_stapling_enabled %}
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %} {% if matrix_nginx_proxy_ssl_session_tickets_off %}

View File

@ -20,13 +20,13 @@
{% if matrix_nginx_proxy_floc_optout_enabled %} {% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_hsts_preload_enabled %} {% if matrix_nginx_proxy_hsts_preload_enabled %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
{% else %} {% else %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %} {% endif %}
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
location /.well-known/matrix { location /.well-known/matrix {
@ -59,7 +59,7 @@
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
} }
{% endif %} {% endif %}
@ -77,7 +77,7 @@
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
} }
{% endif %} {% endif %}
@ -112,7 +112,7 @@
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
} }
{% endif %} {% endif %}
@ -137,7 +137,7 @@
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
client_body_buffer_size 25M; client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
@ -152,7 +152,7 @@
#} #}
location ~* ^/$ { location ~* ^/$ {
{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
{% else %} {% else %}
rewrite ^/$ /_matrix/static/ last; rewrite ^/$ /_matrix/static/ last;
{% endif %} {% endif %}
@ -215,12 +215,12 @@ server {
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %} {% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off; ssl_session_tickets off;
{% endif %} {% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
@ -262,7 +262,7 @@ server {
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %} {% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off; ssl_session_tickets off;
{% endif %} {% endif %}
@ -283,7 +283,7 @@ server {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
client_body_buffer_size 25M; client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

View File

@ -71,7 +71,7 @@
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
tcp_nodelay on; tcp_nodelay on;
} }
{% endmacro %} {% endmacro %}
@ -128,7 +128,7 @@ server {
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %} {% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off; ssl_session_tickets off;
{% endif %} {% endif %}

View File

@ -29,7 +29,7 @@
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
} }
{% endmacro %} {% endmacro %}
@ -85,7 +85,7 @@ server {
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %} {% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off; ssl_session_tickets off;
{% endif %} {% endif %}

View File

@ -22,7 +22,8 @@ matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}
matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.13{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.13{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.8{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.8{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.4{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.4{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.0{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}"
# This variable is assigned at runtime. Overriding its value has no effect. # This variable is assigned at runtime. Overriding its value has no effect.
matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}' matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}'

View File

@ -54,3 +54,8 @@
set_fact: set_fact:
matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}" matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}"
when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')"
- name: Determine corresponding Docker image to detected version (use 13.x, if detected)
set_fact:
matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v13 }}"
when: "matrix_postgres_detected_version == '13' or matrix_postgres_detected_version.startswith('13.')"

View File

@ -22,8 +22,8 @@
- name: Generate matrix-registration proxying configuration for matrix-nginx-proxy - name: Generate matrix-registration proxying configuration for matrix-nginx-proxy
set_fact: set_fact:
matrix_registration_matrix_nginx_proxy_configuration: | matrix_registration_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent; rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect; rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
location ~ ^{{ matrix_registration_public_endpoint }}/(.*) { location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
{% if matrix_nginx_proxy_enabled|default(False) %} {% if matrix_nginx_proxy_enabled|default(False) %}

Binary file not shown.

After

Width:  |  Height:  |  Size: 188 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.1 MiB

View File

@ -22,7 +22,7 @@
- name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy
set_fact: set_fact:
matrix_synapse_admin_matrix_nginx_proxy_configuration: | matrix_synapse_admin_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) { location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
{% if matrix_nginx_proxy_enabled|default(False) %} {% if matrix_nginx_proxy_enabled|default(False) %}

View File

@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first. # amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately. # arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available. # arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_version: v1.43.0 matrix_synapse_version: v1.44.0
matrix_synapse_version_arm64: v1.43.0 matrix_synapse_version_arm64: v1.44.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

View File

@ -2612,12 +2612,16 @@ user_directory:
#enabled: false #enabled: false
# Defines whether to search all users visible to your HS when searching # Defines whether to search all users visible to your HS when searching
# the user directory, rather than limiting to users visible in public # the user directory. If false, search results will only contain users
# rooms. Defaults to false. # visible in public rooms and users sharing a room with the requester.
# Defaults to false.
# #
# If you set it true, you'll have to rebuild the user_directory search # NB. If you set this to true, and the last time the user_directory search
# indexes, see: # indexes were (re)built was before Synapse 1.44, you'll have to
# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md # rebuild the indexes in order to search through all known users.
# These indexes are built the first time Synapse starts; admins can
# manually trigger a rebuild following the instructions at
# https://matrix-org.github.io/synapse/latest/user_directory.html
# #
# Uncomment to return search results containing all known users, even if that # Uncomment to return search results containing all known users, even if that
# user does not share a room with the requester. # user does not share a room with the requester.

View File

@ -56,4 +56,34 @@
- matrix-aux - matrix-aux
- matrix-postgres-backup - matrix-postgres-backup
- matrix-prometheus-postgres-exporter - matrix-prometheus-postgres-exporter
- matrix-common-after - matrix-common-after
tasks:
- name: Ensure web-user is present
user:
name: "{{ web_user }}"
state: present
system: yes
register: web_user_res
tags: [ setup-caddy, setup-all, start ]
- name: Ensure directory for revproxy config is present
file:
path: "{{ revproxy_autoload_dir }}/matrix"
state: directory
owner: "{{ web_user_res.uid }}"
group: "{{ web_user_res.group }}"
mode: 0750
tags: [ setup-caddy, setup-all, start ]
- name: Template reverse proxy configuration
template:
src: Caddyfile.j2
dest: "{{ revproxy_autoload_dir }}/matrix/Caddyfile"
owner: "{{ web_user_res.uid }}"
group: "{{ web_user_res.group }}"
mode: 0640
tags: [ setup-caddy, setup-all, start ]
- name: Restart reverse proxy
docker_container:
name: web
state: started
restart: yes

110
templates/Caddyfile.j2 Normal file
View File

@ -0,0 +1,110 @@
https://{{ matrix_server_fqn_matrix }} {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
encode zstd gzip
header {
Strict-Transport-Security "max-age=31536000;"
X-Frame-Options "DENY"
X-XSS-Protection "1; mode=block"
}
# matrix-ma1sd
reverse_proxy /_matrix/identity/* {{ matrix_ma1sd_container_http_host_bind_port }} {
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
reverse_proxy /_matrix/client/r0/user_directory/search/* {{ matrix_ma1sd_container_http_host_bind_port }} {
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
reverse_proxy /_matrix/federation/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
reverse_proxy /_matrix/key/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
reverse_proxy /_matrix/* {{ matrix_synapse_container_client_api_host_bind_port }} {
import proxyheaders
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
route /synapse-admin/* {
uri strip_prefix /synapse-admin
reverse_proxy http://127.0.0.1{{ matrix_synapse_admin_container_http_host_bind_port }}
}
reverse_proxy /_synapse/* http://{{ matrix_synapse_container_client_api_host_bind_port }}
basicauth /metrics/* bcrypt monitoring {
monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
}
route /metrics/synapse {
uri replace /metrics/synapse /_synapse/metrics
reverse_proxy http://{{ matrix_synapse_container_metrics_api_host_bind_port }}
}
route /metrics/synapse/worker/appservice {
uri replace /metrics/synapse/worker/appservice /_synapse/metrics
reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_appservice_workers_metrics_range_start }}
}
route /metrics/synapse/worker/federation-sender {
uri replace /metrics/synapse/worker/federation-sender /_synapse/metrics
reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start }}
}
route /metrics/bridge/* {
uri strip_prefix /metrics/bridge
route /mautrix-telegram {
uri replace /mautrix-telegram /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
}
route /mautrix-whatsapp {
uri replace /mautrix-whatsapp /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
}
route /mautrix-signal {
uri replace /mautrix-signal /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-instagram {
uri replace /mx-puppet-instagram /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-discord {
uri replace /mx-puppet-discord /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-skype {
uri replace /mx-puppet-skype /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-slack {
uri replace /mx-puppet-slack /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
}
}
reverse_proxy /bridge/telegram/* http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}
reverse_proxy /bridge/slack/* http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}
}
https://{{ matrix_server_fqn_dimension }} {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
encode zstd gzip
reverse_proxy http://{{ matrix_dimension_container_http_host_bind_port }} {
#header_up X-Forwarded-For {remote}
import proxyheaders
#header_up Host {host}
}
}
https://{{ matrix_server_fqn_element }} {
tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
encode zstd gzip
reverse_proxy http://{{ matrix_client_element_container_http_host_bind_port }}
}
https://{{ matrix_domain }}/.well-known/matrix/* {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
route {
uri strip_prefix /.well-known/matrix
root * /matrix_static
file_server
}
header {
Content-Type "application/json"
X-Content-Type-Options "nosniff"
Access-Control-Allow-Origin *
Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
}