Compare commits

..

87 Commits

Author SHA1 Message Date
fe3c012906
feat: add automatic creation of reverse-proxy routing 2021-10-07 07:56:21 +02:00
8b34271557
meta: move inventory structure to be more usable 2021-10-07 07:55:19 +02:00
109e38d1ab
meta: add own inventory, add vault-unlock with GPG 2021-10-07 07:55:18 +02:00
Slavi Pantaleev
2bf052369d Upgrade certbot (v1.19.0 -> v1.20.0) 2021-10-06 15:14:38 +03:00
Slavi Pantaleev
278bbae4d5 Upgrade Synapse (1.43.0 -> 1.44.0) 2021-10-05 17:13:21 +03:00
Slavi Pantaleev
bad2c5296e
Merge pull request #1312 from HarHarLinks/patch-4
add how to generate htpasswd
2021-10-05 11:29:44 +03:00
Slavi Pantaleev
6adc028d52
Merge pull request #1313 from GoMatrixHosting/gomatrixhosting-testing
Gomatrixhosting testing
2021-10-05 07:14:42 +03:00
Michael Collins
71b404d9df merge upstream 2021-10-05 11:39:29 +08:00
Michael Collins
e3183ba267 Merge remote-tracking branch 'upstream/master' into gomatrixhosting-testing 2021-10-05 11:39:07 +08:00
Kim Brose
1ba7760ea4
add how to generate htpasswd
for matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key
resolves #1308
2021-10-04 22:18:05 +02:00
Michael Collins
871df86068 simulate update 2021-10-04 21:07:05 +08:00
Michael Collins
56ad50cb97 test update 2021-10-04 20:26:07 +08:00
Michael Collins
01a136692f simulate update 2021-10-04 18:49:41 +08:00
Slavi Pantaleev
d38c0e121b
Merge pull request #1309 from HarHarLinks/patch-3
doc: how to export node and postgres sans grafana
2021-10-04 13:00:55 +03:00
Kim Brose
6b0f739e9a
move advanced metrics exporting to new section 2021-10-04 11:58:27 +02:00
Kim Brose
2e16080f41
doc: how to export node and postgres sans grafana 2021-10-04 00:00:29 +02:00
Michael Collins
40506d5c5a no log 2021-10-02 12:43:14 +08:00
Slavi Pantaleev
b5d8444764 Add self-building support to matrix-bridge-appservice-webhooks 2021-10-01 16:37:37 +03:00
Michael Collins
c8744ef9a9 update deploy role for new awx token authentication method 2021-10-01 18:56:38 +08:00
Slavi Pantaleev
096c960b84 Add support for Postgres v14 2021-10-01 11:27:40 +03:00
Slavi Pantaleev
256d3ffec5
Merge pull request #1304 from apmechev/update-linkedin-0.5.1
Upgrade LinkedIn (0.5.0 -> 0.5.1)
2021-10-01 10:15:08 +03:00
Slavi Pantaleev
3474d0c809
Merge pull request #1303 from hifi/feature/heisenbridge-1.2.1
Upgrade Heisenbridge (1.2.0 -> 1.2.1)
2021-09-30 09:27:08 +03:00
Toni Spets
3119ef4574 Upgrade Heisenbridge (1.2.0 -> 1.2.1) 2021-09-30 08:42:58 +03:00
Slavi Pantaleev
b4b14539a7 Use ntp (instead of systemd-timesyncd) on Ubuntu 18.04
Seems like Ubuntu 18.04 does not have a dedicated `systemd-timesyncd` package, nor
does it include the `systemd-timesyncd` binary in the main `systemd` package.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1302

Regression since https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1192
2021-09-28 13:38:27 +03:00
Alexandar Mechev
f02c08dc7f Upgrade LinkedIn (0.5.0 -> 0.5.1) 2021-09-28 11:07:43 +02:00
Slavi Pantaleev
1c8ec8d080
Merge pull request #1301 from gryphius/gryphius-element-1.9.0
Upgrade Element (1.8.5 -> 1.9.0)
2021-09-28 09:04:30 +03:00
Oli
59d4532efb
Upgrade Element (1.8.5 -> 1.9.0) 2021-09-28 07:40:00 +02:00
Slavi Pantaleev
5e867f150e
Merge pull request #1299 from KloolK/patch-2
Archlinux: remove package systemd-timesyncd
2021-09-26 14:50:15 +03:00
Jan
0ed585baa7
Archlinux: remove package systemd-timesyncd
#1192 lead to the following error for me on Archlinux:
`TASK [matrix-base : Install host dependencies] *******************************************************************************************************************************
fatal: [matrix.***.de]: FAILED! => changed=false 
  msg: |-
    failed to install systemd-timesyncd: error: target not found: systemd-timesyncd`

There is no package called `systemd-timesyncd` on Archlinux. The service is installed with the [`systemd`](https://archlinux.org/packages/core/x86_64/systemd/) package itself.

I suggest removing the `systemd-timesyncd` from 2453876eb9/roles/matrix-base/tasks/server_base/setup_archlinux.yml (L7)
2021-09-26 11:48:03 +02:00
Slavi Pantaleev
31396f0615
Merge pull request #1295 from nogweii/feat-support-upstream-https-forwarded
Support trusting the upstream server when it says the protocol is HTTPS
2021-09-26 09:54:15 +03:00
Slavi Pantaleev
4f841a7001
Merge pull request #1192 from sakkiii/patch-1
migrate from ntp to systemd-timesyncd for ubuntu & Archlinux
2021-09-25 10:15:40 +03:00
Slavi Pantaleev
62ce06e28c
Merge pull request #1298 from GoMatrixHosting/gomatrixhosting-testing
GoMatrixHosting v0.6.0
2021-09-25 09:35:53 +03:00
Slavi Pantaleev
72688a49da
Merge pull request #1297 from aaronraimist/fix-hydrogen-typo
Fix hydrogen OCSP typo
2021-09-25 08:58:37 +03:00
Michael Collins
9a4187c852 Merge remote-tracking branch 'upstream/master' into gomatrixhosting-testing 2021-09-25 10:56:26 +08:00
Aaron Raimist
a676b5358c
Fix hydrogen OCSP typo
From 6f80292745
2021-09-24 20:09:06 -05:00
Colin Shea
2578ca4cee rename matrix_nginx_proxy_x_forwarded_header_value -> matrix_nginx_proxy_x_forwarded_proto_value 2021-09-24 05:22:30 -07:00
Colin Shea
120b49a2b2 update docs 2021-09-24 05:18:11 -07:00
Colin Shea
d0cd67044e replace $scheme with X-Forwarded-Proto when enabled 2021-09-24 05:14:38 -07:00
Slavi Pantaleev
11398dc1a6
Merge pull request #1292 from HarHarLinks/patch-2
Fix typo
2021-09-24 09:33:30 +03:00
Slavi Pantaleev
4b500ffb43
Merge pull request #1291 from hifi/feature/heisenbridge-1.2.0
Upgrade Heisenbridge (1.1.1 -> 1.2.0)
2021-09-24 09:31:13 +03:00
Kim Brose
11b215f8ec
Fix typo 2021-09-23 21:39:42 +02:00
Toni Spets
ff63f4efce Upgrade Heisenbridge (1.1.1 -> 1.2.0) 2021-09-23 10:18:46 +03:00
Michael Collins
33c471477f remove commented section 2021-09-22 09:44:52 +08:00
Michael Collins
6902ee5aa7 add rotate ssh module to matrix-awx 2021-09-19 17:12:12 +08:00
Michael Collins
8339103594 revert unneeded changes 2021-09-04 15:08:07 +08:00
Michael Collins
7724247152 Merge branch 'testing' into 'main'
Merge Upstream - Bump Coturn version tag (4.5.2-r2 -> 4.5.2-r3)

See merge request GoMatrixHosting/matrix-docker-ansible-deploy!5
2021-09-04 06:30:06 +00:00
Michael Collins
ca705cf9dd Merge remote-tracking branch 'upstream/master' into testing 2021-09-04 14:24:13 +08:00
sakkiii
2453876eb9
Update main.yml 2021-08-31 16:24:26 +05:30
sakkiii
087a5d62f1
systemd-timesyncd for any archlinux version 2021-08-31 15:53:59 +05:30
Michael Collins
6ecd947c72 remove delete subscription section 2021-08-24 19:05:58 +08:00
Michael Collins
463e9a6196 woops bool not bools 2021-08-24 18:48:43 +08:00
Michael Collins
f19856e125 change template name 2021-08-24 18:35:49 +08:00
Michael Collins
c6f8bc5d83 missing one template from deletion section 2021-08-24 18:35:00 +08:00
Michael Collins
a49da05cf9 delegate locally 2021-08-24 18:20:26 +08:00
Michael Collins
ef4b5a187d alter delete_job_template template 2021-08-24 14:33:50 +08:00
Michael Collins
b120b8aeba delay these till the next playbook 2021-08-24 14:27:50 +08:00
Michael Collins
3125ee56e2 add abort_deletion.yml task list 2021-08-20 13:27:10 +08:00
Michael Collins
e75ecd858d launch cleanup job after deleting subscription 2021-08-20 11:14:15 +08:00
Michael Collins
a37e5b6d60 job templates cant delete themselves 2021-08-20 09:58:55 +08:00
Michael Collins
14effd5e2b delegate delete tasks locally 2021-08-20 09:35:12 +08:00
Michael Collins
312bcc444b no log 2021-08-20 09:28:54 +08:00
Michael Collins
92b26ec846 check if matrix_vars.yml file exists 2021-08-19 18:05:47 +08:00
Michael Collins
7203d4ec21 replace module only if file exists 2021-08-19 18:01:26 +08:00
Michael Collins
9ac5ad148a merge upstream 2021-08-19 17:38:38 +08:00
Michael Collins
b2f96df1a9 end play after deleting subscription in AWX 2021-08-19 17:13:34 +08:00
Michael Collins
fa43d04ad7 syntax error 2021-08-19 17:02:28 +08:00
Michael Collins
7b9929e17b add << SUBSCRIPTION DELETION IN PROGRESS >> job template 2021-08-19 16:55:58 +08:00
Michael Collins
517ecbf0d1 move delete-subscription to deploy 2021-08-18 21:07:44 +08:00
Michael Collins
d93b2109f4 ehh? 2021-08-18 06:25:49 +08:00
Michael Collins
bdf10462d2 Merge remote-tracking branch 'upstream/master' 2021-08-17 16:24:34 +08:00
Michael Collins
50441346d3 herp 2021-08-17 16:12:16 +08:00
Michael Collins
41c335b967 merge upstream 2021-08-17 13:20:39 +08:00
Michael Collins
8c17a65e55 testing 2 2021-08-16 15:56:27 +08:00
Michael Collins
8504ad2228 change for testing 2021-08-16 15:31:34 +08:00
Michael Collins
ea4af65ceb herp 2021-08-16 15:20:32 +08:00
Michael Collins
662438ba6e Merge branch 'testing-v0.5.8' into 'main'
comment to trigger update

See merge request GoMatrixHosting/matrix-docker-ansible-deploy!3
2021-08-16 06:08:38 +00:00
Michael Collins
5d77e76e77 comment to trigger update 2021-08-16 14:07:31 +08:00
Michael Collins
157b70673c Merge branch 'testing' into 'main'
revert to previous version

See merge request GoMatrixHosting/matrix-docker-ansible-deploy!2
2021-08-15 10:36:18 +00:00
Michael Collins
59b61f6cc2 revert to previous version 2021-08-15 18:33:29 +08:00
Michael Collins
326802ac21 Merge branch 'testing-v0.5.8' into 'main'
Testing v0.5.8

See merge request GoMatrixHosting/matrix-docker-ansible-deploy!1
2021-08-15 05:21:38 +00:00
Michael Collins
53384b5a97 add comment 2 2021-08-15 12:58:17 +08:00
Michael Collins
7491508d63 add comment 2021-08-14 21:12:47 +08:00
Michael Collins
98e6cd685d sync with previous repo 2021-08-13 16:05:57 +08:00
Michael Collins
83a90f1cd1 Initial commit 2021-08-13 08:00:23 +00:00
sakkiii
4a2b169fc9
systemd-timesyncd for ubuntu 2021-07-22 23:42:53 +05:30
sakkiii
7f0b8fef0a
Merge branch 'spantaleev:master' into patch-1 2021-07-21 23:50:19 +05:30
sakkiii
5209a17da1
migrate from ntp to chrony 2021-07-19 23:11:30 +05:30
47 changed files with 307 additions and 181 deletions

View File

@ -26,7 +26,7 @@ The following repositories allow you to copy and use this setup:
Updates to this section are trailed here:
[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy)
[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/matrix-docker-ansible-deploy)
## Does I need an AWX setup to use this? How do I configure it?

View File

@ -108,6 +108,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
matrix_coturn_enabled: false
# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
matrix_nginx_proxy_trust_forwarded_proto: true
```
With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.

View File

@ -56,8 +56,40 @@ Name | Description
`matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics`
`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`)
`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable)
`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`).
`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`)
### Collecting system and Postgres metrics to an external Prometheus server (advanced)
When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats.
It would be possible to use `matrix_prometheus_node_exporter_container_http_host_bind_port` etc., but that is not always the best choice, for example because your server is on a public network.
Use the following variables in addition to the ones mentioned above:
Name | Description
-----|----------
`matrix_nginx_proxy_proxy_grafana_enabled`|Set this to `true` to make the stats subdomain (`matrix_server_fqn_grafana`) available via the Nginx proxy
`matrix_ssl_additional_domains_to_obtain_certificates_for`|Add `"{{ matrix_server_fqn_grafana }}"` to this list to have letsencrypt fetch a certificate for the stats subdomain
`matrix_prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter
`matrix_prometheus_postgres_exporter_enabled`|Set this to `true` to enable the Postgres exporter
`matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks`|Add locations to this list depending on which of the above exporters you enabled (see below)
```nginx
matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks:
- 'location /node-exporter/ {
resolver 127.0.0.11 valid=5s;
proxy_pass http://matrix-prometheus-node-exporter:9100/;
auth_basic "protected";
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
}'
- 'location /postgres-exporter/ {
resolver 127.0.0.11 valid=5s;
proxy_pass http://matrix-prometheus-postgres-exporter:9187/;
auth_basic "protected";
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
}'
```
You can customize the `location`s to your liking, just point your Prometheus to there later (e.g. `stats.DOMAIN/node-exporter/metrics`). Nginx is very picky about the `proxy_pass`syntax: take care to follow the example closely and note the trailing slash as well as absent use of variables. postgres-exporter uses the nonstandard port 9187.
## More information

View File

@ -60,7 +60,7 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user;
It can be worked around by changing the username to `synapse`, for example by using `sed`:
```Shell
$ sed -i "s/synapse_user/synapse/g" homeserver.sql"
$ sed -i "s/synapse_user/synapse/g" homeserver.sql
```
This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead.

View File

@ -22,6 +22,7 @@ List of roles where self-building the Docker image is currently possible:
- `matrix-mailer`
- `matrix-bridge-appservice-irc`
- `matrix-bridge-appservice-slack`
- `matrix-bridge-appservice-webhooks`
- `matrix-bridge-mautrix-facebook`
- `matrix-bridge-mautrix-hangouts`
- `matrix-bridge-mautrix-telegram`

View File

@ -104,6 +104,8 @@ matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_
# We don't enable bridges by default.
matrix_appservice_webhooks_enabled: false
matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-webhooks' client-server port to the local host.

View File

@ -24,14 +24,6 @@
mode: '0660'
tags: use-survey
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
tags: use-survey
- name: Recreate 'Backup Server' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -49,8 +41,8 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
tags: use-survey
@ -90,6 +82,15 @@
command: borgmatic -c /root/.config/borgmatic/config_2.yaml
when: matrix_awx_backup_enabled|bool
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true

View File

@ -0,0 +1,10 @@
- name: Create a AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: present
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_master_token }}"
register: awx_session_token
no_log: True

View File

@ -23,6 +23,15 @@
/usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
register: cmd
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Result
debug: msg="{{ cmd.stdout }}"

View File

@ -77,13 +77,6 @@
mode: '0660'
when: customise_base_domain_website is undefined
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Website + Access Export' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -101,8 +94,8 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: customise_base_domain_website is defined
@ -123,8 +116,8 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: customise_base_domain_website is undefined

View File

@ -0,0 +1,9 @@
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"

View File

@ -24,6 +24,15 @@
units: days
unique: yes
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true

View File

@ -9,3 +9,7 @@
file: '/var/lib/awx/projects/hosting/hosting_vars.yml'
no_log: True
- name: Include AWX master token from awx_tokens.yml
include_vars:
file: /var/lib/awx/projects/hosting/awx_tokens.yml
no_log: True

View File

@ -17,6 +17,15 @@
tags:
- always
# Create AWX session token
- include_tasks:
file: "create_session_token.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Perform a backup of the server
- include_tasks:
file: "backup_server.yml"
@ -25,7 +34,7 @@
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- backup-server
# Perform a export of the server
- include_tasks:
file: "export_server.yml"
@ -62,6 +71,15 @@
tags:
- purge-database
# Rotate SSH key if called
- include_tasks:
file: "rotate_ssh.yml"
apply:
tags: rotate-ssh
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- rotate-ssh
# Import configs, media repo from /chroot/backup import
- include_tasks:
file: "import_awx.yml"
@ -179,6 +197,15 @@
tags:
- setup-synapse-admin
# Delete AWX session token
- include_tasks:
file: "delete_session_token.yml"
apply:
tags: always
when: run_setup|bool and matrix_awx_enabled|bool
tags:
- always
# Load newly formed matrix variables from AWX volume
- include_tasks:
file: "load_matrix_variables.yml"

View File

@ -5,18 +5,18 @@
name: dateutils
state: latest
- name: Ensure dateutils, curl and jq intalled on target machine
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Ensure curl and jq intalled on target machine
apt:
pkg:
- curl
- jq
state: present
- name: Include vars in matrix_vars.yml
include_vars:
file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
no_log: True
- name: Collect before shrink size of Synapse database
shell: du -sh /matrix/postgres/data
register: db_size_before_stat
@ -144,13 +144,6 @@
loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}"
when: purge_mode.find("Number of events [slower]") != -1
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Adjust 'Deploy/Update a Server' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -165,8 +158,8 @@
credential: "{{ member_id }} - AWX SSH Key"
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
@ -175,8 +168,8 @@
awx.awx.tower_job_launch:
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
wait: yes
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
@ -194,8 +187,8 @@
credential: "{{ member_id }} - AWX SSH Key"
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
@ -231,8 +224,8 @@
credential: "{{ member_id }} - AWX SSH Key"
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (purge_mode.find("Perform final shrink") != -1)
@ -241,8 +234,8 @@
awx.awx.tower_job_launch:
job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
wait: yes
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (purge_mode.find("Perform final shrink") != -1)
@ -260,8 +253,8 @@
credential: "{{ member_id }} - AWX SSH Key"
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes
when: (purge_mode.find("Perform final shrink") != -1)
@ -308,6 +301,15 @@
msg: "{{ db_size_after_stat.stdout.split('\n') }}"
when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1)
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true

View File

@ -1,5 +1,5 @@
- name: Ensure dateutils and curl is installed in AWX
- name: Ensure dateutils is installed in AWX
delegate_to: 127.0.0.1
yum:
name: dateutils
@ -90,6 +90,15 @@
msg: "{{ remote_media_size_after.stdout.split('\n') }}"
when: matrix_purge_media_type == "Remote Media"
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true

View File

@ -5,4 +5,3 @@
path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
regexp: 'matrix_synapse_use_presence'
replace: 'matrix_synapse_presence_enabled'

View File

@ -0,0 +1,24 @@
- name: Set the new authorized key taken from file
authorized_key:
user: root
state: present
exclusive: yes
key: "{{ lookup('file', '/var/lib/awx/projects/hosting/client_public.key') }}"
- name: Delete the AWX session token for executing modules
awx.awx.tower_token:
description: 'AWX Session Token'
scope: "write"
state: absent
existing_token_id: "{{ awx_session_token.ansible_facts.tower_token.id }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
- name: Set boolean value to exit playbook
set_fact:
end_playbook: true
- name: End playbook if this task list is called.
meta: end_play
when: end_playbook is defined and end_playbook|bool

View File

@ -218,13 +218,6 @@
- debug:
msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}"
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Corporal (Advanced)' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -242,6 +235,6 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -82,13 +82,6 @@
dest: '/matrix/awx/configure_dimension.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Dimension' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -106,6 +99,6 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -40,13 +40,6 @@
dest: '/matrix/awx/configure_element.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Element' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -64,6 +57,6 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -21,13 +21,6 @@
dest: '/matrix/awx/configure_element_subdomain.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Element Subdomain' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -44,6 +37,6 @@
survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}"
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -22,13 +22,6 @@
dest: '/matrix/awx/configure_jitsi.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Jitsi' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -46,6 +39,6 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -79,13 +79,6 @@
dest: '/matrix/awx/configure_ma1sd.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure ma1sd (Advanced)' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -103,7 +96,7 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -21,13 +21,6 @@
dest: '/matrix/awx/configure_email_relay.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Email Relay' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -45,6 +38,6 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -200,13 +200,6 @@
dest: '/matrix/awx/configure_synapse.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Synapse' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -224,6 +217,6 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -21,13 +21,6 @@
dest: '/matrix/awx/configure_synapse_admin.json'
mode: '0660'
- name: Collect AWX admin token the hard way!
delegate_to: 127.0.0.1
shell: |
curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
register: tower_token
no_log: True
- name: Recreate 'Configure Synapse Admin' job template
delegate_to: 127.0.0.1
awx.awx.tower_job_template:
@ -45,6 +38,6 @@
become_enabled: yes
state: present
verbosity: 1
tower_host: "https://{{ tower_host }}"
tower_oauthtoken: "{{ tower_token.stdout }}"
tower_host: "https://{{ awx_host }}"
tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}"
validate_certs: yes

View File

@ -83,8 +83,8 @@ matrix_host_command_openssl: "/usr/bin/env openssl"
matrix_host_command_systemctl: "/usr/bin/env systemctl"
matrix_host_command_sh: "/usr/bin/env sh"
matrix_ntpd_package: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else 'ntp' }}"
matrix_ntpd_service: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else ('ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp') }}"
matrix_ntpd_package: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') else 'ntp' }}"
matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version > '18') or ansible_distribution == 'Archlinux' else ('ntpd' if ansible_os_family == 'RedHat' else 'ntp') }}"
matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"

View File

@ -4,7 +4,6 @@
pacman:
name:
- python-docker
- "{{ matrix_ntpd_package }}"
# TODO This needs to be verified. Which version do we need?
- fuse3
- python-dnspython

View File

@ -3,13 +3,20 @@
matrix_appservice_webhooks_enabled: true
matrix_appservice_webhooks_container_image_self_build: false
matrix_appservice_webhooks_container_image_self_build_repo: "https://github.com/turt2live/matrix-appservice-webhooks"
matrix_appservice_webhooks_container_image_self_build_repo_version: "{{ 'master' if matrix_appservice_webhooks_version == 'latest' else matrix_appservice_webhooks_version }}"
matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path: "Dockerfile"
matrix_appservice_webhooks_version: latest
matrix_appservice_webhooks_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
matrix_appservice_webhooks_docker_image: "{{ matrix_appservice_webhooks_docker_image_name_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
matrix_appservice_webhooks_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_webhooks_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config"
matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data"
matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks_base_path }}/docker-src"
# If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789")
matrix_appservice_webhooks_public_endpoint: /appservice-webhooks

View File

@ -1,23 +1,47 @@
---
- name: Ensure AppService webhooks paths exist
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_appservice_webhooks_base_path }}", when: true }
- { path: "{{ matrix_appservice_webhooks_config_path }}", when: true }
- { path: "{{ matrix_appservice_webhooks_data_path }}", when: true }
- { path: "{{ matrix_appservice_webhooks_docker_src_files_path }}", when: "{{ matrix_appservice_webhooks_container_image_self_build }}"}
when: "item.when|bool"
- name: Ensure Appservice webhooks image is pulled
docker_image:
name: "{{ matrix_appservice_webhooks_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}"
when: "not matrix_appservice_webhooks_container_image_self_build|bool"
- name: Ensure AppService webhooks paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_webhooks_base_path }}"
- "{{ matrix_appservice_webhooks_config_path }}"
- "{{ matrix_appservice_webhooks_data_path }}"
- block:
- name: Ensure Appservice webhooks repository is present on self-build
git:
repo: "{{ matrix_appservice_webhooks_container_image_self_build_repo }}"
dest: "{{ matrix_appservice_webhooks_docker_src_files_path }}"
version: "{{ matrix_appservice_webhooks_container_image_self_build_repo_version }}"
force: "yes"
register: matrix_appservice_webhooks_git_pull_results
- name: Ensure Appservice webhooks Docker image is built
docker_image:
name: "{{ matrix_appservice_webhooks_docker_image }}"
source: build
force_source: "{{ matrix_appservice_webhooks_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_git_pull_results.changed }}"
build:
dockerfile: "{{ matrix_appservice_webhooks_container_image_self_build_repo_dockerfile_path }}"
path: "{{ matrix_appservice_webhooks_docker_src_files_path }}"
pull: yes
when: "matrix_appservice_webhooks_container_image_self_build|bool"
- name: Ensure Matrix Appservice webhooks config is installed
copy:

View File

@ -3,7 +3,7 @@
matrix_beeper_linkedin_enabled: true
matrix_beeper_linkedin_version: v0.5.0
matrix_beeper_linkedin_version: v0.5.1
# See: https://gitlab.com/beeper/linkedin/container_registry
matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64"
matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}"

View File

@ -3,7 +3,7 @@
matrix_heisenbridge_enabled: true
matrix_heisenbridge_version: 1.1.1
matrix_heisenbridge_version: 1.2.1
matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"

View File

@ -3,7 +3,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false
matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
matrix_client_element_version: v1.8.5
matrix_client_element_version: v1.9.0
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

View File

@ -15,7 +15,7 @@
- name: Generate Etherpad proxying configuration for matrix-nginx-proxy
set_fact:
matrix_etherpad_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
location {{ matrix_etherpad_public_endpoint }}/ {
{% if matrix_nginx_proxy_enabled|default(False) %}
@ -27,7 +27,7 @@
proxy_http_version 1.1; # recommended with keepalive connections
proxy_pass_header Server;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; # for EP to set secure cookie flag when https is used
# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

View File

@ -40,6 +40,12 @@ matrix_nginx_proxy_container_extra_arguments: []
# - services are served directly from the HTTP vhost
matrix_nginx_proxy_https_enabled: true
# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header
#
# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.
matrix_nginx_proxy_trust_forwarded_proto: false
matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
@ -177,6 +183,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:809
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_synapse_metrics: false
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
# The addresses where the Matrix Client API is.
@ -426,7 +436,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: []
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.19.0"
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.20.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~

View File

@ -88,7 +88,7 @@ server {
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}

View File

@ -20,13 +20,13 @@
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
{% if matrix_nginx_proxy_hsts_preload_enabled %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
{% else %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
location /.well-known/matrix {
@ -59,7 +59,7 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
}
{% endif %}
@ -77,7 +77,7 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
}
{% endif %}
@ -112,7 +112,7 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
}
{% endif %}
@ -137,7 +137,7 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
@ -152,7 +152,7 @@
#}
location ~* ^/$ {
{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
{% else %}
rewrite ^/$ /_matrix/static/ last;
{% endif %}
@ -215,12 +215,12 @@ server {
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }}
}
@ -262,7 +262,7 @@ server {
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
@ -283,7 +283,7 @@ server {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

View File

@ -71,7 +71,7 @@
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
tcp_nodelay on;
}
{% endmacro %}
@ -128,7 +128,7 @@ server {
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}

View File

@ -29,7 +29,7 @@
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
}
{% endmacro %}
@ -85,7 +85,7 @@ server {
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}

View File

@ -22,7 +22,8 @@ matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}
matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.13{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.8{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.4{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}"
matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.0{{ matrix_postgres_docker_image_suffix }}"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}"
# This variable is assigned at runtime. Overriding its value has no effect.
matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}'

View File

@ -54,3 +54,8 @@
set_fact:
matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}"
when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')"
- name: Determine corresponding Docker image to detected version (use 13.x, if detected)
set_fact:
matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v13 }}"
when: "matrix_postgres_detected_version == '13' or matrix_postgres_detected_version.startswith('13.')"

View File

@ -22,8 +22,8 @@
- name: Generate matrix-registration proxying configuration for matrix-nginx-proxy
set_fact:
matrix_registration_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
rewrite ^{{ matrix_registration_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/ permanent;
rewrite ^{{ matrix_registration_public_endpoint }}/$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_registration_public_endpoint }}/register redirect;
location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
{% if matrix_nginx_proxy_enabled|default(False) %}

View File

@ -22,7 +22,7 @@
- name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy
set_fact:
matrix_synapse_admin_matrix_nginx_proxy_configuration: |
rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
{% if matrix_nginx_proxy_enabled|default(False) %}

View File

@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# amd64 gets released first.
# arm32 relies on self-building, so the same version can be built immediately.
# arm64 users need to wait for a prebuilt image to become available.
matrix_synapse_version: v1.43.0
matrix_synapse_version_arm64: v1.43.0
matrix_synapse_version: v1.44.0
matrix_synapse_version_arm64: v1.44.0
matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

View File

@ -2612,12 +2612,16 @@ user_directory:
#enabled: false
# Defines whether to search all users visible to your HS when searching
# the user directory, rather than limiting to users visible in public
# rooms. Defaults to false.
# the user directory. If false, search results will only contain users
# visible in public rooms and users sharing a room with the requester.
# Defaults to false.
#
# If you set it true, you'll have to rebuild the user_directory search
# indexes, see:
# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md
# NB. If you set this to true, and the last time the user_directory search
# indexes were (re)built was before Synapse 1.44, you'll have to
# rebuild the indexes in order to search through all known users.
# These indexes are built the first time Synapse starts; admins can
# manually trigger a rebuild following the instructions at
# https://matrix-org.github.io/synapse/latest/user_directory.html
#
# Uncomment to return search results containing all known users, even if that
# user does not share a room with the requester.

View File

@ -82,3 +82,8 @@
group: "{{ web_user_res.group }}"
mode: 0640
tags: [ setup-caddy, setup-all, start ]
- name: Restart reverse proxy
docker_container:
name: web
state: started
restart: yes