# The bare hostname which represents your identity. # This is something like "example.com". # Note: this playbook does not touch the server referenced here. hostname_identity: "{{ host_specific_hostname_identity|lower }}" # This is where your data lives and what we set up here. # This and the Riot hostname (see below) are expected to be on the same server. hostname_matrix: "matrix.{{ hostname_identity }}" # This is where you access the web UI from and what we set up here. # This and the Matrix hostname (see above) are expected to be on the same server. hostname_riot: "riot.{{ hostname_identity }}" matrix_user_username: "matrix" matrix_user_uid: 991 matrix_user_gid: 991 matrix_base_data_path: "/matrix" matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_homeserver_url: "https://{{ hostname_matrix }}" matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" # The Docker network that all services would be put into matrix_docker_network: "matrix" matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.0-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages" # Specifies which template files to use when configuring Synapse. # If you'd like to have your own different configuration, feel free to copy and paste # the original files into your inventory (e.g. in `inventory/host_vars//`) # and then change the specific host's `vars.yaml` file like this: # matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars//homeserver.yaml.j2" matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2" matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2" matrix_synapse_macaroon_secret_key: "" matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" # These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] # These are the identity servers that would be trusted by Synapse if mxisd IS enabled matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']" # The final list of identity servers to use for Synapse. # The first one would also be used as riot-web's default identity server. matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 matrix_synapse_max_log_files_count: 10 # Log levels # Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels # warning: setting log level to DEBUG will make synapse log sensitive information such # as access tokens matrix_synapse_log_level: "INFO" matrix_synapse_storage_sql_log_level: "INFO" matrix_synapse_root_log_level: "INFO" # Rate limits matrix_synapse_rc_messages_per_second: 0.2 matrix_synapse_rc_message_burst_count: 10.0 # Enable this to allow Synapse to report utilization statistics about your server to matrix.org # (things like number of users, number of messages sent, uptime, load, etc.) matrix_synapse_report_stats: false # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. # If users participate in large rooms with many other servers, # disabling this will decrease server load significantly. matrix_synapse_use_presence: true # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false # Users who register on this homeserver will automatically be joined to these rooms. # Rooms are to be specified using addresses (e.g. `#address:example.com`) matrix_synapse_auto_join_rooms: [] # Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created # automatically if they don't already exist. matrix_synapse_autocreate_auto_join_rooms: true # Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" # Controls the number of events that Matrix Synapse caches in memory. matrix_synapse_event_cache_size: "100K" # Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable. # Raise this to increase cache sizes or lower it to potentially lower memory use. # To learn more, see: # - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram # - https://github.com/matrix-org/synapse/issues/3939 matrix_synapse_cache_factor: 0.5 # Controls whether Matrix Synapse will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. matrix_synapse_federation_enabled: true # A list of domain names that are allowed to federate with the given Matrix Synapse server. # An empty list value (`[]`) will also effectively stop federation, but if that's the desired # result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`. matrix_synapse_federation_domain_whitelist: ~ # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_synapse_container_additional_volumes: [] # A list of additional loggers to register in synapse.log.config. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"name": "..", "level": "DEBUG"} matrix_synapse_additional_loggers: [] # A list of service config files # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains fs paths matrix_synapse_app_service_config_files: [] # This is set dynamically during execution depending on whether # any password providers have been enabled or not. matrix_synapse_password_providers_enabled: false # Enable this to activate the REST auth password provider module. # See: https://github.com/kamax-io/matrix-synapse-rest-auth matrix_synapse_ext_password_provider_rest_auth_enabled: false matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py" matrix_synapse_ext_password_provider_rest_auth_endpoint: "" matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false # Enable this to activate the Shared Secret Auth password provider module. # See: https://github.com/devture/matrix-synapse-shared-secret-auth matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" # Enable this to activate LDAP password provider matrix_synapse_ext_password_provider_ldap_enabled: false matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" matrix_synapse_ext_password_provider_ldap_start_tls: true matrix_synapse_ext_password_provider_ldap_base: "" matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail" matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" # The defaults below cause a postgres server to be configured (running within a container). # Using an external server is possible by tweaking all of the parameters below. matrix_postgres_use_external: false matrix_postgres_connection_hostname: "matrix-postgres" matrix_postgres_connection_username: "synapse" matrix_postgres_connection_password: "synapse-password" matrix_postgres_db_name: "homeserver" matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine" matrix_postgres_docker_image_v10: "postgres:10.6-alpine" matrix_postgres_docker_image_v11: "postgres:11.1-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: "" # UDP port-range to use for TURN matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_s3_media_store_enabled: false matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" matrix_s3_media_store_region: "eu-central-1" # By default, this playbook sets up a postfix mailer server (running in a container). # This is so that Matrix Synapse can send email reminders for unread messages. # Other services (like mxisd), however, also use that mailer to send emails through it. matrix_mailer_enabled: true matrix_mailer_docker_image: "panubo/postfix:latest" matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" matrix_mailer_relay_use: false matrix_mailer_relay_host_name: "mail.example.com" matrix_mailer_relay_host_port: 587 matrix_mailer_relay_auth: false matrix_mailer_relay_auth_username: "" matrix_mailer_relay_auth_password: "" # By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`). # If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, # you may wish to disable this. matrix_mxisd_enabled: true matrix_mxisd_docker_image: "kamax/mxisd:1.2.2" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" # Your identity server is private by default. # To ensure maximum discovery, you can make your identity server # also forward lookups to the central matrix.org Identity server # (at the cost of potentially leaking all your contacts information). # Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups matrix_mxisd_matrixorg_forwarding_enabled: false # mxisd has serveral supported identity stores. # One of them is storing identities directly in Synapse's database. # Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md matrix_mxisd_synapsesql_enabled: true matrix_mxisd_synapsesql_type: postgresql matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} # LDAP is another identity store that's supported by mxisd. # Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/ldap.md matrix_mxisd_ldap_enabled: false matrix_mxisd_ldap_connection_host: ldapHostnameOrIp matrix_mxisd_ldap_connection_tls: false matrix_mxisd_ldap_connection_port: 389 matrix_mxisd_ldap_connection_baseDns: ['OU=Users,DC=example,DC=org'] matrix_mxisd_ldap_connection_bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org matrix_mxisd_ldap_connection_bindPassword: TheUserPassword # The following keys are optional: # matrix_mxisd_ldap_filter: "" # matrix_mxisd_ldap_attribute_uid_type: uid # matrix_mxisd_ldap_attribute_uid_value: sAMAccountName # matrix_mxisd_ldap_attribute_name: cn # matrix_mxisd_ldap_attribute_threepid_email: # - mail # - otherMailAttribute # matrix_mxisd_ldap_attribute_threepid_msisdn: # - phone # - otherPhoneAttribute # matrix_mxisd_ldap_identity_filter: "" # matrix_mxisd_ldap_identity_medium: "" # matrix_mxisd_ldap_auth_filter: "" # matrix_mxisd_ldap_directory_filter: "" # Specifies which template files to use when configuring mxisd. # If you'd like to have your own different configuration, feel free to copy and paste # the original files into your inventory (e.g. in `inventory/host_vars//`) # and then change the specific host's `vars.yaml` file like this: # matrix_mxisd_template_config: "{{ playbook_dir }}/inventory/host_vars//mxisd.yaml.j2" matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" # Enable this to add support for matrix-corporal. # See: https://github.com/devture/matrix-corporal matrix_corporal_enabled: false matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" matrix_corporal_matrix_timeout_milliseconds: 45000 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" matrix_corporal_http_api_enabled: false matrix_corporal_http_api_auth_token: "" # Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value) matrix_corporal_policy_provider_config: "" matrix_corporal_debug: false # By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. # If you wish to connect to your Matrix server by other means, # you may wish to disable this. matrix_riot_web_enabled: true matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.8" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" # Riot config.json customizations matrix_riot_web_disable_custom_urls: true matrix_riot_web_disable_guests: true matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api" matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" # Riot public room directory server(s) matrix_riot_web_roomdir_servers: ['matrix.org'] matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" # Riot home.html customizations # Default home.html template file matrix_riot_web_homepage_template: "{{ role_path }}/templates/riot-web/home.html.j2" # Show general discussion about Matrix and Riot row matrix_riot_web_homepage_template_general: true # Show Matrix technical discussions row matrix_riot_web_homepage_template_technical: true # Show building services on Matrix row matrix_riot_web_homepage_template_building: true # Show contributing code to Matrix and Riot row matrix_riot_web_homepage_template_contributing: true # Matrix mautrix is a Matrix <-> Telegram bridge # Enable telegram bridge matrix_mautrix_telegram_enabled: false matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" # Get your own API keys at https://my.telegram.org/apps matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH # Mautrix telegram public endpoint to log in to telegram # Use an uuid so it's not easily discoverable matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" # Matrix mautrix is a Matrix <-> Whatsapp bridge # Enable whatsapp bridge matrix_mautrix_whatsapp_enabled: false matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest" matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" # By default, this playbook sets up its own nginx proxy server on port 80/443. # This is fine if you're dedicating the whole server to Matrix. # But in case that's not the case, you may wish to prevent that # and take care of proxying by yourself. matrix_nginx_proxy_enabled: true matrix_nginx_proxy_docker_image: "nginx:1.15.7-alpine" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008" matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008" # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # Specifies which SSL protocols to use when serving Riot and Synapse # Note TLSv1.3 is not yet available in dockerized nginx # See: https://github.com/nginxinc/docker-nginx/issues/190 matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # # The following retrieval methods are supported: # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt # - "self-signed" - the playbook generates and self-signs certificates # - "manually-managed" - lets you manage certificates by yourself (manually; see below) # # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` # obeying the following hierarchy: # - /live//fullchain.pem # - /live//privkey.pem # where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). matrix_ssl_retrieval_method: "lets-encrypt" # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.29.1" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}" matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" # Variables to Control which parts of the role run. run_setup: true run_import_postgres: true run_upgrade_postgres: true run_start: true run_register_user: true run_import_sqlite_db: true run_import_media_store: true run_self_check: true