253 lines
12 KiB
YAML
253 lines
12 KiB
YAML
---
|
|
|
|
# The bare domain name which represents your Matrix identity.
|
|
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
|
|
#
|
|
# Note: this playbook does not touch the server referenced here.
|
|
# Installation happens on another server ("matrix.<matrix-domain>", see `matrix_server_fqn_matrix`).
|
|
#
|
|
# Example value: example.com
|
|
matrix_domain: ~
|
|
|
|
# The optional matrix admin MXID, used in bridges' configs to set bridge admin user
|
|
# Example value: "@someone:{{ matrix_domain }}"
|
|
matrix_admin: ''
|
|
|
|
# Global var to enable/disable encryption across all bridges with encryption support
|
|
matrix_bridges_encryption_enabled: false
|
|
|
|
# Global var to enable/disable relay mode across all bridges with relay mode support
|
|
matrix_bridges_relay_enabled: false
|
|
|
|
# A container network where all addon services (bridges, bots, etc.) would live.
|
|
matrix_addons_container_network: matrix-addons
|
|
|
|
# The container network that the homeserver lives on and addon services (bridges, bots, etc.) should be connected to
|
|
matrix_addons_homeserver_container_network: "{{ matrix_homeserver_container_network }}"
|
|
|
|
# The URL where addon services (bridges, bots, etc.) can reach the homeserver.
|
|
matrix_addons_homeserver_client_api_url: "{{ matrix_homeserver_container_url }}"
|
|
|
|
# The systemd services (representing the homeserver) that addon services (bridges, bots, etc.) should depend on
|
|
matrix_addons_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_services_list }}"
|
|
|
|
# A container network where all monitoring services would live.
|
|
matrix_monitoring_container_network: matrix-monitoring
|
|
|
|
# matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc.
|
|
#
|
|
# Unless you're wrapping this playbook in another one
|
|
# where you optionally wish to disable homeserver integration, you don't need to use this.
|
|
#
|
|
# Note: disabling this does not mean that a homeserver won't get installed.
|
|
# Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`.
|
|
matrix_homeserver_enabled: true
|
|
|
|
# This will contain the homeserver implementation that is in use.
|
|
# Valid values: synapse, dendrite, conduit
|
|
#
|
|
# By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
|
|
#
|
|
# This value automatically influences other variables (`matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.).
|
|
# The homeserver implementation of an existing server cannot be changed without data loss.
|
|
matrix_homeserver_implementation: synapse
|
|
|
|
# This contains a secret, which is used for generating various other secrets later on.
|
|
matrix_homeserver_generic_secret_key: ''
|
|
|
|
# This is where your data lives and what we set up.
|
|
# This and the Element FQN (see below) are expected to be on the same server.
|
|
matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}"
|
|
|
|
# This is where you access federation API.
|
|
matrix_server_fqn_matrix_federation: '{{ matrix_server_fqn_matrix }}'
|
|
|
|
# This is where you access the Element web UI from (if enabled via matrix_client_element_enabled; enabled by default).
|
|
# This and the Matrix FQN (see above) are expected to be on the same server.
|
|
matrix_server_fqn_element: "element.{{ matrix_domain }}"
|
|
|
|
# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
|
|
matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"
|
|
|
|
# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default).
|
|
matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}"
|
|
|
|
# This is where you access the schildichat web client from (if enabled via matrix_client_schildichat_enabled; disabled by default).
|
|
matrix_server_fqn_schildichat: "schildichat.{{ matrix_domain }}"
|
|
|
|
# This is where you access the buscarron bot from (if enabled via matrix_bot_buscarron_enabled; disabled by default).
|
|
matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}"
|
|
|
|
# This is where you access the Dimension.
|
|
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
|
|
|
|
# This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default).
|
|
matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}"
|
|
|
|
# For use with Go-NEB! (github callback url for example)
|
|
matrix_server_fqn_bot_go_neb: "goneb.{{ matrix_domain }}"
|
|
|
|
# This is where you access Jitsi.
|
|
matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
|
|
|
|
# This is where you access Grafana.
|
|
matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"
|
|
|
|
# This is where you access the Sygnal push gateway.
|
|
matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"
|
|
|
|
# This is where you access the mautrix wsproxy push gateway.
|
|
matrix_server_fqn_mautrix_wsproxy: "wsproxy.{{ matrix_domain }}"
|
|
|
|
# This is where you access the ntfy push notification service.
|
|
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
|
|
|
|
# This is where you access rageshake.
|
|
matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"
|
|
|
|
matrix_federation_public_port: 8448
|
|
|
|
# The name of the Traefik entrypoint for handling Matrix Federation
|
|
matrix_federation_traefik_entrypoint: matrix-federation
|
|
|
|
# The architecture that your server runs.
|
|
# Recognized values by us are 'amd64', 'arm32' and 'arm64'.
|
|
# Not all architectures support all services, so your experience (on non-amd64) may vary.
|
|
# See docs/alternative-architectures.md
|
|
matrix_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}"
|
|
|
|
# The architecture for Debian packages.
|
|
# See: https://wiki.debian.org/SupportedArchitectures
|
|
# We just remap from our `matrix_architecture` values to what Debian and possibly other distros call things.
|
|
matrix_debian_arch: "{{ 'armhf' if matrix_architecture == 'arm32' else matrix_architecture }}"
|
|
|
|
matrix_container_global_registry_prefix: "docker.io/"
|
|
|
|
matrix_user_username: "matrix"
|
|
matrix_user_groupname: "matrix"
|
|
|
|
# By default, the playbook creates the user (`matrix_user_username`)
|
|
# and group (`matrix_user_groupname`) with a random id.
|
|
# To use a specific user/group id, override these variables.
|
|
matrix_user_uid: ~
|
|
matrix_user_gid: ~
|
|
|
|
matrix_base_data_path: "/matrix"
|
|
matrix_base_data_path_mode: "750"
|
|
|
|
matrix_bin_path: "{{ matrix_base_data_path }}/bin"
|
|
|
|
matrix_host_command_sleep: "/usr/bin/env sleep"
|
|
matrix_host_command_chown: "/usr/bin/env chown"
|
|
matrix_host_command_fusermount: "/usr/bin/env fusermount"
|
|
matrix_host_command_openssl: "/usr/bin/env openssl"
|
|
|
|
matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"
|
|
|
|
# Specifies on which container network the homeserver is.
|
|
matrix_homeserver_container_network: "matrix-homeserver"
|
|
|
|
# Specifies which systemd services are responsible for the homeserver
|
|
matrix_homeserver_systemd_services_list: []
|
|
|
|
# Specifies where the homeserver's Client-Server API is on the container network (matrix_homeserver_container_network).
|
|
matrix_homeserver_container_url: "http://{{ matrix_homeserver_container_client_api_endpoint }}"
|
|
|
|
# Specifies where the homeserver's Client-Server API is on the container network (matrix_homeserver_container_network).
|
|
# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
|
|
# This likely gets overriden elsewhere.
|
|
matrix_homeserver_container_client_api_endpoint: ""
|
|
|
|
# Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).
|
|
matrix_homeserver_container_federation_url: "http://{{ matrix_homeserver_container_federation_api_endpoint }}"
|
|
|
|
# Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).
|
|
# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
|
|
# This likely gets overriden elsewhere.
|
|
matrix_homeserver_container_federation_api_endpoint: ""
|
|
|
|
# Specifies the public url of the Sync v3 (sliding-sync) API.
|
|
# This will be used to set the `org.matrix.msc3575.proxy` property in `/.well-known/matrix/client`.
|
|
# Once the API is stabilized, this will no longer be required.
|
|
# See MSC3575: https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md
|
|
matrix_homeserver_sliding_sync_url: ""
|
|
|
|
matrix_identity_server_url: ~
|
|
|
|
matrix_integration_manager_rest_url: ~
|
|
matrix_integration_manager_ui_url: ~
|
|
|
|
matrix_homeserver_container_extra_arguments_auto: []
|
|
matrix_homeserver_app_service_config_files_auto: []
|
|
|
|
# Controls whether various services should expose metrics publicly.
|
|
# If Prometheus is operating on the same machine, exposing metrics publicly is not necessary.
|
|
matrix_metrics_exposure_enabled: false
|
|
matrix_metrics_exposure_hostname: "{{ matrix_server_fqn_matrix }}"
|
|
matrix_metrics_exposure_path_prefix: /metrics
|
|
matrix_metrics_exposure_http_basic_auth_enabled: false
|
|
# See https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
|
|
matrix_metrics_exposure_http_basic_auth_users: ''
|
|
|
|
# Specifies the type of reverse-proxy used by the playbook.
|
|
#
|
|
# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is,
|
|
# as well as how all other services are configured.
|
|
#
|
|
# Valid options and a description of their behavior:
|
|
#
|
|
# - `playbook-managed-traefik`
|
|
# - the playbook will run a managed Traefik instance (matrix-traefik)
|
|
# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
|
|
# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
|
|
# - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working
|
|
#
|
|
# - `playbook-managed-nginx`
|
|
# - the playbook will install matrix-nginx-proxy
|
|
# - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`)
|
|
# - if SSL termination is enabled (as it is by default), you need to populate: `matrix_ssl_lets_encrypt_support_email`
|
|
#
|
|
# - `other-traefik-container`
|
|
# - this playbook will not install Traefik
|
|
# - nevertheless, the playbook expects that you would install Traefik yourself via other means
|
|
# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
|
|
# - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
|
|
# - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`)
|
|
#
|
|
# - `other-nginx-non-container`
|
|
# - the playbook will not install matrix-nginx-proxy
|
|
# - however, it will still dump some nginx configuration in /matrix/nginx/conf.d
|
|
# - these configs are meant to be included into a locally-installed (without a container) nginx server
|
|
# - all container services are exposed locally (e.g. `-p 127.0.0.1:8080:8080`)
|
|
#
|
|
# - `other-on-same-host`
|
|
# - like other-nginx-non-container, but supposedly won't generate useless configuration in /matrix/nginx/conf.d in the future
|
|
#
|
|
# - `other-on-another-host`
|
|
# - like other-on-same-host, but services are exposed on all interfaces (e.g. `-p 0.0.0.0:8080:8080`)
|
|
# - configurable via `matrix_playbook_service_host_bind_interface_prefix`
|
|
#
|
|
# - `none`
|
|
# - no reverse-proxy will be installed
|
|
# - no nginx configuration will be dumped in /matrix/nginx/conf.d
|
|
# - no port exposure will be done for any of the container services
|
|
# - it's up to you to expose the ports you want, etc.
|
|
matrix_playbook_reverse_proxy_type: ''
|
|
|
|
matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}"
|
|
|
|
# Variables to Control which parts of our roles run.
|
|
run_postgres_import: true
|
|
run_postgres_upgrade: true
|
|
run_postgres_import_sqlite_db: true
|
|
run_postgres_vacuum: true
|
|
run_synapse_register_user: true
|
|
run_synapse_update_user_password: true
|
|
run_synapse_import_media_store: true
|
|
run_synapse_rust_synapse_compress_state: true
|
|
run_dendrite_register_user: true
|
|
run_setup: true
|
|
run_self_check: true
|
|
run_start: true
|
|
run_stop: true
|