30f1034767
The variable was necessary when multiple playbooks could have potentially tried to manage a shared `devture-traefik.serivce` systemd service and shared `/devture-traefik` directory. Since adcc6d9723086f65f1a72, we use our own `/matrix/traefik` (`matrix-traefik.service`) installation and no conflicts can arise. It's safe to always enable the role, just like we do with all the other roles.
---

# The bare domain name which represents your Matrix identity.
# Matrix user IDs (MXIDs) for your server will be of the form `@user:<matrix-domain>`.
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>", see `matrix_server_fqn_matrix`).
#
# There is no usable default (`~` is YAML null) - you must set this in your own vars.
#
# Example value: example.com
matrix_domain: ~

# The optional Matrix admin MXID, used in bridges' configs to set the bridge admin user.
# Whoever controls this account is handed administrative control of the bridges that use it,
# so point it at an account you own.
#
# Always quote the value: MXIDs start with `@`, which YAML reserves and rejects in an unquoted scalar.
#
# Example value: "@someone:{{ matrix_domain }}"
matrix_admin: ''
# matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc.
#
# Unless you're wrapping this playbook in another one
# where you optionally wish to disable homeserver integration, you don't need to use this.
#
# Note: disabling this does not mean that a homeserver won't get installed.
# Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`.
matrix_homeserver_enabled: true

# Homeserver admin contacts and support page as per MSC 1929
# See: https://github.com/matrix-org/matrix-spec-proposals/pull/1929
#
# These feed the `/.well-known/matrix/support` file (generated when `matrix_well_known_matrix_support_enabled`
# is true), which anyone can fetch from your server. List only contact details you are willing to expose
# publicly (a role address such as security@ rather than a personal mailbox).
#
# Users in form:
#
# matrix_homeserver_admin_contacts:
#   - matrix_id: '@admin:domain.tld'   # quote MXIDs - an unquoted leading `@` is invalid YAML
#     email_address: admin@domain.tld
#     role: admin
#   - email_address: security@domain.tld
#     role: security
#
# Also see: `matrix_well_known_matrix_support_enabled`
matrix_homeserver_admin_contacts: []
# URL string like https://domain.tld/support.html, published through the same well-known file.
# Also see: `matrix_well_known_matrix_support_enabled`
matrix_homeserver_support_url: ''
# This will contain the homeserver implementation that is in use.
# Valid values: synapse, dendrite, conduit
#
# By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
#
# This value automatically influences other variables (`matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.).
# The homeserver implementation of an existing server cannot be changed without data loss.
matrix_homeserver_implementation: synapse

# This contains a secret, which is used for generating various other secrets later on.
#
# Treat it like a master key: set it to a long, randomly generated string and keep it out of
# version control (e.g. in Ansible Vault). Changing it later also changes every secret derived
# from it, so the services holding the old derived values would presumably need to be reconfigured.
matrix_homeserver_generic_secret_key: ''
# This is where your data lives and what we set up.
# This and the Element FQN (see below) are expected to be on the same server.
#
# Note: every `matrix_server_fqn_*` below defaults to a subdomain of `matrix_domain`.
# Each one you enable needs a DNS record pointing at this server (and, when the playbook's
# reverse-proxy terminates SSL, a certificate - see `matrix_playbook_reverse_proxy_type`).
matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}"

# This is where you access the federation API.
# Defaults to the same host as the Client-Server API (`matrix_server_fqn_matrix`).
matrix_server_fqn_matrix_federation: '{{ matrix_server_fqn_matrix }}'

# This is where you access the Element web UI from (if enabled via matrix_client_element_enabled; enabled by default).
# This and the Matrix FQN (see above) are expected to be on the same server.
matrix_server_fqn_element: "element.{{ matrix_domain }}"

# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"

# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default).
matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}"

# This is where you access the buscarron bot from (if enabled via matrix_bot_buscarron_enabled; disabled by default).
matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}"

# This is where you access Dimension (the integration manager).
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"

# This is where you access Etherpad (if enabled via etherpad_enabled; disabled by default).
matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}"

# The FQN used for Go-NEB (e.g. as a GitHub webhook callback URL).
matrix_server_fqn_bot_go_neb: "goneb.{{ matrix_domain }}"

# This is where you access Jitsi.
matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"

# This is where you access Grafana.
matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"

# This is where you access the Sygnal push gateway.
matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"

# This is where you access the ntfy push notification service.
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"

# This is where you access rageshake.
matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"
# The public TCP port on which the Matrix Federation API is served (8448 is the Matrix default).
# Other homeservers discover it via `/.well-known/matrix/server` (see `matrix_well_known_matrix_server_enabled`)
# or DNS SRV records.
matrix_federation_public_port: 8448

# The name of the Traefik entrypoint for handling Matrix Federation
matrix_federation_traefik_entrypoint: matrix-federation
# The architecture that your server runs.
# Recognized values by us are 'amd64', 'arm32' and 'arm64'.
# Not all architectures support all services, so your experience (on non-amd64) may vary.
# See docs/alternative-architectures.md
#
# Auto-detected from the `ansible_architecture` fact: x86_64 -> amd64, aarch64 -> arm64, armv* -> arm32.
# Anything else yields an empty string, so override this explicitly on unrecognized platforms.
matrix_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}"

# The architecture for Debian packages.
# See: https://wiki.debian.org/SupportedArchitectures
# We just remap from our `matrix_architecture` values to what Debian and possibly other distros call things.
# Only arm32 differs (Debian calls it armhf); amd64 and arm64 pass through unchanged.
matrix_debian_arch: "{{ 'armhf' if matrix_architecture == 'arm32' else matrix_architecture }}"
# Registry prefix for the container images used by the playbook (presumably prepended to each image name).
# Images come from Docker Hub by default; point this at a private registry or pull-through mirror
# if you need to vet or pin the images you run.
matrix_container_global_registry_prefix: "docker.io/"

# The dedicated system user and group the playbook creates; presumably the owner of everything
# under `matrix_base_data_path`.
matrix_user_username: "matrix"
matrix_user_groupname: "matrix"

# By default, the playbook creates the user (`matrix_user_username`)
# and group (`matrix_user_groupname`) with a random id.
# To use a specific user/group id, override these variables.
matrix_user_uid: ~
matrix_user_gid: ~

# Base directory for all playbook-managed data.
matrix_base_data_path: "/matrix"
# Permission bits for `matrix_base_data_path`: 750 = owner rwx, group rx, nothing for others,
# so unrelated local users cannot read the data directory. Kept as a quoted string so YAML
# does not reinterpret it as an integer.
matrix_base_data_path_mode: "750"

matrix_bin_path: "{{ matrix_base_data_path }}/bin"

matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"

# Host commands used by the playbook. Going through `/usr/bin/env` means the binary is looked up
# on the PATH of the executing user at run time; set an absolute path here if you need to pin
# a specific binary.
matrix_host_command_sleep: "/usr/bin/env sleep"
matrix_host_command_chown: "/usr/bin/env chown"
matrix_host_command_fusermount: "/usr/bin/env fusermount"
matrix_host_command_openssl: "/usr/bin/env openssl"
# Public HTTPS base URL of the homeserver, built from `matrix_server_fqn_matrix`.
matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"

# Specifies where the homeserver's Client-Server API is on the container network.
# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
# This likely gets overridden elsewhere.
matrix_homeserver_container_url: ""

# Specifies where the homeserver's Federation API is on the container network.
# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
# This likely gets overridden elsewhere.
matrix_homeserver_container_federation_url: ""

# Identity server URL, if any (`~` = none). Presumably advertised to clients via `/.well-known/matrix/client`.
matrix_identity_server_url: ~

# Integration manager REST API and UI URLs, if any (`~` = none).
# Presumably also surfaced to clients via `/.well-known/matrix/client`.
matrix_integration_manager_rest_url: ~
matrix_integration_manager_ui_url: ~
# The domain name where a Jitsi server is self-hosted.
# If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
# See: https://github.com/vector-im/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
matrix_client_element_jitsi_preferredDomain: '' # noqa var-naming

# Controls whether Element should use End-to-End Encryption by default.
# Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE.
# Turning this off lowers the default confidentiality of conversations for every Element user of your
# server; leave it enabled unless you have a specific reason not to.
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
matrix_well_known_matrix_client_io_element_e2ee_default: true

# Controls whether Element should require a secure backup to be set up before Element can be used.
# Setting this to true will update `/.well-known/matrix/client` and tell Element to require a secure backup.
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false

# Controls which backup methods from ["key", "passphrase"] should be used; both is the default.
# Setting this to anything other than empty will update `/.well-known/matrix/client` and tell Element which method(s) to use.
# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: []

# Controls whether Element-related entries should be added to the client well-known. Override this to false to hide
# Element-related well-known entries.
# By default this evaluates to true if any of the following differs from its default:
# `matrix_well_known_matrix_client_io_element_e2ee_default`
# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required`
# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods`
matrix_well_known_matrix_client_io_element_e2ee_entries_enabled: "{{ not matrix_well_known_matrix_client_io_element_e2ee_default or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0 }}"
# Default `/.well-known/matrix/client` configuration - it covers the generic use case.
# You can customize it by controlling the various variables inside the template file that it references.
#
# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`)
# or completely replace this variable with your own template.
#
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}"

# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`.
# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_well_known_matrix_client_configuration`.
#
# Example configuration extension follows:
#
# matrix_well_known_matrix_client_configuration_extension_json: |
#   {
#     "io.element.call_behaviour": {
#       "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state"
#     }
#   }
matrix_well_known_matrix_client_configuration_extension_json: '{}'

# Parsed form of the extension. A value that decodes to anything other than a JSON object
# (a list, string, number, ...) is silently discarded and an empty extension is used instead -
# there is no warning. Malformed JSON is not caught here and presumably fails at template time.
matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json | from_json if matrix_well_known_matrix_client_configuration_extension_json | from_json is mapping else {} }}"

# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension).
# The merge is recursive: nested objects are merged key by key, and on conflict the extension's value wins.
# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`.
matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default | combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}"
# Default `/.well-known/matrix/server` configuration - it covers the generic use case.
# You can customize it by controlling the various variables inside the template file that it references.
#
# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`)
# or completely replace this variable with your own template.
#
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}"

# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`.
# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_well_known_matrix_server_configuration`.
#
# Example configuration extension follows:
#
# matrix_well_known_matrix_server_configuration_extension_json: |
#   {
#     "something": "another"
#   }
matrix_well_known_matrix_server_configuration_extension_json: '{}'

# Parsed form of the extension. A value that decodes to anything other than a JSON object
# (a list, string, number, ...) is silently discarded and an empty extension is used instead -
# there is no warning. Malformed JSON is not caught here and presumably fails at template time.
matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json | from_json if matrix_well_known_matrix_server_configuration_extension_json | from_json is mapping else {} }}"

# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension).
# The merge is recursive: nested objects are merged key by key, and on conflict the extension's value wins.
# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`.
matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default | combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}"
# Default `/.well-known/matrix/support` configuration (see `matrix_homeserver_admin_contacts`
# and `matrix_homeserver_support_url`). Only relevant when `matrix_well_known_matrix_support_enabled` is true.
#
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_well_known_matrix_support_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-support.j2') }}"

# Your custom JSON extension for `/.well-known/matrix/support`, merged over the default
# (same mechanism as `matrix_well_known_matrix_client_configuration_extension_json`).
matrix_well_known_matrix_support_configuration_extension_json: '{}'

# Parsed form of the extension. A value that decodes to anything other than a JSON object
# is silently discarded and an empty extension is used instead - there is no warning.
matrix_well_known_matrix_support_configuration_extension: "{{ matrix_well_known_matrix_support_configuration_extension_json | from_json if matrix_well_known_matrix_support_configuration_extension_json | from_json is mapping else {} }}"

# Holds the final `/.well-known/matrix/support` configuration (a combination of the default and its extension).
# The merge is recursive: nested objects are merged key by key, and on conflict the extension's value wins.
# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_support_configuration_default` and `matrix_well_known_matrix_support_configuration_extension_json`.
matrix_well_known_matrix_support_configuration: "{{ matrix_well_known_matrix_support_configuration_default | combine(matrix_well_known_matrix_support_configuration_extension, recursive=True) }}"
# The Docker network that all services would be put into
matrix_docker_network: "matrix"

# Controls whether a `/.well-known/matrix/server` file is generated and used at all.
#
# If you wish to rely on DNS SRV records only, you can disable this.
# Using DNS SRV records implies that you'll be handling Matrix Federation API traffic (tcp/8448)
# using certificates for the base domain (`matrix_domain`) and not for the
# matrix domain (`matrix_server_fqn_matrix`).
matrix_well_known_matrix_server_enabled: true

# Controls whether a `/.well-known/matrix/support` file is generated and used at all.
#
# This is not enabled by default, until the MSC gets accepted: https://github.com/matrix-org/matrix-spec-proposals/pull/1929
#
# Enabling it publishes `matrix_homeserver_admin_contacts` and `matrix_homeserver_support_url`
# to anyone who can fetch the well-known file - review those values before turning this on.
#
# See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc.
matrix_well_known_matrix_support_enabled: false

# Lists of extra homeserver container arguments and appservice registration files.
# The `_auto` suffix suggests other roles populate these automatically; leave them empty here.
matrix_homeserver_container_extra_arguments_auto: []
matrix_homeserver_app_service_config_files_auto: []
# Specifies the type of reverse-proxy used by the playbook.
#
# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is,
# as well as how all other services are configured.
#
# Valid options and a description of their behavior:
#
# - `playbook-managed-traefik`
#   - the playbook will run a managed Traefik instance (matrix-traefik)
#   - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
#   - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
#   - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working
#
# - `playbook-managed-nginx`
#   - the playbook will install matrix-nginx-proxy
#   - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`)
#   - if SSL termination is enabled (as it is by default), you need to populate: `matrix_ssl_lets_encrypt_support_email`
#
# - `other-traefik-container`
#   - this playbook will not install Traefik
#   - nevertheless, the playbook expects that you would install Traefik yourself via other means
#   - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
#   - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
#   - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`)
#
# - `other-nginx-non-container`
#   - the playbook will not install matrix-nginx-proxy
#   - however, it will still dump some nginx configuration in /matrix/nginx/conf.d
#   - these configs are meant to be included into a locally-installed (without a container) nginx server
#   - all container services are exposed on the loopback interface only (e.g. `-p 127.0.0.1:8080:8080`)
#
# - `other-on-same-host`
#   - like other-nginx-non-container, but supposedly won't generate useless configuration in /matrix/nginx/conf.d in the future
#
# - `other-on-another-host`
#   - like other-on-same-host, but services are exposed on all interfaces (e.g. `-p 0.0.0.0:8080:8080`)
#   - this puts every container service's port on every host interface, with nothing in front of it;
#     make sure a host firewall (or `matrix_playbook_service_host_bind_interface_prefix` set to a specific
#     address) limits who can reach those ports to your reverse-proxy host
#   - configurable via `matrix_playbook_service_host_bind_interface_prefix`
#
# - `none`
#   - no reverse-proxy will be installed
#   - no nginx configuration will be dumped in /matrix/nginx/conf.d
#   - no port exposure will be done for any of the container services
#   - it's up to you to expose the ports you want, etc.
#
# Left empty here; presumably resolved to one of the options above in `group_vars/matrix_servers`.
matrix_playbook_reverse_proxy_type: ''

# Host address prefix for `-p` port publishing, derived from the reverse-proxy type:
# '' (no explicit bind) for types not listed below, '127.0.0.1:' (loopback only) for
# other-nginx-non-container and other-on-same-host, '0.0.0.0:' (all interfaces) for other-on-another-host.
matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}"
# Variables to control which parts of our roles run.
# Each is a plain on/off switch (presumably consulted by the matching tasks); set one to false
# to skip that part of a run without affecting the rest.
run_postgres_import: true
run_postgres_upgrade: true
run_postgres_import_sqlite_db: true
run_postgres_vacuum: true
run_synapse_register_user: true
run_synapse_update_user_password: true
run_synapse_import_media_store: true
run_synapse_rust_synapse_compress_state: true
run_dendrite_register_user: true
run_setup: true
run_self_check: true
run_start: true
run_stop: true