matrix-docker-ansible-deploy/roles/custom/matrix-base/defaults/main.yml

335 lines
19 KiB
YAML
Raw Normal View History

---
2019-02-28 10:51:09 +01:00
# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
2019-02-28 10:51:09 +01:00
# Installation happens on another server ("matrix.<matrix-domain>", see `matrix_server_fqn_matrix`).
#
# Example value: example.com
matrix_domain: ~
2022-06-27 09:34:04 +02:00
# The optional matrix admin MXID, used in bridges' configs to set bridge admin user
2022-06-27 13:38:21 +02:00
# Example value: "@someone:{{ matrix_domain }}"
2022-06-27 09:34:04 +02:00
matrix_admin: ''
# Global var to enable/disable encryption across all bridges with encryption support
matrix_bridges_encryption_enabled: false
# Global var to make encryption default/optional across all bridges with encryption support
matrix_bridges_encryption_default: "{{ matrix_bridges_encryption_enabled }}"
2023-07-21 12:22:05 +02:00
# Global var to enable/disable relay mode across all bridges with relay mode support
matrix_bridges_relay_enabled: false
# A container network where all addon services (bridges, bots, etc.) would live.
matrix_addons_container_network: matrix-addons
# The container network that the homeserver lives on and addon services (bridges, bots, etc.) should be connected to
matrix_addons_homeserver_container_network: "{{ matrix_homeserver_container_network }}"
# The URL where addon services (bridges, bots, etc.) can reach the homeserver.
# By default, this is configured to go directly to the homeserver, but the playbook may
# override it to go through an intermediary service.
matrix_addons_homeserver_client_api_url: "{{ matrix_homeserver_container_url }}"
# The systemd services (representing the homeserver) that addon services (bridges, bots, etc.) should depend on
matrix_addons_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_services_list }}"
# A container network where all monitoring services would live.
matrix_monitoring_container_network: matrix-monitoring
# matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc.
#
# Unless you're wrapping this playbook in another one
# where you optionally wish to disable homeserver integration, you don't need to use this.
#
# Note: disabling this does not mean that a homeserver won't get installed.
# Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`.
matrix_homeserver_enabled: true
# This will contain the homeserver implementation that is in use.
2022-08-04 21:35:41 +02:00
# Valid values: synapse, dendrite, conduit
#
# By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
#
# This value automatically influences other variables (`matrix_synapse_enabled`, `matrix_dendrite_enabled`, etc.).
# The homeserver implementation of an existing server cannot be changed without data loss.
matrix_homeserver_implementation: synapse
# This contains a secret, which is used for generating various other secrets later on.
matrix_homeserver_generic_secret_key: ''
2019-02-28 10:51:09 +01:00
# This is where your data lives and what we set up.
# This and the Element FQN (see below) are expected to be on the same server.
2019-02-28 10:51:09 +01:00
matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}"
2021-06-28 14:30:48 +02:00
# This is where you access federation API.
matrix_server_fqn_matrix_federation: '{{ matrix_server_fqn_matrix }}'
# This is where you access the Element web UI from (if enabled via matrix_client_element_enabled; enabled by default).
2019-02-28 10:51:09 +01:00
# This and the Matrix FQN (see above) are expected to be on the same server.
matrix_server_fqn_element: "element.{{ matrix_domain }}"
2021-05-15 11:23:36 +02:00
# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"
2022-01-05 17:33:21 +01:00
# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default).
matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}"
2023-08-30 18:23:52 +02:00
# This is where you access the schildichat web client from (if enabled via matrix_client_schildichat_enabled; disabled by default).
matrix_server_fqn_schildichat: "schildichat.{{ matrix_domain }}"
2022-04-23 15:19:24 +02:00
# This is where you access the buscarron bot from (if enabled via matrix_bot_buscarron_enabled; disabled by default).
matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}"
2019-03-07 06:22:08 +01:00
# This is where you access the Dimension.
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
# This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default).
2022-11-04 10:36:10 +01:00
matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}"
2021-03-11 19:23:01 +01:00
# For use with Go-NEB! (github callback url for example)
matrix_server_fqn_bot_go_neb: "goneb.{{ matrix_domain }}"
2020-03-23 16:19:15 +01:00
# This is where you access Jitsi.
matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
2021-01-29 10:30:04 +01:00
# This is where you access Grafana.
matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"
# This is where you access the Sygnal push gateway.
matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"
wsproxy for Android SMS (#2261) * Inital work, copeid from mautrix-amp PR * Some fixes leftover code copeid over from whatsapp * Got it to run and register * Fixed service issue with docker image * I now realize I need 2 roles wsproxy and imessage * Got someting working, still rough * Closer to working but still not working * reverting ports * Update main.yml * Add matrix-nginx-proxy config for mautrix-wsproxy * Changed * Add back file * fix for error hopefully * Changed the the way nginx was recieved * basically did not add anything ugh * Added some arguments * just trying stuff now * Ugh i messed up port number * Changed docs * Change dns config * changed generic secret key * Testing new nginx proxy * test * Fix linting errors * Add mautrix syncproxy to wsproxy for Android SMS * WIP * Move wsproxy to custom * Squashed commit of the following: commit 943189a9aa163f9fbcb795636b4cc0fd3c0d2877 Merge: 4a229d68 f5a09f30 Author: Slavi Pantaleev <slavi@devture.com> Date: Sun Nov 13 08:54:32 2022 +0200 Merge pull request #2259 from throny/patch-3 warn users about upgrading to pg15 when using borg commit 4a229d68700536491ee3bec611f62568dbe7c442 Merge: 9b326e08 c68def08 Author: Slavi Pantaleev <slavi@devture.com> Date: Sun Nov 13 08:53:13 2022 +0200 Merge pull request #2260 from etkecc/patch-117 Update ntfy 1.28.0 -> 1.29.0 commit f5a09f30b746f1c19dbec3b077f9d3a612ba15e7 Author: throny <m.throne12@gmail.com> Date: Sat Nov 12 23:48:57 2022 +0100 Update maintenance-postgres.md commit b12cdbd99d381acc587cef7b895cd3ac814a230c Author: throny <m.throne12@gmail.com> Date: Sat Nov 12 23:40:46 2022 +0100 Update maintenance-postgres.md commit c68def0809aa68cf8a7c0c70b1e3ddad39db105a Author: Aine <97398200+etkecc@users.noreply.github.com> Date: Sat Nov 12 22:01:31 2022 +0000 Update ntfy 1.28.0 -> 1.29.0 commit adbc09f152c390af8f272a0580a1810983ae592f Author: throny <m.throne12@gmail.com> Date: Sat Nov 12 11:20:43 2022 +0100 warn users about upgrading to pg15 when using borg * Fix linting errors * Cleanup after merge * Correct outdated variable names * Enable both Android and iMessage with wsproxy * Restructure wsproxy service defs and nginx config * Fix linter errors * Apply suggestions from code review Co-authored-by: Slavi Pantaleev <slavi@devture.com> * Fix comments for documentation, volumes and ports * Correct mount syntax * Complete network and traefik support for wsproxy * Remove wsproxy data_path * Fix wsproxy service definitions * Actually include syncproxy service * Remove wsproxy PathPrefix, it needs a subdomain There's no setting in the iMessage bridge that allows a path. Also don't bind port by default, wsproxy has no TLS. Syncproxy should never expose a port, it's only internal. --------- Co-authored-by: hanthor <jreilly112@gmail.com> Co-authored-by: Miguel Alatzar <miguel@natrx.io> Co-authored-by: Shreyas Ajjarapu <github.tzarina@aleeas.com> Co-authored-by: Slavi Pantaleev <slavi@devture.com>
2023-08-23 14:05:32 +02:00
# This is where you access the mautrix wsproxy push gateway.
matrix_server_fqn_mautrix_wsproxy: "wsproxy.{{ matrix_domain }}"
# This is where you access the ntfy push notification service.
matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
2023-02-20 22:34:16 +01:00
# This is where you access rageshake.
matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"
matrix_federation_public_port: 8448
# The name of the Traefik entrypoint for handling Matrix Federation
# Also see the `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables.
matrix_federation_traefik_entrypoint_name: matrix-federation
# Controls whether the federation entrypoint supports TLS.
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
# This may be changed at the playbook level for setups explicitly disabling TLS.
# `matrix_playbook_ssl_enabled` has no influence over this.
matrix_federation_traefik_entrypoint_tls: true
# The architecture that your server runs.
# Recognized values by us are 'amd64', 'arm32' and 'arm64'.
# Not all architectures support all services, so your experience (on non-amd64) may vary.
# See docs/alternative-architectures.md
matrix_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}"
# The architecture for Debian packages.
# See: https://wiki.debian.org/SupportedArchitectures
# We just remap from our `matrix_architecture` values to what Debian and possibly other distros call things.
matrix_debian_arch: "{{ 'armhf' if matrix_architecture == 'arm32' else matrix_architecture }}"
matrix_container_global_registry_prefix: "docker.io/"
matrix_user_username: "matrix"
matrix_user_groupname: "matrix"
# By default, the playbook creates the user (`matrix_user_username`)
# and group (`matrix_user_groupname`) with a random id.
# To use a specific user/group id, override these variables.
matrix_user_uid: ~
matrix_user_gid: ~
matrix_base_data_path: "/matrix"
matrix_base_data_path_mode: "750"
matrix_bin_path: "{{ matrix_base_data_path }}/bin"
matrix_host_command_sleep: "/usr/bin/env sleep"
matrix_host_command_chown: "/usr/bin/env chown"
matrix_host_command_fusermount: "/usr/bin/env fusermount"
matrix_host_command_openssl: "/usr/bin/env openssl"
2020-04-05 08:42:52 +02:00
matrix_homeserver_url: "{{ ('https' if matrix_playbook_ssl_enabled else 'http') }}://{{ matrix_server_fqn_matrix }}"
# Specifies on which container network the homeserver is.
matrix_homeserver_container_network: "matrix-homeserver"
# Specifies whether the homeserver will federate at all.
# Disable this to completely isolate your server from the rest of the Matrix network.
matrix_homeserver_federation_enabled: true
# Specifies which systemd services are responsible for the homeserver
matrix_homeserver_systemd_services_list: []
# Specifies where the homeserver's Client-Server API is on the container network (matrix_homeserver_container_network).
# Most services that need to reach the homeserver do not use `matrix_homeserver_container_url`, but
# rather `matrix_addons_homeserver_client_api_url`.
matrix_homeserver_container_url: "http://{{ matrix_homeserver_container_client_api_endpoint }}"
# Specifies where the homeserver's Client-Server API is on the container network (matrix_homeserver_container_network).
# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
# This likely gets overriden elsewhere.
matrix_homeserver_container_client_api_endpoint: ""
# Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).
matrix_homeserver_container_federation_url: "http://{{ matrix_homeserver_container_federation_api_endpoint }}"
# Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).
# Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
# This likely gets overriden elsewhere.
matrix_homeserver_container_federation_api_endpoint: ""
# Specifies the public url of the Sync v3 (sliding-sync) API.
# This will be used to set the `org.matrix.msc3575.proxy` property in `/.well-known/matrix/client`.
# Once the API is stabilized, this will no longer be required.
# See MSC3575: https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md
matrix_homeserver_sliding_sync_url: ""
matrix_identity_server_url: ~
2019-12-10 05:23:56 +01:00
matrix_integration_manager_rest_url: ~
matrix_integration_manager_ui_url: ~
matrix_homeserver_container_extra_arguments_auto: []
matrix_homeserver_app_service_config_files_auto: []
# Controls whether various services should expose metrics publicly.
# If Prometheus is operating on the same machine, exposing metrics publicly is not necessary.
matrix_metrics_exposure_enabled: false
matrix_metrics_exposure_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_metrics_exposure_path_prefix: /metrics
matrix_metrics_exposure_http_basic_auth_enabled: false
# See https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
matrix_metrics_exposure_http_basic_auth_users: ''
# Specifies the type of reverse-proxy used by the playbook.
#
# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is,
# as well as how all other services are configured.
#
# Valid options and a description of their behavior:
#
# - `playbook-managed-traefik`
# - the playbook will run a managed Traefik instance (matrix-traefik)
# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
#
# - `other-traefik-container`
# - this playbook will not install Traefik
# - nevertheless, the playbook expects that you would install Traefik yourself via other means
# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
# - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
# - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`)
#
# - `none`
# - no reverse-proxy will be installed
# - no port exposure will be done for any of the container services
# - it's up to you to expose the ports you want, etc.
# - this is unlikely to work well (if at all)
matrix_playbook_reverse_proxy_type: ''
# Specifies the network that the reverse-proxy is operating at
matrix_playbook_reverse_proxy_container_network: 'traefik'
# Specifies the hostname that the reverse-proxy is available at
matrix_playbook_reverse_proxy_hostname: 'matrix-traefik'
# Controls the additional network that reverse-proxyable services will be connected to.
matrix_playbook_reverse_proxyable_services_additional_network: "{{ matrix_playbook_reverse_proxy_container_network }}"
# Controls if various services think if SSL is enabled or not.
# Disabling this does not actually disable Treafik's web-secure entrypoint and TLS termination settings.
# For that, you'd need to use another variable (`devture_traefik_config_entrypoint_web_secure_enabled`).
# This variable merely serves as an indicator if SSL is used or not.
matrix_playbook_ssl_enabled: true
# Controls on which network interface services are exposed.
# You can use this to tell all services to expose themselves on the loopback interface, on a local network IP or or publicly.
# Possibly not all services support exposure via this variable.
# We recommend not using it.
#
# Example value: `127.0.0.1:` (note the trailing `:`).
matrix_playbook_service_host_bind_interface_prefix: ""
# Controls whether to enable an additional Traefik entrypoint for the purpose of serving Matrix Federation.
# By default, federation is served on a special port (8448), so a separate entrypoint is necessary.
# Group variables may influence whether this is enabled based on the port number and on the default entrypoints of the Traefik reverse-proxy.
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: true
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint_name }}"
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix_federation_public_port }}"
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}"
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default: |
{{
({'http3': {'advertisedPort': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort | int}})
if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled
else {}
}}
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto: {}
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom: {}
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition:
name: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name }}"
port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"
host_bind_port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}"
host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp }}"
config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config }}"
# Controls whether to enable an additional Traefik entrypoint for the purpose of serving the homeserver's Client-Server API internally.
#
# Homeserver software and other core components which are part of the homeserver's Client-Server API
# may wish to register their routes with this additional entrypoint and provide their services on it for internal (no-public-network and non-TLS) use.
#
# This entrypoint provides local addons (e.g. bridges, bots, etc.) with the ability to easily & quickly communicate with the homeserver and/or related software.
# Such services can reach the homeserver over the public internet (e.g. https://matrix.DOMAIN), but this is slow due to networking and SSL-termination.
# Talking directly to the homeserver (e.g. `http://matrix-synapse:8008`) is another option, but does not allow other homeserver-related software
# (e.g. identity servers like ma1sd, media repository servers like matrix-media-repo, firewalls like matrix-corporal)
# to register itself for certain homeserver routes.
#
# For example: when matrix-media-repo is enabled, it wishes to handle `/_matrix/media` both publicly and internally.
# Bots/bridges that try to upload media should not hit `/_matrix/media` on the homeserver directly, but actually go through matrix-media-repo.
#
# This entrypoint gives us a layer of indirection, so that all these homeserver-related services can register themselves on this entrypoint
# the same way they register themselves for the public (e.g. `web-secure`) entrypoint.
#
# Routers enabled on this entrypoint should use Traefik rules which do NOT do Host-matching (Host/HostRegexp),
# because addon services (e.g. bridges, bots) cannot properly pass a `Host` HTTP header when making
# requests to the endpoint's address (e.g. `http://devture-traefik:8008/`).
# This entrypoint only aims to handle a single "virtual host" - one dealing with the homeserver's Client-Server API.
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_definition:
name: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
port: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port }}"
host_bind_port: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port }}"
config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config }}"
# Variables to Control which parts of our roles run.
run_postgres_import: true
run_postgres_upgrade: true
run_postgres_import_sqlite_db: true
run_postgres_vacuum: true
run_synapse_register_user: true
run_synapse_update_user_password: true
run_synapse_import_media_store: true
run_synapse_rust_synapse_compress_state: true
run_dendrite_register_user: true
run_setup: true
run_self_check: true
run_start: true
2022-10-31 23:44:47 +01:00
run_stop: true