From f364fba1828310383178ad0afac64e085b0b568a Mon Sep 17 00:00:00 2001 From: Krisztian Szegi Date: Tue, 14 Sep 2021 08:35:20 +0200 Subject: [PATCH 001/139] Fix tripping on timesync setup --- roles/matrix-base/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 31bff1051..172564da6 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -83,8 +83,8 @@ matrix_host_command_openssl: "/usr/bin/env openssl" matrix_host_command_systemctl: "/usr/bin/env systemctl" matrix_host_command_sh: "/usr/bin/env sh" -matrix_ntpd_package: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else 'ntp' }}" -matrix_ntpd_service: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else ('ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp') }}" +matrix_ntpd_package: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else ( 'systemd' if ansible_os_family == 'Suse' else 'ntp' ) }}" +matrix_ntpd_service: "{{ 'systemd-timesyncd' if ( (ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7') or ansible_os_family == 'Suse') else ('ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp') }}" matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" From d9fa2f7ed45114fdfaaa5c3e205a091a0d8e8191 Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Mon, 4 Oct 2021 19:53:38 +0200 Subject: [PATCH 002/139] add auto proxy synapse worker metrics when matrix_nginx_proxy_proxy_synapse_metrics is enabled --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- .../nginx/conf.d/matrix-synapse.conf.j2 | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 79211a233..07e84ace1 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -222,7 +222,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) + - (['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) + (['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) }} # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index db111090c..343f04e5b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -153,6 +153,24 @@ server { } {% endif %} + {% if matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_synapse_metrics %} + {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %} + {% if worker.metrics_port != 0 %} + location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics { + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}"; + proxy_pass http://$backend/_synapse/metrics; + proxy_set_header Host $host; + + {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} + auth_basic "protected"; + auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; + {% endif %} + } + {% endif %} + {% endfor %} + {% endif %} + {# Everything else just goes to the API server ##} location / { {% if matrix_nginx_proxy_enabled %} From 1dac525e6320bd1560b79db4e4865125039b754f Mon Sep 17 00:00:00 2001 From: Luke Date: Tue, 12 Oct 2021 11:45:04 +0000 Subject: [PATCH 003/139] Added Mautrix Google Chat --- README.md | 2 + ...ring-playbook-bridge-mautrix-googlechat.md | 58 +++++++ docs/configuring-playbook.md | 2 + docs/container-images.md | 2 + docs/self-building.md | 1 + group_vars/matrix_servers | 47 ++++++ .../defaults/main.yml | 115 ++++++++++++++ .../tasks/init.yml | 69 +++++++++ .../tasks/main.yml | 21 +++ .../tasks/setup_install.yml | 128 ++++++++++++++++ .../tasks/setup_uninstall.yml | 24 +++ .../tasks/validate_config.yml | 14 ++ .../templates/config.yaml.j2 | 145 ++++++++++++++++++ .../matrix-mautrix-googlechat.service.j2 | 43 ++++++ setup.yml | 1 + 15 files changed, 672 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mautrix-googlechat.md create mode 100644 roles/matrix-bridge-mautrix-googlechat/defaults/main.yml create mode 100644 roles/matrix-bridge-mautrix-googlechat/tasks/init.yml create mode 100644 roles/matrix-bridge-mautrix-googlechat/tasks/main.yml create mode 100644 roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 diff --git a/README.md b/README.md index edda6f995..6e1b5c145 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) +- (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) + - (optional) the [mautrix-instagram](https://github.com/mautrix/instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/) - (optional) the [mautrix-signal](https://github.com/mautrix/signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/) diff --git a/docs/configuring-playbook-bridge-mautrix-googlechat.md b/docs/configuring-playbook-bridge-mautrix-googlechat.md new file mode 100644 index 000000000..381d1f290 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-googlechat.md @@ -0,0 +1,58 @@ +# Setting up Mautrix Google Chat (optional) + +The playbook can install and configure [mautrix-googlechat](https://github.com/mautrix/googlechat) for you. + +See the project's [documentation](https://docs.mau.fi/bridges/python/googlechat/index.html) to learn what it does and why it might be useful to you. + +To enable the [Google Chat](https://chat.google.com/) bridge just use the following playbook configuration: + + +```yaml +matrix_mautrix_googlechat_enabled: true +``` + + +## Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. + +### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + + +### Method 2: manually, by asking each user to provide a working access token + +**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)). + +When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps: + +- retrieve a Matrix access token for yourself. You can use the following command: + +``` +curl \ +--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-googlechat", "initial_device_display_name": "Mautrix-googlechat"}' \ +https://matrix.DOMAIN/_matrix/client/r0/login +``` + +- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE` + +- make sure you don't log out the `Mautrix-googlechat` device some time in the future, as that would break the Double Puppeting feature + + +## Usage + +Once the bot is enabled you need to start a chat with `googlechat bridge bot` with handle `@googlechatbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). + +Send `login` to the bridge bot to receive a link to the portal from which you can enable the bridging. Open the link sent by the bot and follow the instructions. + +Automatic login may not work. If it does not, reload the page and select the "Manual login" checkbox before starting. Manual login involves logging into your Google account normally and then manually getting the OAuth token from browser cookies with developer tools. + +Once logged in, recent chats should show up as new conversations automatically. Other chats will get portals as you receive messages. + +You can learn more about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/googlechat/authentication.html). + +After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so. + diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 60c7a4bf2..243440ddc 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -98,6 +98,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Hangouts bridging](configuring-playbook-bridge-mautrix-hangouts.md) (optional) +- [Setting up Mautrix Google Chat bridging](configuring-playbook-bridge-mautrix-googlechat.md) (optional) + - [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (optional) - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 21f055b82..6fbb92054 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -48,6 +48,8 @@ These services are not part of our default installation, but can be enabled by [ - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) +- [mautrix/googlechat](https://mau.dev/mautrix/googlechat/container_registry) - the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) (optional) + - [mautrix/instagram](https://mau.dev/mautrix/instagram/container_registry) - the [mautrix-instagram](https://github.com/mautrix/instagram) bridge to [Instagram](https://instagram.com/) (optional) - [mautrix/signal](https://mau.dev/mautrix/signal/container_registry) - the [mautrix-signal](https://github.com/mautrix/signal) bridge to [Signal](https://www.signal.org/) (optional) diff --git a/docs/self-building.md b/docs/self-building.md index babdeedb4..82726bb78 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -25,6 +25,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-appservice-webhooks` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` +- `matrix-bridge-mautrix-googlechat` - `matrix-bridge-mautrix-telegram` - `matrix-bridge-mautrix-signal` - `matrix-bridge-mautrix-whatsapp` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c811df1bb..48146f2b0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -337,6 +337,47 @@ matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_ke ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-googlechat +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_googlechat_enabled: false + +matrix_mautrix_googlechat_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_googlechat_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}" + +matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}" + +matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" + +matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.googlechat.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-googlechat +# +###################################################################### + + ###################################################################### # # matrix-bridge-mautrix-instagram @@ -1430,6 +1471,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_hangouts_database_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mautrix_googlechat_database_name, + 'username': matrix_mautrix_googlechat_database_username, + 'password': matrix_mautrix_googlechat_database_password, + }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_instagram_database_name, 'username': matrix_mautrix_instagram_database_username, diff --git a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml new file mode 100644 index 000000000..22f863fff --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -0,0 +1,115 @@ +# mautrix-googlechat is a Matrix <-> googlechat bridge +# See: https://github.com/mautrix/googlechat + +matrix_mautrix_googlechat_enabled: true + +matrix_mautrix_googlechat_container_image_self_build: false +matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git" + +matrix_mautrix_googlechat_version: latest +# See: https://mau.dev/mautrix/googlechat/container_registry +matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}" +matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_googlechat_docker_image_force_pull: "{{ matrix_mautrix_googlechat_docker_image.endswith(':latest') }}" + +matrix_mautrix_googlechat_base_path: "{{ matrix_base_data_path }}/mautrix-googlechat" +matrix_mautrix_googlechat_config_path: "{{ matrix_mautrix_googlechat_base_path }}/config" +matrix_mautrix_googlechat_data_path: "{{ matrix_mautrix_googlechat_base_path }}/data" +matrix_mautrix_googlechat_docker_src_files_path: "{{ matrix_mautrix_googlechat_base_path }}/docker-src" + +matrix_mautrix_googlechat_public_endpoint: '/mautrix-googlechat' + +matrix_mautrix_googlechat_homeserver_address: "{{ matrix_homeserver_container_url }}" +matrix_mautrix_googlechat_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_googlechat_appservice_address: 'http://matrix-mautrix-googlechat:8080' + +# Controls whether the matrix-mautrix-googlechat container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9007"), or empty string to not expose. +matrix_mautrix_googlechat_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_mautrix_googlechat_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-googlechat.service depends on. +matrix_mautrix_googlechat_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-googlechat.service wants +matrix_mautrix_googlechat_systemd_wanted_services_list: [] + +matrix_mautrix_googlechat_appservice_token: '' +matrix_mautrix_googlechat_homeserver_token: '' + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables +matrix_mautrix_googlechat_database_engine: 'sqlite' + +matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" +matrix_mautrix_googlechat_sqlite_database_path_in_container: "/data/mautrix-googlechat.db" + +matrix_mautrix_googlechat_database_username: 'matrix_mautrix_googlechat' +matrix_mautrix_googlechat_database_password: 'some-password' +matrix_mautrix_googlechat_database_hostname: 'matrix-postgres' +matrix_mautrix_googlechat_database_port: 5432 +matrix_mautrix_googlechat_database_name: 'matrix_mautrix_googlechat' + +matrix_mautrix_googlechat_database_connection_string: 'postgres://{{ matrix_mautrix_googlechat_database_username }}:{{ matrix_mautrix_googlechat_database_password }}@{{ matrix_mautrix_googlechat_database_hostname }}:{{ matrix_mautrix_googlechat_database_port }}/{{ matrix_mautrix_googlechat_database_name }}' + +matrix_mautrix_googlechat_appservice_database: "{{ + { + 'sqlite': ('sqlite:///' + matrix_mautrix_googlechat_sqlite_database_path_in_container), + 'postgres': matrix_mautrix_googlechat_database_connection_string, + }[matrix_mautrix_googlechat_database_engine] +}}" + + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_googlechat_login_shared_secret: '' + +matrix_mautrix_googlechat_appservice_bot_username: googlechatbot + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_googlechat_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_googlechat_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_googlechat_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_googlechat_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_googlechat_configuration_yaml`. + +matrix_mautrix_googlechat_configuration_extension: "{{ matrix_mautrix_googlechat_configuration_extension_yaml|from_yaml if matrix_mautrix_googlechat_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_googlechat_configuration_yaml`. +matrix_mautrix_googlechat_configuration: "{{ matrix_mautrix_googlechat_configuration_yaml|from_yaml|combine(matrix_mautrix_googlechat_configuration_extension, recursive=True) }}" + +matrix_mautrix_googlechat_registration_yaml: | + id: googlechat + as_token: "{{ matrix_mautrix_googlechat_appservice_token }}" + hs_token: "{{ matrix_mautrix_googlechat_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@googlechat_.+:{{ matrix_mautrix_googlechat_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_googlechat_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_googlechat_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_googlechat_appservice_address }} + # See https://github.com/mautrix/signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_googlechat_appservice_bot_username }} + rate_limited: false + de.sorunome.msc2409.push_ephemeral: true + +matrix_mautrix_googlechat_registration: "{{ matrix_mautrix_googlechat_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml new file mode 100644 index 000000000..c12fcd3cc --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/init.yml @@ -0,0 +1,69 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_googlechat_container_image_self_build and matrix_mautrix_googlechat_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-googlechat.service'] }}" + when: matrix_mautrix_googlechat_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mautrix_googlechat_config_path }}/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mautrix-googlechat-registration.yaml"] }} + when: matrix_mautrix_googlechat_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Mautrix googlechat's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-googlechat role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Mautrix googlechat proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mautrix_googlechat_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_googlechat_public_endpoint }} { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-googlechat:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:9007; + {% endif %} + } + - name: Register Mautrix googlechat proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_mautrix_googlechat_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_mautrix_googlechat_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Mautrix googlechat bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_googlechat_public_endpoint }}` + URL endpoint to the matrix-mautrix-googlechat container. + You can expose the container's port using the `matrix_mautrix_googlechat_container_http_host_bind_port` variable. + when: "matrix_mautrix_googlechat_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml new file mode 100644 index 000000000..defcd58ac --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mautrix_googlechat_enabled|bool" + tags: + - setup-all + - setup-mautrix-googlechat + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mautrix_googlechat_enabled|bool" + tags: + - setup-all + - setup-mautrix-googlechat + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mautrix_googlechat_enabled|bool" + tags: + - setup-all + - setup-mautrix-googlechat diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml new file mode 100644 index 000000000..f68ee505e --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml @@ -0,0 +1,128 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-googlechat role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_mautrix_googlechat_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}" + register: matrix_mautrix_googlechat_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_googlechat_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_googlechat_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-googlechat.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_googlechat_requires_restart: true + when: "matrix_mautrix_googlechat_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mautrix_googlechat_database_engine == 'postgres'" + +- name: Ensure Mautrix googlechat image is pulled + docker_image: + name: "{{ matrix_mautrix_googlechat_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_googlechat_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_googlechat_docker_image_force_pull }}" + when: not matrix_mautrix_googlechat_container_image_self_build + +- name: Ensure Mautrix googlechat paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_googlechat_base_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_config_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_data_path }}", when: true } + - { path: "{{ matrix_mautrix_googlechat_docker_src_files_path }}", when: "{{ matrix_mautrix_googlechat_container_image_self_build }}" } + when: "item.when|bool" + +- name: Ensure Mautrix Hangots repository is present on self build + git: + repo: "{{ matrix_mautrix_googlechat_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_googlechat_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_googlechat_git_pull_results + when: "matrix_mautrix_googlechat_container_image_self_build|bool" + +- name: Ensure Mautrix googlechat Docker image is built + docker_image: + name: "{{ matrix_mautrix_googlechat_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_googlechat_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_googlechat_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_googlechat_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_googlechat_container_image_self_build|bool" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db" + register: matrix_mautrix_googlechat_stat_database + +- name: (Data relocation) Ensure matrix-mautrix-googlechat.service is stopped + service: + name: matrix-mautrix-googlechat + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mautrix_googlechat_stat_database.stat.exists" + +- name: (Data relocation) Move mautrix-googlechat database file to ./data directory + command: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" + when: "matrix_mautrix_googlechat_stat_database.stat.exists" + +- name: Ensure mautrix-googlechat config.yaml installed + copy: + content: "{{ matrix_mautrix_googlechat_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_googlechat_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-googlechat registration.yaml installed + copy: + content: "{{ matrix_mautrix_googlechat_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_googlechat_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-googlechat.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-googlechat.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + mode: 0644 + register: matrix_mautrix_googlechat_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_googlechat_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-googlechat.service restarted, if necessary + service: + name: "matrix-mautrix-googlechat.service" + state: restarted + when: "matrix_mautrix_googlechat_requires_restart|bool" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml new file mode 100644 index 000000000..d3adb7e2b --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mautrix-googlechat service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + register: matrix_mautrix_googlechat_service_stat + +- name: Ensure matrix-mautrix-googlechat is stopped + service: + name: matrix-mautrix-googlechat + state: stopped + daemon_reload: yes + when: "matrix_mautrix_googlechat_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-googlechat.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-googlechat.service" + state: absent + when: "matrix_mautrix_googlechat_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mautrix-googlechat.service removal + service: + daemon_reload: yes + when: "matrix_mautrix_googlechat_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml new file mode 100644 index 000000000..7aa428708 --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/validate_config.yml @@ -0,0 +1,14 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_googlechat_public_endpoint" + - "matrix_mautrix_googlechat_appservice_token" + - "matrix_mautrix_googlechat_homeserver_token" +- debug: + msg: + - '`matrix_mautrix_googlechat_homeserver_domain` == {{ matrix_mautrix_googlechat_homeserver_domain }}' diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 new file mode 100644 index 000000000..c54ffac2c --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 @@ -0,0 +1,145 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_googlechat_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_googlechat_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_googlechat_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: {{ matrix_mautrix_googlechat_appservice_database|to_json }} + + # The unique ID of this appservice. + id: googlechat + # Username of the appservice bot. + bot_username: {{ matrix_mautrix_googlechat_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: googlechat bridge bot + bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_googlechat_appservice_token }}" + hs_token: "{{ matrix_mautrix_googlechat_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for googlechat users. + # {userid} is replaced with the user ID of the googlechat user. + username_template: "googlechat_{userid}" + # Displayname template for googlechat users. + # {displayname} is replaced with the display name of the googlechat user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{full_name} (googlechat)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!HO" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 20 + # Whether or not the googlechat users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your googlechat account. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_googlechat_login_shared_secret|to_json }} + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + + # Public website and API configs + web: + # Auth server config + auth: + # Publicly accessible base URL for the login endpoints. + # The prefix below is not implicitly added. This URL and all subpaths should be proxied + # or otherwise pointed to the appservice's webserver to the path specified below (prefix). + # This path should usually include a trailing slash. + # Internal prefix in the appservice web server for the login endpoints. + public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_googlechat_public_endpoint }}/login" + prefix: "{{ matrix_mautrix_googlechat_public_endpoint }}/login" + + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_googlechat_homeserver_domain }}': user + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_googlechat.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + hangups: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 new file mode 100644 index 000000000..c56473bed --- /dev/null +++ b/roles/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2 @@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix googlechat bridge +{% for service in matrix_mautrix_googlechat_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mautrix_googlechat_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-googlechat \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_mautrix_googlechat_container_http_host_bind_port %} + -p {{ matrix_mautrix_googlechat_container_http_host_bind_port }}:8080 \ + {% endif %} + -v {{ matrix_mautrix_googlechat_config_path }}:/config:z \ + -v {{ matrix_mautrix_googlechat_data_path }}:/data:z \ + {% for arg in matrix_mautrix_googlechat_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_googlechat_docker_image }} \ + python3 -m mautrix_googlechat -c /config/config.yaml --no-update + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-googlechat 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-googlechat + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 282df2e15..42613d96f 100755 --- a/setup.yml +++ b/setup.yml @@ -21,6 +21,7 @@ - matrix-bridge-beeper-linkedin - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts + - matrix-bridge-mautrix-googlechat - matrix-bridge-mautrix-instagram - matrix-bridge-mautrix-signal - matrix-bridge-mautrix-telegram From 459ee6f1e071608c4774c4e64efc45b1276c7e4a Mon Sep 17 00:00:00 2001 From: Luke Date: Tue, 12 Oct 2021 17:08:17 +0000 Subject: [PATCH 004/139] Updated Hangouts configuration readme. Also indicates that the Mautrix googlechat bridge is a replacement for hangouts. --- docs/configuring-playbook-bridge-mautrix-hangouts.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-bridge-mautrix-hangouts.md b/docs/configuring-playbook-bridge-mautrix-hangouts.md index 1b31e75aa..f6129777d 100644 --- a/docs/configuring-playbook-bridge-mautrix-hangouts.md +++ b/docs/configuring-playbook-bridge-mautrix-hangouts.md @@ -1,3 +1,5 @@ +# The [Mautrix Hangouts Bridge](https://mau.dev/mautrix/hangouts) is no longer maintained. It has changed to a [Google Chat Bridge](https://github.com/mautrix/googlechat). Setup instructions for the Google Chat Bridge can be [found here](configuring-playbook-bridge-mautrix-googlechat.md). + # Setting up Mautrix Hangouts (optional) The playbook can install and configure [mautrix-hangouts](https://github.com/mautrix/hangouts) for you. From 6937a2c0a950a4e0ce8a9b1eec0be3cdb23a21bb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Oct 2021 07:48:59 +0300 Subject: [PATCH 005/139] Ensure password_hash salt is less than 16 chars Also fixes the appservice and homeserver tokens for the Googlechat bridge, so that they're not the same as the ones for the Hangouts bridge. --- group_vars/matrix_servers | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 48146f2b0..4905a222e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -359,9 +359,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -369,7 +369,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.googlechat.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}" ###################################################################### # From c69ea4cbcda795f9bd5ae0b5bf752cb06c305ca8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Oct 2021 07:58:30 +0300 Subject: [PATCH 006/139] Update changelog Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1323 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1328 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1329 --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c48f483a..c706b4a67 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2021-10-23 + +## Hangouts bridge no longer updated, superseded by a Googlechat bridge + +The mautrix-hangouts bridge is no longer receiving updates upstream and is likely to stop working in the future. +We still retain support for this bridge in the playbook, but you're encouraged to switch away from it. + +There's a new [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge that you can [install using the playbook](docs/configuring-playbook-bridge-mautrix-googlechat.md). +Your **Hangouts bridge data will not be migrated**, however. You need to start fresh with the new bridge. + + # 2021-08-23 ## LinkedIn bridging support via beeper-linkedin From 8c15555d007b6fa2bcfbf6feeda44ca30994c08b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 15 Oct 2021 09:27:26 +0300 Subject: [PATCH 007/139] Upgrade Element (1.9.0 -> 1.9.2) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index e2540315b..614cdf24e 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.9.0 +matrix_client_element_version: v1.9.2 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 18395e73d3962d5108cfe24b801e3fcb358eec6a Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Tue, 19 Oct 2021 17:45:15 +0800 Subject: [PATCH 008/139] GMH v0.6.3 --- .../surveys/bridge_discord_appservice.json.j2 | 66 +++++++++++++++++++ .../surveys/configure_corporal.json.j2 | 6 +- .../tasks/bridge_discord_appservice.yml | 62 +++++++++++++++++ roles/matrix-awx/tasks/main.yml | 9 +++ .../matrix-awx/tasks/purge_database_main.yml | 6 +- .../tasks/set_variables_corporal.yml | 8 ++- .../tasks/set_variables_synapse.yml | 4 +- roles/matrix-common-after/tasks/awx_post.yml | 5 ++ 8 files changed, 155 insertions(+), 11 deletions(-) create mode 100644 roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 create mode 100644 roles/matrix-awx/tasks/bridge_discord_appservice.yml diff --git a/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 b/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 new file mode 100644 index 000000000..7252cc2c0 --- /dev/null +++ b/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 @@ -0,0 +1,66 @@ +{ + "name": "Bridge Discord Appservice", + "description": "Enables a private bridge you can use to connect Matrix rooms to Discord.", + "spec": [ + { + "question_name": "Enable Discord AppService Bridge", + "question_description": "Enables a private bridge you can use to connect Matrix rooms to Discord.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_appservice_discord_enabled | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_appservice_discord_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Discord Client ID", + "question_description": "The OAuth2 'CLIENT ID' which can be found in the 'OAuth2' tab of your new discord application: https://discord.com/developers/applications", + "required": true, + "min": 0, + "max": 128, + "default": "{{ matrix_appservice_discord_client_id | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_appservice_discord_client_id", + "type": "text" + }, + { + "question_name": "Discord Bot Token", + "question_description": "The Bot 'TOKEN' which can be found in the 'Bot' tab of your new discord application: https://discord.com/developers/applications", + "required": true, + "min": 0, + "max": 256, + "default": "{{ matrix_appservice_discord_bot_token | trim }}", + "choices": "", + "new_question": true, + "variable": "matrix_appservice_discord_bot_token", + "type": "password" + }, + { + "question_name": "Auto-Admin Matrix User", + "question_description": "The username you would like to be automatically joined and promoted to administrator (PL100) in bridged rooms. Exclude the '@' and server name postfix. So to create @stevo:example.org just enter 'stevo'.", + "required": false, + "min": 0, + "max": 1024, + "default": "", + "choices": "", + "new_question": true, + "variable": "awx_appservice_discord_admin_user", + "type": "text" + }, + { + "question_name": "Auto-Admin Rooms", + "question_description": "A list of rooms you want the user to be automatically joined and promoted to administrator (PL100) in. These should be the internal IDs (for example '!axfBUsKhfAjSMBdjKX:example.org') separated by newlines.", + "required": false, + "min": 0, + "max": 4096, + "default": "", + "choices": "", + "new_question": true, + "variable": "awx_appservice_discord_admin_rooms", + "type": "textarea" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_corporal.json.j2 b/roles/matrix-awx/surveys/configure_corporal.json.j2 index 7b782fd07..dc8cd4fdb 100755 --- a/roles/matrix-awx/surveys/configure_corporal.json.j2 +++ b/roles/matrix-awx/surveys/configure_corporal.json.j2 @@ -66,10 +66,10 @@ "required": false, "min": 0, "max": 256, - "default": "{{ awx_corporal_http_api_auth_token }}", + "default": "{{ matrix_corporal_http_api_auth_token }}", "choices": "", "new_question": true, - "variable": "awx_corporal_http_api_auth_token", + "variable": "matrix_corporal_http_api_auth_token", "type": "password" }, { @@ -81,7 +81,7 @@ "default": "{{ awx_corporal_raise_ratelimits }}", "choices": "Normal\nRaised", "new_question": true, - "variable": "matrix_corporal_raise_ratelimits", + "variable": "awx_corporal_raise_ratelimits", "type": "multiplechoice" } ] diff --git a/roles/matrix-awx/tasks/bridge_discord_appservice.yml b/roles/matrix-awx/tasks/bridge_discord_appservice.yml new file mode 100644 index 000000000..ed1daa960 --- /dev/null +++ b/roles/matrix-awx/tasks/bridge_discord_appservice.yml @@ -0,0 +1,62 @@ + +- name: Record Bridge Discord AppService variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Bridge Discord AppService Start' + with_dict: + 'matrix_appservice_discord_enabled': '{{ matrix_appservice_discord_enabled }}' + 'matrix_appservice_discord_client_id': '{{ matrix_appservice_discord_client_id }}' + 'matrix_appservice_discord_bot_token': '{{ matrix_appservice_discord_bot_token }}' + +- name: Collect discord bot invite link + shell: + cat /matrix/appservice-discord/config/invite_link + register: awx_discord_appservice_link + +- name: If the raw inputs is not empty start constructing parsed awx_appservice_discord_admin_rooms list + set_fact: + awx_appservice_discord_admin_rooms_array: |- + {{ awx_appservice_discord_admin_rooms.splitlines() | to_json }} + when: awx_appservice_discord_admin_rooms | trim | length > 0 + +- name: Promote user to administer (PL100) of each room + command: | + docker exec -i matrix-appservice-discord /bin/sh -c 'cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /build/tools/adminme.js -c /cfg/config.yaml -m "{{ item.1 }}" -u "@{{ awx_appservice_discord_admin_user }}:{{ matrix_domain }}" -p 100' + with_indexed_items: + - "{{ awx_appservice_discord_admin_rooms_array }}" + when: ( awx_appservice_discord_admin_rooms | trim | length > 0 ) and ( awx_appservice_discord_admin_user is defined ) + +- name: Save new 'Bridge Discord Appservice' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/bridge_discord_appservice.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//bridge_discord_appservice.json' + +- name: Copy new 'Bridge Discord Appservice' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/bridge_discord_appservice.json' + dest: '/matrix/awx/bridge_discord_appservice.json' + mode: '0660' + +- name: Recreate 'Bridge Discord Appservice' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 3 - Bridge Discord AppService" + description: "Enables a private bridge you can use to connect Matrix rooms to Discord." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-all,bridge-discord-appservice" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/bridge_discord_appservice.json') }}" + state: present + verbosity: 1 + tower_host: "https://{{ awx_host }}" + tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" + validate_certs: yes diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index ceb697ecd..adc158c7a 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -197,6 +197,15 @@ tags: - setup-synapse-admin +# Additional playbook to set the variable file during Discord Appservice Bridge configuration +- include_tasks: + file: "bridge_discord_appservice.yml" + apply: + tags: bridge-discord-appservice + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - bridge-discord-appservice + # Delete AWX session token - include_tasks: file: "delete_session_token.yml" diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index c64a54ddd..6b132091b 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -84,7 +84,7 @@ when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Purge all rooms with no local users - include_tasks: awx_purge_database_no_local.yml + include_tasks: purge_database_no_local.yml loop: "{{ awx_room_list_no_local_users.splitlines() | flatten(levels=1) }}" when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) @@ -116,7 +116,7 @@ no_log: True - name: Purge all rooms with more then N users - include_tasks: awx_purge_database_users.yml + include_tasks: purge_database_users.yml loop: "{{ awx_room_list_joined_members.splitlines() | flatten(levels=1) }}" when: awx_purge_mode.find("Number of users [slower]") != -1 @@ -141,7 +141,7 @@ no_log: True - name: Purge all rooms with more then N events - include_tasks: awx_purge_database_events.yml + include_tasks: purge_database_events.yml loop: "{{ awx_room_list_state_events.splitlines() | flatten(levels=1) }}" when: awx_purge_mode.find("Number of events [slower]") != -1 diff --git a/roles/matrix-awx/tasks/set_variables_corporal.yml b/roles/matrix-awx/tasks/set_variables_corporal.yml index 3558f717b..e911144dd 100755 --- a/roles/matrix-awx/tasks/set_variables_corporal.yml +++ b/roles/matrix-awx/tasks/set_variables_corporal.yml @@ -84,14 +84,16 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Corporal Settings Start' with_dict: - 'awx_corporal_http_api_auth_token': '{{ awx_corporal_http_api_auth_token }}' - when: awx_corporal_http_api_auth_token|length > 0 + 'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}' + when: ( matrix_corporal_http_api_auth_token|length > 0 ) and ( awx_corporal_policy_provider_mode != "Simple Static File" ) - name: Record 'Simple Static File' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 blockinfile: path: '{{ awx_cached_matrix_vars }}' - insertafter: "# Corporal Policy Provider Settings Start" + insertbefore: "# Corporal Policy Provider Settings End" + marker_begin: "Corporal" + marker_end: "Corporal" block: | matrix_corporal_policy_provider_config: | { diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index df6b27988..f0fe23693 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -38,7 +38,7 @@ set_fact: awx_synapse_auto_join_rooms_array: |- {{ awx_synapse_auto_join_rooms.splitlines() | to_json }} - when: awx_synapse_auto_join_rooms|length > 0 + when: awx_synapse_auto_join_rooms | length > 0 - name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank delegate_to: 127.0.0.1 @@ -49,7 +49,7 @@ insertafter: '# Synapse Settings Start' with_dict: "matrix_synapse_auto_join_rooms": "{{ awx_synapse_auto_join_rooms_array }}" - when: awx_synapse_auto_join_rooms|length > 0 + when: awx_synapse_auto_join_rooms | length > 0 - name: Record Synapse Shared Secret if it's defined delegate_to: 127.0.0.1 diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 8175267d6..8dae00b49 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -62,3 +62,8 @@ group: matrix mode: '0770' when: awx_customise_base_domain_website is defined + +- name: Print Discord AppService Bot Link for user + debug: + msg: "{{ awx_discord_appservice_link.stdout }}" + when: awx_discord_appservice_link is defined From 1dab178a446570863e2d33b5739c5de7d5de2d58 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Oct 2021 16:25:00 +0300 Subject: [PATCH 009/139] Upgrade Synapse (1.44.0 -> 1.45.0) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 460483e07..6c52452d0 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.44.0 -matrix_synapse_version_arm64: v1.44.0 +matrix_synapse_version: v1.45.0 +matrix_synapse_version_arm64: v1.45.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From a8556fb8beedfd3869e3b26ea02abed3c9b37ae2 Mon Sep 17 00:00:00 2001 From: Aaron R Date: Tue, 19 Oct 2021 22:57:01 -0500 Subject: [PATCH 010/139] Update installing.md to be a bit more clear This change should make it more obvious which order the steps must be done --- docs/installing.md | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/docs/installing.md b/docs/installing.md index 0e9dadd19..8b1b51aa5 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -1,25 +1,25 @@ # Installing +## 1. Installing the Matrix services + If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playbook.md), you can start the installation procedure. -Run this as-is to set up a server: +Run this command to install the Matrix services: ```bash ansible-playbook -i inventory/hosts setup.yml --tags=setup-all ``` -**Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. +The above command **doesn't start any services just yet** (another step does this later - below). Feel free to **re-run this setup command any time** you think something is off with the server configuration. -**Note**: if you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to the above (and all other) Ansible commands. - -The above command **doesn't start any services just yet** (another step does this later - below). - -Feel free to **re-run this setup command any time** you think something is off with the server configuration. +**Notes**: +- if you **don't** use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. +- if you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to the above (and all other) Ansible commands. -## Things you might want to do after installing +## 2. Things you might want to do after installing -After installing, but before starting the services, you may want to do additional things like: +**Before starting the services**, you may want to do additional things like: - [Importing an existing SQLite database (from another Synapse installation)](importing-synapse-sqlite.md) (optional) @@ -28,20 +28,22 @@ After installing, but before starting the services, you may want to do additiona - [Importing `media_store` data files from an existing Synapse installation](importing-synapse-media-store.md) (optional) -## Starting the services +## 3. Starting the services -When you're ready to start the Matrix services (and set them up to auto-start in the future): +When you're ready to start the Matrix services (and set them up to auto-start in the future), run this command: ```bash ansible-playbook -i inventory/hosts setup.yml --tags=start ``` -Now that services are running, you need to **finalize the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md) +## 4. Finalize the installation + +Now that services are running, you need to **finalize the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md). -## Things to do next +## 5. Things to do next -If you have started services and **finalized the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md), you can: +After you have started the services and **finalized the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md), you can: - [check if services work](maintenance-checking-services.md) - or [create your first Matrix user account](registering-users.md) From db81fa34151b7aa9179e0ae8f3f4f131d1b8ac67 Mon Sep 17 00:00:00 2001 From: Aaron R Date: Wed, 20 Oct 2021 01:33:03 -0500 Subject: [PATCH 011/139] Fix link to nginx files in configuring-playbook-own-webserver.md --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 9a27e0b7b..6a33ffbe1 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -71,7 +71,7 @@ After following the [Preparation](#preparation) guide above, you can take a loo ### Using another external webserver -Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/conf.d/). +Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/nginx/conf.d/). ## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy From 75cfad57ca5d4477bf2e3b6cce9baa3ac1c050db Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Wed, 20 Oct 2021 18:00:55 +0800 Subject: [PATCH 012/139] GoMatrixHosting v0.6.3 hotfix --- .../matrix-awx/tasks/bridge_discord_appservice.yml | 5 ----- roles/matrix-common-after/tasks/awx_post.yml | 14 +++++++++++++- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/roles/matrix-awx/tasks/bridge_discord_appservice.yml b/roles/matrix-awx/tasks/bridge_discord_appservice.yml index ed1daa960..7cb24028e 100644 --- a/roles/matrix-awx/tasks/bridge_discord_appservice.yml +++ b/roles/matrix-awx/tasks/bridge_discord_appservice.yml @@ -11,11 +11,6 @@ 'matrix_appservice_discord_client_id': '{{ matrix_appservice_discord_client_id }}' 'matrix_appservice_discord_bot_token': '{{ matrix_appservice_discord_bot_token }}' -- name: Collect discord bot invite link - shell: - cat /matrix/appservice-discord/config/invite_link - register: awx_discord_appservice_link - - name: If the raw inputs is not empty start constructing parsed awx_appservice_discord_admin_rooms list set_fact: awx_appservice_discord_admin_rooms_array: |- diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 8dae00b49..e98afb603 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -63,7 +63,19 @@ mode: '0770' when: awx_customise_base_domain_website is defined -- name: Print Discord AppService Bot Link for user +- name: Check if Discord AppService invite file exists + stat: + path: /matrix/appservice-discord/config/invite_link + register: awx_discord_appservice_link_file + when: ( awx_appservice_discord_admin_user is defined ) + +- name: Collect Discord AppService bot invite link if file exists + command: + cat /matrix/appservice-discord/config/invite_link + register: awx_discord_appservice_link + when: ( awx_discord_appservice_link_file.stat.exists == true ) and ( awx_appservice_discord_admin_user is defined ) + +- name: Print Discord AppService bot link for user debug: msg: "{{ awx_discord_appservice_link.stdout }}" when: awx_discord_appservice_link is defined From 4209c4208c1d6ae5f1fa4a6c064d991e060972d5 Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Tue, 19 Oct 2021 23:14:14 +0200 Subject: [PATCH 013/139] add own variable for worker metrics https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1311#issuecomment-945718866 --- group_vars/matrix_servers | 2 ++ roles/matrix-nginx-proxy/defaults/main.yml | 1 + .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index acdb7b752..23833875e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1296,6 +1296,8 @@ matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}" matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}" +matrix_nginx_proxy_proxy_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" + matrix_nginx_proxy_systemd_wanted_services_list: | {{ (['matrix-synapse.service'] if matrix_synapse_enabled else []) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 07e84ace1..8e6338758 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -182,6 +182,7 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:809 # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_synapse_metrics: false +matrix_nginx_proxy_synapse_workers_enabled_list: [] matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 343f04e5b..6933e9671 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -154,7 +154,7 @@ server { {% endif %} {% if matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_synapse_metrics %} - {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %} + {% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %} {% if worker.metrics_port != 0 %} location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics { resolver 127.0.0.11 valid=5s; From dd4dc22619ea15319e0335d704b05251d5b77a70 Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Tue, 19 Oct 2021 23:32:28 +0200 Subject: [PATCH 014/139] add worker metrics documentation --- docs/configuring-playbook-prometheus-grafana.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index b7f3caae4..529104d2a 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -58,6 +58,10 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) `matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`) +### Collecting worker metrics to an external Prometheus server + +If you are using workers (`matrix_synapse_workers_enabled`) and have enabled `matrix_nginx_proxy_proxy_synapse_metrics` as described above, the playbook will also automatically proxy the all worker threads's metrics to `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`, where `TYPE` corresponds to the type and `ID` to the instanceId of a worker as exemplified in `matrix_synapse_workers_enabled_list`. + ### Collecting system and Postgres metrics to an external Prometheus server (advanced) When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats. From ce41674e611917dcd608fb67d5ec9379b0926cf1 Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Wed, 20 Oct 2021 12:31:49 +0200 Subject: [PATCH 015/139] auto-generate prometheus.yml for workers metrics --- ...configuring-playbook-prometheus-grafana.md | 28 +++++++++++++ .../tasks/setup_nginx_proxy.yml | 15 +++++++ .../external_prometheus.yml.example.j2 | 40 +++++++++++++++++++ 3 files changed, 83 insertions(+) create mode 100644 roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 529104d2a..4edc2a81f 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -62,6 +62,34 @@ Name | Description If you are using workers (`matrix_synapse_workers_enabled`) and have enabled `matrix_nginx_proxy_proxy_synapse_metrics` as described above, the playbook will also automatically proxy the all worker threads's metrics to `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`, where `TYPE` corresponds to the type and `ID` to the instanceId of a worker as exemplified in `matrix_synapse_workers_enabled_list`. +The playbook also generates an exemplary prometheus.yml config file (`matrix_base_data_path/external_prometheus.yml.template`) with all the correct paths which you can copy to your Prometheus server and adapt to your needs, especially edit the specified `password_file` path and contents and path to your `synapse-v2.rules`. +It will look a bit like this: +```yaml +scrape_configs: + - job_name: 'synapse' + metrics_path: /_synapse/metrics + scheme: https + basic_auth: + username: prometheus + password_file: /etc/prometheus/password.pwd + static_configs: + - targets: ['matrix.DOMAIN:443'] + labels: + job: "master" + index: 1 + - job_name: 'synapse-generic_worker-1' + metrics_path: /_synapse-worker-generic_worker-18111/metrics + scheme: https + basic_auth: + username: prometheus + password_file: /etc/prometheus/password.pwd + static_configs: + - targets: ['matrix.DOMAIN:443'] + labels: + job: "generic_worker" + index: 18111 +``` + ### Collecting system and Postgres metrics to an external Prometheus server (advanced) When you normally enable the Prometheus and Grafana via the playbook, it will also show general system (via node-exporter) and Postgres (via postgres-exporter) stats. If you are instead collecting your metrics to an external Prometheus server, you can follow this advanced configuration example to also export these stats. diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 149fadab7..3dd828d25 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -38,6 +38,15 @@ mode: 0400 when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool" +- name: Generate sample prometheus.yml for external scraping + template: + src: "{{ role_path }}/templates/prometheus/external_prometheus.yml.example.j2" + dest: "{{ matrix_base_data_path }}/external_prometheus.yml.example" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0400 + when: matrix_nginx_proxy_proxy_synapse_metrics|bool + - name: Ensure Matrix nginx-proxy configured (generic) template: src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" @@ -270,3 +279,9 @@ path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" state: absent when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool" + +- name: Ensure sample prometheus.yml for external scraping is deleted + file: + path: "{{ matrix_base_data_path }}/external_prometheus.yml.example" + state: absent + when: "not matrix_nginx_proxy_proxy_synapse_metrics|bool" diff --git a/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 b/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 new file mode 100644 index 000000000..36d61c05e --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 @@ -0,0 +1,40 @@ +global: + scrape_interval: 5s + + # Attach these labels to any time series or alerts when communicating with + # external systems (federation, remote storage, Alertmanager). + external_labels: + monitor: 'synapse-{{ matrix_domain }}' + +rule_files: + - /etc/prometheus/synapse-v2.rules + +scrape_configs: + - job_name: 'synapse' + metrics_path: /_synapse/metrics + scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }} +{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} + basic_auth: + username: prometheus + password_file: /path/to/your/passwordfile.pwd +{% endif %} + static_configs: + - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}'] + labels: + job: "master" + index: 1 +{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %} + - job_name: 'synapse-{{ worker.type }}-{{ worker.instanceId }}' + metrics_path: /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics + scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }} +{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} + basic_auth: + username: prometheus + password_file: /path/to/your/passwordfile.pwd +{% endif %} + static_configs: + - targets: [{{ matrix_server_fqn_matrix }:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}'] + labels: + job: "{{ worker.type }}" + index: {{ worker.instanceId }} +{% endfor %} From 7b33fc8e1971a509e5aaee1af8d9781dab677e40 Mon Sep 17 00:00:00 2001 From: HarHarLinks Date: Wed, 20 Oct 2021 12:57:55 +0200 Subject: [PATCH 016/139] fixup! auto-generate prometheus.yml for workers metrics --- roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 2 +- .../templates/prometheus/external_prometheus.yml.example.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 3dd828d25..e577491b8 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -44,7 +44,7 @@ dest: "{{ matrix_base_data_path }}/external_prometheus.yml.example" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - mode: 0400 + mode: 0644 when: matrix_nginx_proxy_proxy_synapse_metrics|bool - name: Ensure Matrix nginx-proxy configured (generic) diff --git a/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 b/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 index 36d61c05e..01a39ffa5 100644 --- a/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 +++ b/roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2 @@ -33,7 +33,7 @@ scrape_configs: password_file: /path/to/your/passwordfile.pwd {% endif %} static_configs: - - targets: [{{ matrix_server_fqn_matrix }:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}'] + - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}'] labels: job: "{{ worker.type }}" index: {{ worker.instanceId }} From 5dc28682696a4e5f9a0ae17c3b786b025c73575e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 20 Oct 2021 15:08:07 +0300 Subject: [PATCH 017/139] Upgrade Synapse (1.45.0 -> 1.45.1) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 6c52452d0..d0df4f8d1 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.45.0 -matrix_synapse_version_arm64: v1.45.0 +matrix_synapse_version: v1.45.1 +matrix_synapse_version_arm64: v1.45.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 725150565a8231beba29a500912123aacbbf74d6 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Thu, 21 Oct 2021 09:47:07 +0800 Subject: [PATCH 018/139] GoMatrixHosting v0.6.3 hotfix2 --- roles/matrix-common-after/tasks/awx_post.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index e98afb603..4fbd5e557 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -63,19 +63,15 @@ mode: '0770' when: awx_customise_base_domain_website is defined -- name: Check if Discord AppService invite file exists - stat: - path: /matrix/appservice-discord/config/invite_link - register: awx_discord_appservice_link_file - when: ( awx_appservice_discord_admin_user is defined ) - - name: Collect Discord AppService bot invite link if file exists command: cat /matrix/appservice-discord/config/invite_link register: awx_discord_appservice_link - when: ( awx_discord_appservice_link_file.stat.exists == true ) and ( awx_appservice_discord_admin_user is defined ) + when: awx_appservice_discord_admin_user is defined + args: + removes: /matrix/appservice-discord/config/invite_link - name: Print Discord AppService bot link for user debug: msg: "{{ awx_discord_appservice_link.stdout }}" - when: awx_discord_appservice_link is defined + when: awx_discord_appservice_link.stdout is defined From 09ac950d170794e8d975e1a46a62ee8122d95317 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Oct 2021 16:32:05 +0300 Subject: [PATCH 019/139] Fix dump importing (backup restore) into Postgres v14 In short, the problem is that older Postgres versions store passwords hashed as md5. When you dump such a database, the dump naturally also contains md5-hashed passwords. Restoring from that dump used to create users and updates their passwords with these md5 hashes. However, Postgres v14 prefers does not like md5-hashed passwords now (by default), which breaks connectivity. Postgres v14 prefers `scram-sha-256` for authentication. Our solution is to just ignore setting passwords (`ALTER ROLE ..` statements) when restoring dumps. We don't need to set passwords as defined in the dump anyway, because the playbook creates users and manages their passwords by itself. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1340 --- roles/matrix-postgres/defaults/main.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 53b1c0f4c..91a31d997 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -63,7 +63,16 @@ matrix_postgres_additional_databases: [] # We either need to not create them or to ignore the `CREATE ROLE` statements in the dump. matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username] -matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});" +# When importing an existing Postgres database (when restoring a backup) or when doing a Postgres upgrade (which dumps & restores), we'd like to avoid: +# - creating users (`CREATE ROLE ..`) +# - updating passwords for users (`ALTER ROLE matrix WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'md5...`) +# +# Both of these operations are done by the playbook anyway. +# Updating passwords is especially undesirable, because older versions hash passwords using md5 and export them as md5 hashes in the dump file, +# which is unsupported by default by newer Postgres versions (v14+). +# When users are created and passwords are set by the playbook, they end up hashed as `scram-sha-256` on Postgres v14+. +# If an md5-hashed password is restored on top, Postgres v14+ will refuse to authenticate users with it by default. +matrix_postgres_import_roles_ignore_regex: "^(CREATE|ALTER) ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }})(;| WITH)" # A list of databases to avoid creating when importing (or upgrading) the database. # If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`), From d7af78066b1b81e890093863440a6d1bd768f35c Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Fri, 3 Sep 2021 07:58:48 +0300 Subject: [PATCH 020/139] Upgrade Heisenbridge (1.2.1 -> 1.3.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 2f9380dfe..a8c6db96b 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.2.1 +matrix_heisenbridge_version: 1.3.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 5f6bbafa17731eed8148cff5c22d99af3014b224 Mon Sep 17 00:00:00 2001 From: Kim Brose Date: Sun, 24 Oct 2021 16:00:42 +0200 Subject: [PATCH 021/139] fix space before tab in indent --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 6933e9671..6f569327d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -168,7 +168,7 @@ server { {% endif %} } {% endif %} - {% endfor %} + {% endfor %} {% endif %} {# Everything else just goes to the API server ##} From d31cdb071ab226864434520706c83f6922c26a3e Mon Sep 17 00:00:00 2001 From: throwawayay Date: Mon, 25 Oct 2021 12:44:58 -0400 Subject: [PATCH 022/139] Upgrade Element (v1.9.3) https://github.com/vector-im/element-web/releases/tag/v1.9.3 --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 614cdf24e..527b17e5e 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.9.2 +matrix_client_element_version: v1.9.3 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From feda83abf08e51ed7aa36cfcb4fc4341ee56f197 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Oct 2021 14:00:40 +0300 Subject: [PATCH 023/139] Mention that Hydrogen always undergoes self-building --- docs/alternative-architectures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 80749adfe..a6c2a02a3 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -21,6 +21,6 @@ matrix_architecture: "arm32" ## Implementation details -For `amd64`, prebuilt container images (see the [container images we use](container-images.md)) are used everywhere, because all images are available for this architecture. +For `amd64`, prebuilt container images (see the [container images we use](container-images.md)) are used for all components (except [Hydrogen](configuring-playbook-client-hydrogen.md), which goes through self-building). For other architectures, components which have a prebuilt image make use of it. If the component is not available for the specific architecture, [self-building](self-building.md) will be used. Not all components support self-building though, so your mileage may vary. From d09609b3bddf0898f3a617bad66d9cff12d36c7b Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 27 Oct 2021 23:11:01 +0530 Subject: [PATCH 024/139] Update prometheus (2.29.2 -> 2.30.3) --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index dc43eb487..1cbeed8bb 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.29.2 +matrix_prometheus_version: v2.30.3 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 0231302db9f0895c3f4cbc67f8a902b86426d1f5 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 27 Oct 2021 23:14:14 +0530 Subject: [PATCH 025/139] Upgrade grafana (8.1.4 -> 8.2.2) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 8df73e2d7..8e4bd7bb1 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.1.4 +matrix_grafana_version: 8.2.2 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 0a10077c6319eba362f8d35cade309b076975a2f Mon Sep 17 00:00:00 2001 From: jariz Date: Thu, 28 Oct 2021 11:16:43 +0200 Subject: [PATCH 026/139] caddy example fixes - caddy v1 requires a path in the header directive - msisd has been replaced in favour of ma1sd --- examples/caddy/matrix-synapse | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse index 4202c7592..c1893ebbf 100644 --- a/examples/caddy/matrix-synapse +++ b/examples/caddy/matrix-synapse @@ -5,7 +5,7 @@ https://matrix.DOMAIN { root /matrix/static-files - header { + header / { Access-Control-Allow-Origin * Strict-Transport-Security "mag=age=31536000;" X-Frame-Options "DENY" @@ -13,10 +13,10 @@ https://matrix.DOMAIN { } # Identity server traffic - proxy /_matrix/identity matrix-msisd:8090 { + proxy /_matrix/identity matrix-ma1sd:8090 { transparent } - proxy /_matrix/client/r0/user_directory/search matrix-msisd:8090 { + proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 { transparent } From 32f15e9bf0edd4407169c412294d8915f5ec81be Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Thu, 28 Oct 2021 15:21:58 +0200 Subject: [PATCH 027/139] update IRC appservice https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.32.1 --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 35432aa06..57604b199 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.31.0 +matrix_appservice_irc_version: release-0.32.1 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 124b9608fcfab7ac43bfc74d568eaaa9e6711e1b Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Fri, 3 Sep 2021 07:58:48 +0300 Subject: [PATCH 028/139] Upgrade Heisenbridge (1.3.0 -> 1.4.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index a8c6db96b..2be75e20f 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.3.0 +matrix_heisenbridge_version: 1.4.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 63f5a88fa01f6d8497f7308074fe9cb8d64ad70b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 29 Oct 2021 10:29:54 +0300 Subject: [PATCH 029/139] Separate install/uninstall tasks for Element and Hydrogen --- roles/matrix-client-element/tasks/main.yml | 10 ++++- .../tasks/{setup.yml => setup_install.yml} | 45 ------------------- .../tasks/setup_uninstall.yml | 38 ++++++++++++++++ roles/matrix-client-hydrogen/tasks/main.yml | 10 ++++- .../tasks/{setup.yml => setup_install.yml} | 45 ------------------- .../tasks/setup_uninstall.yml | 38 ++++++++++++++++ 6 files changed, 92 insertions(+), 94 deletions(-) rename roles/matrix-client-element/tasks/{setup.yml => setup_install.yml} (73%) create mode 100644 roles/matrix-client-element/tasks/setup_uninstall.yml rename roles/matrix-client-hydrogen/tasks/{setup.yml => setup_install.yml} (70%) create mode 100644 roles/matrix-client-hydrogen/tasks/setup_uninstall.yml diff --git a/roles/matrix-client-element/tasks/main.yml b/roles/matrix-client-element/tasks/main.yml index cdc5fa97a..f020382ad 100644 --- a/roles/matrix-client-element/tasks/main.yml +++ b/roles/matrix-client-element/tasks/main.yml @@ -20,8 +20,14 @@ - setup-all - setup-client-element -- import_tasks: "{{ role_path }}/tasks/setup.yml" - when: run_setup|bool +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_client_element_enabled|bool" + tags: + - setup-all + - setup-client-element + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_client_element_enabled|bool" tags: - setup-all - setup-client-element diff --git a/roles/matrix-client-element/tasks/setup.yml b/roles/matrix-client-element/tasks/setup_install.yml similarity index 73% rename from roles/matrix-client-element/tasks/setup.yml rename to roles/matrix-client-element/tasks/setup_install.yml index 117a09f48..908dfa00d 100644 --- a/roles/matrix-client-element/tasks/setup.yml +++ b/roles/matrix-client-element/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up Element -# - - name: Ensure Element paths exists file: path: "{{ item.path }}" @@ -87,44 +83,3 @@ service: daemon_reload: yes when: "matrix_client_element_enabled and matrix_client_element_systemd_service_result.changed" - -# -# Tasks related to getting rid of Element (if it was previously enabled) -# - -- name: Check existence of matrix-client-element.service - stat: - path: "{{ matrix_systemd_path }}/matrix-client-element.service" - register: matrix_client_element_service_stat - when: "not matrix_client_element_enabled|bool" - -- name: Ensure matrix-client-element is stopped - service: - name: matrix-client-element - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" - -- name: Ensure matrix-client-element.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-client-element.service" - state: absent - when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-client-element.service removal - service: - daemon_reload: yes - when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" - -- name: Ensure Element paths doesn't exist - file: - path: "{{ matrix_client_element_data_path }}" - state: absent - when: "not matrix_client_element_enabled|bool" - -- name: Ensure Element Docker image doesn't exist - docker_image: - name: "{{ matrix_client_element_docker_image }}" - state: absent - when: "not matrix_client_element_enabled|bool" diff --git a/roles/matrix-client-element/tasks/setup_uninstall.yml b/roles/matrix-client-element/tasks/setup_uninstall.yml new file mode 100644 index 000000000..398a17e29 --- /dev/null +++ b/roles/matrix-client-element/tasks/setup_uninstall.yml @@ -0,0 +1,38 @@ +--- + +- name: Check existence of matrix-client-element.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-element.service" + register: matrix_client_element_service_stat + when: "not matrix_client_element_enabled|bool" + +- name: Ensure matrix-client-element is stopped + service: + name: matrix-client-element + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + +- name: Ensure matrix-client-element.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-element.service" + state: absent + when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-client-element.service removal + service: + daemon_reload: yes + when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + +- name: Ensure Element paths doesn't exist + file: + path: "{{ matrix_client_element_data_path }}" + state: absent + when: "not matrix_client_element_enabled|bool" + +- name: Ensure Element Docker image doesn't exist + docker_image: + name: "{{ matrix_client_element_docker_image }}" + state: absent + when: "not matrix_client_element_enabled|bool" diff --git a/roles/matrix-client-hydrogen/tasks/main.yml b/roles/matrix-client-hydrogen/tasks/main.yml index 6534db05d..8d5c493f5 100644 --- a/roles/matrix-client-hydrogen/tasks/main.yml +++ b/roles/matrix-client-hydrogen/tasks/main.yml @@ -8,8 +8,14 @@ - setup-all - setup-client-hydrogen -- import_tasks: "{{ role_path }}/tasks/setup.yml" - when: run_setup|bool +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_client_hydrogen_enabled|bool" + tags: + - setup-all + - setup-client-hydrogen + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_client_hydrogen_enabled|bool" tags: - setup-all - setup-client-hydrogen diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup_install.yml similarity index 70% rename from roles/matrix-client-hydrogen/tasks/setup.yml rename to roles/matrix-client-hydrogen/tasks/setup_install.yml index a4ff7c3cc..0c0dcf3b5 100644 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ b/roles/matrix-client-hydrogen/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up Hydrogen -# - - name: Ensure Hydrogen paths exists file: path: "{{ item.path }}" @@ -78,44 +74,3 @@ service: daemon_reload: yes when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed" - -# -# Tasks related to getting rid of Hydrogen (if it was previously enabled) -# - -- name: Check existence of matrix-client-hydrogen.service - stat: - path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" - register: matrix_client_hydrogen_service_stat - when: "not matrix_client_hydrogen_enabled|bool" - -- name: Ensure matrix-client-hydrogen is stopped - service: - name: matrix-client-hydrogen - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" - -- name: Ensure matrix-client-hydrogen.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" - state: absent - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal - service: - daemon_reload: yes - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" - -- name: Ensure Hydrogen paths doesn't exist - file: - path: "{{ matrix_client_hydrogen_data_path }}" - state: absent - when: "not matrix_client_hydrogen_enabled|bool" - -- name: Ensure Hydrogen Docker image doesn't exist - docker_image: - name: "{{ matrix_client_hydrogen_docker_image }}" - state: absent - when: "not matrix_client_hydrogen_enabled|bool" diff --git a/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml b/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml new file mode 100644 index 000000000..455b5a8d9 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml @@ -0,0 +1,38 @@ +--- + +- name: Check existence of matrix-client-hydrogen.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + register: matrix_client_hydrogen_service_stat + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure matrix-client-hydrogen is stopped + service: + name: matrix-client-hydrogen + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure matrix-client-hydrogen.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + state: absent + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal + service: + daemon_reload: yes + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure Hydrogen paths doesn't exist + file: + path: "{{ matrix_client_hydrogen_data_path }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure Hydrogen Docker image doesn't exist + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" From 39fa852ed615dbd7e347b12787227f7caf5239df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 29 Oct 2021 10:41:11 +0300 Subject: [PATCH 030/139] Remove unnecessary if checks Should have been done in 63f5a88fa01f6d8. --- .../tasks/setup_install.yml | 16 +++++++--------- .../tasks/setup_uninstall.yml | 9 +++------ .../tasks/setup_install.yml | 15 +++++++-------- .../tasks/setup_uninstall.yml | 9 +++------ 4 files changed, 20 insertions(+), 29 deletions(-) diff --git a/roles/matrix-client-element/tasks/setup_install.yml b/roles/matrix-client-element/tasks/setup_install.yml index 908dfa00d..44124039a 100644 --- a/roles/matrix-client-element/tasks/setup_install.yml +++ b/roles/matrix-client-element/tasks/setup_install.yml @@ -10,7 +10,7 @@ with_items: - { path: "{{ matrix_client_element_data_path }}", when: true } - { path: "{{ matrix_client_element_docker_src_files_path }}", when: "{{ matrix_client_element_container_image_self_build }}" } - when: matrix_client_element_enabled|bool and item.when + when: "item.when|bool" - name: Ensure Element Docker image is pulled docker_image: @@ -18,7 +18,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_client_element_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_docker_image_force_pull }}" - when: matrix_client_element_enabled|bool and not matrix_client_element_container_image_self_build + when: "not matrix_client_element_container_image_self_build|bool" - name: Ensure Element repository is present on self-build git: @@ -27,7 +27,7 @@ version: "{{ matrix_client_element_docker_image.split(':')[1] }}" force: "yes" register: matrix_client_element_git_pull_results - when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build|bool" + when: "matrix_client_element_container_image_self_build|bool" - name: Ensure Element Docker image is built docker_image: @@ -39,7 +39,7 @@ dockerfile: Dockerfile path: "{{ matrix_client_element_docker_src_files_path }}" pull: yes - when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build|bool" + when: "matrix_client_element_container_image_self_build|bool" - name: Ensure Element configuration installed copy: @@ -48,7 +48,6 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_client_element_enabled|bool - name: Ensure Element config files installed template: @@ -61,7 +60,7 @@ - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"} - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} - when: "matrix_client_element_enabled|bool and item.src is not none" + when: "item.src is not none" - name: Ensure Element config files removed file: @@ -69,7 +68,7 @@ state: absent with_items: - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} - when: "matrix_client_element_enabled|bool and item.src is none" + when: "item.src is none" - name: Ensure matrix-client-element.service installed template: @@ -77,9 +76,8 @@ dest: "{{ matrix_systemd_path }}/matrix-client-element.service" mode: 0644 register: matrix_client_element_systemd_service_result - when: matrix_client_element_enabled|bool - name: Ensure systemd reloaded after matrix-client-element.service installation service: daemon_reload: yes - when: "matrix_client_element_enabled and matrix_client_element_systemd_service_result.changed" + when: "matrix_client_element_systemd_service_result.changed|bool" diff --git a/roles/matrix-client-element/tasks/setup_uninstall.yml b/roles/matrix-client-element/tasks/setup_uninstall.yml index 398a17e29..74a4720e4 100644 --- a/roles/matrix-client-element/tasks/setup_uninstall.yml +++ b/roles/matrix-client-element/tasks/setup_uninstall.yml @@ -4,7 +4,6 @@ stat: path: "{{ matrix_systemd_path }}/matrix-client-element.service" register: matrix_client_element_service_stat - when: "not matrix_client_element_enabled|bool" - name: Ensure matrix-client-element is stopped service: @@ -12,27 +11,25 @@ state: stopped daemon_reload: yes register: stopping_result - when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + when: "matrix_client_element_service_stat.stat.exists|bool" - name: Ensure matrix-client-element.service doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-client-element.service" state: absent - when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + when: "matrix_client_element_service_stat.stat.exists|bool" - name: Ensure systemd reloaded after matrix-client-element.service removal service: daemon_reload: yes - when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + when: "matrix_client_element_service_stat.stat.exists|bool" - name: Ensure Element paths doesn't exist file: path: "{{ matrix_client_element_data_path }}" state: absent - when: "not matrix_client_element_enabled|bool" - name: Ensure Element Docker image doesn't exist docker_image: name: "{{ matrix_client_element_docker_image }}" state: absent - when: "not matrix_client_element_enabled|bool" diff --git a/roles/matrix-client-hydrogen/tasks/setup_install.yml b/roles/matrix-client-hydrogen/tasks/setup_install.yml index 0c0dcf3b5..b512a1a81 100644 --- a/roles/matrix-client-hydrogen/tasks/setup_install.yml +++ b/roles/matrix-client-hydrogen/tasks/setup_install.yml @@ -10,7 +10,7 @@ with_items: - { path: "{{ matrix_client_hydrogen_data_path }}", when: true } - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" } - when: matrix_client_hydrogen_enabled|bool and item.when + when: "item.when|bool" - name: Ensure Hydrogen Docker image is pulled docker_image: @@ -18,7 +18,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}" - when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build + when: "not matrix_client_hydrogen_container_image_self_build|bool" - name: Ensure Hydrogen repository is present on self-build git: @@ -27,7 +27,7 @@ version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" force: "yes" register: matrix_client_hydrogen_git_pull_results - when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + when: "matrix_client_hydrogen_container_image_self_build|bool" - name: Ensure Hydrogen configuration installed copy: @@ -36,7 +36,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + when: "matrix_client_hydrogen_container_image_self_build|bool" - name: Ensure Hydrogen additional config files installed template: @@ -47,7 +47,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - when: "matrix_client_hydrogen_enabled|bool and item.src is not none" + when: "item.src is not none" # This step MUST come after the steps to install the configuration files because the config files # are currently only read at build time, not at run time like most other components in the playbook @@ -60,7 +60,7 @@ dockerfile: Dockerfile path: "{{ matrix_client_hydrogen_docker_src_files_path }}" pull: yes - when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + when: "matrix_client_hydrogen_container_image_self_build|bool" - name: Ensure matrix-client-hydrogen.service installed template: @@ -68,9 +68,8 @@ dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" mode: 0644 register: matrix_client_hydrogen_systemd_service_result - when: matrix_client_hydrogen_enabled|bool - name: Ensure systemd reloaded after matrix-client-hydrogen.service installation service: daemon_reload: yes - when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed" + when: "matrix_client_hydrogen_systemd_service_result.changed|bool" diff --git a/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml b/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml index 455b5a8d9..d72f9e3ff 100644 --- a/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml +++ b/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml @@ -4,7 +4,6 @@ stat: path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" register: matrix_client_hydrogen_service_stat - when: "not matrix_client_hydrogen_enabled|bool" - name: Ensure matrix-client-hydrogen is stopped service: @@ -12,27 +11,25 @@ state: stopped daemon_reload: yes register: stopping_result - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + when: "matrix_client_hydrogen_service_stat.stat.exists|bool" - name: Ensure matrix-client-hydrogen.service doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" state: absent - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + when: "matrix_client_hydrogen_service_stat.stat.exists|bool" - name: Ensure systemd reloaded after matrix-client-hydrogen.service removal service: daemon_reload: yes - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + when: "matrix_client_hydrogen_service_stat.stat.exists|bool" - name: Ensure Hydrogen paths doesn't exist file: path: "{{ matrix_client_hydrogen_data_path }}" state: absent - when: "not matrix_client_hydrogen_enabled|bool" - name: Ensure Hydrogen Docker image doesn't exist docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" state: absent - when: "not matrix_client_hydrogen_enabled|bool" From c8a8035de45e72f187fdd4f3736a57f3fa2f592b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 29 Oct 2021 11:13:01 +0300 Subject: [PATCH 031/139] Make it possible to self-build Element on low-memory devices (<4G RAM) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357 --- .../matrix-client-element/tasks/setup_install.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/roles/matrix-client-element/tasks/setup_install.yml b/roles/matrix-client-element/tasks/setup_install.yml index 44124039a..c8f1900f8 100644 --- a/roles/matrix-client-element/tasks/setup_install.yml +++ b/roles/matrix-client-element/tasks/setup_install.yml @@ -29,6 +29,20 @@ register: matrix_client_element_git_pull_results when: "matrix_client_element_container_image_self_build|bool" +# See: +# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357 +# - https://github.com/vector-im/element-web/issues/19544 +- name: Patch webpack.config.js to support building on low-memory (<4G RAM) devices + lineinfile: + path: "{{ matrix_client_element_docker_src_files_path }}/webpack.config.js" + regexp: '(\s+)splitChunks: \{' + line: '\1splitChunks: { maxSize: 100000,' + backrefs: yes + owner: root + group: root + mode: '0644' + when: "matrix_client_element_container_image_self_build|bool and ansible_memtotal_mb < 4096" + - name: Ensure Element Docker image is built docker_image: name: "{{ matrix_client_element_docker_image }}" From fc593bc8ab58c0430eea75da4df157ece5451bc9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 30 Oct 2021 09:53:56 +0300 Subject: [PATCH 032/139] Increase shm-size for Postgres container to fix VACUUM Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1268 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1364 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1362 --- .../templates/systemd/matrix-postgres.service.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 6d1b1c6ff..81d99fe79 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -11,6 +11,10 @@ Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' +# We need /dev/shm to be larger than the default to allow VACUUM to work. +# See: +# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1362 +# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1268 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ @@ -18,6 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ --tmpfs=/run/postgresql:rw,noexec,nosuid,size=100m \ + --shm-size="256m" \ --network={{ matrix_docker_network }} \ {% if matrix_postgres_container_postgres_bind_port %} -p {{ matrix_postgres_container_postgres_bind_port }}:5432 \ From 65182ea0f2958a07df79474a337309827f3bb8de Mon Sep 17 00:00:00 2001 From: "Patrick C. F. Ernzer" Date: Sat, 30 Oct 2021 13:10:39 +0200 Subject: [PATCH 033/139] fixes #1365 docker-ce does not like quotes around the shm-size value --- .../templates/systemd/matrix-postgres.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 81d99fe79..d62a689a9 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -22,7 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ --tmpfs=/run/postgresql:rw,noexec,nosuid,size=100m \ - --shm-size="256m" \ + --shm-size=256m \ --network={{ matrix_docker_network }} \ {% if matrix_postgres_container_postgres_bind_port %} -p {{ matrix_postgres_container_postgres_bind_port }}:5432 \ From c6c68e00a42b6fa54477d80a209444f2fdc6b461 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Sun, 31 Oct 2021 08:56:48 +0800 Subject: [PATCH 034/139] merge upstream --- roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 b/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 index 7252cc2c0..85b00a5f5 100644 --- a/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 +++ b/roles/matrix-awx/surveys/bridge_discord_appservice.json.j2 @@ -15,7 +15,7 @@ "type": "multiplechoice" }, { - "question_name": "Discord Client ID", + "question_name": "Discord OAuth2 Client ID", "question_description": "The OAuth2 'CLIENT ID' which can be found in the 'OAuth2' tab of your new discord application: https://discord.com/developers/applications", "required": true, "min": 0, From 17fc055d53f79f4cb8a9fc914419d0a9518729ba Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Sun, 31 Oct 2021 18:31:31 +0200 Subject: [PATCH 035/139] Upgrade Heisenbridge (1.4.0 -> 1.4.1) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 2be75e20f..2cb6e4919 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.4.0 +matrix_heisenbridge_version: 1.4.1 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From dcda17595ade9a077bb84b1474d8869e8845a4d3 Mon Sep 17 00:00:00 2001 From: b Date: Sun, 31 Oct 2021 21:06:22 +0200 Subject: [PATCH 036/139] change port 8090 to matrix_ma1sd_default_port --- group_vars/matrix_servers | 10 +++++----- roles/matrix-awx/tasks/set_variables_ma1sd.yml | 2 +- roles/matrix-ma1sd/defaults/main.yml | 3 ++- .../templates/systemd/matrix-ma1sd.service.j2 | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 12 ++++++------ 5 files changed, 15 insertions(+), 14 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6d56307ec..b5976bfaf 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1212,7 +1212,7 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # ma1sd's web-server port. -matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" +matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_default_port|string }}" # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define @@ -1294,8 +1294,8 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corpor matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_default_port }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_default_port }}" # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. @@ -1709,8 +1709,8 @@ matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm6 # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. -matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}" -matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:{{ matrix_ma1sd_default_port }}' if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:{{ matrix_ma1sd_default_port }}' if matrix_ma1sd_enabled else '' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml index 0f4234f18..81012d285 100755 --- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -30,7 +30,7 @@ insertafter: '# Synapse Extension Start' with_dict: 'matrix_synapse_awx_password_provider_rest_auth_enabled': 'true' - 'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:8090"' + 'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:{{ matrix_ma1sd_default_port }}"' when: awx_matrix_ma1sd_auth_store == 'LDAP/AD' - name: Remove entire ma1sd configuration extension diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index f91189f59..adee0b447 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -19,7 +19,8 @@ matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src/ma1 matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" -# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container). +matrix_ma1sd_default_port: 8090 +# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/{{ matrix_ma1sd_default_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. matrix_ma1sd_container_http_host_bind_port: '' diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index c2adffc08..696e8008f 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -26,7 +26,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ --tmpfs=/tmp:rw,exec,nosuid,size=10m \ --network={{ matrix_docker_network }} \ {% if matrix_ma1sd_container_http_host_bind_port %} - -p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \ + -p {{ matrix_ma1sd_container_http_host_bind_port }}:{{ matrix_ma1sd_default_port }} \ {% endif %} {% if matrix_ma1sd_verbose_logging %} -e MA1SD_LOG_LEVEL=debug \ diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3bd273cf5..ff917c90f 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -165,20 +165,20 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:410 # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_default_port }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_default_port }}" # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090" -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_default_port }}" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_default_port }}" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_default_port }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_default_port }}" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_synapse_metrics: false From 0434e3bf8f37144f725b52cc2801db7c4a6f369a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Nov 2021 09:06:58 +0200 Subject: [PATCH 037/139] Allow force-patching webpack.config.js when self-building Element We were applying the low-memory system patch to webpack.config.js on systems with < 4GB memory. From now on, we also let people force-enable patching by toggling the `matrix_client_element_container_image_self_build_low_memory_system_patch_enabled` variable. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357 --- roles/matrix-client-element/defaults/main.yml | 4 ++++ roles/matrix-client-element/tasks/setup_install.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 527b17e5e..104b778f7 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -2,6 +2,10 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" +# Controls whether to patch webpack.config.js when self-building, so that building can pass on low-memory systems (< 4 GB RAM): +# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357 +# - https://github.com/vector-im/element-web/issues/19544 +matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" matrix_client_element_version: v1.9.3 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" diff --git a/roles/matrix-client-element/tasks/setup_install.yml b/roles/matrix-client-element/tasks/setup_install.yml index c8f1900f8..b14a0dd55 100644 --- a/roles/matrix-client-element/tasks/setup_install.yml +++ b/roles/matrix-client-element/tasks/setup_install.yml @@ -41,7 +41,7 @@ owner: root group: root mode: '0644' - when: "matrix_client_element_container_image_self_build|bool and ansible_memtotal_mb < 4096" + when: "matrix_client_element_container_image_self_build|bool and matrix_client_element_container_image_self_build_low_memory_system_patch_enabled|bool" - name: Ensure Element Docker image is built docker_image: From ff3bd12015aaf0205eebba0c8241cc9ae9607b82 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Nov 2021 10:48:17 +0200 Subject: [PATCH 038/139] Upgrade devture/ansible (2.9.14-r0 -> 2.10.7-r0) --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index ff513bbf3..502515403 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -51,7 +51,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -docker.io/devture/ansible:2.9.14-r0 +docker.io/devture/ansible:2.10.7-r0 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). From 9688d071a8966a316c385b15f2406225ce1a5653 Mon Sep 17 00:00:00 2001 From: borisrunakov <93043305+borisrunakov@users.noreply.github.com> Date: Mon, 1 Nov 2021 12:02:02 +0200 Subject: [PATCH 039/139] fix matrix_synapse_account_threepid_delegates_email and matrix_synapse_account_threepid_delegates_msisdn (#1370) * fix for string concatenation on matrix_synapse_account_threepid_delegates_email and matrix_synapse_account_threepid_delegates_msisdn * .editorconfig should not be ignored * Restore .gitignore Co-authored-by: b Co-authored-by: Slavi Pantaleev --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b5976bfaf..d58f4dda3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1709,8 +1709,8 @@ matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm6 # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. -matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:{{ matrix_ma1sd_default_port }}' if matrix_ma1sd_enabled else '' }}" -matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:{{ matrix_ma1sd_default_port }}' if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_default_port|string if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_default_port|string if matrix_ma1sd_enabled else '' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, From dae117c91bc1c17081b7b68e1cd3673d3af6c8c4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 Nov 2021 15:57:18 +0200 Subject: [PATCH 040/139] Bump Hydrogen (0.2.7 -> 0.2.19) --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index e84d56cf3..3cfb2337d 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.2.7 +matrix_client_hydrogen_version: v0.2.19 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From 7b8b595e81f9f49b233ece86f0d9b254d5b9411d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 Nov 2021 17:42:13 +0200 Subject: [PATCH 041/139] Upgrade Synapse (1.45.1 -> 1.46.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 83 ++++++++++--------- 2 files changed, 44 insertions(+), 43 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d0df4f8d1..ce596c6bb 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.45.1 -matrix_synapse_version_arm64: v1.45.1 +matrix_synapse_version: v1.46.0 +matrix_synapse_version_arm64: v1.46.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 9e5586321..cebe7a1f6 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -492,6 +492,48 @@ redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + +# Templates to use when generating email or HTML page contents. +# +templates: + # Directory in which Synapse will try to find template files to use to generate + # email or HTML page contents. + # If not set, or a file is not found within the template directory, a default + # template from within the Synapse package will be used. + # + # See https://matrix-org.github.io/synapse/latest/templates.html for more + # information about using custom templates. + # + #custom_template_directory: /path/to/custom/templates/ + + # Message retention policy at the server level. # # Room admins and mods can define a retention period for their rooms using the @@ -561,47 +603,6 @@ retention: # - shortest_max_lifetime: 3d # interval: 1d -# Inhibits the /requestToken endpoints from returning an error that might leak -# information about whether an e-mail address is in use or not on this -# homeserver. -# Note that for some endpoints the error situation is the e-mail already being -# used, and for others the error is entering the e-mail being unused. -# If this option is enabled, instead of returning an error, these endpoints will -# act as if no error happened and return a fake session ID ('sid') to clients. -# -#request_token_inhibit_3pid_errors: true - -# A list of domains that the domain portion of 'next_link' parameters -# must match. -# -# This parameter is optionally provided by clients while requesting -# validation of an email or phone number, and maps to a link that -# users will be automatically redirected to after validation -# succeeds. Clients can make use this parameter to aid the validation -# process. -# -# The whitelist is applied whether the homeserver or an -# identity server is handling validation. -# -# The default value is no whitelist functionality; all domains are -# allowed. Setting this value to an empty list will instead disallow -# all domains. -# -#next_link_domain_whitelist: ["matrix.org"] - -# Templates to use when generating email or HTML page contents. -# -templates: - # Directory in which Synapse will try to find template files to use to generate - # email or HTML page contents. - # If not set, or a file is not found within the template directory, a default - # template from within the Synapse package will be used. - # - # See https://matrix-org.github.io/synapse/latest/templates.html for more - # information about using custom templates. - # - #custom_template_directory: /path/to/custom/templates/ - ## TLS ## From 967e5d6f37141da141fbd1c57544d5663cce06f9 Mon Sep 17 00:00:00 2001 From: Luca Di Carlo Date: Wed, 3 Nov 2021 21:12:06 +0100 Subject: [PATCH 042/139] chore: adding some explanations about setting prometheus password --- docs/configuring-playbook-prometheus-grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 4edc2a81f..2bb88a3c8 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -55,7 +55,7 @@ Name | Description `matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network) `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) -`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) +`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable).Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx. `matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`) ### Collecting worker metrics to an external Prometheus server From 12be1033e5fda4c8e32e96022e7bf5c977695e9d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Nov 2021 00:28:58 +0200 Subject: [PATCH 043/139] Add missing space --- docs/configuring-playbook-prometheus-grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 2bb88a3c8..892bffb2c 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -55,7 +55,7 @@ Name | Description `matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network) `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) -`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable).Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx. +`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable). Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx. `matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`) ### Collecting worker metrics to an external Prometheus server From 2d2e6986a1f35a6ca5b3d5cdbc474d18b0efb3a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Nov 2021 00:28:58 +0200 Subject: [PATCH 044/139] Add missing space --- docs/configuring-playbook-prometheus-grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 2bb88a3c8..892bffb2c 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -55,7 +55,7 @@ Name | Description `matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network) `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) -`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable).Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx. +`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable). Do not write the password in plain text. See `man 1 htpasswd` or use `htpasswd -c mypass.htpasswd prometheus` to generate the expected hash for nginx. `matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`) ### Collecting worker metrics to an external Prometheus server From 09ac6a0e8cbc5eab3e7522f24f53b72bb82ff17f Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Fri, 5 Nov 2021 10:31:31 +0200 Subject: [PATCH 045/139] Upgrade Heisenbridge (1.4.1 -> 1.5.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 2cb6e4919..f25f502fe 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.4.1 +matrix_heisenbridge_version: 1.5.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 6eaa8ac65a79a3076c60b139aabfc8e382326a57 Mon Sep 17 00:00:00 2001 From: b Date: Fri, 5 Nov 2021 15:31:10 +0200 Subject: [PATCH 046/139] add server_name to matrix-synapsel.conf only if matrix_nginx_proxy_enabled --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 6f569327d..30f4877c1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -62,7 +62,9 @@ server { listen 12080; - server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; + {% if matrix_nginx_proxy_enabled %} + server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; + {% endif %} server_tokens off; root /dev/null; @@ -194,8 +196,10 @@ server { {% if matrix_nginx_proxy_proxy_synapse_federation_api_enabled %} server { listen 12088; + {% if matrix_nginx_proxy_enabled %} + server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; + {% endif %} - server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; server_tokens off; root /dev/null; From 143b0f26d97b1f6ec4351434e7c2e3e3c64dadac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Nov 2021 10:34:09 +0200 Subject: [PATCH 047/139] Restore usage of some _environment_variables_extension Jitsi variables Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1377 Regresion since https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1139 --- roles/matrix-jitsi/templates/jvb/env.j2 | 4 +++- roles/matrix-jitsi/templates/web/env.j2 | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index a927314e6..6edae6d45 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -22,4 +22,6 @@ JVB_OCTO_BIND_ADDRESS JVB_OCTO_PUBLIC_ADDRESS JVB_OCTO_BIND_PORT JVB_OCTO_REGION -TZ={{ matrix_jitsi_timezone }} \ No newline at end of file +TZ={{ matrix_jitsi_timezone }} + +{{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index c4faa5baf..2ff6befc5 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -91,4 +91,6 @@ XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -TOKEN_AUTH_URL \ No newline at end of file +TOKEN_AUTH_URL + +{{ matrix_jitsi_web_environment_variables_extension }} From 367cddb715dcd75cb5e1bb9eca2cce997b69fc25 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Tue, 9 Nov 2021 15:01:18 +0100 Subject: [PATCH 048/139] Upgrade Element (v1.9.4) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 104b778f7..1273859d1 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.3 +matrix_client_element_version: v1.9.4 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 735c966ab69cc8aa141a341426ad401631417dac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 10 Nov 2021 17:39:21 +0200 Subject: [PATCH 049/139] Disable systemd services when stopping to uninstall them Until now, we were leaving services "enabled" (symlinks in /etc/systemd/system/multi-user.target.wants/). We clean these up now. Broken symlinks may still exist in older installations that enabled/disabled services. We're not taking care to fix these up. It's just a cosmetic defect anyway. --- roles/matrix-bot-go-neb/tasks/setup_uninstall.yml | 1 + roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml | 1 + roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-appservice-discord/tasks/setup_install.yml | 1 + .../matrix-bridge-appservice-discord/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml | 1 + .../tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 1 + roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml | 1 + .../matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 1 + roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml | 1 + .../matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml | 2 ++ roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 1 + roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml | 1 + roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml | 1 + .../matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml | 1 + .../matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml | 1 + .../tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 1 + roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml | 1 + roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml | 1 + roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml | 1 + .../matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml | 1 + roles/matrix-bridge-sms/tasks/setup_uninstall.yml | 3 ++- roles/matrix-client-element/tasks/migrate_riot_web.yml | 1 + roles/matrix-client-element/tasks/setup_uninstall.yml | 1 + roles/matrix-client-hydrogen/tasks/setup_uninstall.yml | 1 + roles/matrix-corporal/tasks/setup_corporal.yml | 1 + roles/matrix-coturn/tasks/setup_uninstall.yml | 2 ++ roles/matrix-dimension/tasks/setup_uninstall.yml | 1 + roles/matrix-dynamic-dns/tasks/uninstall.yml | 1 + roles/matrix-email2matrix/tasks/setup_uninstall.yml | 1 + roles/matrix-etherpad/tasks/setup_uninstall.yml | 1 + roles/matrix-grafana/tasks/setup.yml | 1 + roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 1 + roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 1 + roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 1 + roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 1 + roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 1 + roles/matrix-ma1sd/tasks/setup_uninstall.yml | 1 + roles/matrix-mailer/tasks/setup_mailer.yml | 1 + roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 1 + roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml | 1 + .../matrix-postgres/tasks/migrate_postgres_data_directory.yml | 2 +- roles/matrix-prometheus-node-exporter/tasks/setup.yml | 1 + roles/matrix-prometheus-postgres-exporter/tasks/setup.yml | 1 + roles/matrix-prometheus/tasks/setup_uninstall.yml | 1 + roles/matrix-redis/tasks/setup_redis.yml | 1 + roles/matrix-registration/tasks/setup_uninstall.yml | 1 + roles/matrix-sygnal/tasks/setup_uninstall.yml | 1 + roles/matrix-synapse-admin/tasks/setup.yml | 1 + roles/matrix-synapse/tasks/goofys/setup_uninstall.yml | 1 + roles/matrix-synapse/tasks/import_media_store.yml | 1 + roles/matrix-synapse/tasks/synapse/setup_uninstall.yml | 1 + 65 files changed, 68 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml index 49ad1fe75..3610eb44b 100644 --- a/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml +++ b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-bot-go-neb state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_bot_go_neb_service_stat.stat.exists|bool" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml index 141e61ba7..d7e41201b 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-bot-matrix-reminder-bot state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists|bool" diff --git a/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml b/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml index 7127543e5..7fff5e13f 100644 --- a/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml +++ b/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-bot-mjolnir state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_bot_mjolnir_service_stat.stat.exists|bool" diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index 6d3fdd0ff..546e5043a 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -54,6 +54,7 @@ service: name: matrix-appservice-discord state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_appservice_discord_stat_db.stat.exists" diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml index 4e8c1fdc3..5dd8075d1 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-appservice-discord state: stopped + enabled: no daemon_reload: yes when: "matrix_appservice_discord_service_stat.stat.exists" diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml index 2b5e5dfd3..515078177 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-appservice-irc state: stopped + enabled: no daemon_reload: yes when: "matrix_appservice_irc_service_stat.stat.exists" diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml index 0b83d02e8..2dfe1c7b3 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-appservice-slack state: stopped + enabled: no daemon_reload: yes when: "matrix_appservice_slack_service_stat.stat.exists" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml index d8e973ce5..81440b887 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-appservice-webhooks state: stopped + enabled: no daemon_reload: yes when: "matrix_appservice_webhooks_service_stat.stat.exists" diff --git a/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml b/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml index 004b788ec..175613f0d 100644 --- a/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-beeper-linkedin/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-beeper-linkedin state: stopped + enabled: no daemon_reload: yes when: "matrix_beeper_linkedin_service_stat.stat.exists" diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml index 853faf7a2..cf100a895 100644 --- a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-heisenbridge state: stopped + enabled: no daemon_reload: yes when: "matrix_heisenbridge_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index fb9dcca48..d5230bca9 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -86,6 +86,7 @@ service: name: matrix-mautrix-facebook state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mautrix_facebook_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml index efc8aa748..abbce3501 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mautrix-facebook state: stopped + enabled: no daemon_reload: yes when: "matrix_mautrix_facebook_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml index f68ee505e..293e8817f 100644 --- a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml @@ -85,6 +85,7 @@ service: name: matrix-mautrix-googlechat state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mautrix_googlechat_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml index d3adb7e2b..bdcaa6e71 100644 --- a/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-googlechat/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mautrix-googlechat state: stopped + enabled: no daemon_reload: yes when: "matrix_mautrix_googlechat_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index d5373134c..fb5236fd5 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -85,6 +85,7 @@ service: name: matrix-mautrix-hangouts state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mautrix_hangouts_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml index 14413e946..34348cfd4 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mautrix-hangouts state: stopped + enabled: no daemon_reload: yes when: "matrix_mautrix_hangouts_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml index c5c8a3e67..02e20b619 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml @@ -8,6 +8,7 @@ service: name: matrix-mautrix-instagram state: stopped + enabled: no daemon_reload: yes when: "matrix_mautrix_instagram_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml index 2ca6a9a9f..b36ef81d9 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml @@ -10,6 +10,7 @@ service: name: matrix-mautrix-signal-daemon state: stopped + enabled: no daemon_reload: yes when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" @@ -29,6 +30,7 @@ service: name: matrix-mautrix-signal state: stopped + enabled: no daemon_reload: yes when: "matrix_mautrix_signal_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index e2e583f23..1e87f1aec 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -107,6 +107,7 @@ service: name: matrix-mautrix-telegram state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mautrix_telegram_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml index b14bd737e..bc84edbba 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mautrix-telegram state: stopped + enabled: no daemon_reload: yes when: "matrix_mautrix_telegram_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index f3dd05705..ddd49dd0d 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -93,6 +93,7 @@ service: name: matrix-mautrix-whatsapp state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mautrix_whatsapp_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml index 93f5c4c8d..7dd4b4028 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mautrix-whatsapp state: stopped + enabled: no daemon_reload: yes when: "matrix_mautrix_whatsapp_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml index b5b83c98f..a0298ad9f 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mx-puppet-discord state: stopped + enabled: no daemon_reload: yes when: "matrix_mx_puppet_discord_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index b1d5f0b50..3ed4867c5 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -31,6 +31,7 @@ service: name: matrix-mx-puppet-groupme state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mx_puppet_groupme_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml index cc4fdfa5e..f9ecce58b 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mx-puppet-groupme state: stopped + enabled: no daemon_reload: yes when: "matrix_mx_puppet_groupme_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml index 4b5e67ac8..9ad4e13d9 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mx-puppet-instagram state: stopped + enabled: no daemon_reload: yes when: "matrix_mx_puppet_instagram_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 997a63174..a39e7acf2 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -31,6 +31,7 @@ service: name: matrix-mx-puppet-skype state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mx_puppet_skype_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml index 72b3a945a..a1af7e337 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mx-puppet-skype state: stopped + enabled: no daemon_reload: yes when: "matrix_mx_puppet_skype_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index d816ceeba..8ef8ac4e9 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -31,6 +31,7 @@ service: name: matrix-mx-puppet-slack state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mx_puppet_slack_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml index 73314a66e..f6e7d33ed 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mx-puppet-slack state: stopped + enabled: no daemon_reload: yes when: "matrix_mx_puppet_slack_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 3bcef36e9..a92d63fb4 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -31,6 +31,7 @@ service: name: matrix-mx-puppet-steam state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mx_puppet_steam_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml index 1ee95eb33..608bde73b 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mx-puppet-steam state: stopped + enabled: no daemon_reload: yes when: "matrix_mx_puppet_steam_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 5767ed172..a6250a16f 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -31,6 +31,7 @@ service: name: matrix-mx-puppet-twitter state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_mx_puppet_twitter_stat_database.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml index 1d663531b..1382ee58c 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-mx-puppet-twitter state: stopped + enabled: no daemon_reload: yes when: "matrix_mx_puppet_twitter_service_stat.stat.exists" diff --git a/roles/matrix-bridge-sms/tasks/setup_uninstall.yml b/roles/matrix-bridge-sms/tasks/setup_uninstall.yml index 03ddaad07..ad8442bc3 100644 --- a/roles/matrix-bridge-sms/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-sms/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-sms-bridge state: stopped + enabled: no daemon_reload: yes when: "matrix_sms_bridge_service_stat.stat.exists" @@ -16,4 +17,4 @@ file: path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" state: absent - when: "matrix_sms_bridge_service_stat.stat.exists" \ No newline at end of file + when: "matrix_sms_bridge_service_stat.stat.exists" diff --git a/roles/matrix-client-element/tasks/migrate_riot_web.yml b/roles/matrix-client-element/tasks/migrate_riot_web.yml index dd0eb0f8f..304e9fbf9 100644 --- a/roles/matrix-client-element/tasks/migrate_riot_web.yml +++ b/roles/matrix-client-element/tasks/migrate_riot_web.yml @@ -10,6 +10,7 @@ service: name: matrix-riot-web state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_client_element_enabled|bool and matrix_client_riot_web_service_stat.stat.exists" diff --git a/roles/matrix-client-element/tasks/setup_uninstall.yml b/roles/matrix-client-element/tasks/setup_uninstall.yml index 74a4720e4..82805b785 100644 --- a/roles/matrix-client-element/tasks/setup_uninstall.yml +++ b/roles/matrix-client-element/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-client-element state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_client_element_service_stat.stat.exists|bool" diff --git a/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml b/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml index d72f9e3ff..64d201660 100644 --- a/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml +++ b/roles/matrix-client-hydrogen/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-client-hydrogen state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_client_hydrogen_service_stat.stat.exists|bool" diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index e668de273..8e007c4f8 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -83,6 +83,7 @@ service: name: matrix-corporal state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_corporal_enabled|bool and matrix_corporal_service_stat.stat.exists" diff --git a/roles/matrix-coturn/tasks/setup_uninstall.yml b/roles/matrix-coturn/tasks/setup_uninstall.yml index 4674903f8..b642c6d09 100644 --- a/roles/matrix-coturn/tasks/setup_uninstall.yml +++ b/roles/matrix-coturn/tasks/setup_uninstall.yml @@ -10,6 +10,7 @@ service: name: matrix-coturn state: stopped + enabled: no daemon_reload: yes when: "matrix_coturn_service_stat.stat.exists|bool" @@ -17,6 +18,7 @@ service: name: matrix-coturn state: stopped + enabled: no daemon_reload: yes failed_when: false when: "matrix_coturn_service_stat.stat.exists|bool" diff --git a/roles/matrix-dimension/tasks/setup_uninstall.yml b/roles/matrix-dimension/tasks/setup_uninstall.yml index 9bc4ac8b9..21f34df05 100644 --- a/roles/matrix-dimension/tasks/setup_uninstall.yml +++ b/roles/matrix-dimension/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-dimension state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_dimension_service_stat.stat.exists|bool" diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml index f3caba256..9d511051a 100644 --- a/roles/matrix-dynamic-dns/tasks/uninstall.yml +++ b/roles/matrix-dynamic-dns/tasks/uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-dynamic-dns state: stopped + enabled: no daemon_reload: yes when: "matrix_dynamic_dns_service_stat.stat.exists" diff --git a/roles/matrix-email2matrix/tasks/setup_uninstall.yml b/roles/matrix-email2matrix/tasks/setup_uninstall.yml index b0b44cca6..270b92505 100644 --- a/roles/matrix-email2matrix/tasks/setup_uninstall.yml +++ b/roles/matrix-email2matrix/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-email2matrix state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_email2matrix_service_stat.stat.exists|bool" diff --git a/roles/matrix-etherpad/tasks/setup_uninstall.yml b/roles/matrix-etherpad/tasks/setup_uninstall.yml index 8f40f420e..a63d3fb1e 100644 --- a/roles/matrix-etherpad/tasks/setup_uninstall.yml +++ b/roles/matrix-etherpad/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-etherpad state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_etherpad_service_stat.stat.exists|bool" diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml index 00d2e230d..c5cee64cc 100644 --- a/roles/matrix-grafana/tasks/setup.yml +++ b/roles/matrix-grafana/tasks/setup.yml @@ -93,6 +93,7 @@ service: name: matrix-grafana state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml index dd2a7bd24..4e2be6960 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -68,6 +68,7 @@ service: name: matrix-jitsi-jicofo state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index b73426db7..558a6cf1f 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -68,6 +68,7 @@ service: name: matrix-jitsi-jvb state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index fd051fdad..39a571ae6 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -59,6 +59,7 @@ service: name: matrix-jitsi-prosody state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 2b8a2cd2b..4fdcc67b8 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -69,6 +69,7 @@ service: name: matrix-jitsi-web state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 1d9662042..c36c3de9d 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -23,6 +23,7 @@ service: name: matrix-mxisd state: stopped + enabled: no daemon_reload: yes when: "matrix_mxisd_service_stat.stat.exists" diff --git a/roles/matrix-ma1sd/tasks/setup_uninstall.yml b/roles/matrix-ma1sd/tasks/setup_uninstall.yml index b36ab508f..153f6e08c 100644 --- a/roles/matrix-ma1sd/tasks/setup_uninstall.yml +++ b/roles/matrix-ma1sd/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-ma1sd state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_ma1sd_service_stat.stat.exists|bool" diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index 251a52da5..def178835 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -79,6 +79,7 @@ service: name: matrix-mailer state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index e577491b8..d325d2f0f 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -193,6 +193,7 @@ service: name: matrix-nginx-proxy state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists" diff --git a/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml index 9761088d2..68eae4430 100644 --- a/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml +++ b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml @@ -69,6 +69,7 @@ service: name: matrix-postgres-backup state: stopped + enabled: no daemon_reload: yes when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_service_stat.stat.exists" diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml index ef5fbf47d..e62feee39 100644 --- a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml @@ -69,4 +69,4 @@ - name: Ensure systemd reloaded after getting rid of outdated matrix-postgres.service service: daemon_reload: yes - when: "result_pg_old_data_dir_stat.stat.exists" \ No newline at end of file + when: "result_pg_old_data_dir_stat.stat.exists" diff --git a/roles/matrix-prometheus-node-exporter/tasks/setup.yml b/roles/matrix-prometheus-node-exporter/tasks/setup.yml index 34086e6cf..fa8eb7675 100644 --- a/roles/matrix-prometheus-node-exporter/tasks/setup.yml +++ b/roles/matrix-prometheus-node-exporter/tasks/setup.yml @@ -38,6 +38,7 @@ service: name: matrix-prometheus-node-exporter state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml index 076ece1a8..37743b66f 100644 --- a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml +++ b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml @@ -38,6 +38,7 @@ service: name: matrix-prometheus-postgres-exporter state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus/tasks/setup_uninstall.yml b/roles/matrix-prometheus/tasks/setup_uninstall.yml index dd46a2228..d99c1a8e4 100644 --- a/roles/matrix-prometheus/tasks/setup_uninstall.yml +++ b/roles/matrix-prometheus/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-prometheus state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_prometheus_service_stat.stat.exists|bool" diff --git a/roles/matrix-redis/tasks/setup_redis.yml b/roles/matrix-redis/tasks/setup_redis.yml index 6f00282b4..f1f32238f 100644 --- a/roles/matrix-redis/tasks/setup_redis.yml +++ b/roles/matrix-redis/tasks/setup_redis.yml @@ -72,6 +72,7 @@ service: name: matrix-redis state: stopped + enabled: no daemon_reload: yes when: "not matrix_redis_enabled|bool and matrix_redis_service_stat.stat.exists" diff --git a/roles/matrix-registration/tasks/setup_uninstall.yml b/roles/matrix-registration/tasks/setup_uninstall.yml index 573f8170b..8afd10849 100644 --- a/roles/matrix-registration/tasks/setup_uninstall.yml +++ b/roles/matrix-registration/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-registration state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_registration_service_stat.stat.exists|bool" diff --git a/roles/matrix-sygnal/tasks/setup_uninstall.yml b/roles/matrix-sygnal/tasks/setup_uninstall.yml index dc50078ca..f2b6133f7 100644 --- a/roles/matrix-sygnal/tasks/setup_uninstall.yml +++ b/roles/matrix-sygnal/tasks/setup_uninstall.yml @@ -9,6 +9,7 @@ service: name: matrix-sygnal state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_sygnal_service_stat.stat.exists|bool" diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index 6fb47fb3a..d54583af6 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -59,6 +59,7 @@ service: name: matrix-synapse-admin state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists" diff --git a/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml b/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml index 91d434569..317a5371e 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml @@ -7,6 +7,7 @@ service: name: matrix-goofys state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_goofys_service_stat.stat.exists" diff --git a/roles/matrix-synapse/tasks/import_media_store.yml b/roles/matrix-synapse/tasks/import_media_store.yml index 487bcb356..42455b44c 100644 --- a/roles/matrix-synapse/tasks/import_media_store.yml +++ b/roles/matrix-synapse/tasks/import_media_store.yml @@ -44,6 +44,7 @@ service: name: matrix-synapse state: stopped + enabled: no daemon_reload: yes register: stopping_result diff --git a/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml index f1cdf1670..070856e48 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml @@ -7,6 +7,7 @@ service: name: matrix-synapse state: stopped + enabled: no daemon_reload: yes register: stopping_result when: "matrix_synapse_service_stat.stat.exists" From 7a4f49c457e6346989152b0679907a51d25c631c Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 10 Nov 2021 22:52:23 +0530 Subject: [PATCH 050/139] Nginx Minio Update (1.21.3 -> 1.21.4) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index ff917c90f..e3c19d86b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.21.3-alpine +matrix_nginx_proxy_version: 1.21.4-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From cd26af2f6fac44b49f4cd9f098e16a64c89104fe Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 10 Nov 2021 22:58:45 +0530 Subject: [PATCH 051/139] Certbot Update (v1.20.0 -> v1.21.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index e3c19d86b..3bb2723d8 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -437,7 +437,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.20.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From c4d2c8394ca90facc7605ab2bc16b4cc993b0c84 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 Nov 2021 15:42:34 +0200 Subject: [PATCH 052/139] Abort if on an unsupported Postgres version (v9.6) Official support ends today (2021-11-11). Synapse still supports v9.6, but we'd better force users to transition to newer versions anyway. --- roles/matrix-postgres/tasks/setup_postgres.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 4294bc113..96a20d254 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -18,6 +18,11 @@ matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" when: matrix_postgres_enabled|bool +- name: Abort if on an unsupported Postgres version + fail: + msg: "You're on Postgres {{ matrix_postgres_detected_version }}, which is no longer supported. To upgrade, see docs/maintenance-postgres.md" + when: "matrix_postgres_enabled|bool and matrix_postgres_detected_version.startswith('9.')" + - name: Inject warning if on an old version of Postgres set_fact: matrix_playbook_runtime_results: | From b19576030188381b353766e90f63117ac1e165a7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 Nov 2021 16:04:11 +0200 Subject: [PATCH 053/139] Mention dropped Postgres v9.6 support in the changelog Related to c4d2c8394ca90f --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c706b4a67..7e1241593 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-11-11 + +## Dropped support for Postgres v9.6 + +Postgres v9.6 reached its end of life today, so the playbook will refuse to run for you if you're still on that version. + +Synapse still supports v9.6 (for now), but we're retiring support for it early, to avoid having to maintain support for so many Postgres versions. Users that are still on Postgres v9.6 can easily [upgrade Postgres](docs/maintenance-postgres.md#upgrading-postgresql) via the playbook. + + # 2021-10-23 ## Hangouts bridge no longer updated, superseded by a Googlechat bridge From f01b9c386519e8967bc01ee32bec39bfcbc682b7 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Fri, 12 Nov 2021 04:50:29 +0200 Subject: [PATCH 054/139] Upgrade Heisenbridge (1.5.0 -> 1.6.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index f25f502fe..9a87a6daf 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.5.0 +matrix_heisenbridge_version: 1.6.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From c0656448f75d9fc09b6b290a7d987da2a1c76b4a Mon Sep 17 00:00:00 2001 From: JokerGermany <30293477+JokerGermany@users.noreply.github.com> Date: Sat, 13 Nov 2021 01:18:22 +0100 Subject: [PATCH 055/139] Port 80 for IPv6 --- .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 1 + .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 4 +++- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 ++ .../templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 | 2 ++ .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 4 +++- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 ++ .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 6 ++++-- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 ++ .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 ++ .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 ++ 10 files changed, 23 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index b02942838..3aff997db 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -36,6 +36,7 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_base_domain_hostname }}; server_tokens off; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 6cb5f57a1..79269f434 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -33,6 +33,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; server_tokens off; @@ -83,7 +85,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 2f4f4aa15..095d5fcff 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -41,6 +41,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 1ea4a3443..c0794205b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -39,6 +39,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index ef8ee972d..292cc4c28 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -36,6 +36,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; server_tokens off; @@ -86,7 +88,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index b6506b437..02201b9cc 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -161,6 +161,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; server_tokens off; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 0f7c43c57..209c1cd0c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -43,6 +43,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; @@ -94,12 +96,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 86d95453c..7fccce945 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -78,6 +78,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; server_tokens off; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index d153d5c20..5bcbeba5b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -24,6 +24,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index 9c4af1d9a..ba442b378 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -35,6 +35,8 @@ server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; server_tokens off; From 7756cc4c8ee05612c53660122131be399328d0c5 Mon Sep 17 00:00:00 2001 From: b Date: Sun, 14 Nov 2021 20:30:13 +0200 Subject: [PATCH 056/139] replace port 8048 with matrix_synapse_container_default_federation_port --- group_vars/matrix_servers | 3 ++- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- roles/matrix-synapse/defaults/main.yml | 2 +- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- .../templates/synapse/systemd/matrix-synapse.service.j2 | 2 +- 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d58f4dda3..cfca8c92f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1720,7 +1720,8 @@ matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + m matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" # # For exposing the Matrix Federation API's plain port (plain HTTP) to the local host. -matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}" +matrix_synapse_container_default_federation_port: 8048 +matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_default_federation_port|string }}" # # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index f7a84ca1d..a5e0bf1a4 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -39,7 +39,7 @@ matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" -matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048" +matrix_dimension_homeserver_federationUrl: ""http://matrix-synapse:{{matrix_synapse_container_default_federation_port|string}}"" # Database-related configuration fields. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3bb2723d8..af549b947 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -116,8 +116,8 @@ matrix_nginx_proxy_proxy_synapse_enabled: false matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" # The addresses where the Federation API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_default_federation_port|string}}" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_default_federation_port|string}}" # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ce596c6bb..eb9d8e662 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -146,7 +146,7 @@ matrix_synapse_federation_rr_transactions_per_room_per_second: 50 # Controls whether the TLS federation listener is enabled (tcp/8448). # Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). -# Note that federation may potentially be enabled as non-TLS on tcp/8048 as well. +# Note that federation may potentially be enabled as non-TLS on `matrix_synapse_container_default_federation_port` as well. # If you're serving Synapse behind an HTTPS-capable reverse-proxy, # you can disable the TLS listener (`matrix_synapse_tls_federation_listener_enabled: false`). matrix_synapse_tls_federation_listener_enabled: true diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index cebe7a1f6..2bfec1b4c 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -302,7 +302,7 @@ listeners: {% if matrix_synapse_federation_port_enabled %} # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy # that unwraps TLS. - - port: 8048 + - port: {{ matrix_synapse_container_default_federation_port }} tls: false bind_addresses: ['::'] type: http diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 2fbaac7b5..d58f1f192 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -46,7 +46,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %} - -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \ + -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:{{ matrix_synapse_container_default_federation_port }} \ {% endif %} {% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %} -p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \ From 5e97f5a4e6319a057905a8fd2c4d9bb409f3d1cb Mon Sep 17 00:00:00 2001 From: b Date: Sun, 14 Nov 2021 20:57:27 +0200 Subject: [PATCH 057/139] fixed matrix_dimension_homeserver_federationUrl --- roles/matrix-dimension/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index a5e0bf1a4..48958020c 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -39,7 +39,7 @@ matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" -matrix_dimension_homeserver_federationUrl: ""http://matrix-synapse:{{matrix_synapse_container_default_federation_port|string}}"" +matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_default_federation_port|string}}" # Database-related configuration fields. From 61b743f86dcc05c308747adc7ab7756383b2fd92 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 14 Nov 2021 19:10:56 +0000 Subject: [PATCH 058/139] Postgres Minor Updates (14.1, 13.5, 12.9, 11.14, 10.19) --- roles/matrix-postgres/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 91a31d997..424132862 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -18,11 +18,11 @@ matrix_postgres_architecture: amd64 matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.23{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.18{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.13{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.8{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.4{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.0{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.19{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.14{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.9{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.5{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v14: "{{ matrix_container_global_registry_prefix }}postgres:14.1{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v14 }}" # This variable is assigned at runtime. Overriding its value has no effect. From afccc2b11fc8b8ac02ccc659dfc9497d58f55686 Mon Sep 17 00:00:00 2001 From: b Date: Sun, 14 Nov 2021 23:32:25 +0200 Subject: [PATCH 059/139] make 8448 configurable instead of hard coded --- roles/matrix-synapse/defaults/main.yml | 2 ++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- .../templates/synapse/systemd/matrix-synapse.service.j2 | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ce596c6bb..c42d1f216 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -27,6 +27,8 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" + matrix_synapse_container_default_federation_api_port: 8448 + # Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index cebe7a1f6..b3e4478bb 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -276,7 +276,7 @@ listeners: {% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: 8448 + - port: {{ matrix_federation_public_port }} tls: true bind_addresses: ['::'] type: http diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 2fbaac7b5..c53296426 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -43,7 +43,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %} - -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \ + -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:{{ matrix_synapse_container_default_federation_api_port }} \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %} -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \ From 1d0e594defe2809714ad6e57fa8039522a7551ac Mon Sep 17 00:00:00 2001 From: iucca Date: Sun, 14 Nov 2021 23:45:07 +0100 Subject: [PATCH 060/139] updated whatsapp config, backfill doesn't work --- roles/matrix-base/defaults/main.yml | 6 + .../templates/config.yaml.j2 | 195 ++++++++++++------ .../templates/synapse/homeserver.yaml.j2 | 5 + 3 files changed, 140 insertions(+), 66 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index bf376c948..a6f287f6d 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -98,6 +98,10 @@ matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ matrix_integration_manager_ui_url: ~ +# Enable backfilling history sync payloads from bridges using batch sending? +# This requires a server with MSC2716 support, which is currently an experimental feature in synapse. +matrix_bridges_backfill_enabled: false + # The domain name where a Jitsi server is self-hosted. # If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server. # See: https://github.com/vector-im/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server @@ -121,6 +125,8 @@ matrix_client_element_e2ee_secure_backup_setup_methods: [] # The Docker network that all services would be put into matrix_docker_network: "matrix" + + # Controls whether we'll preserve the vars.yml file on the Matrix server. # If you have a differently organized inventory, you may wish to disable this feature, # or to repoint `matrix_vars_yml_snapshotting_src` to the file you'd like to preserve. diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index b3b1caf1f..849b15d4d 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -7,6 +7,10 @@ homeserver: domain: {{ matrix_mautrix_whatsapp_homeserver_domain }} # Application service host/registration related details. # Changing these values requires regeneration of the registration. + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes. + # The bridge will use the appservice as_token to authorize requests. +# status_endpoint: "null" appservice: # The address that the homeserver can use to connect to this appservice. @@ -28,9 +32,6 @@ appservice: max_open_conns: 20 max_idle_conns: 2 - # Path to the Matrix room state store. - state_store_path: ./mx-state.json - # The unique ID of this appservice. id: whatsapp # Appservice bot details. @@ -51,79 +52,142 @@ bridge: # Localpart template of MXIDs for WhatsApp users. # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user. username_template: "{{ 'whatsapp_{{.}}' }}" - # Displayname template for WhatsApp users. - # {{ '{{.Notify'}}' }} - nickname set by the WhatsApp user - # {{ '{{.Jid}}' }} - phone number (international format) - # The following variables are also available, but will cause problems on multi-user instances: - # {{ '{{.Name}}' }} - display name from contact list - # {{ '{{.Short}}' }} - short display name from contact list - displayname_template: "{{ '{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)' }}" - # WhatsApp connection timeout in seconds. - connection_timeout: 20 - # Maximum number of times to retry connecting on connection error. - max_connection_attempts: 3 - # Number of seconds to wait between connection attempts. - # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts - connection_retry_delay: -1 - # Whether or not the bridge should send a notice to the user's management room when it retries connecting. - # If false, it will only report when it stops retrying. - report_connection_retry: true - # Maximum number of seconds to wait for chats to be sent at startup. - # If this is too low and you have lots of chats, it could cause backfilling to fail. - chat_list_wait: 30 - # Maximum number of seconds to wait to sync portals before force unlocking message processing. - # If this is too low and you have lots of chats, it could cause backfilling to fail. - portal_sync_wait: 600 + displayname_template: "{{ '{{if .PushName}}{{.PushName}}{{else if .BusinessName}}{{.BusinessName}}{{else}}{{.JID}}{{end}} (WA)' }}" - # Whether or not to send call start/end notices to Matrix. - call_notices: - start: true - end: true + # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp? + delivery_receipts: false + # Should incoming calls send a message to the Matrix room? + call_start_notices: true + # Should another user's cryptographic identity changing send a message to Matrix? + identity_change_notices: false + # Should a "reactions not yet supported" warning be sent to the Matrix room when a user reacts to a message? + reaction_notices: true - # Number of chats to sync for new users. - initial_chat_sync_count: 10 - # Number of old messages to fill when creating new portal rooms. - initial_history_fill_count: 20 - # Maximum number of chats to sync when recovering from downtime. - # Set to -1 to sync all new chats during downtime. - recovery_chat_sync_limit: -1 - # Whether or not to sync history when recovering from downtime. - recovery_history_backfill: true - # Maximum number of seconds since last message in chat to skip - # syncing the chat in any case. This setting will take priority - # over both recovery_chat_sync_limit and initial_chat_sync_count. - # Default is 3 days = 259200 seconds - sync_max_chat_age: 259200 + portal_message_buffer: 128 - # Whether or not to sync with custom puppets to receive EDUs that - # are not normally sent to appservices. + # Settings for handling history sync payloads. These settings only apply right after login, + # because the phone only sends the history sync data once, and there's no way to re-request it + # (other than logging out and back in again). + history_sync: + # Should the bridge create portals for chats in the history sync payload? + create_portals: true + # Maximum age of chats in seconds to create portals for. Set to 0 to create portals for all chats in sync payload. + max_age: 604800 + # Enable backfilling history sync payloads from WhatsApp using batch sending? + # This requires a server with MSC2716 support, which is currently an experimental feature in synapse. + # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml. + # Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers. + backfill: {{ matrix_bridges_backfill_enabled }} + # Use double puppets for backfilling? + # In order to use this, the double puppets must be in the appservice's user ID namespace + # (because the bridge can't use the double puppet access token with batch sending). + # This only affects double puppets on the local server, double puppets on other servers will never be used. + double_puppet_backfill: {{ matrix_bridges_backfill_enabled }} + # Should the bridge request a full sync from the phone when logging in? + # This bumps the size of history syncs from 3 months to 1 year. + request_full_sync: false + + user_avatar_sync: true + # Should Matrix users leaving groups be bridged to WhatsApp? + bridge_matrix_leave: true + + + # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices. sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # Should the bridge update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # When double puppeting is enabled, users can use `!wa toggle` to change whether + # presence and read receipts are bridged. These settings set the default values. + # Existing users won't be affected when these are changed. + default_bridge_receipts: true + default_bridge_presence: true + # Servers to always allow double puppeting from + double_puppet_server_map: "{{ matrix_domain }}" + + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth # - # If set, custom puppets will be enabled automatically for local users + # If set, double puppeting will be enabled automatically for local users # instead of users having to find an access token and run `login-matrix` # manually. - login_shared_secret: {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }} + login_shared_secret_map: + "{{ matrix_mautrix_whatsapp_homeserver_domain }}": {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }} - # Whether or not to invite own WhatsApp user's Matrix puppet into private - # chat portals when backfilling if needed. - # This always uses the default puppet instead of custom puppets due to - # rate limits and timestamp massaging. - invite_own_puppet_for_backfilling: true - # Whether or not to explicitly set the avatar and room name for private - # chat portal rooms. This can be useful if the previous field works fine, - # but causes room avatar/name bugs. + + # Should the bridge explicitly set the avatar and room name for private chat portal rooms? private_chat_portal_meta: false - + # Should Matrix m.notice-type messages be bridged? + bridge_notices: true + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, except if the config file is not writable. + resend_bridge_info: false + # When using double puppeting, should muted chats be muted in Matrix? + mute_bridging: false + # When using double puppeting, should archived chats be moved to a specific tag in Matrix? + # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix. + # This can be set to a tag (e.g. m.lowpriority), or null to disable. + archive_tag: null + # Same as above, but for pinned chats. The favorite tag is called m.favourite + pinned_tag: null + # Should mute status and tags only be bridged when the portal room is created? + tag_only_on_create: true + # Should WhatsApp status messages be bridged into a Matrix room? + # Disabling this won't affect already created status broadcast rooms. + enable_status_broadcast: true + # Should the bridge use thumbnails from WhatsApp? + # They're disabled by default due to very low resolution. + whatsapp_thumbnail: false # Allow invite permission for user. User can invite any bots to room with whatsapp # users (private chat and groups) allow_user_invite: false + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true # The prefix for commands. Only required in non-management rooms. command_prefix: "!wa" + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a WhatsApp bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `login` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + # It is recommended to also set private_chat_portal_meta to true when using this. + default: false + # Options for automatic key sharing. + key_sharing: + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow: false + # Require the requesting device to have a valid cross-signing signature? + # This doesn't require that the bridge has verified the device, only that the user has verified it. + # Not yet implemented. + require_cross_signing: false + # Require devices to be verified by the bridge? + # Verification by the bridge is not yet implemented. + require_verification: true + # Permissions for using the bridge. # Permitted values: + # relay - Talk through the relaybot (if enabled), no access otherwise # user - Access to use the bridge to chat with a WhatsApp account. # admin - User level and some additional administration tools # Permitted keys: @@ -133,15 +197,13 @@ bridge: permissions: "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user - relaybot: - # Whether or not relaybot support is enabled. + # Settings for relay mode + relay: + # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. enabled: false - # The management room for the bot. This is where all status notifications are posted and - # in this room, you can use `!wa ` instead of `!wa relaybot `. Omitting - # the command prefix completely like in user management rooms is not possible. - management: '!foo:example.com' - # List of users to invite to all created rooms that include the relaybot. - invites: [] + # Should only admins be allowed to set themselves as relay users? + admin_only: true # The formats to use when sending messages to WhatsApp via the relaybot. message_formats: m.text: "{{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" @@ -152,6 +214,7 @@ bridge: m.audio: "{{ '{{ .Sender.Displayname }}' }}: sent an audio file" m.video: "{{ '{{ .Sender.Displayname }}' }}: sent a video" m.location: "{{ '{{ .Sender.Displayname }}' }}: sent a location" + # Logging config. logging: # The directory for log files. Will be created if not found. diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index cebe7a1f6..aa99d94d5 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2875,6 +2875,11 @@ opentracing: # events: worker1 # typing: worker1 +{% if matrix_bridges_backfill_enabled %} +Experimental: + msc2716_enabled: true +{% endif %} + # The worker that is used to run background tasks (e.g. cleaning up expired # data). If not provided this defaults to the main process. # From 4ff8fddd72d8a17ca567ccfcd8489ef7235027fd Mon Sep 17 00:00:00 2001 From: iucca Date: Sun, 14 Nov 2021 23:57:52 +0100 Subject: [PATCH 061/139] updated whatsapp config, backfill doesn't work --- docs/configuring-playbook-bridge-mautrix-whatsapp.md | 9 +++++++++ .../templates/config.yaml.j2 | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index 1e5f70380..0101cecc2 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -10,6 +10,15 @@ Use the following playbook configuration: matrix_mautrix_whatsapp_enabled: true ``` +## Enable backfilling history +This requires a server with MSC2716 support, which is currently an experimental feature in synapse. +Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers. + +Use the following playbook configuration: + +```yaml +matrix_bridges_backfill_enabled: true +``` ## Set up Double Puppeting diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 849b15d4d..8e6d8edac 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -10,7 +10,7 @@ homeserver: # The URL to push real-time bridge status to. # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes. # The bridge will use the appservice as_token to authorize requests. -# status_endpoint: "null" + status_endpoint: "null" appservice: # The address that the homeserver can use to connect to this appservice. From 708a7108b3d9c6814e9c9a0fe34c7eb795befe91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arthur=20Brugi=C3=A8re?= <16764085+RoiArthurB@users.noreply.github.com> Date: Mon, 15 Nov 2021 10:29:13 +0700 Subject: [PATCH 062/139] Upgrade Mautrix Facebook bridge version --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 6c1d6b69d..2b453babe 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -6,7 +6,7 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" -matrix_mautrix_facebook_version: v0.3.1 +matrix_mautrix_facebook_version: v0.3.2 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" From 8abe1ac483407a7f1e2ab9fdf31f717038dfeeb7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 08:18:39 +0200 Subject: [PATCH 063/139] Warn people if on an old SQLite-supporting mautrix-facebook version Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1401 https://github.com/mautrix/facebook/releases/tag/v0.3.2 says that this version re-adds SQLite support. --- CHANGELOG.md | 2 ++ .../tasks/validate_config.yml | 14 +++----------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e1241593..43af8dd10 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -253,6 +253,8 @@ The fact that we've renamed Synapse's database from `homeserver` to `synapse` (i ## (Breaking Change) The mautrix-facebook bridge now requires a Postgres database +**Update from 2021-11-15**: SQLite support has been re-added to the mautrix-facebook bridge in [v0.3.2](https://github.com/mautrix/facebook/releases/tag/v0.3.2). You can ignore this changelog entry. + A new version of the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge has been released. It's a full rewrite of its backend and the bridge now requires Postgres. New versions of the bridge can no longer run on SQLite. **TLDR**: if you're NOT using an [external Postgres server](docs/configuring-playbook-external-postgres.md) and have NOT forcefully kept the bridge on SQLite during [The big move to all-on-Postgres (potentially dangerous)](#the-big-move-to-all-on-postgres-potentially-dangerous), you will be automatically upgraded without manual intervention. All you need to do is send a `login` message to the Facebook bridge bot again. diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml index 0879bad9c..1e482efb7 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml @@ -10,22 +10,14 @@ - "matrix_mautrix_facebook_homeserver_token" - block: - - name: Fail if on SQLite, unless on the last version supporting SQLite - fail: - msg: >- - You're trying to use the mautrix-facebook bridge with an SQLite database. - Going forward, this bridge only supports Postgres. - To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database - when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" - - - name: Inject warning if still on SQLite + - name: Inject warning if on an old SQLite-supporting version set_fact: matrix_playbook_runtime_results: | {{ matrix_playbook_runtime_results|default([]) + [ - "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database" + "NOTE: Your mautrix-facebook bridge is still on SQLite and on the last version that supported it, before support was dropped. Support has been subsequently re-added in v0.3.2, so we advise you to upgrade (by removing your `matrix_mautrix_facebook_docker_image` definition from vars.yml)" ] }} - when: "matrix_mautrix_facebook_database_engine == 'sqlite'" + when: "matrix_mautrix_facebook_database_engine == 'sqlite' and matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" From c08880d175fdbb737784e8043c58e49a48ba2502 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 09:15:44 +0200 Subject: [PATCH 064/139] Upgrade postgres-backup to v14 --- roles/matrix-postgres-backup/defaults/main.yml | 1 + .../tasks/util/detect_existing_postgres_version.yml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index 522764ac0..e1f252fe0 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -32,6 +32,7 @@ matrix_postgres_backup_docker_image_v10: "{{ matrix_container_global_registry_pr matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:11{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. diff --git a/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml index 87a81f74c..10828cc7a 100644 --- a/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml +++ b/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml @@ -54,3 +54,8 @@ set_fact: matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v12 }}" when: "matrix_postgres_backup_detected_version == '12' or matrix_postgres_backup_detected_version.startswith('12.')" + +- name: Determine corresponding Docker image to detected version (use 13.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v13 }}" + when: "matrix_postgres_backup_detected_version == '13' or matrix_postgres_backup_detected_version.startswith('13.')" From 266bdbc902e430f8bb566c955fb8ff58772904c9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 10:29:25 +0200 Subject: [PATCH 065/139] Update matrix-corporal documentation --- docs/configuring-playbook-matrix-corporal.md | 41 +++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index fb12e94a9..eb635c641 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -37,6 +37,7 @@ matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal matrix_corporal_enabled: true +# See below for an example of how to use a locally-stored static policy matrix_corporal_policy_provider_config: | { "Type": "http", @@ -74,10 +75,48 @@ Matrix Corporal operates with a specific Matrix user on your server. By default, it's `matrix-corporal` (controllable by the `matrix_corporal_reconciliation_user_id_local_part` setting, see above). No matter what Matrix user id you configure to run it with, make sure that: -- the Matrix Corporal user is created by [registering it](registering-users.md). Use a password you remember, as you'll need to log in from time to time to create or join rooms +- the Matrix Corporal user is created by [registering it](registering-users.md) **with administrator privileges**. Use a password you remember, as you'll need to log in from time to time to create or join rooms - the Matrix Corporal user is joined and has Admin/Moderator-level access to any rooms you want it to manage +### Using a locally-stored static policy + +If you'd like to use a [static policy file](https://github.com/devture/matrix-corporal/blob/master/docs/policy-providers.md#static-file-pull-style-policy-provider), you can use a configuration like this: + +```yaml +matrix_corporal_policy_provider_config: | + { + "Type": "static_file", + "Path": "/etc/matrix-corporal/policy.json" + } + +# Modify the policy below as you see fit +matrix_aux_file_definitions: + - dest: "{{ matrix_corporal_config_dir_path }}/policy.json" + content: | + { + "schemaVersion": 1, + "identificationStamp": "stamp-1", + "flags": { + "allowCustomUserDisplayNames": false, + "allowCustomUserAvatars": false, + "forbidRoomCreation": false, + "forbidEncryptedRoomCreation": true, + "forbidUnencryptedRoomCreation": false, + "allowCustomPassthroughUserPasswords": true, + "allowUnauthenticatedPasswordResets": false, + "allow3pidLogin": false + }, + "managedCommunityIds": [], + "managedRoomIds": [], + "users": [] + } +``` + +To learn more about what the policy configuration, see the matrix-corporal documentation on [policy](https://github.com/devture/matrix-corporal/blob/master/docs/policy.md). + +Each time you update the policy in your `vars.yml` file, you'd need to re-run the playbook and restart matrix-corporal (`--tags=setup-all,start` or `--tags=setup-aux-files,setup-corporal,start`). + ## Matrix Corporal files From 0d4764a21346e168bc3a9c6f1248bc2cf6986eff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 11:24:01 +0200 Subject: [PATCH 066/139] Upgrade matrix-corporal (2.1.2 -> 2.1.3) 2.1.3 fixes a security vulnerability, which allowed attackers to circuimvent policy checks by sending HTTP requests with trailing slashes. Learn more in the matrix-corporal changelog: https://github.com/devture/matrix-corporal/blob/master/CHANGELOG.md --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 313f79a8f..fd6b65d35 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.1.2 +matrix_corporal_version: 2.1.3 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From 07496069c8cad666d8cdbe3ac9cec466f556dfd5 Mon Sep 17 00:00:00 2001 From: b Date: Mon, 15 Nov 2021 12:07:54 +0200 Subject: [PATCH 067/139] rellocating variables for consistency --- group_vars/matrix_servers | 8 ++++++-- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 5 +++-- roles/matrix-synapse/defaults/main.yml | 4 +++- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- .../templates/synapse/systemd/matrix-synapse.service.j2 | 2 +- 6 files changed, 15 insertions(+), 8 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cfca8c92f..e67403b36 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1047,6 +1047,8 @@ matrix_dimension_enabled: false # the Dimension HTTP port to the local host. matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" +matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_federation_port|string}}" + matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" @@ -1306,6 +1308,9 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 # Settings controlling matrix-synapse-proxy.conf matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_port|string}}" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_port|string}}" + # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -1720,8 +1725,7 @@ matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + m matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" # # For exposing the Matrix Federation API's plain port (plain HTTP) to the local host. -matrix_synapse_container_default_federation_port: 8048 -matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_default_federation_port|string }}" +matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_federation_port|string }}" # # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 48958020c..fc1f17a65 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -39,7 +39,7 @@ matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" -matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_default_federation_port|string}}" +matrix_dimension_homeserver_federationUrl: "" # Database-related configuration fields. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index af549b947..ea26084ef 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -115,9 +115,10 @@ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain } matrix_nginx_proxy_proxy_synapse_enabled: false matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" + # The addresses where the Federation API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_default_federation_port|string}}" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_default_federation_port|string}}" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "" # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index eb9d8e662..8e32764a6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -27,6 +27,8 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" +matrix_synapse_container_federation_port: 8048 + # Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. @@ -146,7 +148,7 @@ matrix_synapse_federation_rr_transactions_per_room_per_second: 50 # Controls whether the TLS federation listener is enabled (tcp/8448). # Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). -# Note that federation may potentially be enabled as non-TLS on `matrix_synapse_container_default_federation_port` as well. +# Note that federation may potentially be enabled as non-TLS on `matrix_synapse_container_federation_port` as well. # If you're serving Synapse behind an HTTPS-capable reverse-proxy, # you can disable the TLS listener (`matrix_synapse_tls_federation_listener_enabled: false`). matrix_synapse_tls_federation_listener_enabled: true diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 2bfec1b4c..7a7cdfa5a 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -302,7 +302,7 @@ listeners: {% if matrix_synapse_federation_port_enabled %} # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy # that unwraps TLS. - - port: {{ matrix_synapse_container_default_federation_port }} + - port: {{ matrix_synapse_container_default_federation_port|to_json }} tls: false bind_addresses: ['::'] type: http diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index d58f1f192..0224c3fb9 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -46,7 +46,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %} - -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:{{ matrix_synapse_container_default_federation_port }} \ + -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:{{ matrix_synapse_container_federation_port }} \ {% endif %} {% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %} -p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \ From 8c3e25de1bfb98b79ee84c8a0598eacb75cf9e77 Mon Sep 17 00:00:00 2001 From: boris runakov Date: Mon, 15 Nov 2021 13:01:22 +0200 Subject: [PATCH 068/139] renamed var to matrix_synapse_container_federation_api_port --- roles/matrix-synapse/defaults/main.yml | 2 +- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- .../templates/synapse/systemd/matrix-synapse.service.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index c42d1f216..7a889fbd2 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -27,7 +27,7 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" - matrix_synapse_container_default_federation_api_port: 8448 + matrix_synapse_container_federation_api_port: 8448 # Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container). # diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index b3e4478bb..43f9baf84 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -276,7 +276,7 @@ listeners: {% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: {{ matrix_federation_public_port }} + - port: {{ matrix_synapse_container_federation_api_port }} tls: true bind_addresses: ['::'] type: http diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index c53296426..f4e629368 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -43,7 +43,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %} - -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:{{ matrix_synapse_container_default_federation_api_port }} \ + -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:{{ matrix_synapse_container_federation_api_port }} \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %} -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \ From 994c0e504cffbee5af5051ada8fcb4abe3ddc3cf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 14:46:44 +0200 Subject: [PATCH 069/139] Ensure some matrix-nginx-proxy variables are defined Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1397 --- roles/matrix-nginx-proxy/tasks/validate_config.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 9661ae5e9..39a2dfe59 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -43,5 +43,7 @@ msg: "The `{{ item }}` variable must be defined and have a non-null value" with_items: - "matrix_ssl_lets_encrypt_support_email" + - "matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container" + - "matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container" when: "vars[item] == '' or vars[item] is none" when: "matrix_ssl_retrieval_method == 'lets-encrypt'" From edf63bfdd7a65b487a55b9762d30823e08f7b399 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 14:48:25 +0200 Subject: [PATCH 070/139] Add some to_json invocations --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 43f9baf84..4e5ddea3d 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -269,14 +269,14 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} listeners: {% if matrix_synapse_metrics_enabled %} - type: metrics - port: {{ matrix_synapse_metrics_port }} + port: {{ matrix_synapse_metrics_port|to_json }} bind_addresses: - '0.0.0.0' {% endif %} {% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: {{ matrix_synapse_container_federation_api_port }} + - port: {{ matrix_synapse_container_federation_api_port|to_json }} tls: true bind_addresses: ['::'] type: http From ba48aa70f73fb54a37c4e13ed32cd80ce83a8018 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 14:52:08 +0200 Subject: [PATCH 071/139] Fix variable name typo Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1397 --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e88ed2565..1a1cf6ebd 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -302,7 +302,7 @@ listeners: {% if matrix_synapse_federation_port_enabled %} # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy # that unwraps TLS. - - port: {{ matrix_synapse_container_default_federation_port|to_json }} + - port: {{ matrix_synapse_container_federation_port|to_json }} tls: false bind_addresses: ['::'] type: http From c1bc7b9f934a1862442a4e0d7e81f017ccb101d3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 14:56:11 +0200 Subject: [PATCH 072/139] Rename variables to prevent confusion Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1397 and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1399 --- group_vars/matrix_servers | 8 ++++---- roles/matrix-synapse/defaults/main.yml | 6 +++--- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- .../templates/synapse/systemd/matrix-synapse.service.j2 | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e67403b36..52dc671cf 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1047,7 +1047,7 @@ matrix_dimension_enabled: false # the Dimension HTTP port to the local host. matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" -matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_federation_port|string}}" +matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" @@ -1308,8 +1308,8 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 # Settings controlling matrix-synapse-proxy.conf matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_port|string}}" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_port|string}}" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" @@ -1725,7 +1725,7 @@ matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + m matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" # # For exposing the Matrix Federation API's plain port (plain HTTP) to the local host. -matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_federation_port|string }}" +matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_federation_api_plain_port|string }}" # # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index cfc985b40..624a6b5e0 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -27,9 +27,9 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" -matrix_synapse_container_federation_api_port: 8448 +matrix_synapse_container_federation_api_tls_port: 8448 -matrix_synapse_container_federation_port: 8048 +matrix_synapse_container_federation_api_plain_port: 8048 # Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container). # @@ -150,7 +150,7 @@ matrix_synapse_federation_rr_transactions_per_room_per_second: 50 # Controls whether the TLS federation listener is enabled (tcp/8448). # Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). -# Note that federation may potentially be enabled as non-TLS on `matrix_synapse_container_federation_port` as well. +# Note that federation may potentially be enabled as non-TLS on `matrix_synapse_container_federation_api_plain_port` as well. # If you're serving Synapse behind an HTTPS-capable reverse-proxy, # you can disable the TLS listener (`matrix_synapse_tls_federation_listener_enabled: false`). matrix_synapse_tls_federation_listener_enabled: true diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 1a1cf6ebd..a8e0ab6f8 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -276,7 +276,7 @@ listeners: {% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: {{ matrix_synapse_container_federation_api_port|to_json }} + - port: {{ matrix_synapse_container_federation_api_tls_port|to_json }} tls: true bind_addresses: ['::'] type: http @@ -302,7 +302,7 @@ listeners: {% if matrix_synapse_federation_port_enabled %} # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy # that unwraps TLS. - - port: {{ matrix_synapse_container_federation_port|to_json }} + - port: {{ matrix_synapse_container_federation_api_plain_port|to_json }} tls: false bind_addresses: ['::'] type: http diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 011d30f7f..0451fd8dc 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -43,10 +43,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %} - -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:{{ matrix_synapse_container_federation_api_port }} \ + -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:{{ matrix_synapse_container_federation_api_tls_port }} \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %} - -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:{{ matrix_synapse_container_federation_port }} \ + -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:{{ matrix_synapse_container_federation_api_plain_port }} \ {% endif %} {% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %} -p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \ From e72ae8bc484cfc1e35a2cd463ec81bebdf2a3342 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Nov 2021 17:23:25 +0200 Subject: [PATCH 073/139] Upgrade matrix-corporal (2.1.3 -> 2.1.4) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index fd6b65d35..ccc7ef65c 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.1.3 +matrix_corporal_version: 2.1.4 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From ae122466fc232d21da3cd5cdf5fcdf0a4625d460 Mon Sep 17 00:00:00 2001 From: iucca Date: Mon, 15 Nov 2021 19:23:28 +0100 Subject: [PATCH 074/139] updated whatsapp config --- docs/configuring-playbook-bridge-mautrix-whatsapp.md | 11 +++++++++-- roles/matrix-base/defaults/main.yml | 4 ---- .../templates/config.yaml.j2 | 10 +++++++--- .../templates/synapse/homeserver.yaml.j2 | 5 ----- 4 files changed, 16 insertions(+), 14 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index 0101cecc2..1e94e6186 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -13,11 +13,18 @@ matrix_mautrix_whatsapp_enabled: true ## Enable backfilling history This requires a server with MSC2716 support, which is currently an experimental feature in synapse. Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers. - Use the following playbook configuration: ```yaml -matrix_bridges_backfill_enabled: true +matrix_synapse_configuration_extension_yaml: | + experimental_features: + msc2716_enabled: true +``` +```yaml +matrix_mautrix_whatsapp_configuration_extension_yaml: + bridge: + history_sync: + backfill: true ``` ## Set up Double Puppeting diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index a6f287f6d..f61a53814 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -98,10 +98,6 @@ matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ matrix_integration_manager_ui_url: ~ -# Enable backfilling history sync payloads from bridges using batch sending? -# This requires a server with MSC2716 support, which is currently an experimental feature in synapse. -matrix_bridges_backfill_enabled: false - # The domain name where a Jitsi server is self-hosted. # If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server. # See: https://github.com/vector-im/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 8e6d8edac..133cba2a1 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -33,7 +33,7 @@ appservice: max_idle_conns: 2 # The unique ID of this appservice. - id: whatsapp + id: whatsappbot # Appservice bot details. bot: # Username of the appservice bot. @@ -77,12 +77,13 @@ bridge: # This requires a server with MSC2716 support, which is currently an experimental feature in synapse. # It can be enabled by setting experimental_features -> msc2716_enabled to true in homeserver.yaml. # Note that as of Synapse 1.46, there are still some bugs with the implementation, especially if using event persistence workers. - backfill: {{ matrix_bridges_backfill_enabled }} + backfill: false # Use double puppets for backfilling? # In order to use this, the double puppets must be in the appservice's user ID namespace # (because the bridge can't use the double puppet access token with batch sending). # This only affects double puppets on the local server, double puppets on other servers will never be used. - double_puppet_backfill: {{ matrix_bridges_backfill_enabled }} + # Doesn't work out of box with this playbook + double_puppet_backfill: false # Should the bridge request a full sync from the phone when logging in? # This bumps the size of history syncs from 3 months to 1 year. request_full_sync: false @@ -137,6 +138,9 @@ bridge: # Should WhatsApp status messages be bridged into a Matrix room? # Disabling this won't affect already created status broadcast rooms. enable_status_broadcast: true + # Should the status broadcast room be muted and moved into low priority by default? + # This is only applied when creating the room, the user can unmute/untag it later. + mute_status_broadcast: true # Should the bridge use thumbnails from WhatsApp? # They're disabled by default due to very low resolution. whatsapp_thumbnail: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index aa99d94d5..cebe7a1f6 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2875,11 +2875,6 @@ opentracing: # events: worker1 # typing: worker1 -{% if matrix_bridges_backfill_enabled %} -Experimental: - msc2716_enabled: true -{% endif %} - # The worker that is used to run background tasks (e.g. cleaning up expired # data). If not provided this defaults to the main process. # From 3535c9711791591fa6ebc3ba53355b5e1a97523a Mon Sep 17 00:00:00 2001 From: iucca Date: Mon, 15 Nov 2021 19:25:08 +0100 Subject: [PATCH 075/139] updated whatsapp config --- roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 133cba2a1..358658932 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -33,7 +33,7 @@ appservice: max_idle_conns: 2 # The unique ID of this appservice. - id: whatsappbot + id: whatsapp # Appservice bot details. bot: # Username of the appservice bot. From adf2dc13b394b9520aa67b0e629c9bde7ede38d1 Mon Sep 17 00:00:00 2001 From: IUCCA <33322841+IUCCA@users.noreply.github.com> Date: Mon, 15 Nov 2021 19:27:49 +0100 Subject: [PATCH 076/139] Update main.yml --- roles/matrix-base/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index f61a53814..bf376c948 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -121,8 +121,6 @@ matrix_client_element_e2ee_secure_backup_setup_methods: [] # The Docker network that all services would be put into matrix_docker_network: "matrix" - - # Controls whether we'll preserve the vars.yml file on the Matrix server. # If you have a differently organized inventory, you may wish to disable this feature, # or to repoint `matrix_vars_yml_snapshotting_src` to the file you'd like to preserve. From 788999d29cce126bace2b8e907e99c9b32fb423c Mon Sep 17 00:00:00 2001 From: iucca Date: Mon, 15 Nov 2021 19:34:56 +0100 Subject: [PATCH 077/139] updated whatsapp config --- docs/configuring-playbook-bridge-mautrix-whatsapp.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index 1e94e6186..2af38be1f 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -8,7 +8,8 @@ Use the following playbook configuration: ```yaml matrix_mautrix_whatsapp_enabled: true -``` +``` +Whatsapp multidevice beta is required, now it is enough if Whatsapp is connected to the Internet every 2 weeks. ## Enable backfilling history This requires a server with MSC2716 support, which is currently an experimental feature in synapse. From 1ec67f49b07c5c096288ed73021ecf2770b4a1f4 Mon Sep 17 00:00:00 2001 From: boris runakov Date: Mon, 15 Nov 2021 22:43:05 +0200 Subject: [PATCH 078/139] replaced 8008 where possible --- group_vars/matrix_servers | 6 +++--- .../scripts/matrix_build_room_list.py | 5 +++-- .../tasks/purge_database_build_list.yml | 4 ++-- .../matrix-awx/tasks/purge_database_events.yml | 4 ++-- roles/matrix-awx/tasks/purge_database_main.yml | 18 +++++++++--------- .../tasks/purge_database_no_local.yml | 6 +++--- .../matrix-awx/tasks/purge_database_users.yml | 6 +++--- roles/matrix-awx/tasks/purge_media_local.yml | 6 +++--- roles/matrix-awx/tasks/purge_media_main.yml | 10 +++++----- roles/matrix-awx/tasks/purge_media_remote.yml | 6 +++--- roles/matrix-base/defaults/main.yml | 2 +- .../defaults/main.yml | 4 ++-- .../defaults/main.yml | 2 +- roles/matrix-bridge-sms/defaults/main.yml | 2 +- roles/matrix-corporal/defaults/main.yml | 2 +- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- roles/matrix-synapse/defaults/main.yml | 4 +++- .../templates/synapse/homeserver.yaml.j2 | 2 +- .../synapse/systemd/matrix-synapse.service.j2 | 2 +- .../matrix-synapse-register-user.j2 | 4 ++-- .../templates/synapse/worker.yaml.j2 | 2 +- roles/matrix-synapse/vars/workers.yml | 2 +- 23 files changed, 54 insertions(+), 51 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 52dc671cf..139ccb02c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -19,9 +19,9 @@ matrix_container_global_registry_prefix: "docker.io/" matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" -# If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:8008'. +# If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}'. # This is because we explicitly disable them for the main Synapse process. -matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:8008' }}" +matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:'+ matrix_synapse_container_client_api_port|string }}" ###################################################################### # @@ -1722,7 +1722,7 @@ matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + m # you can expose Synapse's ports to the host. # # For exposing the Matrix Client API's port (plain HTTP) to the local host. -matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_client_api_port|string }}" # # For exposing the Matrix Federation API's plain port (plain HTTP) to the local host. matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_synapse_container_federation_api_plain_port|string }}" diff --git a/roles/matrix-awx/scripts/matrix_build_room_list.py b/roles/matrix-awx/scripts/matrix_build_room_list.py index 3abfcd8c9..94779ca70 100644 --- a/roles/matrix-awx/scripts/matrix_build_room_list.py +++ b/roles/matrix-awx/scripts/matrix_build_room_list.py @@ -5,10 +5,11 @@ import json janitor_token = sys.argv[1] synapse_container_ip = sys.argv[2] +synapse_container_port = sys.argv[3] # collect total amount of rooms -rooms_raw_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms' +rooms_raw_url = 'http://' + synapse_container_ip + ':' + synapse_container_port + '/_synapse/admin/v1/rooms' rooms_raw_header = {'Authorization': 'Bearer ' + janitor_token} rooms_raw = requests.get(rooms_raw_url, headers=rooms_raw_header) rooms_raw_python = json.loads(rooms_raw.text) @@ -19,7 +20,7 @@ total_rooms = rooms_raw_python["total_rooms"] room_list_file = open("/tmp/room_list_complete.json", "w") for i in range(0, total_rooms, 100): - rooms_inc_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms?from=' + str(i) + rooms_inc_url = 'http://' + synapse_container_ip + ':' + synapse_container_port + '/_synapse/admin/v1/rooms?from=' + str(i) rooms_inc = requests.get(rooms_inc_url, headers=rooms_raw_header) room_list_file.write(rooms_inc.text) diff --git a/roles/matrix-awx/tasks/purge_database_build_list.yml b/roles/matrix-awx/tasks/purge_database_build_list.yml index 5ca57d220..339510f0d 100644 --- a/roles/matrix-awx/tasks/purge_database_build_list.yml +++ b/roles/matrix-awx/tasks/purge_database_build_list.yml @@ -2,9 +2,9 @@ - name: Collect entire room list into stdout shell: | - curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms?from={{ item }}' + curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/rooms?from={{ item }}' register: awx_rooms_output - + - name: Print stdout to file delegate_to: 127.0.0.1 shell: | diff --git a/roles/matrix-awx/tasks/purge_database_events.yml b/roles/matrix-awx/tasks/purge_database_events.yml index aaef3cba5..586bc17c9 100644 --- a/roles/matrix-awx/tasks/purge_database_events.yml +++ b/roles/matrix-awx/tasks/purge_database_events.yml @@ -2,11 +2,11 @@ - name: Purge all rooms with more then N events shell: | - curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" register: awx_purge_command - name: Print output of purge command - debug: + debug: msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 6b132091b..2cdf03303 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -31,7 +31,7 @@ - name: Collect access token for janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_janitors_token no_log: True @@ -47,7 +47,7 @@ - name: Run build_room_list.py script shell: | - runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ awx_janitors_token.stdout[1:-1] }} {{ awx_synapse_container_ip.stdout }} + runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ awx_janitors_token.stdout[1:-1] }} {{ awx_synapse_container_ip.stdout }} {{ matrix_synapse_container_client_api_port.stdout }} register: awx_rooms_total when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) @@ -69,7 +69,7 @@ shell: | jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - + - name: Count number of rooms with no local users delegate_to: 127.0.0.1 shell: | @@ -84,7 +84,7 @@ when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) - name: Purge all rooms with no local users - include_tasks: purge_database_no_local.yml + include_tasks: purge_database_no_local.yml loop: "{{ awx_room_list_no_local_users.splitlines() | flatten(levels=1) }}" when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) @@ -116,7 +116,7 @@ no_log: True - name: Purge all rooms with more then N users - include_tasks: purge_database_users.yml + include_tasks: purge_database_users.yml loop: "{{ awx_room_list_joined_members.splitlines() | flatten(levels=1) }}" when: awx_purge_mode.find("Number of users [slower]") != -1 @@ -141,7 +141,7 @@ no_log: True - name: Purge all rooms with more then N events - include_tasks: purge_database_events.yml + include_tasks: purge_database_events.yml loop: "{{ awx_room_list_state_events.splitlines() | flatten(levels=1) }}" when: awx_purge_mode.find("Number of events [slower]") != -1 @@ -171,7 +171,7 @@ wait: yes tower_host: "https://{{ awx_host }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" - validate_certs: yes + validate_certs: yes when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) or (awx_purge_mode.find("Skip purging rooms [faster]") != -1) - name: Revert 'Deploy/Update a Server' job template @@ -237,7 +237,7 @@ wait: yes tower_host: "https://{{ awx_host }}" tower_oauthtoken: "{{ awx_session_token.ansible_facts.tower_token.token }}" - validate_certs: yes + validate_certs: yes when: (awx_purge_mode.find("Perform final shrink") != -1) - name: Revert 'Deploy/Update a Server' job template @@ -272,7 +272,7 @@ when: (awx_purge_mode.find("Perform final shrink") != -1) no_log: True -- name: Print total number of rooms processed +- name: Print total number of rooms processed debug: msg: '{{ awx_rooms_total.stdout }}' when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) diff --git a/roles/matrix-awx/tasks/purge_database_no_local.yml b/roles/matrix-awx/tasks/purge_database_no_local.yml index 33f99c49b..e464f56d1 100644 --- a/roles/matrix-awx/tasks/purge_database_no_local.yml +++ b/roles/matrix-awx/tasks/purge_database_no_local.yml @@ -2,11 +2,11 @@ - name: Purge all rooms with no local users shell: | - curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_room' + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_room' register: awx_purge_command - + - name: Print output of purge command - debug: + debug: msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe diff --git a/roles/matrix-awx/tasks/purge_database_users.yml b/roles/matrix-awx/tasks/purge_database_users.yml index 1c8da14d8..d315a9ef1 100644 --- a/roles/matrix-awx/tasks/purge_database_users.yml +++ b/roles/matrix-awx/tasks/purge_database_users.yml @@ -2,11 +2,11 @@ - name: Purge all rooms with more then N users shell: | - curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" + curl --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ awx_purge_epoche_time.stdout }}000 }' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" register: awx_purge_command - + - name: Print output of purge command - debug: + debug: msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe diff --git a/roles/matrix-awx/tasks/purge_media_local.yml b/roles/matrix-awx/tasks/purge_media_local.yml index 2074d5d8b..7ef79eca3 100644 --- a/roles/matrix-awx/tasks/purge_media_local.yml +++ b/roles/matrix-awx/tasks/purge_media_local.yml @@ -7,11 +7,11 @@ - name: Purge local media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ awx_epoche_time.stdout }}000' + curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ awx_epoche_time.stdout }}000' register: awx_purge_command - + - name: Print output of purge command - debug: + debug: msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 9c5f6bfb8..0c322b85a 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -9,7 +9,7 @@ include_vars: file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' no_log: True - + - name: Ensure curl and jq intalled on target machine apt: pkg: @@ -23,7 +23,7 @@ - name: Collect access token for janitor user shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' register: awx_janitors_token no_log: True @@ -31,7 +31,7 @@ delegate_to: 127.0.0.1 shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}" register: awx_purge_dates - + - name: Calculate initial size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* register: awx_local_media_size_before @@ -47,12 +47,12 @@ no_log: True - name: Purge local media with loop - include_tasks: purge_media_local.yml + include_tasks: purge_media_local.yml loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}" when: awx_purge_media_type == "Local Media" - name: Purge remote media with loop - include_tasks: purge_media_remote.yml + include_tasks: purge_media_remote.yml loop: "{{ awx_purge_dates.stdout_lines | flatten(levels=1) }}" when: awx_purge_media_type == "Remote Media" diff --git a/roles/matrix-awx/tasks/purge_media_remote.yml b/roles/matrix-awx/tasks/purge_media_remote.yml index 1418d9a61..5bb71918f 100644 --- a/roles/matrix-awx/tasks/purge_media_remote.yml +++ b/roles/matrix-awx/tasks/purge_media_remote.yml @@ -7,11 +7,11 @@ - name: Purge remote media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ awx_epoche_time.stdout }}000' + curl -X POST --header "Authorization: Bearer {{ awx_janitors_token.stdout[1:-1] }}" '{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/purge_media_cache?before_ts={{ awx_epoche_time.stdout }}000' register: awx_purge_command - + - name: Print output of purge command - debug: + debug: msg: "{{ awx_purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index bf376c948..8f3203ab3 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -91,7 +91,7 @@ matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" # Specifies where the homeserver is on the container network. # Where this is depends on whether there's a reverse-proxy in front of it, etc. # This likely gets overriden elsewhere. -matrix_homeserver_container_url: "http://matrix-synapse:8008" +matrix_homeserver_container_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" matrix_identity_server_url: ~ diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 10b3d7b48..317ea0c09 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -33,7 +33,7 @@ matrix_appservice_slack_slack_port: 9003 matrix_appservice_slack_container_http_host_bind_port: '' matrix_appservice_slack_homeserver_media_url: "{{ matrix_server_fqn_matrix }}" -matrix_appservice_slack_homeserver_url: "http://matrix-synapse:8008" +matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" matrix_appservice_slack_homeserver_domain: "{{ matrix_domain }}" matrix_appservice_slack_appservice_url: 'http://matrix-appservice-slack' @@ -82,7 +82,7 @@ matrix_appservice_slack_configuration_extension_yaml: | # Optional #matrix_admin_room: "!aBcDeF:matrix.org" #homeserver: - # url: http://localhost:8008 + # url: http://localhost:{{ matrix_synapse_container_client_api_port }} # server_name: my.server # Optional #tls: diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 2b9fe310e..e051ea220 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -36,7 +36,7 @@ matrix_appservice_webhooks_matrix_port: 6789 matrix_appservice_webhooks_container_http_host_bind_port: '' matrix_appservice_webhooks_homeserver_media_url: "{{ matrix_server_fqn_matrix }}" -matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008" +matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}" matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks' diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 55f99101b..8f2f79a08 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -26,7 +26,7 @@ matrix_sms_bridge_systemd_wanted_services_list: [] matrix_sms_bridge_appservice_url: 'http://matrix-sms-bridge:8080' matrix_sms_bridge_homeserver_hostname: 'matrix-synapse' -matrix_sms_bridge_homeserver_port: '8008' +matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" matrix_sms_bridge_default_room: '' diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index fd6b65d35..d542fd775 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -36,7 +36,7 @@ matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" matrix_corporal_matrix_homeserver_domain_name: "{{ matrix_domain }}" -# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:8008"). +# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}"). # If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`. matrix_corporal_matrix_homeserver_api_endpoint: "" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index adee0b447..9e1e611ab 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -83,7 +83,7 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_password: "" # so that ma1sd can rewrite the original URL to one that would reach the homeserver. matrix_ma1sd_dns_overwrite_enabled: false matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" # Override the default session templates # To use this, fill in the template variables with the full desired template as a multi-line YAML variable diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index ea26084ef..368d9bddd 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -197,8 +197,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-pr matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" # The addresses where the Matrix Client API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:8008" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008" +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 624a6b5e0..a6feb1ab0 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -27,11 +27,13 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" +matrix_synapse_container_client_api_port: 8008 + matrix_synapse_container_federation_api_tls_port: 8448 matrix_synapse_container_federation_api_plain_port: 8048 -# Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container). +# Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/{{ matrix_synapse_container_client_api_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. matrix_synapse_container_client_api_host_bind_port: '' diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index a8e0ab6f8..e1ee7307e 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -289,7 +289,7 @@ listeners: # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy # that unwraps TLS. - - port: 8008 + - port: {{ matrix_synapse_container_client_api_port|tojson }} tls: false bind_addresses: ['::'] type: http diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 0451fd8dc..7fec66492 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -40,7 +40,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ {% if matrix_synapse_container_client_api_host_bind_port %} - -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \ + -p {{ matrix_synapse_container_client_api_host_bind_port }}:{{ matrix_synapse_container_client_api_port }} \ {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %} -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:{{ matrix_synapse_container_federation_api_tls_port }} \ diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 index 456c0667a..228cc9eaa 100644 --- a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 +++ b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 @@ -11,7 +11,7 @@ password=$2 admin=$3 if [ "$admin" -eq "1" ]; then - docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:8008 + docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:{{ matrix_synapse_container_client_api_port }} else - docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --no-admin http://localhost:8008 + docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --no-admin http://localhost:{{ matrix_synapse_container_client_api_port }} fi diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index 36ae5a7e6..40714f442 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -38,7 +38,7 @@ worker_listeners: {% endif %} {% if matrix_synapse_worker_details.type == 'frontend_proxy' %} -worker_main_http_uri: http://matrix-synapse:8008 +worker_main_http_uri: http://matrix-synapse:{{ matrix_synapse_container_client_api_port }} {% endif %} worker_daemonize: false diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 049ae9b53..fda7227cb 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -319,7 +319,7 @@ matrix_synapse_workers_frontend_proxy_endpoints: # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration # file. For example: - # worker_main_http_uri: http://127.0.0.1:8008 + # worker_main_http_uri: http://127.0.0.1:{{ matrix_synapse_container_client_api_port }} matrix_synapse_workers_avail_list: - appservice From b272e6147ad923174edb85b20a4a2f78148ad25f Mon Sep 17 00:00:00 2001 From: iucca Date: Tue, 16 Nov 2021 13:37:11 +0100 Subject: [PATCH 079/139] Resolved server_map --- .../defaults/main.yml | 1 + .../templates/config.yaml.j2 | 19 +++---------------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 7409fb4da..a39cdeb99 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -74,6 +74,7 @@ matrix_mautrix_whatsapp_appservice_database_uri: "{{ # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_whatsapp_login_shared_secret: '' +matrix_mautrix_whatsapp_login_shared_secret_map: "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}" # Default mautrix-whatsapp configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 358658932..a43359369 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -15,11 +15,9 @@ homeserver: appservice: # The address that the homeserver can use to connect to this appservice. address: {{ matrix_mautrix_whatsapp_appservice_address }} - # The hostname and port where this appservice should listen. hostname: 0.0.0.0 port: 8080 - # Database config. database: # The database type. "sqlite3" and "postgres" are supported. @@ -31,7 +29,6 @@ appservice: # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 - # The unique ID of this appservice. id: whatsapp # Appservice bot details. @@ -42,7 +39,6 @@ appservice: # to leave display name/avatar as-is. displayname: WhatsApp bridge bot avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr - # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" @@ -53,7 +49,6 @@ bridge: # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user. username_template: "{{ 'whatsapp_{{.}}' }}" displayname_template: "{{ '{{if .PushName}}{{.PushName}}{{else if .BusinessName}}{{.BusinessName}}{{else}}{{.JID}}{{end}} (WA)' }}" - # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp? delivery_receipts: false # Should incoming calls send a message to the Matrix room? @@ -62,9 +57,7 @@ bridge: identity_change_notices: false # Should a "reactions not yet supported" warning be sent to the Matrix room when a user reacts to a message? reaction_notices: true - portal_message_buffer: 128 - # Settings for handling history sync payloads. These settings only apply right after login, # because the phone only sends the history sync data once, and there's no way to re-request it # (other than logging out and back in again). @@ -87,12 +80,9 @@ bridge: # Should the bridge request a full sync from the phone when logging in? # This bumps the size of history syncs from 3 months to 1 year. request_full_sync: false - user_avatar_sync: true # Should Matrix users leaving groups be bridged to WhatsApp? bridge_matrix_leave: true - - # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices. sync_with_custom_puppets: true # Should the bridge update the m.direct account data event when double puppeting is enabled. @@ -105,8 +95,8 @@ bridge: default_bridge_receipts: true default_bridge_presence: true # Servers to always allow double puppeting from - double_puppet_server_map: "{{ matrix_domain }}" - + double_puppet_server_map: + "{{ matrix_mautrix_whatsapp_homeserver_domain }}": {{ matrix_mautrix_whatsapp_homeserver_address }} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth @@ -114,10 +104,7 @@ bridge: # If set, double puppeting will be enabled automatically for local users # instead of users having to find an access token and run `login-matrix` # manually. - login_shared_secret_map: - "{{ matrix_mautrix_whatsapp_homeserver_domain }}": {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }} - - + login_shared_secret_map: {{ matrix_mautrix_whatsapp_login_shared_secret_map|to_json }} # Should the bridge explicitly set the avatar and room name for private chat portal rooms? private_chat_portal_meta: false # Should Matrix m.notice-type messages be bridged? From 949ae80117e6f58e4bb415cfc1db576a077d2afc Mon Sep 17 00:00:00 2001 From: iucca Date: Tue, 16 Nov 2021 14:22:06 +0100 Subject: [PATCH 080/139] added server_map variable and renamed secret_map --- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 9 ++++++--- .../templates/config.yaml.j2 | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index a39cdeb99..3d630fcfd 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -36,7 +36,6 @@ matrix_mautrix_whatsapp_homeserver_token: '' matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot - # Database-related configuration fields. # # To use SQLite, stick to these defaults. @@ -71,10 +70,14 @@ matrix_mautrix_whatsapp_appservice_database_uri: "{{ }[matrix_mautrix_whatsapp_database_engine] }}" - # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_whatsapp_login_shared_secret: '' -matrix_mautrix_whatsapp_login_shared_secret_map: "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}" +matrix_mautrix_whatsapp_bridge_login_shared_secret_map: + "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}" + +# Servers to always allow double puppeting from +matrix_mautrix_whatsapp_bridge_double_puppet_server_map: + "{{ matrix_mautrix_whatsapp_homeserver_domain : matrix_mautrix_whatsapp_homeserver_address }}" # Default mautrix-whatsapp configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index a43359369..394f16a60 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -104,7 +104,7 @@ bridge: # If set, double puppeting will be enabled automatically for local users # instead of users having to find an access token and run `login-matrix` # manually. - login_shared_secret_map: {{ matrix_mautrix_whatsapp_login_shared_secret_map|to_json }} + login_shared_secret_map: {{ matrix_mautrix_whatsapp_bridge_login_shared_secret_map|to_json }} # Should the bridge explicitly set the avatar and room name for private chat portal rooms? private_chat_portal_meta: false # Should Matrix m.notice-type messages be bridged? From d3a9ec98de7d336be98b2432919720f45a5b8101 Mon Sep 17 00:00:00 2001 From: boris runakov Date: Tue, 16 Nov 2021 21:03:21 +0200 Subject: [PATCH 081/139] refactoring --- group_vars/matrix_servers | 7 +++++++ roles/matrix-base/defaults/main.yml | 2 +- roles/matrix-base/tasks/validate_config.yml | 9 +++++++++ roles/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 1 + .../matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- .../tasks/validate_config.yml | 1 + roles/matrix-bridge-sms/defaults/main.yml | 2 +- roles/matrix-bridge-sms/tasks/validate_config.yml | 1 + roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-ma1sd/tasks/validate_config.yml | 1 + roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- roles/matrix-nginx-proxy/tasks/validate_config.yml | 2 ++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 14 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 roles/matrix-base/tasks/validate_config.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 139ccb02c..7aa10625c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -113,6 +113,7 @@ matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}" @@ -151,6 +152,7 @@ matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_pr matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}" matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}" @@ -567,6 +569,7 @@ matrix_sms_bridge_systemd_required_services_list: | matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}" ###################################################################### @@ -1216,6 +1219,7 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # ma1sd's web-server port. matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_default_port|string }}" + # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define # your own configuration in `matrix_ma1sd_configuration_extension_yaml`. @@ -1308,6 +1312,9 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 # Settings controlling matrix-synapse-proxy.conf matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" + matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:{{matrix_synapse_container_federation_api_plain_port|string}}" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:{{matrix_synapse_container_federation_api_plain_port|string}}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 8f3203ab3..6639c223c 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -91,7 +91,7 @@ matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" # Specifies where the homeserver is on the container network. # Where this is depends on whether there's a reverse-proxy in front of it, etc. # This likely gets overriden elsewhere. -matrix_homeserver_container_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_homeserver_container_url: "" matrix_identity_server_url: ~ diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml new file mode 100644 index 000000000..8bb3fca06 --- /dev/null +++ b/roles/matrix-base/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required Matrix Base settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using this playbook. + when: "vars[item] == ''" + with_items: + - "matrix_homeserver_container_url" \ No newline at end of file diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 317ea0c09..4f4d5e2ff 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -33,7 +33,7 @@ matrix_appservice_slack_slack_port: 9003 matrix_appservice_slack_container_http_host_bind_port: '' matrix_appservice_slack_homeserver_media_url: "{{ matrix_server_fqn_matrix }}" -matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_appservice_slack_homeserver_url: "" matrix_appservice_slack_homeserver_domain: "{{ matrix_domain }}" matrix_appservice_slack_appservice_url: 'http://matrix-appservice-slack' diff --git a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml index 8af10f2f5..e02c6ab07 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -8,5 +8,6 @@ with_items: - "matrix_appservice_slack_control_room_id" - "matrix_appservice_slack_appservice_token" + - "matrix_appservice_slack_homeserver_url" - "matrix_appservice_slack_homeserver_token" - "matrix_appservice_slack_id_token" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index e051ea220..25419900c 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -36,7 +36,7 @@ matrix_appservice_webhooks_matrix_port: 6789 matrix_appservice_webhooks_container_http_host_bind_port: '' matrix_appservice_webhooks_homeserver_media_url: "{{ matrix_server_fqn_matrix }}" -matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_appservice_webhooks_homeserver_url: "" matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}" matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks' diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml index b92a0eb91..48f63e68b 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml @@ -7,6 +7,7 @@ when: "vars[item] == ''" with_items: - "matrix_appservice_webhooks_appservice_token" + - "matrix_appservice_webhooks_homeserver_url" - "matrix_appservice_webhooks_homeserver_token" - "matrix_appservice_webhooks_id_token" - "matrix_appservice_webhooks_api_secret" diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 8f2f79a08..d3a686cef 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -26,7 +26,7 @@ matrix_sms_bridge_systemd_wanted_services_list: [] matrix_sms_bridge_appservice_url: 'http://matrix-sms-bridge:8080' matrix_sms_bridge_homeserver_hostname: 'matrix-synapse' -matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" +matrix_sms_bridge_homeserver_port: "" matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" matrix_sms_bridge_default_room: '' diff --git a/roles/matrix-bridge-sms/tasks/validate_config.yml b/roles/matrix-bridge-sms/tasks/validate_config.yml index 6dc6ce9c3..f89b18faa 100644 --- a/roles/matrix-bridge-sms/tasks/validate_config.yml +++ b/roles/matrix-bridge-sms/tasks/validate_config.yml @@ -7,6 +7,7 @@ when: "vars[item] == ''" with_items: - "matrix_sms_bridge_appservice_token" + - "matrix_sms_bridge_homeserver_port" - "matrix_sms_bridge_homeserver_token" - "matrix_sms_bridge_default_region" - "matrix_sms_bridge_default_timezone" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 9e1e611ab..35a48e97c 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -83,7 +83,7 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_password: "" # so that ma1sd can rewrite the original URL to one that would reach the homeserver. matrix_ma1sd_dns_overwrite_enabled: false matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "" # Override the default session templates # To use this, fill in the template variables with the full desired template as a multi-line YAML variable diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 4f80b1548..1c64b134d 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -46,6 +46,7 @@ when: "vars[item] == ''" with_items: - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" + - "matrix_ma1sd_dns_overwrite_homeserver_client_value" - name: (Deprecation) Catch and report renamed ma1sd variables fail: diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 368d9bddd..96468c207 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -197,8 +197,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-pr matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" # The addresses where the Matrix Client API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:{{ matrix_synapse_container_client_api_port }}" +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 39a2dfe59..0de93873f 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -45,5 +45,7 @@ - "matrix_ssl_lets_encrypt_support_email" - "matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container" - "matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container" + - "matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container" + - "matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container" when: "vars[item] == '' or vars[item] is none" when: "matrix_ssl_retrieval_method == 'lets-encrypt'" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e1ee7307e..1f699ee27 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -289,7 +289,7 @@ listeners: # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy # that unwraps TLS. - - port: {{ matrix_synapse_container_client_api_port|tojson }} + - port: {{ matrix_synapse_container_client_api_port|to_json }} tls: false bind_addresses: ['::'] type: http From 394ecb0accf02397c1614588fc3a61343e8d30b2 Mon Sep 17 00:00:00 2001 From: boris runakov Date: Tue, 16 Nov 2021 21:14:28 +0200 Subject: [PATCH 082/139] remove default from variable name --- group_vars/matrix_servers | 10 +++++----- roles/matrix-awx/tasks/set_variables_ma1sd.yml | 2 +- roles/matrix-ma1sd/defaults/main.yml | 4 ++-- .../templates/systemd/matrix-ma1sd.service.j2 | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 12 ++++++------ 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 52dc671cf..a1dc5f7f2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1214,7 +1214,7 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # ma1sd's web-server port. -matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_default_port|string }}" +matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_container_port|string }}" # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define @@ -1296,8 +1296,8 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corpor matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_default_port }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_default_port }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. @@ -1714,8 +1714,8 @@ matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm6 # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. -matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_default_port|string if matrix_ma1sd_enabled else '' }}" -matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_default_port|string if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port|string if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port|string if matrix_ma1sd_enabled else '' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml index 81012d285..db5037d1d 100755 --- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -30,7 +30,7 @@ insertafter: '# Synapse Extension Start' with_dict: 'matrix_synapse_awx_password_provider_rest_auth_enabled': 'true' - 'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:{{ matrix_ma1sd_default_port }}"' + 'matrix_synapse_awx_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:{{ matrix_ma1sd_container_port }}"' when: awx_matrix_ma1sd_auth_store == 'LDAP/AD' - name: Remove entire ma1sd configuration extension diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index adee0b447..0b9144ddc 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -19,8 +19,8 @@ matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src/ma1 matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" -matrix_ma1sd_default_port: 8090 -# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/{{ matrix_ma1sd_default_port }} in the container). +matrix_ma1sd_container_port: 8090 +# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/{{ matrix_ma1sd_container_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. matrix_ma1sd_container_http_host_bind_port: '' diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 696e8008f..8e5cc6dd1 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -26,7 +26,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ --tmpfs=/tmp:rw,exec,nosuid,size=10m \ --network={{ matrix_docker_network }} \ {% if matrix_ma1sd_container_http_host_bind_port %} - -p {{ matrix_ma1sd_container_http_host_bind_port }}:{{ matrix_ma1sd_default_port }} \ + -p {{ matrix_ma1sd_container_http_host_bind_port }}:{{ matrix_ma1sd_container_port }} \ {% endif %} {% if matrix_ma1sd_verbose_logging %} -e MA1SD_LOG_LEVEL=debug \ diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index ea26084ef..fba0f4ead 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -166,20 +166,20 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:410 # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_default_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_default_port }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_default_port }}" -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_default_port }}" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_default_port }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_default_port }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_synapse_metrics: false From 75cb4ce3b02ba0cd005e6cb008b2bc0227eb60dd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 Nov 2021 10:38:52 +0200 Subject: [PATCH 083/139] Add warning about matrix_ma1sd_default_port being renamed Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1403 --- roles/matrix-ma1sd/tasks/validate_config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 1c64b134d..5f621fcac 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -57,6 +57,7 @@ with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} - {'old': 'matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template', 'new': 'matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template'} + - {'old': 'matrix_ma1sd_default_port', 'new': 'matrix_ma1sd_container_port'} - name: (Deprecation) Catch and report mxisd variables fail: From f8fe68b38523b20cf5896d46a7cf8582ad35eaa0 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 17 Nov 2021 14:54:49 +0000 Subject: [PATCH 084/139] Allow workers to serve new v3 APIs https://github.com/matrix-org/synapse/pull/11371/commits/1f196f59cb91a1a7f8206e4dd0c93fcd05c2d9c1 --- .../nginx/conf.d/matrix-synapse.conf.j2 | 2 +- .../files/workers-doc-to-yaml.awk | 2 +- roles/matrix-synapse/vars/workers.yml | 70 +++++++++---------- 3 files changed, 37 insertions(+), 37 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 30f4877c1..720b50867 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -120,7 +120,7 @@ server { {% endfor %} {% if matrix_nginx_proxy_synapse_presence_disabled %} # FIXME: keep in sync with synapse workers documentation manually - location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { + location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status { proxy_pass http://frontend_proxy_upstream$request_uri; proxy_set_header Host $host; } diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.awk b/roles/matrix-synapse/files/workers-doc-to-yaml.awk index d9295e32c..ca58b4862 100755 --- a/roles/matrix-synapse/files/workers-doc-to-yaml.awk +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.awk @@ -86,7 +86,7 @@ enable_parsing { # FIXME: https://github.com/matrix-org/synapse/issues/7530 # https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719015911 - if (api_endpoint_regex == "^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$") { + if (api_endpoint_regex == "^/_matrix/client/(r0|v3|unstable)/auth/.*/fallback/web$") { worker_stanza_append(" # FIXME: possible bug with SSO and multiple generic workers\n") worker_stanza_append(" # see https://github.com/matrix-org/synapse/issues/7530\n") worker_stanza_append(" # " api_endpoint_regex linefeed) diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 049ae9b53..db9b519e7 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints: # expressions: # Sync requests - - ^/_matrix/client/(v2_alpha|r0)/sync$ - - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ - - ^/_matrix/client/(api/v1|r0)/initialSync$ - - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ + - ^/_matrix/client/(v2_alpha|r0|v3)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$ + - ^/_matrix/client/(api/v1|r0|v3)/initialSync$ + - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ # Federation requests - ^/_matrix/federation/v1/event/ @@ -39,40 +39,40 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/v1/send/ # Client API requests - - ^/_matrix/client/(api/v1|r0|unstable)/createRoom$ - - ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ - - ^/_matrix/client/(api/v1|r0|unstable)/devices$ - - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$ - - ^/_matrix/client/(api/v1|r0|unstable)/keys/changes$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/query$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/changes$ - ^/_matrix/client/versions$ - - ^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$ - - ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ - - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ - - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/event/ - - ^/_matrix/client/(api/v1|r0|unstable)/joined_rooms$ - - ^/_matrix/client/(api/v1|r0|unstable)/search$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_groups$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/publicised_groups$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/publicised_groups/ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ # Registration/login requests - - ^/_matrix/client/(api/v1|r0|unstable)/login$ - - ^/_matrix/client/(r0|unstable)/register$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ + - ^/_matrix/client/(r0|v3|unstable)/register$ - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$ # Event sending requests - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ - - ^/_matrix/client/(api/v1|r0|unstable)/join/ - - ^/_matrix/client/(api/v1|r0|unstable)/profile/ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/join/ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ # Additionally, the following REST endpoints can be handled for GET requests: @@ -86,7 +86,7 @@ matrix_synapse_workers_generic_worker_endpoints: # for the room are in flight: # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/messages$ + # ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$ # Additionally, the following endpoints should be included if Synapse is configured # to use SSO (you only need to include the ones for whichever SSO provider you're @@ -94,7 +94,7 @@ matrix_synapse_workers_generic_worker_endpoints: # for all SSO providers # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect + # ^/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect # ^/_synapse/client/pick_idp$ # ^/_synapse/client/pick_username # ^/_synapse/client/new_user_consent$ @@ -110,7 +110,7 @@ matrix_synapse_workers_generic_worker_endpoints: # CAS requests. # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$ + # ^/_matrix/client/(api/v1|r0|v3|unstable)/login/cas/ticket$ # Ensure that all SSO logins go to a single process. # For multiple workers not handling the SSO endpoints properly, see @@ -292,7 +292,7 @@ matrix_synapse_workers_user_dir_endpoints: # Handles searches in the user directory. It can handle REST endpoints matching # the following regular expressions: - - ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$ # When using this worker you must also set `update_user_directory: False` in the # shared configuration file to stop the main synapse running background @@ -303,13 +303,13 @@ matrix_synapse_workers_frontend_proxy_endpoints: # load from the main synapse. It can handle REST endpoints matching the following # regular expressions: - - ^/_matrix/client/(api/v1|r0|unstable)/keys/upload + - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload # If `use_presence` is False in the homeserver config, it can also handle REST # endpoints matching the following regular expressions: # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status + # ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status # This "stub" presence handler will pass through `GET` request but make the # `PUT` effectively a no-op. From e1a6d1e4b231abb07b8203d988489caf7902093d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 Nov 2021 17:21:15 +0200 Subject: [PATCH 085/139] Upgrade Synapse (1.46.0 -> 1.47.0) We had to remove UID/GID environment variables that we used to pass to the Synapse container, because it was causing a problem after https://github.com/matrix-org/synapse/pull/11209 We were using both `--user` and UID/GID environment variables until now. --- roles/matrix-synapse/defaults/main.yml | 4 +-- .../tasks/synapse/setup_install.yml | 2 -- .../templates/synapse/homeserver.yaml.j2 | 31 ++++++++++++++----- .../systemd/matrix-synapse-worker.service.j2 | 2 -- .../synapse/systemd/matrix-synapse.service.j2 | 2 -- roles/matrix-synapse/vars/workers.yml | 18 ++++++----- 6 files changed, 36 insertions(+), 23 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a6feb1ab0..e48e3e899 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.46.0 -matrix_synapse_version_arm64: v1.46.0 +matrix_synapse_version: v1.47.0 +matrix_synapse_version_arm64: v1.47.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index b658cfffc..09ec798d2 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -67,8 +67,6 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data - -e UID={{ matrix_user_uid }} - -e GID={{ matrix_user_gid }} -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} -e SYNAPSE_REPORT_STATS=no diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 1f699ee27..1780fb91b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -66,8 +66,28 @@ pid_file: /homeserver.pid # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see # 'listeners' below). # +# Defaults to 'https:///'. +# public_baseurl: https://{{ matrix_server_fqn_matrix }}/ +# Uncomment the following to tell other servers to send federation traffic on +# port 443. +# +# By default, other servers will try to reach our server on port 8448, which can +# be inconvenient in some environments. +# +# Provided 'https:///' on port 443 is routed to Synapse, this +# option configures Synapse to serve a file at +# 'https:///.well-known/matrix/server'. This will tell other +# servers to send traffic to port 443 instead. +# +# See https://matrix-org.github.io/synapse/latest/delegate.html for more +# information. +# +# Defaults to 'false'. +# +#serve_server_wellknown: true + # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the # hard limit. @@ -1271,7 +1291,7 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # in on this server. # # (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) +# This setting is ignored unless public_baseurl is also explicitly set.) # #default_identity_server: https://matrix.org @@ -1296,8 +1316,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # by the Matrix Identity Service API specification: # https://matrix.org/docs/spec/identity_service/latest # -# If a delegate is specified, the config option public_baseurl must also be filled out. -# account_threepid_delegates: email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} @@ -1990,11 +2008,10 @@ sso: # phishing attacks from evil.site. To avoid this, include a slash after the # hostname: "https://my.client/". # - # If public_baseurl is set, then the login fallback page (used by clients - # that don't natively support the required login flows) is whitelisted in - # addition to any URLs in this list. + # The login fallback page (used by clients that don't natively support the + # required login flows) is whitelisted in addition to any URLs in this list. # - # By default, this list is empty. + # By default, this list contains only the login fallback page. # #client_whitelist: # - https://riot.im/develop diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 6c90c9a3e..43dc42d1f 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -17,8 +17,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 5 ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - -e UID={{ matrix_user_uid }} \ - -e GID={{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 7fec66492..188db5ef9 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -33,8 +33,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 3 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --env=UID={{ matrix_user_uid }} \ - --env=GID={{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index fda7227cb..ad9a73150 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -271,19 +271,19 @@ matrix_synapse_workers_media_repository_endpoints: # expose the `media` resource. For example: # ```yaml - # worker_listeners: - # - type: http - # port: 8085 - # resources: - # - names: - # - media + # worker_listeners: + # - type: http + # port: 8085 + # resources: + # - names: + # - media # ``` # Note that if running multiple media repositories they must be on the same server # and you must configure a single instance to run the background tasks, e.g.: # ```yaml - # media_instance_running_background_jobs: "media-repository-1" + # media_instance_running_background_jobs: "media-repository-1" # ``` # Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately). @@ -319,7 +319,9 @@ matrix_synapse_workers_frontend_proxy_endpoints: # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration # file. For example: - # worker_main_http_uri: http://127.0.0.1:{{ matrix_synapse_container_client_api_port }} + # ```yaml + # worker_main_http_uri: http://127.0.0.1:8008 + # ``` matrix_synapse_workers_avail_list: - appservice From d41e9230da30a5f12beac49ad4d66c53d8750f2d Mon Sep 17 00:00:00 2001 From: rakshazi Date: Wed, 17 Nov 2021 21:34:46 +0200 Subject: [PATCH 086/139] expose smtp_user and smtp_pass to ansible configs (role: matrix-synapse) --- roles/matrix-synapse/defaults/main.yml | 2 ++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index e48e3e899..dc8a9eb0b 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -473,6 +473,8 @@ matrix_synapse_turn_allow_guests: False matrix_synapse_email_enabled: false matrix_synapse_email_smtp_host: "" matrix_synapse_email_smtp_port: 587 +matrix_synapse_email_smtp_user: "" +matrix_synapse_email_smtp_pass: "" matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix " matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_element }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 1780fb91b..042ea0839 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2338,9 +2338,8 @@ email: # Username/password for authentication to the SMTP server. By default, no # authentication is attempted. - # - #smtp_user: "exampleusername" - #smtp_pass: "examplepassword" + smtp_user: {{ matrix_synapse_email_smtp_user|string|to_json }} + smtp_pass: {{ matrix_synapse_email_smtp_pass|string|to_json }} # Uncomment the following to require TLS transport security for SMTP. # By default, Synapse will connect over plain text, and will then switch to From 110d91b06ed235957d263ce85e62dade022940e3 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Thu, 18 Nov 2021 13:05:30 +0200 Subject: [PATCH 087/139] Upgrade Heisenbridge (1.6.0 -> 1.7.0) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 9a87a6daf..9a769432e 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.6.0 +matrix_heisenbridge_version: 1.7.0 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 2e73dac39fb55c4f526d7deba173f0b9e9f6d180 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Nov 2021 10:51:46 +0200 Subject: [PATCH 088/139] Upgrade matrix-corporal (2.1.4 -> 2.2.0) There was also a 2.1.5 security release made today. 2.2.0 contains the same security fix + more. Both make handling of Client-Server API v3-prefixed requests better. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1404 --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 5c90fe994..f60402639 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.1.4 +matrix_corporal_version: 2.2.0 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From 2734adfb4e30bfabe5b2b8f2d01c1ea4cc049e15 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Nov 2021 09:28:27 +0200 Subject: [PATCH 089/139] Upgrade matrix-corporal (2.2.0 -> 2.2.1) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index f60402639..dfc71479c 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.2.0 +matrix_corporal_version: 2.2.1 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From fc751f0330ac487de1ba4526eca969da8889abf4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Nov 2021 09:31:04 +0200 Subject: [PATCH 090/139] Upgrade exim-relay (4.94.2-r0-4 -> 4.94.2-r0-5) --- roles/matrix-mailer/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 71a33752d..e60ea50f7 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0-4 +matrix_mailer_version: 4.94.2-r0-5 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" From e11e31e2c602b775b94b8292cfbd26ad2964346d Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Mon, 22 Nov 2021 16:53:20 +0100 Subject: [PATCH 091/139] Update main.yml --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 1273859d1..b05f0d853 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.4 +matrix_client_element_version: v1.9.5 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 6b07ee3b582e06b92e9e237a68cff4b4bfa68acd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Nov 2021 14:50:07 +0200 Subject: [PATCH 092/139] Upgrade Synapse (1.47.0 -> 1.47.1) - security fixes Learn more here: https://github.com/matrix-org/synapse/releases/tag/v1.47.1 --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index dc8a9eb0b..56d448df1 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.47.0 -matrix_synapse_version_arm64: v1.47.0 +matrix_synapse_version: v1.47.1 +matrix_synapse_version_arm64: v1.47.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From e8a57ad432ed40d01078a12db471ce515d29d38b Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Tue, 23 Nov 2021 15:03:09 +0200 Subject: [PATCH 093/139] Upgrade Heisenbridge (1.7.0 -> 1.7.1) --- roles/matrix-bridge-heisenbridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml index 9a769432e..cd5a08583 100644 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -3,7 +3,7 @@ matrix_heisenbridge_enabled: true -matrix_heisenbridge_version: 1.7.0 +matrix_heisenbridge_version: 1.7.1 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" From 37191d98c5095a5dca440d590796342954ac5b26 Mon Sep 17 00:00:00 2001 From: PC-Admin Date: Wed, 24 Nov 2021 10:43:25 +0800 Subject: [PATCH 094/139] GoMatrixHosting v0.6.6 --- roles/matrix-awx/tasks/purge_database_build_list.yml | 11 ----------- roles/matrix-awx/tasks/purge_database_main.yml | 4 ++-- roles/matrix-awx/tasks/purge_media_main.yml | 8 +++++--- roles/matrix-awx/tasks/set_variables_dimension.yml | 4 ++-- roles/matrix-common-after/tasks/awx_post.yml | 12 ++++++------ 5 files changed, 15 insertions(+), 24 deletions(-) delete mode 100644 roles/matrix-awx/tasks/purge_database_build_list.yml diff --git a/roles/matrix-awx/tasks/purge_database_build_list.yml b/roles/matrix-awx/tasks/purge_database_build_list.yml deleted file mode 100644 index 339510f0d..000000000 --- a/roles/matrix-awx/tasks/purge_database_build_list.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Collect entire room list into stdout - shell: | - curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/rooms?from={{ item }}' - register: awx_rooms_output - -- name: Print stdout to file - delegate_to: 127.0.0.1 - shell: | - echo '{{ awx_rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index 2cdf03303..1e16c4ad4 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -29,9 +29,9 @@ when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_synapse_container_ip -- name: Collect access token for janitor user +- name: Collect access token for @_janitor user shell: | - curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1) register: awx_janitors_token no_log: True diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 0c322b85a..59e0d89c9 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -21,21 +21,22 @@ shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" register: awx_synapse_container_ip -- name: Collect access token for janitor user +- name: Collect access token for @_janitor user shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' + curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token' register: awx_janitors_token no_log: True - name: Generate list of dates to purge to delegate_to: 127.0.0.1 - shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}" + shell: "dateseq {{ awx_purge_from_date }} {{ awx_purge_to_date }}" register: awx_purge_dates - name: Calculate initial size of local media repository shell: du -sh /matrix/synapse/storage/media-store/local* register: awx_local_media_size_before when: awx_purge_media_type == "Local Media" + async: 600 ignore_errors: yes no_log: True @@ -43,6 +44,7 @@ shell: du -sh /matrix/synapse/storage/media-store/remote* register: awx_remote_media_size_before when: awx_purge_media_type == "Remote Media" + async: 600 ignore_errors: yes no_log: True diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index d5e51c6bc..0db01c579 100644 --- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -12,9 +12,9 @@ - curl state: present -- name: Collect access token of Dimension user +- name: Collect access token of @_dimension user shell: | - curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' register: awx_dimension_user_access_token - name: Record Synapse variables locally on AWX diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 4fbd5e557..278855fb8 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -1,8 +1,8 @@ --- -- name: Create user account @janitor +- name: Create user account @_janitor command: | - /usr/local/bin/matrix-synapse-register-user janitor {{ awx_janitor_user_password | quote }} 1 + /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1 register: cmd when: not awx_janitor_user_created|bool no_log: True @@ -18,9 +18,9 @@ 'awx_janitor_user_created': 'true' when: not awx_janitor_user_created|bool -- name: Create user account @dimension +- name: Create user account @_dimension command: | - /usr/local/bin/matrix-synapse-register-user dimension {{ awx_dimension_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0 register: cmd when: not awx_dimension_user_created|bool no_log: True @@ -36,9 +36,9 @@ 'awx_dimension_user_created': 'true' when: not awx_dimension_user_created|bool -- name: Create user account @mjolnir +- name: Create user account @_mjolnir command: | - /usr/local/bin/matrix-synapse-register-user mjolnir {{ awx_mjolnir_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0 register: cmd when: not awx_mjolnir_user_created|bool no_log: True From 3a9fe48deb025b5d49256675bf563f81c39f910b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Nov 2021 11:32:06 +0200 Subject: [PATCH 095/139] Make matrix-nginx-proxy's X-Forwarded-For header customizable Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1393 --- docs/configuring-playbook-own-webserver.md | 3 +++ roles/matrix-nginx-proxy/defaults/main.yml | 5 +++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../nginx/conf.d/matrix-client-hydrogen.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 6 +++--- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 +- 10 files changed, 23 insertions(+), 15 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 6a33ffbe1..0f525df81 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -111,6 +111,9 @@ matrix_coturn_enabled: false # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. matrix_nginx_proxy_trust_forwarded_proto: true + +# Trust and use the other reverse proxy's `X-Forwarded-For` header. +matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' ``` With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5a4a873cc..a2a2a6b9e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -382,6 +382,11 @@ matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" +# Specifies what to use for the X-Forwarded-For variable. +# If you're fronting the nginx reverse-proxy with additional reverse-proxy servers, +# you may wish to set this to '$proxy_add_x_forwarded_for' instead. +matrix_nginx_proxy_x_forwarded_for: '$remote_addr' + # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 79269f434..e5589f555 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -27,7 +27,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 095d5fcff..dea91b212 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -35,7 +35,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index c0794205b..e9428c557 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -33,7 +33,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 292cc4c28..07347be62 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -30,7 +30,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 02201b9cc..4abcd40a0 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -58,7 +58,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -76,7 +76,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -94,7 +94,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endif %} @@ -111,7 +111,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endif %} @@ -136,7 +136,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; @@ -284,7 +284,7 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; client_body_buffer_size 25M; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 209c1cd0c..def67f666 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -37,7 +37,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } {% endmacro %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 7fccce945..54b8ea436 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -30,7 +30,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; } # colibri (JVB) websockets @@ -45,7 +45,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -70,7 +70,7 @@ proxy_read_timeout 900s; proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; tcp_nodelay on; } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ba442b378..0f33c0a77 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -28,7 +28,7 @@ {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; } {% endmacro %} From ae45254d83387b349c4ce4daa142c41c6252bcf3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Nov 2021 11:34:30 +0200 Subject: [PATCH 096/139] Add missing headers in Traefik v2 example Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1393 --- docs/configuring-playbook-own-webserver.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 0f525df81..fb970ef03 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -139,6 +139,12 @@ matrix_nginx_proxy_https_enabled: false matrix_nginx_proxy_container_http_host_bind_port: '' matrix_nginx_proxy_container_federation_host_bind_port: '' +# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. +matrix_nginx_proxy_trust_forwarded_proto: true + +# Trust and use the other reverse proxy's `X-Forwarded-For` header. +matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' + # Disable Coturn because it needs SSL certs # (Clients can, though exposing IP address, use Matrix.org TURN) matrix_coturn_enabled: false From 87a2240dc268ff8fbd755dba41bdfb95a029694b Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:02:29 +0100 Subject: [PATCH 097/139] Create requirements.yml Add collections for simple awx compatiblity --- collections/requirements.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 collections/requirements.yml diff --git a/collections/requirements.yml b/collections/requirements.yml new file mode 100644 index 000000000..2872cc53a --- /dev/null +++ b/collections/requirements.yml @@ -0,0 +1,3 @@ +--- +collections: + - name: community.general.docker_network From 4d5d855ff1ca11f7729846b1b107dd906e848122 Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:03:28 +0100 Subject: [PATCH 098/139] Update requirements.yml Correct collections name --- collections/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/collections/requirements.yml b/collections/requirements.yml index 2872cc53a..afc836d72 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,3 +1,3 @@ --- collections: - - name: community.general.docker_network + - name: community.general From 65bb34c1ad09ea7b674c15d053df7b8ab953eccc Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Wed, 24 Nov 2021 13:15:34 +0100 Subject: [PATCH 099/139] Update requirements.yml Use correct collection for docker commands --- collections/requirements.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/requirements.yml b/collections/requirements.yml index afc836d72..9d365441f 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,3 +1,4 @@ --- collections: - name: community.general + - name: community.docker From cfc79ebe2902fe6e0e69b10315e1e62520657279 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Nov 2021 09:21:05 +0200 Subject: [PATCH 100/139] Upgrade exim-relay (4.94.2-r0-5 -> 4.95-r0) --- roles/matrix-mailer/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index e60ea50f7..f006568f5 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0-5 +matrix_mailer_version: 4.95-r0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" From 61391647e9681968f65096223507c6645ad03acb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Nov 2021 15:25:18 +0200 Subject: [PATCH 101/139] Make /.well-known/matrix/client and /.well-known/matrix/server customizable We recently had someone need to inject additional configuration into `/.well-known/matrix/client` as described here: https://github.com/turt2live/matrix-dimension/blob/22b245bbd11f7067b09c5f17efc48fc9c629b743/docs/bigbluebutton.md#have-dimension-create-meetings-with-elements-video-call-button There may be other use cases as well. --- roles/matrix-base/defaults/main.yml | 66 ++++++++++++++++++++ roles/matrix-base/tasks/setup_well_known.yml | 8 +-- 2 files changed, 70 insertions(+), 4 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 6639c223c..4767bcf43 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -118,6 +118,72 @@ matrix_client_element_e2ee_secure_backup_required: false # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md matrix_client_element_e2ee_secure_backup_setup_methods: [] +# Default `/.well-known/matrix/client` configuration - it covers the generic use case. +# You can customize it by controlling the various variables inside the template file that it references. +# +# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}" + +# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_well_known_matrix_client_configuration`. +# +# Example configuration extension follows: +# +# matrix_well_known_matrix_client_configuration_extension_json: | +# { +# "io.element.call_behaviour": { +# "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state" +# } +# } +matrix_well_known_matrix_client_configuration_extension_json: '{}' + +matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json|from_json if matrix_well_known_matrix_client_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`. +matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default|combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}" + +# Default `/.well-known/matrix/server` configuration - it covers the generic use case. +# You can customize it by controlling the various variables inside the template file that it references. +# +# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}" + +# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_well_known_matrix_server_configuration`. +# +# Example configuration extension follows: +# +# matrix_well_known_matrix_server_configuration_extension_json: | +# { +# "something": "another" +# } +matrix_well_known_matrix_server_configuration_extension_json: '{}' + +matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json|from_json if matrix_well_known_matrix_server_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`. +matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default|combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}" + # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 3b81ce1e3..11ee48b92 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -13,16 +13,16 @@ - "{{ matrix_static_files_base_path }}/.well-known/matrix" - name: Ensure Matrix /.well-known/matrix/client file configured - template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2" + copy: + content: "{{ matrix_well_known_matrix_client_configuration|to_nice_json }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - name: Ensure Matrix /.well-known/matrix/server file configured - template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2" + copy: + content: "{{ matrix_well_known_matrix_server_configuration|to_nice_json }}" dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" mode: 0644 owner: "{{ matrix_user_username }}" From ab602385180944c403ff9aafd88944b3bf9f5cc5 Mon Sep 17 00:00:00 2001 From: Christos Karamolegkos Date: Fri, 26 Nov 2021 19:51:05 +0200 Subject: [PATCH 102/139] Support encrypted matrix_synapse_macaroon_secret_key This change forces ansible to decrypt the variable with ansible-vault if encrypted, to avoid the error '{"msg": "Unexpected templating type error occurred on ({{ matrix_synapse_macaroon_secret_key | password_hash('sha512') }}): secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode"}' Every other variable in the playbook was found to have no problems with encryption. The change has no negative impact on non-encrypted matrix_synapse_macaroon_secret_key. --- group_vars/matrix_servers | 146 +++++++++++++++++++------------------- 1 file changed, 73 insertions(+), 73 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 377c27cd2..7b2a74947 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -79,14 +79,14 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}" +matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}" -matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}" # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -111,12 +111,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" -matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" +matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" +matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" -matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}" +matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" matrix_appservice_webhooks_systemd_required_services_list: | {{ @@ -150,12 +150,12 @@ matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' # matrix-appservice-slack's client-server port to the local host. matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" -matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}" +matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" -matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}" +matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" -matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}" +matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" matrix_appservice_slack_systemd_required_services_list: | {{ @@ -168,7 +168,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -205,12 +205,12 @@ matrix_appservice_irc_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}" +matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}" -matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}" matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" -matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -240,15 +240,15 @@ matrix_beeper_linkedin_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_beeper_linkedin_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.as.token') | to_uuid }}" +matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}" -matrix_beeper_linkedin_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.hs.token') | to_uuid }}" +matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}" matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" -matrix_beeper_linkedin_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" +matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}" ###################################################################### # @@ -278,9 +278,9 @@ matrix_mautrix_facebook_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}" +matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}" -matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.hs.token') | to_uuid }}" +matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -289,7 +289,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}" ###################################################################### # @@ -320,9 +320,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}" +matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}" -matrix_mautrix_hangouts_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}" matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -330,7 +330,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" ###################################################################### # @@ -361,9 +361,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}" +matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}" -matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}" +matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}" matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" @@ -371,7 +371,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}" +matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}" ###################################################################### # @@ -402,9 +402,9 @@ matrix_mautrix_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}" +matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}" -matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.hs.token') | to_uuid }}" +matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}" matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -413,7 +413,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.ig.db') | to_uuid }}" +matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}" ###################################################################### # @@ -448,14 +448,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" -matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}" -matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}" matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -491,11 +491,11 @@ matrix_mautrix_telegram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}" +matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}" -matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" +matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}" -matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" +matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}" matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" @@ -503,7 +503,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" ###################################################################### # @@ -533,15 +533,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}" -matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}" matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" ###################################################################### # @@ -567,10 +567,10 @@ matrix_sms_bridge_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}" +matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}" matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}" -matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}" +matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}" ###################################################################### # @@ -587,9 +587,9 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas # We don't enable bridges by default. matrix_heisenbridge_enabled: false -matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" +matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" -matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" +matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" matrix_heisenbridge_systemd_wanted_services_list: | {{ @@ -626,15 +626,15 @@ matrix_mx_puppet_skype_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}" +matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}" -matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" +matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" ###################################################################### # @@ -665,15 +665,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" -matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" ###################################################################### # @@ -703,9 +703,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" +matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" -matrix_mx_puppet_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" +matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -713,7 +713,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" ###################################################################### # @@ -744,15 +744,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" ###################################################################### # @@ -782,15 +782,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" +matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" -matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" +matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" ###################################################################### # @@ -820,15 +820,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" -matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" ###################################################################### # @@ -858,15 +858,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_groupme_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" +matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" ###################################################################### # @@ -896,7 +896,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### @@ -1068,7 +1068,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}" ###################################################################### # @@ -1093,7 +1093,7 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_etherpad_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'etherpad.db') | to_uuid }}" +matrix_etherpad_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}" ###################################################################### # @@ -1152,9 +1152,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" -matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" -matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" -matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" +matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}" matrix_jitsi_web_stun_servers: | {{ @@ -1257,7 +1257,7 @@ matrix_ma1sd_systemd_wanted_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ma1sd.db') | to_uuid }}" +matrix_ma1sd_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}" ###################################################################### # @@ -1746,7 +1746,7 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat # For exposing the Synapse worker (and metrics) ports to the local host. matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" -matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}" +matrix_synapse_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. @@ -1897,7 +1897,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp ###################################################################### matrix_prometheus_postgres_exporter_enabled: false -matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" +matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" matrix_prometheus_postgres_exporter_systemd_required_services_list: | {{ @@ -1973,7 +1973,7 @@ matrix_registration_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}" +matrix_registration_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}" ###################################################################### # From 8e1463a6a156535f532f7afd161911a42caa6864 Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Sun, 28 Nov 2021 21:59:33 -0500 Subject: [PATCH 103/139] Update matrix-bridge-mautrix-telegram version --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index a105621a6..f7c98950f 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mautrix_telegram_container_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" -matrix_mautrix_telegram_version: v0.10.1 +matrix_mautrix_telegram_version: v0.10.2 # See: https://mau.dev/mautrix/telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" From 1472958e25c729f3fb9f6c018c2df947bcae97aa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Nov 2021 16:35:23 +0200 Subject: [PATCH 104/139] Upgrade Synapse (1.47.1 -> 1.48.0) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- .../templates/synapse/homeserver.yaml.j2 | 14 ++++++++++---- roles/matrix-synapse/vars/workers.yml | 10 +++++----- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 56d448df1..e888ac92b 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.47.1 -matrix_synapse_version_arm64: v1.47.1 +matrix_synapse_version: v1.48.0 +matrix_synapse_version_arm64: v1.48.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 042ea0839..f27fcb067 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -667,8 +667,8 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # #federation_certificate_verification_whitelist: # - lon.example.com -# - *.domain.com -# - *.onion +# - "*.domain.com" +# - "*.onion" # List of custom certificate authorities for federation traffic. # @@ -2229,6 +2229,12 @@ sso: # #algorithm: "provided-by-your-issuer" + # Name of the claim containing a unique identifier for the user. + # + # Optional, defaults to `sub`. + # + #subject_claim: "sub" + # The issuer to validate the "iss" claim against. # # Optional, if provided the "iss" claim will be required and @@ -2637,8 +2643,8 @@ user_directory: # indexes were (re)built was before Synapse 1.44, you'll have to # rebuild the indexes in order to search through all known users. # These indexes are built the first time Synapse starts; admins can - # manually trigger a rebuild following the instructions at - # https://matrix-org.github.io/synapse/latest/user_directory.html + # manually trigger a rebuild via API following the instructions at + # https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run # # Uncomment to return search results containing all known users, even if that # user does not share a room with the requester. diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index def223f8b..2d6f393ad 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints: # expressions: # Sync requests - - ^/_matrix/client/(v2_alpha|r0|v3)/sync$ - - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$ - - ^/_matrix/client/(api/v1|r0|v3)/initialSync$ - - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ + - ^/_matrix/client/(v2_alpha|r0)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ + - ^/_matrix/client/(api/v1|r0)/initialSync$ + - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ # Federation requests - ^/_matrix/federation/v1/event/ @@ -63,7 +63,7 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - - ^/_matrix/client/(r0|v3|unstable)/register$ + - ^/_matrix/client/(r0|unstable)/register$ - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$ # Event sending requests From c2c68f814b02832b54ddfeda45a7dd6a84aa2c72 Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Tue, 30 Nov 2021 22:07:04 +0100 Subject: [PATCH 105/139] Update importing-postgres.md typos an suggestion to expand search/replace statement to not replace on wrong places. --- docs/importing-postgres.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 925ed14db..b72e7694b 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -48,7 +48,7 @@ where `synapse_user` is the database username from the previous Synapse installa This can be verified by examining the dump for ALTER TABLE statements which set OWNER TO that username: ```Shell -$ grep "ALTER TABLE" homeserver.sql" +$ grep "ALTER TABLE" homeserver.sql ALTER TABLE public.access_tokens OWNER TO synapse_user; ALTER TABLE public.account_data OWNER TO synapse_user; ALTER TABLE public.account_data_max_stream_id OWNER TO synapse_user; @@ -60,10 +60,10 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user; It can be worked around by changing the username to `synapse`, for example by using `sed`: ```Shell -$ sed -i "s/synapse_user/synapse/g" homeserver.sql +$ sed -i "s/OWNER TO synapse_user;/OWNER TO synapse;/g" homeserver.sql ``` -This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. +This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse_user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. Expand search/replace statement as shown in example above, in case of old user name like `matrix` - replacing `matrix` only would... well - you can imagine. Note that if the previous import failed with an error it may have made changes which are incompatible with re-running the import task right away; if you do so it may fail with an error such as: From d584b44f1057fc2ce2d95fa0fa2c816e78ffb6a4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Dec 2021 08:13:06 +0200 Subject: [PATCH 106/139] Upgrade matrix-corporal (2.2.1 -> 2.2.2) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index dfc71479c..aede4d505 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.2.1 +matrix_corporal_version: 2.2.2 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From 27e1451cbcc550abd66253fc88f84b9682aad4e8 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:31:57 +0100 Subject: [PATCH 107/139] Update main.yml --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 8e4bd7bb1..8998e3685 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.2.2 +matrix_grafana_version: 8.3.0 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 3f0e8122eccfe4bde89f9323e0e04efc6e61d7cd Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:41:12 +0100 Subject: [PATCH 108/139] Update prometheus --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 1cbeed8bb..d76ce7442 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.30.3 +matrix_prometheus_version: v2.31.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 229b93d7c8f6a8de1e2a6ea56de53016cafc3eb4 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 2 Dec 2021 13:54:57 +0100 Subject: [PATCH 109/139] Update redis (6.2.4 -> 6.2.6) --- roles/matrix-redis/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index 409c7926f..355679d05 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,7 +5,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 6.2.4-alpine +matrix_redis_version: 6.2.6-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' From 20bc3eb24b06be3ed6380c653f3dafb333360895 Mon Sep 17 00:00:00 2001 From: Jan <31133207+Jaffex@users.noreply.github.com> Date: Sat, 4 Dec 2021 22:04:25 +0100 Subject: [PATCH 110/139] Update signal bridge configuration template --- .../templates/config.yaml.j2 | 73 +++++++++++++++---- 1 file changed, 57 insertions(+), 16 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 19c3ba053..0498d6ea5 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -15,6 +15,8 @@ homeserver: # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. # The bridge will use the appservice as_token to authorize requests. status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null # Application service host/registration related details # Changing these values requires regeneration of the registration. @@ -32,25 +34,19 @@ appservice: # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 - # The full URI to the database. Only Postgres is currently supported. + # The full URI to the database. SQLite and Postgres are supported. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname database: {{ matrix_mautrix_signal_database_connection_string }} - # Additional arguments for asyncpg.create_pool() + # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # For sqlite, min_size is used as the connection thread pool size and max_size is ignored. database_opts: min_size: 5 max_size: 10 - # Provisioning API part of the web server for automated portal creation and fetching information. - # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). - provisioning: - # Whether or not the provisioning API should be enabled. - enabled: true - # The prefix to use in the provisioning API endpoints. - prefix: /_matrix/provision/v1 - # The shared secret to authorize users of the API. - # Set to "generate" to generate and save a new token. - shared_secret: generate - # The unique ID of this appservice. id: signal # Username of the appservice bot. @@ -66,7 +62,12 @@ appservice: # Example: "+signal:example.com". Set to false to disable. community_id: false - # Authentication tokens for AS <-> HS communication. + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: "{{ matrix_mautrix_signal_appservice_token }}" hs_token: "{{ matrix_mautrix_signal_homeserver_token }}" @@ -75,6 +76,17 @@ metrics: enabled: false listen_port: 8000 +# Manhole config. +manhole: + # Whether or not opening the manhole is allowed. + enabled: false + # The path for the unix socket. + path: /var/tmp/mautrix-signal.manhole + # The list of UIDs who can be added to the whitelist. + # If empty, any UIDs can be specified in the open-manhole command. + whitelist: + - 0 + signal: # Path to signald unix socket socket_path: /signald/signald.sock @@ -91,6 +103,8 @@ signal: delete_unknown_accounts_on_start: false # Whether or not message attachments should be removed from disk after they're bridged. remove_file_after_handling: true + # Whether or not users can register a primary device + registration_enabled: true # Bridge config bridge: @@ -102,6 +116,7 @@ bridge: # available variable in displayname_preference. The variables in displayname_preference # can also be used here directly. displayname_template: "{displayname} (Signal)" + # Whether or not contact list displaynames should be used. # Possible values: disallow, allow, prefer # # Multi-user instances are recommended to disallow contact list names, as otherwise there can @@ -140,7 +155,7 @@ bridge: # If false, created portal rooms will never be federated. federate_rooms: true # End-to-bridge encryption support options. You must install the e2be optional dependency for - # this to work. See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html + # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled allow: false @@ -173,12 +188,38 @@ bridge: # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false - # Interval at which to resync contacts. + # Interval at which to resync contacts (in seconds). periodic_sync: 0 + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + # The prefix for commands. Only required in non-management rooms. command_prefix: "!signal" + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Signal bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help or `register` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + # Send each message separately (for readability in some clients) + management_room_multiple_messages: false + # Permissions for using the bridge. # Permitted values: # relay - Allowed to be relayed through the bridge, no access to commands. From d51a9118d348c54a6567e47d8632148b6a407579 Mon Sep 17 00:00:00 2001 From: felixx9 <51174875+felixx9@users.noreply.github.com> Date: Sun, 5 Dec 2021 09:41:00 +0100 Subject: [PATCH 111/139] Update importing-postgres.md with individual DB and repeat-import information (#1437) * Update importing-postgres.md Additional deatails, mostly on repeating import. Structure troubleshouting section. * Update importing-postgres.md removing -K * Fix path typo Co-authored-by: Slavi Pantaleev --- docs/importing-postgres.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index b72e7694b..c5a8d8286 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -12,7 +12,8 @@ If your database name differs, be sure to change `matrix_synapse_database_databa The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`). -Importing multiple databases (as dumped by `pg_dumpall`) is also supported. +Importing multiple databases (as dumped by `pg_dumpall`) is also supported. +But the migration might be a good moment, to "reset" a not properly working bridge. Be aware, that it might affect all users (new link to bridge, new roomes, ...) Before doing the actual import, **you need to upload your Postgres dump file to the server** (any path is okay). @@ -32,6 +33,7 @@ ansible-playbook -i inventory/hosts setup.yml \ ## Troubleshooting +### Table Ownership A table ownership issue can occur if you are importing from a Synapse installation which was both: - migrated from SQLite to Postgres, and @@ -71,6 +73,8 @@ Note that if the previous import failed with an error it may have made changes w ERROR: relation \"access_tokens\" already exists ``` +### Repeat import + In this case you can use the command suggested in the import task to clear the database before retrying the import: ```Shell @@ -79,4 +83,20 @@ In this case you can use the command suggested in the import task to clear the d # systemctl start matrix-postgres ``` -Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. +Now on your local machine run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-postgres` to prepare the database roles etc. + +If not, you probably get this error. `synapse` is the correct table owner, but the role is missing in database. +``` +"ERROR: role synapse does not exist" +``` + +Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. +Check, if `--dbname` is set to `synapse` (not `matrix`) and replace paths (or even better, copy this line from your terminal) + +``` +/usr/bin/env docker run --rm --name matrix-postgres-import --log-driver=none --user=998:1001 --cap-drop=ALL --network=matrix --env-file=/matrix/postgres/env-postgres-psql --mount type=bind,src=/migration/synapse_dump.sql,dst=/synapse_dump.sql,ro --entrypoint=/bin/sh docker.io/postgres:14.1-alpine -c "cat /synapse_dump.sql | grep -vE '^(CREATE|ALTER) ROLE (matrix)(;| WITH)' | grep -vE '^CREATE DATABASE (matrix)\s' | psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname=synapse" +``` + +### Hints + +To open psql terminal run `/usr/local/bin/matrix-postgres-cli` From 9babaa5a2bfd9dd982ac3338d350e83186c666bb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Dec 2021 13:40:01 +0200 Subject: [PATCH 112/139] Fix mx-puppet-discord media URLs using container-network URLs (http://matrix-nginx-proxy:12080) --- .../matrix-bridge-mx-puppet-discord/defaults/main.yml | 2 ++ .../templates/config.yaml.j2 | 10 +++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 1113bb1c4..cd9c1477f 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -27,6 +27,8 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' +matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}" + # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 93c0a491e..edb0c280b 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -9,17 +9,17 @@ bridge: domain: {{ matrix_mx_puppet_discord_homeserver_domain }} # Reachable URL of the Matrix homeserver homeserverUrl: {{ matrix_mx_puppet_discord_homeserver_address }} + # Optionally specify a different media URL used for the media store + # + # This is where Discord will download user profile pictures and media + # from + mediaUrl: {{ matrix_mx_puppet_discord_bridge_mediaUrl }} {% if matrix_mx_puppet_discord_login_shared_secret != '' %} loginSharedSecretMap: {{ matrix_domain }}: {{ matrix_mx_puppet_discord_login_shared_secret }} {% endif %} # Display name of the bridge bot displayname: Discord Puppet Bridge - # Optionally specify a different media URL used for the media store - # - # This is where Discord will download user profile pictures and media - # from - #mediaUrl: https://external-url.org presence: # Bridge Discord online/offline status From 391e095cb95a1426b89efeaa2f79b5a90e3bc383 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Mon, 6 Dec 2021 19:56:13 +0100 Subject: [PATCH 113/139] Update main.yml --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index b05f0d853..d1a6a73a5 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.5 +matrix_client_element_version: v1.9.6 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From ff720bedce2c6c2ae83784aacd41253787141900 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Dec 2021 19:43:14 +0200 Subject: [PATCH 114/139] Upgrade matrix-postgres-backup default to v14 Related to c08880d175fdbb73778 --- roles/matrix-postgres-backup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index e1f252fe0..efce36562 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -33,7 +33,7 @@ matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_pr matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" +matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v14 }}" # This variable is assigned at runtime. Overriding its value has no effect. matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' From 18daf8f3da249f38086278c11182ed7dacb062cf Mon Sep 17 00:00:00 2001 From: Catalan Lover <48515417+FSG-Cat@users.noreply.github.com> Date: Tue, 7 Dec 2021 21:52:49 +0100 Subject: [PATCH 115/139] Update Grafana from 8.3.0 to 8.3.1 due to Security Flaw https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 8998e3685..37202d6d6 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.3.0 +matrix_grafana_version: 8.3.1 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 0071828503a63fdeb57d7a80d411b081811130fd Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 8 Dec 2021 08:37:55 +0000 Subject: [PATCH 116/139] Run `workers-doc-to-yaml.sh` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1472958e25c729f3fb9f6c018c2df947bcae97aa reverted some of the v3 changes. I'm not sure why. Running the `workers-doc-to-yaml.sh` script now puts them back 🤷‍♂️. --- roles/matrix-synapse/vars/workers.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 2d6f393ad..def223f8b 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints: # expressions: # Sync requests - - ^/_matrix/client/(v2_alpha|r0)/sync$ - - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ - - ^/_matrix/client/(api/v1|r0)/initialSync$ - - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ + - ^/_matrix/client/(v2_alpha|r0|v3)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$ + - ^/_matrix/client/(api/v1|r0|v3)/initialSync$ + - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ # Federation requests - ^/_matrix/federation/v1/event/ @@ -63,7 +63,7 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ - - ^/_matrix/client/(r0|unstable)/register$ + - ^/_matrix/client/(r0|v3|unstable)/register$ - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$ # Event sending requests From 421b055cb5f09d104d4d31036dde5f48f22a4987 Mon Sep 17 00:00:00 2001 From: Aaron R Date: Wed, 8 Dec 2021 04:09:09 -0600 Subject: [PATCH 117/139] Fix comment about `matrix_mautrix_whatsapp_database_*` variables Was renamed in 087dbe4ddc80ba6308e7ee98391ea475354e8860 It is unclear to me if there is anything you actually need to adjust with these variables. It looks like that is done automatically in `matrix_servers`. --- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 3d630fcfd..81c451cf4 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -42,7 +42,7 @@ matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot # # To use Postgres: # - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_whatsapp_database_*` variables matrix_mautrix_whatsapp_database_engine: 'sqlite' matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" From fac497faa58e3f9b40075ec910c810eb76436f08 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 8 Dec 2021 10:13:12 +0000 Subject: [PATCH 118/139] Fix comments in other roles --- roles/matrix-bridge-appservice-discord/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-googlechat/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-registration/defaults/main.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 9b9284dc3..92a51a31c 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -48,7 +48,7 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false # # To use Postgres: # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables +# - adjust your database credentials via the `matrix_appservice_discord_database_*` variables matrix_appservice_discord_database_engine: 'sqlite' matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 2b453babe..5d83e9cc2 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -42,7 +42,7 @@ matrix_mautrix_facebook_homeserver_token: '' # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables matrix_mautrix_facebook_database_engine: 'postgres' matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" diff --git a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml index 22f863fff..02bef16aa 100644 --- a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml @@ -47,7 +47,7 @@ matrix_mautrix_googlechat_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_googlechat_database_*` variables matrix_mautrix_googlechat_database_engine: 'sqlite' matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index fa46d33c9..013e1d14a 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -47,7 +47,7 @@ matrix_mautrix_hangouts_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_hangouts_database_*` variables matrix_mautrix_hangouts_database_engine: 'sqlite' matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index a648018ec..e1a1bddab 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -37,7 +37,7 @@ matrix_mautrix_instagram_homeserver_token: '' # Database-related configuration fields. # # To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables matrix_mautrix_instagram_database_engine: 'postgres' matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram' diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index f7c98950f..45a7d6e88 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -63,7 +63,7 @@ matrix_mautrix_telegram_homeserver_token: '' # # To use Postgres: # - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables +# - adjust your database credentials via the `matrix_mautrix_telegram_database_*` variables matrix_mautrix_telegram_database_engine: 'sqlite' matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fc1f17a65..10f8b13a8 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -48,7 +48,7 @@ matrix_dimension_homeserver_federationUrl: "" # # To use Postgres: # - change the engine (`matrix_dimension_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_dimension_postgres_*` variables +# - adjust your database credentials via the `matrix_dimension_database_*` variables matrix_dimension_database_engine: 'sqlite' matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 6929f5cd9..f0e96effc 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -48,7 +48,7 @@ matrix_ma1sd_matrixorg_forwarding_enabled: false # # To use Postgres: # - change the engine (`matrix_ma1sd_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables +# - adjust your database credentials via the `matrix_ma1sd_database_*` variables matrix_ma1sd_database_engine: 'sqlite' matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db" diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index e03891b2e..4705fb5eb 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -38,7 +38,7 @@ matrix_registration_container_http_host_bind_port: '' # # To use Postgres: # - change the engine (`matrix_registration_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_registration_postgres_*` variables +# - adjust your database credentials via the `matrix_registration_database_*` variables matrix_registration_database_engine: 'sqlite' matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3" From 286871b9b59a652c89b8d4b911ce208c14d275b1 Mon Sep 17 00:00:00 2001 From: John M Date: Sun, 28 Nov 2021 04:31:06 +0000 Subject: [PATCH 119/139] Add self-build for Dimension Add a self-build option for the Dimension Dockerfile. - This helps further support arm64 hosts (i.e. A1.Flex w/Oracle) --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 ++ roles/matrix-dimension/defaults/main.yml | 8 ++++++- .../matrix-dimension/tasks/setup_install.yml | 23 +++++++++++++++++++ 4 files changed, 33 insertions(+), 1 deletion(-) diff --git a/docs/self-building.md b/docs/self-building.md index 82726bb78..9ff28e4c5 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -18,6 +18,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-registration` - `matrix-coturn` - `matrix-corporal` +- `matrix-dimension` - `matrix-ma1sd` - `matrix-mailer` - `matrix-bridge-appservice-irc` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7b2a74947..64ec0bd12 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1045,6 +1045,8 @@ matrix_coturn_container_additional_volumes: | matrix_dimension_enabled: false +matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Dimension HTTP port to the local host. diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fc1f17a65..6e1ad512d 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -10,10 +10,16 @@ matrix_dimension_admins: [] # Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates matrix_dimension_widgets_allow_self_signed_ssl_certificates: false +matrix_dimension_container_image_self_build: false +matrix_dimension_container_image_self_build_repo: "https://github.com/turt2live/matrix-dimension.git" +matrix_dimension_container_image_self_build_branch: master + matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" +matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension" matrix_dimension_version: latest -matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_name_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image_name_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index 804be88d7..c75fc0b96 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -90,6 +90,29 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}" + when: "not matrix_dimension_container_image_self_build|bool" + register: matrix_dimension_pull_results + +- name: Ensure dimension repository is present on self-build + git: + repo: "{{ matrix_dimension_container_image_self_build_repo }}" + dest: "{{ matrix_dimension_docker_src_files_path }}" + version: "{{ matrix_dimension_container_image_self_build_branch }}" + force: "yes" + when: "matrix_dimension_container_image_self_build|bool" + register: matrix_dimension_git_pull_results + +- name: Ensure Dimension Docker image is built + docker_image: + name: "{{ matrix_dimension_docker_image }}" + source: build + force_source: "{{ matrix_dimension_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_dimension_docker_src_files_path }}" + pull: yes + when: "matrix_dimension_container_image_self_build|bool" - name: Ensure matrix-dimension.service installed template: From f2cd37685c8dfbc1579dfa18222865356695171d Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 19:52:05 -0300 Subject: [PATCH 120/139] Add support for Jitsi internal authentication user creation --- roles/matrix-jitsi/defaults/main.yml | 35 ++++++++++++++++--- .../tasks/setup_jitsi_prosody.yml | 21 +++++++---- .../tasks/util/setup_jitsi_auth.yml | 30 ++++++++++++++++ 3 files changed, 76 insertions(+), 10 deletions(-) create mode 100644 roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bef993e05..bdc553354 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -12,6 +12,9 @@ matrix_jitsi_enable_av_moderation: true # Authentication type, must be one of internal, jwt or ldap. Currently only # internal and ldap are supported by this playbook. matrix_jitsi_auth_type: internal +matrix_jitsi_prosody_auth_internal_accounts: + - username: "jitsti-moderator" + password: "" # Configuration options for LDAP authentication. For details see upstream: # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. @@ -41,16 +44,17 @@ matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi matrix_jitsi_xmpp_modules: '' +matrix_jitsi_xmpp_muc_modules: '' +matrix_jitsi_xmpp_muc_modules_internal: '' matrix_jitsi_recorder_domain: recorder.meet.jitsi - +matrix_jitsi_jibri_recorder_user: recorder +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri matrix_jitsi_jibri_xmpp_password: '' -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false @@ -205,7 +209,6 @@ matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' - matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" @@ -229,6 +232,30 @@ matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 +# JWT Auth +matrix_jitsi_auth_jwt_id: jitsi +matrix_jitsi_auth_jwt_secret: '' +matrix_jitsi_auth_jwt_accepted_issuers: '' +matrix_jitsi_authjwt_allow_empty: false + +# Jigasi SIP Gateway Configuration - Not Fully Implemented +matrix_jitsi_jigasi_auth_user: '' +matrix_jitsi_jigasi_auth_password: '' +#JIGASI_SIP_URI: '' # SIP URI for incoming / outgoing calls test@sip2sip.info +#JIGASI_SIP_PASSWORD: '' # Password for the specified SIP account passw0rd +#JIGASI_SIP_SERVER SIP: '' # server (use the SIP account domain if in doubt) sip2sip.info +#JIGASI_SIP_PORT SIP: '5060' # server port 5060 +#JIGASI_SIP_TRANSPORT: 'UDP' # SIP transport UDP +#DIALIN_NUMBERS_URL: 'https://jitsi.chs.chat/dial-in.json' # URL to the JSON with all Dial-In numbers. Example: https://meet.example.com/dialin.json +#CONFCODE_URL: '' # URL to the API for checking/generating Dial-In codes. Example: https://jitsi-api.jitsi.net/conferenceMapper +#GC_PROJECT_ID: # project_id from Google Cloud Credentials +#GC_PRIVATE_KEY_ID: # private_key_id from Google Cloud Credentials +#GC_PRIVATE_KEY: # private_key from Google Cloud Credentials +#GC_CLIENT_EMAIL: # client_email from Google Cloud Credentials +#GC_CLIENT_ID: # client_id from Google Cloud Credentials +#GC_CLIENT_CERT_URL: # client_x509_cert_url from Google Cloud Credentials + + # Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. # This configuration gets appended to the final configuration that Jitsi JVB uses. # diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 39a571ae6..25dee8ec7 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -25,14 +25,14 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" when: matrix_jitsi_enabled|bool -- name: Ensure jitsi-prosody environment variables file created +- name: Ensure jitsi-prosody environment variables file is created template: src: "{{ role_path }}/templates/prosody/env.j2" dest: "{{ matrix_jitsi_prosody_base_path }}/env" mode: 0640 when: matrix_jitsi_enabled|bool -- name: Ensure matrix-jitsi-prosody.service installed +- name: Ensure matrix-jitsi-prosody.service is installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" @@ -40,16 +40,25 @@ register: matrix_jitsi_prosody_systemd_service_result when: matrix_jitsi_enabled|bool -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation +- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation service: daemon_reload: yes when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" + +- name: Ensure authentication is properly configured + include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" + when: + - matrix_jitsi_enabled|bool + - matrix_jitsi_enable_auth|bool + + # # Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # -- name: Check existence of matrix-jitsi-prosody service +- name: Ensure matrix-jitsi-prosody service file exists stat: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat @@ -64,13 +73,13 @@ register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure matrix-jitsi-prosody.service doesn't exist +- name: Ensure matrix-jitsi-prosody service file doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal +- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal service: daemon_reload: yes when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml new file mode 100644 index 000000000..804e6526f --- /dev/null +++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml @@ -0,0 +1,30 @@ +--- + +# +# Tasks related to setting up Jitsi authentication mechanisms +# + +- name: Ensure matrix-jitsi-prosody container is running + systemd: + state: started + name: matrix-jitsi-prosody + +- name: Ensire Jitsi internal authentication users are created + shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + when: + - matrix_jitsi_auth_type == "internal" + + +# +# Configure other authentication mechanisms below +# + + +# +# End +# +- name: Ensure matrix-jitsi-prosody container is stopped + systemd: + state: stopped + name: matrix-jitsi-prosody \ No newline at end of file From dd1feffcc245a72217dec11dfc21db779ed5b176 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 20:14:18 -0300 Subject: [PATCH 121/139] Add support for Jitsi internal authentication user creation --- roles/matrix-jitsi/defaults/main.yml | 24 ------------------- .../tasks/setup_jitsi_prosody.yml | 8 +++---- 2 files changed, 4 insertions(+), 28 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bdc553354..617421263 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -232,30 +232,6 @@ matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 -# JWT Auth -matrix_jitsi_auth_jwt_id: jitsi -matrix_jitsi_auth_jwt_secret: '' -matrix_jitsi_auth_jwt_accepted_issuers: '' -matrix_jitsi_authjwt_allow_empty: false - -# Jigasi SIP Gateway Configuration - Not Fully Implemented -matrix_jitsi_jigasi_auth_user: '' -matrix_jitsi_jigasi_auth_password: '' -#JIGASI_SIP_URI: '' # SIP URI for incoming / outgoing calls test@sip2sip.info -#JIGASI_SIP_PASSWORD: '' # Password for the specified SIP account passw0rd -#JIGASI_SIP_SERVER SIP: '' # server (use the SIP account domain if in doubt) sip2sip.info -#JIGASI_SIP_PORT SIP: '5060' # server port 5060 -#JIGASI_SIP_TRANSPORT: 'UDP' # SIP transport UDP -#DIALIN_NUMBERS_URL: 'https://jitsi.chs.chat/dial-in.json' # URL to the JSON with all Dial-In numbers. Example: https://meet.example.com/dialin.json -#CONFCODE_URL: '' # URL to the API for checking/generating Dial-In codes. Example: https://jitsi-api.jitsi.net/conferenceMapper -#GC_PROJECT_ID: # project_id from Google Cloud Credentials -#GC_PRIVATE_KEY_ID: # private_key_id from Google Cloud Credentials -#GC_PRIVATE_KEY: # private_key from Google Cloud Credentials -#GC_CLIENT_EMAIL: # client_email from Google Cloud Credentials -#GC_CLIENT_ID: # client_id from Google Cloud Credentials -#GC_CLIENT_CERT_URL: # client_x509_cert_url from Google Cloud Credentials - - # Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. # This configuration gets appended to the final configuration that Jitsi JVB uses. # diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 25dee8ec7..d9b6fcba7 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -4,7 +4,7 @@ # Tasks related to setting up jitsi-prosody # -- name: Ensure Matrix jitsi-prosody path exists +- name: Ensure Matrix jitsi-prosody environment exists file: path: "{{ item.path }}" state: directory @@ -32,7 +32,7 @@ mode: 0640 when: matrix_jitsi_enabled|bool -- name: Ensure matrix-jitsi-prosody.service is installed +- name: Ensure matrix-jitsi-prosody.service file is installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" @@ -58,7 +58,7 @@ # Tasks related to getting rid of jitsi-prosody (if it was previously enabled) # -- name: Ensure matrix-jitsi-prosody service file exists +- name: Ensure matrix-jitsi-prosody.service file exists stat: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat @@ -73,7 +73,7 @@ register: stopping_result when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" -- name: Ensure matrix-jitsi-prosody service file doesn't exist +- name: Ensure matrix-jitsi-prosody.service file doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent From 7a7dc0033387d8586739141af713587f4a6c64ee Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Wed, 8 Dec 2021 20:19:55 -0300 Subject: [PATCH 122/139] Update documentation to reflect added support for Jitsi internal authentication user creation --- docs/configuring-playbook-jitsi.md | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f4e4c9f36..940252b45 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -41,13 +41,21 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes]( If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. -Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: +Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true +matrix_jitsi_prosody_auth_internal_accounts: + - username: "jitsi-moderator" + password: "some-password" + - username: "other-user" + password: "some-other-password" ``` +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). + + ### (Optional) LDAP authentication The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: @@ -122,19 +130,6 @@ You may want to **limit the maximum video resolution**, to save up resources on Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -## Required if configuring Jitsi with internal authentication: register new users - -Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. -Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: - -```bash -docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register meet.jitsi -``` - -Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. - -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). - ## Usage From d086668f524d7859e52c581c252560c135323929 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 02:42:36 -0300 Subject: [PATCH 123/139] Ensure internal authentication users are properly configured --- roles/matrix-jitsi/tasks/validate_config.yml | 30 +++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index d2887b12c..8f874176b 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -3,14 +3,14 @@ - name: Fail if required Jitsi settings not defined fail: msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - If you had setup Jitsi successfully before and it's just now that you're observing this failure, - it means that your installation may be using some default passwords that the playbook used to define until now. - This is not secure and we urge you to rebuild your Jitsi setup. + If you had previously setup Jitsi successfully and are only now facing this error, + it means that your installation is most likely using default passwords previously defined by the playbook. + These defaults are insecure. Jitsi should be rebuilt with secure values. Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). when: "vars[item] == ''" with_items: @@ -19,6 +19,28 @@ - "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jvb_auth_password" + +- name: Fail if Jitsi internal authentication settings not defined + fail: + msg: >- + You must define the (`{{ item.username }}`) and (`{{ item.password }}`) configuration settings to properly configure an account using Jitsi's internal authentication. + + Please ensure you have defined at least one user and password when using internal authentication. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + If you had previously setup Jitsi successfully and are only now facing this error, + it means that your installation is most likely using default passwords previously defined by the playbook. + These defaults are insecure. Jitsi should be rebuilt with secure values. + Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). + when: + - matrix_jitsi_auth_type == "internal" + - item.username == '' + - item.password == '' + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + + - name: (Deprecation) Catch and report renamed settings fail: msg: >- From 6e38ce42d880d23c574d084c666060e17f0924a6 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:40:25 -0300 Subject: [PATCH 124/139] Added check before stopping service, fixed unnecessary checking of user attributes, and created sections to clarify the file's purpose --- .../tasks/util/setup_jitsi_auth.yml | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml index 804e6526f..66fb7e5d1 100644 --- a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml +++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml @@ -1,30 +1,43 @@ --- - # -# Tasks related to setting up Jitsi authentication mechanisms +# Start Necessary Services # - name: Ensure matrix-jitsi-prosody container is running systemd: state: started name: matrix-jitsi-prosody + register: matrix_jitsi_prosody_start_result -- name: Ensire Jitsi internal authentication users are created + +# +# Tasks related to configuring Jitsi internal authentication +# + +- name: Ensure Jitsi internal authentication users are configured shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" when: - matrix_jitsi_auth_type == "internal" + - matrix_jitsi_prosody_auth_internal_accounts|length > 0 # -# Configure other authentication mechanisms below +# Tasks related to configuring other Jitsi authentication mechanisms +# + + + +# +# Tasks related to cleaning after Jitsi authentication configuration # # -# End +# Stop Necessary Services # -- name: Ensure matrix-jitsi-prosody container is stopped +- name: Ensure matrix-jitsi-prosody container is stopped if necessary systemd: state: stopped - name: matrix-jitsi-prosody \ No newline at end of file + name: matrix-jitsi-prosody + when: matrix_jitsi_prosody_start_result.changed|bool \ No newline at end of file From a26abb2f1b2c5e5c8ddd0eb2792ab02a921665c4 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:44:50 -0300 Subject: [PATCH 125/139] Removed an empty line (formatting) --- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index d9b6fcba7..c1c7c7fca 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -45,7 +45,6 @@ daemon_reload: yes when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" - - name: Ensure authentication is properly configured include_tasks: file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" From 4c25c1df06f9eb68309e138fe1286d1d74437289 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:50:31 -0300 Subject: [PATCH 126/139] Changed matrix_jitsi_prosody_auth_internal_accounts default to an empty array, removed unused configuration declaration, and moved jibri configuration back to its proper place --- roles/matrix-jitsi/defaults/main.yml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 617421263..e233e0167 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -9,12 +9,22 @@ matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true -# Authentication type, must be one of internal, jwt or ldap. Currently only -# internal and ldap are supported by this playbook. +# Authentication type, must be one of internal, jwt or ldap. +# Currently only internal and ldap mechanisms are supported by this playbook. matrix_jitsi_auth_type: internal -matrix_jitsi_prosody_auth_internal_accounts: - - username: "jitsti-moderator" - password: "" + +# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. +# +# Accounts added here and subsquently removed will not be automatically removed +# from the Prosody server until user account cleaning is integrated into the playbook. +# +# Example: +# matrix_jitsi_prosody_auth_internal_accounts: +# - username: "jitsi-moderator" +# password: "secret-password" +# - username: "another-user" +# password: "another-password" +matrix_jitsi_prosody_auth_internal_accounts: [] # Configuration options for LDAP authentication. For details see upstream: # https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. @@ -44,17 +54,16 @@ matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi matrix_jitsi_xmpp_modules: '' -matrix_jitsi_xmpp_muc_modules: '' -matrix_jitsi_xmpp_muc_modules_internal: '' matrix_jitsi_recorder_domain: recorder.meet.jitsi -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' + matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri matrix_jitsi_jibri_xmpp_password: '' +matrix_jitsi_jibri_recorder_user: recorder +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false From 0c101f20c447ac5b4fe494cb7379f516f2f17ff1 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:54:40 -0300 Subject: [PATCH 127/139] Fixed unnecessary checking of user attributes, added check for matrix_jitsi_enable_auth boolean --- roles/matrix-jitsi/tasks/validate_config.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 8f874176b..37b10cb4e 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -34,10 +34,10 @@ it means that your installation is most likely using default passwords previously defined by the playbook. These defaults are insecure. Jitsi should be rebuilt with secure values. Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). - when: - - matrix_jitsi_auth_type == "internal" - - item.username == '' - - item.password == '' + when: + - matrix_jitsi_enable_auth|bool + - matrix_jitsi_auth_type == 'internal' + - matrix_jitsi_prosody_auth_internal_accounts|length == '0' with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" From f2293f61eebe49f47d7bb42363ed4f6b0fa9eb5a Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 07:58:50 -0300 Subject: [PATCH 128/139] Updated documentation to better reflect the workings of Jitsi internal authentication with this playbook --- docs/configuring-playbook-jitsi.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 940252b45..f7e8a949c 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -48,11 +48,13 @@ matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true matrix_jitsi_prosody_auth_internal_accounts: - username: "jitsi-moderator" - password: "some-password" - - username: "other-user" - password: "some-other-password" + password: "secret-password" + - username: "another-user" + password: "another-password" ``` +**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. + **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). From a9e222d5238af3a76e8d77e2ef7801a05662dbdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Dec 2021 19:45:39 +0200 Subject: [PATCH 129/139] Remove useless variable (matrix_appservice_webhooks_control_room_id) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1447 Seems like there's such a variable in the `matrix-bridge-appservice-slack` role, which is probably where it got copied over from. --- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 25419900c..bc9ae8b40 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -22,8 +22,6 @@ matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks matrix_appservice_webhooks_public_endpoint: /appservice-webhooks matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}" -# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source -matrix_appservice_webhooks_control_room_id: '' matrix_appservice_webhooks_bot_name: 'webhookbot' matrix_appservice_webhooks_user_prefix: '_webhook' From c116f268f2f1aa03e2b14036201229b529b94d26 Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Thu, 9 Dec 2021 19:30:32 -0300 Subject: [PATCH 130/139] Fixed type mismatch --- roles/matrix-jitsi/tasks/validate_config.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 37b10cb4e..5452768a4 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -20,25 +20,19 @@ - "matrix_jitsi_jvb_auth_password" -- name: Fail if Jitsi internal authentication settings not defined +- name: Fail if a Jitsi internal authentication account is not defined fail: msg: >- - You must define the (`{{ item.username }}`) and (`{{ item.password }}`) configuration settings to properly configure an account using Jitsi's internal authentication. + Each Jitsi user in `matrix_jitsi_prosody_auth_internal_accounts` needs to have a non-empty `username`/`password`. Please ensure you have defined at least one user and password when using internal authentication. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - - If you had previously setup Jitsi successfully and are only now facing this error, - it means that your installation is most likely using default passwords previously defined by the playbook. - These defaults are insecure. Jitsi should be rebuilt with secure values. - Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). when: - matrix_jitsi_enable_auth|bool - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts|length == '0' - with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + - matrix_jitsi_prosody_auth_internal_accounts == '' - name: (Deprecation) Catch and report renamed settings From fc55df9318efb28d17295293adf3a6edf7ab4b84 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Dec 2021 08:29:57 +0200 Subject: [PATCH 131/139] Make some appservices reach the homeserver via nginx This is useful when Synapse is using a worker setup. In that case, we don't want appservices to connect to `matrix-synapse:8008`, because not all APIs are exposed there. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1449 --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 64ec0bd12..f9763c560 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -113,7 +113,7 @@ matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}" -matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}" matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}" @@ -152,7 +152,7 @@ matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_pr matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}" -matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}" +matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}" matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}" From 6568b68759901a1fdef4dd55d8f915837b435738 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Dec 2021 10:14:33 +0200 Subject: [PATCH 132/139] Fix validation message The check was checking for an empty string in `matrix_jitsi_prosody_auth_internal_accounts`, which is unlikely to happen. We should check for an empty list instead. The check was not validating username/password values, so telling the user that they need a non-empty username/password is misleading. It was merely checking if there's at least one entry in the list. This patch adjusts the check and message accordingly. --- roles/matrix-jitsi/tasks/validate_config.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index 5452768a4..a9d86764e 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -23,16 +23,14 @@ - name: Fail if a Jitsi internal authentication account is not defined fail: msg: >- - Each Jitsi user in `matrix_jitsi_prosody_auth_internal_accounts` needs to have a non-empty `username`/`password`. - - Please ensure you have defined at least one user and password when using internal authentication. + At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). when: - matrix_jitsi_enable_auth|bool - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts == '' + - matrix_jitsi_prosody_auth_internal_accounts|length == 0 - name: (Deprecation) Catch and report renamed settings From ece163b29ff49ef706cbfb4bbeebe3d3f7aee2ef Mon Sep 17 00:00:00 2001 From: AnonyPla <86740652+AnonyPla@users.noreply.github.com> Date: Sat, 11 Dec 2021 08:16:33 +0000 Subject: [PATCH 133/139] Upgrade Mjolnir from 1.1.20 to version 1.2.1 (#1422) * Upgrade Mjolnir from 1.1.20 to version 1.2.1 https://hub.docker.com/r/matrixdotorg/mjolnir/tags using the "latest" tag seems inefficient as it doesn't actually redirect to the latest release In any case, the latest release is now 1.2.1 docker pull matrixdotorg/mjolnir:v1.2.1 * Fixup Co-authored-by: Slavi Pantaleev --- roles/matrix-bot-mjolnir/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index 6e7331c45..72c685027 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -3,14 +3,13 @@ matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v1.1.20" +matrix_bot_mjolnir_version: "v1.2.1" matrix_bot_mjolnir_container_image_self_build: false matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}" - matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" From eca26e49e1561603eecab65a8ba9e60f2d46f39c Mon Sep 17 00:00:00 2001 From: ppacheco28 Date: Sat, 11 Dec 2021 11:09:06 -0300 Subject: [PATCH 134/139] Update Jitsi to version stable-6727 --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index e233e0167..b1002a7f2 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -67,7 +67,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-6173 +matrix_jitsi_version: stable-6726 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From bbab82ee647348fc6d4f864ceac93f18dc3a9461 Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Sat, 11 Dec 2021 10:26:55 -0500 Subject: [PATCH 135/139] Fix email sending broken by #1406 --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index f27fcb067..3e289b0c7 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2344,8 +2344,10 @@ email: # Username/password for authentication to the SMTP server. By default, no # authentication is attempted. + {% if matrix_synapse_email_smtp_user %} smtp_user: {{ matrix_synapse_email_smtp_user|string|to_json }} smtp_pass: {{ matrix_synapse_email_smtp_pass|string|to_json }} + {% endif %} # Uncomment the following to require TLS transport security for SMTP. # By default, Synapse will connect over plain text, and will then switch to From dd903ffcc2c2beec08557b157f1cd4aa4ce0b16b Mon Sep 17 00:00:00 2001 From: laszabine Date: Sat, 11 Dec 2021 16:16:41 +0000 Subject: [PATCH 136/139] Updated signald docker image path --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 93993fa11..6e0a9918b 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_signal_daemon_container_self_build: false matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" -matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}" +matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" From 1f0d56fb75b053ca91d803416b01e498c2461901 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 13 Dec 2021 15:55:40 +0000 Subject: [PATCH 137/139] (Security fix) Update Element 1.9.6 -> 1.9.7 Ref: https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index d1a6a73a5..28412a264 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto # - https://github.com/vector-im/element-web/issues/19544 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" -matrix_client_element_version: v1.9.6 +matrix_client_element_version: v1.9.7 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From a8fc4fe6ce5e82d44060b7e50c131eca8b502aff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Dec 2021 12:33:59 +0200 Subject: [PATCH 138/139] Mention log4j vulnerability affecting mautrix-signal Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1459 and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 43af8dd10..a6d15b963 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-12-14 + +## (Security) Users of the Signal bridge may wish to upgrade it to work around log4j vulnerability + +Recently, a security vulnerability affecting the Java logging package `log4j` [has been discovered](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java). Software that uses this Java package is potentially vulnerable. + +One such piece of software that is part of the playbook is the [mautrix-signal bridge](./docs/configuring-playbook-bridge-mautrix-signal.md), which [has been patched already](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452). If you're running this bridge, you may wish to [upgrade](./docs/maintenance-upgrading-services.md). + + # 2021-11-11 ## Dropped support for Postgres v9.6 From 5be131054102398e20b7a825dd26d6de0021ef3e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Dec 2021 16:54:35 +0200 Subject: [PATCH 139/139] Upgrade Synapse (1.48.0 -> 1.49.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 40 +++++++++++++++++++ roles/matrix-synapse/vars/workers.yml | 4 +- 3 files changed, 44 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index e888ac92b..d1d049d5e 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.48.0 -matrix_synapse_version_arm64: v1.48.0 +matrix_synapse_version: v1.49.0 +matrix_synapse_version_arm64: v1.49.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 3e289b0c7..1361eb9e1 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1227,6 +1227,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # #session_lifetime: 24h +# Time that an access token remains valid for, if the session is +# using refresh tokens. +# For more information about refresh tokens, please see the manual. +# Note that this only applies to clients which advertise support for +# refresh tokens. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is 5 minutes. +# +#refreshable_access_token_lifetime: 5m + +# Time that a refresh token remains valid for (provided that it is not +# exchanged for another one first). +# This option can be used to automatically log-out inactive sessions. +# Please see the manual for more information. +# +# Note also that this is calculated at login time and refresh time: +# changes are not applied to existing sessions until they are refreshed. +# +# By default, this is infinite. +# +#refresh_token_lifetime: 24h + +# Time that an access token remains valid for, if the session is NOT +# using refresh tokens. +# Please note that not all clients support refresh tokens, so setting +# this to a short value may be inconvenient for some users who will +# then be logged out frequently. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to existing sessions for users that have already logged in. +# +# By default, this is infinite. +# +#nonrefreshable_access_token_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. + # The user must provide all of the below types of 3PID when registering. # #registrations_require_3pid: diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index def223f8b..1a279ad6b 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -33,7 +33,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/federation/v1/get_groups_publicised$ - ^/_matrix/key/v2/query - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/ - - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/ + - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/ # Inbound federation transaction request - ^/_matrix/federation/v1/send/ @@ -46,7 +46,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$ - - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$ + - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$ - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$ - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$