From 6594cce57038c5118e9b056f2b2c0b4ec9451b93 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Wed, 25 Sep 2024 14:53:48 +1000 Subject: [PATCH 001/108] Feat: Added element call setup and configuration. --- docs/configuring-playbook-element-call.md | 74 ++++++++ group_vars/matrix_servers | 58 +++++++ .../matrix-element-call/defaults/main.yml | 34 ++++ .../tasks/create_element_json.yml | 22 +++ .../matrix-element-call/tasks/install.yml | 17 ++ .../tasks/install_docker_containers.yml | 158 ++++++++++++++++++ .../custom/matrix-element-call/tasks/main.yml | 14 ++ .../matrix-element-call/tasks/uninstall.yml | 51 ++++++ .../tasks/update_element_web_config.yml | 29 ++++ .../tasks/update_homeserver_config.yml | 36 ++++ .../tasks/update_well_known_client.yml | 24 +++ .../tasks/validate_config.yml | 79 +++++++++ .../templates/config.json.j2 | 11 ++ .../matrix-element-call/templates/env.j2 | 9 + .../matrix-element-call/templates/labels.j2 | 11 ++ .../templates/livekit.yaml.j2 | 21 +++ .../templates/redis.conf.j2 | 5 + .../systemd/matrix-element-call.service.j2 | 17 ++ .../custom/matrix-element-call/vars/main.yml | 5 + setup.yml | 1 + 20 files changed, 676 insertions(+) create mode 100644 docs/configuring-playbook-element-call.md create mode 100644 roles/custom/matrix-element-call/defaults/main.yml create mode 100644 roles/custom/matrix-element-call/tasks/create_element_json.yml create mode 100644 roles/custom/matrix-element-call/tasks/install.yml create mode 100644 roles/custom/matrix-element-call/tasks/install_docker_containers.yml create mode 100644 roles/custom/matrix-element-call/tasks/main.yml create mode 100644 roles/custom/matrix-element-call/tasks/uninstall.yml create mode 100644 roles/custom/matrix-element-call/tasks/update_element_web_config.yml create mode 100644 roles/custom/matrix-element-call/tasks/update_homeserver_config.yml create mode 100644 roles/custom/matrix-element-call/tasks/update_well_known_client.yml create mode 100644 roles/custom/matrix-element-call/tasks/validate_config.yml create mode 100644 
roles/custom/matrix-element-call/templates/config.json.j2 create mode 100644 roles/custom/matrix-element-call/templates/env.j2 create mode 100644 roles/custom/matrix-element-call/templates/labels.j2 create mode 100644 roles/custom/matrix-element-call/templates/livekit.yaml.j2 create mode 100644 roles/custom/matrix-element-call/templates/redis.conf.j2 create mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 create mode 100644 roles/custom/matrix-element-call/vars/main.yml diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md new file mode 100644 index 000000000..bd36357ab --- /dev/null +++ b/docs/configuring-playbook-element-call.md 
@@ -0,0 +1,74 @@ +# Setting up Element Call (optional) + +The playbook can install and configure [Element Call](https://github.com/vector-im/element-call) for you. + +Element Call is a WebRTC-based video and voice calling platform that integrates with Matrix clients such as Element Web. It provides secure, decentralized communication with support for video calls, audio calls, and screen sharing. + +See the project's [documentation](https://github.com/vector-im/element-call) to learn more. + +## Decide on a domain and path + +By default, Element Call is configured to be served on the Matrix domain (`call.DOMAIN`, controlled by the `matrix_element_call_hostname` variable). + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +If you'd like to run Element Call on another hostname or path, use the `matrix_element_call_hostname` and `matrix_element_call_path_prefix` variables. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +Ensure that the following DNS names have a public IP/FQDN: +- `call.DOMAIN` +- `sfu.DOMAIN` +- `sfu-jwt.DOMAIN` + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_element_call_enabled: true +# Set a secure key for LiveKit authentication +matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +``` + +## External databases + +If your setup utilizes an external database, you may need to adjust the default configuration for Redis used by Element Call. 
Modify the defaults in group_vars/matrix_servers.yml or host_vars to suit your setup: + +```yaml +matrix_element_call_redis_hostname: 'localhost' +matrix_element_call_redis_port: 6379 +matrix_element_call_redis_password: '' +``` + +## Installing +After potentially adjusting DNS records and configuring the playbook, run the installation command again: +```yaml +ansible-playbook -i inventory setup.yml +``` + +## Usage +Once installed, Element Call integrates seamlessly with Matrix clients like Element Web. When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your JWT service URL (e.g., `https://sfu-jwt.DOMAIN`). + +Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.DOMAIN`). + +## Required Firewall and Port Forwarding Rules + +To ensure the services function correctly, the following firewall rules and port forwarding settings are required: + +LiveKit: + + • Forward UDP ports 50100:50200 to the Docker instance running LiveKit. + • Forward TCP port 7881 to the Docker instance running LiveKit. + +Element Call: + + • Forward TCP port 443 to the server running Traefik (for Element Call). + +Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services. + +## Additional Information + +Refer to the Element Call documentation for more details on configuring and using Element Call. \ No newline at end of file diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c6682be41..58e93c7b2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -5690,3 +5690,61 @@ devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path if d # /com.devture.ansible.role.traefik_certs_dumper # # # ######################################################################## + + +######################################################################## +# # +# matrix-element-call # +# # +######################################################################## + +# Matrix Element Call Configuration +matrix_element_call_enabled: false # Default is false; should be enabled in host_vars as needed +matrix_element_call_version: "latest" # Default version; can be overridden in host_vars +matrix_element_call_scheme: "https" # Scheme for Element Call (e.g., https) +matrix_element_call_hostname: "call.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different +matrix_element_call_path_prefix: "/" # Path prefix for Element Call +matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" # Base path for storing Element Call-related files +matrix_element_call_container_image: "ghcr.io/element-hq/element-call:{{ matrix_element_call_version }}" +matrix_element_call_container_image_name_prefix: ghcr.io/ +matrix_element_call_container_image_registry_prefix: ghcr.io/ +matrix_element_call_container_image_force_pull: true + +# Docker network configuration for Element Call +matrix_element_call_container_network: "{{ matrix_homeserver_container_network }}" # Use the homeserver network by default + +# Traefik Configuration for Element Call +matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" +matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" +matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" +matrix_element_call_container_labels_traefik_entrypoints: "websecure" 
+matrix_element_call_container_labels_traefik_tls_certResolver: "default" + +# JWT Service Configuration +matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed + +# LiveKit Service Configuration +matrix_element_call_livekit_service_url: "https://sfu.{{ matrix_domain }}" # Default LiveKit service URL; adjust as needed +matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # LiveKit dev key + +# Redis Configuration for Element Call +matrix_element_call_redis_hostname: "localhost" # Default Redis hostname; can be overridden +matrix_element_call_redis_port: 6379 # Default Redis port; can be overridden +matrix_element_call_redis_password: "" # Redis password; should be set in host_vars if needed + +# Additional environment variables for the container +matrix_element_call_environment_variables_additional: {} + +# Additional arguments or configuration options for the Docker container +matrix_element_call_container_extra_arguments: [] + +# Enable or disable metrics collection +matrix_element_call_metrics_enabled: false +matrix_element_call_metrics_port: 2112 + +######################################################################## +# # +# /matrix-element-call # +# # +######################################################################## \ No newline at end of file diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml new file mode 100644 index 000000000..38b175532 --- /dev/null +++ b/roles/custom/matrix-element-call/defaults/main.yml 
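Review bot: `matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}"` references a variable that nothing in this patch defines, so a host that enables Element Call without also setting `matrix_livekit_dev_key` aborts with an undefined-variable error before validate_config.yml can produce its readable message; since this value is the LiveKit API secret, it is better declared as an empty required value here, `matrix_element_call_livekit_dev_key: ""`, and rejected by the non-empty assertion. `matrix_element_call_redis_password: ""` is introduced here but never consumed by redis.conf.j2 or any container task in the patch. The names and defaults also disagree with roles/custom/matrix-element-call/defaults/main.yml (`matrix_element_call_container_image` vs `matrix_element_call_image`, `{{ matrix_base_data_path }}/element-call` vs a path under `/home/...`, `https://sfu.…` vs `wss://sfu.…:443`), and the role's tasks read the defaults-file names, so most of the values set in this block are dead. `matrix_element_call_version: "latest"` is a moving tag; pinning a release and letting `matrix_element_call_container_image` derive from it would match how the rest of this file is organised.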
@@ -0,0 +1,34 @@ +--- +# roles/custom/matrix-element-call/defaults/main.yml + +# Enable or disable matrix-element-call deployment +matrix_element_call_enabled: false + +# Base path configuration +matrix_element_call_base_path: "/home/{{ matrix_user_username }}/dockerdata/volumes/elementcall" +matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" +matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" + +# Docker network configuration +matrix_element_call_container_network: "matrix_element_call_network" + +# Docker images +matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" +matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" +matrix_livekit_image: "livekit/livekit-server:latest" +matrix_redis_image: "redis:6-alpine" + +# Ports +matrix_element_call_port: "8093" +matrix_jwt_service_port: "8881" +matrix_redis_port: "6379" + +# LiveKit configuration (should be set in host_vars or globally) +matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}" +matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_base_domain }}:443" + +# Well-known paths and domains (derived from matrix_base_domain) +matrix_element_call_domain: "call.{{ matrix_base_domain }}" +matrix_element_call_well_known_client_path: "/var/www/.well-known/matrix/client" +matrix_element_call_well_known_element_path: "/var/www/.well-known/element/element.json" +matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/create_element_json.yml b/roles/custom/matrix-element-call/tasks/create_element_json.yml new file mode 100644 index 000000000..7fe689183 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/create_element_json.yml 
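Review bot: `matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}"` turns a missing secret into a fixed, publicly known string, and because validate_config.yml only asserts that the key is a non-empty string, a deployment that forgot to set it passes validation and ships with `unset-livekit-key` as the API secret shared by livekit.yaml.j2 and the jwt-service container. Fail closed instead: `matrix_element_call_livekit_dev_key: ""` here, with the assertion rejecting the empty value. The variable names in this file diverge from the group_vars/matrix_servers hunk (`matrix_element_call_image` vs `matrix_element_call_container_image`, `matrix_element_call_domain` vs `matrix_element_call_hostname`), and validate_config.yml lists the group_vars names, so the role cannot run from these defaults alone; settle on one set of names. The ports are quoted strings (`matrix_redis_port: "6379"`) while group_vars uses integers (`matrix_element_call_redis_port: 6379`) — pick one type.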
@@ -0,0 +1,22 @@ +--- +--- +# Create the element.json file to point to Element Call + +- name: Ensure .well-known/element directory exists + ansible.builtin.file: + path: "{{ matrix_element_call_well_known_element_path | dirname }}" + state: directory + mode: 0755 + +- name: Create or update the element.json file with Element Call config + ansible.builtin.copy: + dest: "{{ matrix_element_call_well_known_element_path }}" + content: | + { + "call": { + "widget_url": "{{ matrix_element_call_base_url }}" + } + } + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml new file mode 100644 index 000000000..250f8c093 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -0,0 +1,17 @@ +--- +# Main install task for matrix-element-call + +- name: Install Docker containers for Element Call + include_tasks: install_docker_containers.yml + +- name: Update .well-known/matrix/client + include_tasks: update_well_known_client.yml + +- name: Create .well-known/element/element.json + include_tasks: create_element_json.yml + +- name: Update homeserver.yaml for Element Call + include_tasks: update_homeserver_config.yml + +- name: Update Element-Web config.json for Element Call + include_tasks: update_element_web_config.yml \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml new file mode 100644 index 000000000..38dfbbd70 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml 
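Review bot: The file starts with two document-start markers (`---` followed by another `---`), which makes the task file a two-document YAML stream with an empty first document; the same doubled marker appears in tasks/uninstall.yml and tasks/update_well_known_client.yml in this patch, and the second `---` should be dropped in all three. The directory task writes an unquoted `mode: 0755` while the copy task below it uses the quoted `mode: '0644'`; a leading-zero number is read as an integer by YAML 1.1 parsers, so use `mode: '0755'` for consistency and to avoid the octal/decimal ambiguity. The directory is also created without `owner`/`group`, although the file placed into it is chowned to the matrix user — add the same two lines to the directory task.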
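Review bot: The five includes use the short `include_tasks` form while tasks/main.yml in the same patch uses the fully qualified `ansible.builtin.include_tasks`; use the FQCN here as well so the role reads consistently. The order of the includes (containers first, then the well-known, homeserver and Element Web edits) is the only place that sequencing is encoded, and a one-line comment such as `# Start the containers first; the config edits below only reference URLs and do not depend on running services` would make it explicit for the next maintainer.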
@@ -0,0 +1,158 @@ +--- +# Ensure Required Directories Exist +- name: Ensure matrix-element-call paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + loop: + - path: "{{ matrix_element_call_base_path }}" + - path: "{{ matrix_element_call_base_path }}/data" + - path: "{{ matrix_element_call_base_path }}/config" + - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config + +# Ensure Configuration Files are in Place +- name: Ensure Element Call config.json is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/config.json.j2" + dest: "{{ matrix_element_call_base_path }}/config/config.json" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure LiveKit livekit.yaml is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/livekit.yaml.j2" + dest: "{{ matrix_element_call_base_path }}/backend/livekit.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Redis redis.conf is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/redis.conf.j2" + dest: "{{ matrix_element_call_base_path }}/backend/redis.conf" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call environment file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_element_call_base_path }}/config/env" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call Docker labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_element_call_base_path }}/config/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# 
Ensure Docker Images are Pulled +- name: Ensure matrix-element-call Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_element_call_image }}" + source: pull + force_source: "{{ matrix_element_call_container_image_force_pull }}" + register: element_call_image_result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: element_call_image_result is not failed + +- name: Ensure jwt-service Docker image is pulled + community.docker.docker_image: + name: "ghcr.io/element-hq/lk-jwt-service:latest-ci" + source: pull + register: jwt_image_result + retries: 3 + delay: 10 + until: jwt_image_result is not failed + +- name: Ensure livekit Docker image is pulled + community.docker.docker_image: + name: "livekit/livekit-server:latest" + source: pull + register: livekit_image_result + retries: 3 + delay: 10 + until: livekit_image_result is not failed + +- name: Ensure redis Docker image is pulled + community.docker.docker_image: + name: "redis:6-alpine" + source: pull + register: redis_image_result + retries: 3 + delay: 10 + until: redis_image_result is not failed + +# Ensure Docker Containers are Running +- name: Run matrix-element-call Docker container + community.docker.docker_container: + name: "matrix-element-call" + image: "{{ matrix_element_call_image }}" + state: started + restart_policy: unless-stopped + env_file: "{{ matrix_element_call_base_path }}/config/env" + labels: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" + networks: + - name: "{{ matrix_element_call_container_network }}" + volumes: + - "{{ matrix_element_call_base_path }}/config/config.json:/app/config.json" + - "{{ matrix_element_call_base_path }}/data:/data" + +- name: Run jwt-service Docker container + community.docker.docker_container: + name: "matrix-jwt-service" + image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" + state: started + restart_policy: 
unless-stopped + environment: + LIVEKIT_SECRET: "{{ matrix_element_call_livekit_dev_key }}" # User-specified key + LIVEKIT_URL: "{{ matrix_element_call_livekit_service_url }}" + LIVEKIT_KEY: "devkey" + networks: + - name: "{{ matrix_element_call_container_network }}" + +- name: Run livekit Docker container + community.docker.docker_container: + name: "matrix-livekit" + image: "livekit/livekit-server:latest" + state: started + restart_policy: unless-stopped + command: "--dev --config /etc/livekit.yaml" + volumes: + - "{{ matrix_element_call_base_path }}/backend/livekit.yaml:/etc/livekit.yaml" + network_mode: "host" + +- name: Run redis Docker container + community.docker.docker_container: + name: "matrix-redis" + image: "redis:6-alpine" + state: started + restart_policy: unless-stopped + command: redis-server /etc/redis.conf + volumes: + - "{{ matrix_element_call_base_path }}/backend/redis.conf:/etc/redis.conf" + networks: + - name: "{{ matrix_element_call_container_network }}" + +# Ensure Systemd Services are Set Up +- name: Ensure matrix-element-call systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/element-call.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + mode: 0644 + +- name: Ensure matrix-element-call systemd service is enabled and started + ansible.builtin.systemd: + name: matrix-element-call + enabled: true + state: started + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml new file mode 100644 index 000000000..ae0f7ce68 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/main.yml 
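Review bot: The systemd task renders `src: "{{ role_path }}/templates/element-call.service.j2"`, but the template this patch adds lives at `templates/systemd/matrix-element-call.service.j2`, so the run fails with a missing-template error after all four containers have already been started; change the line to `src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2"`. The jwt-service, livekit and redis images are hard-coded (`ghcr.io/element-hq/lk-jwt-service:latest-ci`, `livekit/livekit-server:latest`, `redis:6-alpine`) even though defaults/main.yml defines `matrix_jwt_service_image`, `matrix_livekit_image` and `matrix_redis_image` for exactly this purpose, and their pull tasks use literal `retries: 3` / `delay: 10` instead of the `devture_playbook_help_container_retries_*` variables used two tasks earlier. On the security side, LiveKit is started with `--dev` (its development mode, which a production role should not enable by default) and `network_mode: "host"`, which takes the SFU out of the Docker network the other services are isolated in, and the API key name is hard-coded as `LIVEKIT_KEY: "devkey"` here and `devkey:` in livekit.yaml.j2 — derive it from one variable. Every container also gets `restart_policy: unless-stopped` while the systemd unit in this patch restarts `matrix-element-call` as well, leaving two supervisors fighting over the same container.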
@@ -0,0 +1,14 @@ +--- +# roles/custom/matrix-element-call/tasks/main.yml + +- name: Ensure Element Call dependencies are valid and present + when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + +- name: Install Element Call and its related services + when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- name: Uninstall Element Call and clean up resources + when: not matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml new file mode 100644 index 000000000..f863c25be --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml 
@@ -0,0 +1,51 @@ +--- +--- +# roles/custom/matrix-element-call/tasks/uninstall.yml + +# Stop and remove Docker containers +- name: Stop and remove matrix-element-call Docker container + community.docker.docker_container: + name: "matrix-element-call" + state: absent + when: matrix_element_call_enabled | bool == false + +- name: Stop and remove jwt-service Docker container + community.docker.docker_container: + name: "matrix-jwt-service" + state: absent + when: matrix_element_call_enabled | bool == false + +- name: Stop and remove livekit Docker container + community.docker.docker_container: + name: "matrix-livekit" + state: absent + when: matrix_element_call_enabled | bool == false + +- name: Stop and remove redis Docker container + community.docker.docker_container: + name: "matrix-redis" + state: absent + when: matrix_element_call_enabled | bool == false + +# Remove matrix-element-call directories +- name: Remove matrix-element-call directories + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - "{{ matrix_element_call_base_path }}" + when: matrix_element_call_enabled | bool == false + +# Disable and remove systemd service for matrix-element-call +- name: Stop and disable matrix-element-call systemd service + ansible.builtin.systemd: + name: matrix-element-call + state: stopped + enabled: false + when: matrix_element_call_enabled | bool == false + +- name: Remove matrix-element-call systemd service file + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + state: absent + when: matrix_element_call_enabled | bool == false \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml new file mode 100644 index 000000000..0fa227172 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml 
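Review bot: The `Remove matrix-element-call directories` task deletes `matrix_element_call_base_path`, which holds the data and config volumes, whenever `matrix_element_call_enabled` is false; false is the default in both group_vars and the role defaults, so a user who toggles the flag off temporarily loses the data directory with no confirmation. Leave data in place on disable and gate purging behind a separate opt-in (e.g. a constructed `matrix_element_call_purge_data: false` flag). Every task repeats `when: matrix_element_call_enabled | bool == false` although tasks/main.yml only includes this file under `when: not matrix_element_call_enabled | bool`, so the per-task conditions are redundant, and if kept they should use `not … | bool` rather than comparing to `false`. The doubled `---` at the top is the same defect noted on tasks/create_element_json.yml.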
@@ -0,0 +1,29 @@ +--- +# Update Element-Web config.json with Element Call features + +- name: Ensure Element-Web config.json exists + ansible.builtin.file: + path: "{{ matrix_element_web_config_path }}" + state: file + mode: 0644 + +- name: Update Element-Web config.json with Element Call features + ansible.builtin.blockinfile: + path: "{{ matrix_element_web_config_path }}" + block: | + "features": { + "feature_video_rooms": true, + "feature_new_room_decoration_ui": true, + "feature_group_calls": true, + "feature_element_call_video_rooms": true + }, + "element_call": { + "url": "{{ matrix_element_call_base_url }}", + "participant_limit": 8, + "brand": "Element Call", + "use_exclusively": true + } + marker: "# ANSIBLE MANAGED BLOCK - Element Call features" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml b/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml new file mode 100644 index 000000000..46e4f5a09 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml 
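Review bot: `ansible.builtin.blockinfile` with `marker: "# ANSIBLE MANAGED BLOCK - Element Call features"` appends two `#` comment lines and a `"features": {…}` fragment after the closing `}` of `matrix_element_web_config_path`, and that file is JSON, so the result is no longer parseable and Element Web will fail to load its config; tasks/update_well_known_client.yml does the same to the JSON well-known file. JSON cannot be patched with line-based markers: read the existing document, merge with the `combine` filter and write it back whole (e.g. `content: "{{ existing_config | combine(element_call_settings, recursive=True) | to_nice_json }}"`), or, if the playbook already templates Element Web's config.json elsewhere, set that template's variables instead of editing the rendered file. `"participant_limit": 8` and `"use_exclusively": true` are hard-coded and should be exposed as variables.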
@@ -0,0 +1,36 @@ +--- +# Update the homeserver.yaml file with Element Call config + +- name: Ensure homeserver.yaml exists + ansible.builtin.file: + path: "{{ matrix_homeserver_config_path }}" + state: file + mode: 0644 + +- name: Add listeners section for Element Call to homeserver.yaml + ansible.builtin.blockinfile: + path: "{{ matrix_homeserver_config_path }}" + block: | + listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + + resources: + - names: [client, federation, openid] + compress: false + marker: "# ANSIBLE MANAGED BLOCK - Element Call listeners" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure serve_server_wellknown is enabled in homeserver.yaml + ansible.builtin.lineinfile: + path: "{{ matrix_homeserver_config_path }}" + line: "serve_server_wellknown: true" + insertafter: EOF + state: present + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml new file mode 100644 index 000000000..b02269f1c --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml 
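Review bot: The blockinfile appends a second top-level `listeners:` key to `matrix_homeserver_config_path`; YAML loaders generally keep the last duplicate key silently, so this replaces whatever listeners the homeserver already had with the hard-coded port-8008 listener, and the `lineinfile` for `serve_server_wellknown: true` can likewise add a duplicate key at EOF. Both tasks also set `mode: '0644'` on the homeserver config, which typically holds secrets (signing, macaroon and registration keys), making it world-readable on the host — drop the `mode:`/`owner:`/`group:` lines and leave the file's existing permissions alone. If the homeserver config is rendered by another role in this playbook, the right fix is to set that role's listener variables rather than editing the rendered file after the fact; if in-place editing is kept, check for an existing `listeners` key before inserting one.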
@@ -0,0 +1,24 @@ +--- +--- +# Update the .well-known/matrix/client file with Element Call config + +- name: Ensure .well-known directory exists + ansible.builtin.file: + path: "{{ matrix_element_call_well_known_client_path | dirname }}" + state: directory + mode: 0755 + +- name: Update .well-known/matrix/client file with Element Call config + ansible.builtin.blockinfile: + path: "{{ matrix_element_call_well_known_client_path }}" + block: | + "org.matrix.msc4143.rtc_foci": [ + { + "type": "livekit", + "livekit_service_url": "{{ matrix_element_call_jwt_service_url }}" + } + ] + create: yes + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml new file mode 100644 index 000000000..c4a55e0df --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml 
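Review bot: `create: yes` uses a YAML 1.1 truthy value; write `create: true` to match the `true`/`false` used elsewhere in the patch. The directory task sets `mode: 0755` unquoted and no `owner`/`group`, while the file written into it is chowned to the matrix user — quote the mode and add the ownership lines as in the file task. The `#`-marker blockinfile into a JSON file and the doubled `---` are the same defects noted on tasks/update_element_web_config.yml and tasks/create_element_json.yml.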
@@ -0,0 +1,79 @@ +--- +# roles/custom/matrix-element-call/tasks/validate_config.yml + +- name: Ensure required variables for Element Call are defined + ansible.builtin.fail: + msg: "The variable '{{ item }}' is required and must be set." + when: vars[item] is not defined or vars[item] == '' + loop: + - matrix_element_call_enabled + - matrix_element_call_version + - matrix_element_call_hostname + - matrix_element_call_path_prefix + - matrix_element_call_base_path + - matrix_element_call_container_image + - matrix_element_call_container_network + - matrix_element_call_container_labels_traefik_hostname + - matrix_element_call_jwt_service_url + - matrix_element_call_livekit_service_url + - matrix_element_call_livekit_dev_key + +- name: Validate that the Element Call hostname is properly formatted + ansible.builtin.assert: + that: + - "'{{ matrix_element_call_hostname }}' is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$')" + fail_msg: "The hostname '{{ matrix_element_call_hostname }}' is not valid. It should be a valid domain or subdomain." + success_msg: "The hostname '{{ matrix_element_call_hostname }}' is valid." + +- name: Validate that the Element Call version is specified correctly + ansible.builtin.assert: + that: + - matrix_element_call_version is string + - matrix_element_call_version != '' + fail_msg: "The Element Call version must be a non-empty string." + success_msg: "The Element Call version is set correctly." + +- name: Ensure LiveKit dev key is set + ansible.builtin.assert: + that: + - matrix_element_call_livekit_dev_key is string + - matrix_element_call_livekit_dev_key != '' + fail_msg: "The LiveKit dev key (matrix_element_call_livekit_dev_key) must be a non-empty string." + success_msg: "The LiveKit dev key is set correctly." 
+ +- name: Ensure JWT service URL is valid + ansible.builtin.assert: + that: + - matrix_element_call_jwt_service_url is match('^https?://[a-zA-Z0-9.-]+$') + fail_msg: "The JWT service URL '{{ matrix_element_call_jwt_service_url }}' is not valid." + success_msg: "The JWT service URL is valid." + +- name: Ensure LiveKit service URL is valid + ansible.builtin.assert: + that: + - matrix_element_call_livekit_service_url is match('^https?://[a-zA-Z0-9.-]+$') + fail_msg: "The LiveKit service URL '{{ matrix_element_call_livekit_service_url }}' is not valid." + success_msg: "The LiveKit service URL is valid." + +- name: Ensure matrix-element-call base path is set and exists + ansible.builtin.assert: + that: + - matrix_element_call_base_path is string + - matrix_element_call_base_path != '' + fail_msg: "The base path for Element Call (matrix_element_call_base_path) must be a non-empty string." + success_msg: "The base path for Element Call is set correctly." + +- name: Ensure required paths for configurations are accessible + ansible.builtin.file: + path: "{{ item }}" + state: directory + with_items: + - "{{ matrix_element_call_base_path }}/config" + - "{{ matrix_element_call_base_path }}/backend" + register: config_paths_check + +- name: Fail if any required paths for configurations are not accessible + ansible.builtin.fail: + msg: "The required configuration path '{{ item.path }}' does not exist or is not accessible." + when: config_paths_check.results is defined and config_paths_check.results | selectattr('failed', 'eq', True) | list | length > 0 + loop: "{{ config_paths_check.results | selectattr('failed', 'eq', True) | list }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 new file mode 100644 index 000000000..1ce2f57c5 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/config.json.j2 
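Review bot: The hostname assertion `'{{ matrix_element_call_hostname }}' is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$')` has no `.` in its character class, so the default `call.{{ matrix_domain }}` fails it and validation aborts every enabled deployment; the URL assertions `match('^https?://[a-zA-Z0-9.-]+$')` similarly reject the `wss://sfu.…:443` default from defaults/main.yml (scheme and port). Test the variable directly instead of wrapping it in `'{{ … }}'` (nested templating inside `that:` is unnecessary and breaks on values containing a quote), e.g. `matrix_element_call_hostname is match('^[a-zA-Z0-9][-a-zA-Z0-9.]*[a-zA-Z0-9]$')`, and let the URL pattern accept `wss`/`https` with an optional port. The LiveKit key check only requires a non-empty string, so the `unset-livekit-key` placeholder from defaults/main.yml passes — assert against that sentinel or make the default empty. The last two tasks are not validation: `ansible.builtin.file` with `state: directory` creates the config and backend directories on the host (install_docker_containers.yml already does this), and the subsequent loop over `selectattr('failed', 'eq', True)` can never yield anything because a failed file task would already have aborted the play; drop both.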
@@ -0,0 +1,11 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "{{ matrix_homeserver_url }}", + "server_name": "{{ matrix_server_name }}" + } + }, + "livekit": { + "livekit_service_url": "{{ matrix_element_call_livekit_service_url }}" + } +} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 new file mode 100644 index 000000000..db25ed81b --- /dev/null +++ b/roles/custom/matrix-element-call/templates/env.j2 @@ -0,0 +1,9 @@ +# Environment variables for Element Call +ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} +LIVEKIT_SERVICE_URL={{ matrix_element_call_livekit_service_url }} +JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} + +# Optional additional environment variables provided by the user +{% for key, value in matrix_element_call_environment_variables_additional.items() %} +{{ key }}={{ value }} +{% endfor %} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 new file mode 100644 index 000000000..988bfba1c --- /dev/null +++ b/roles/custom/matrix-element-call/templates/labels.j2 
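Review bot: `"livekit_service_url": "{{ matrix_element_call_livekit_service_url }}"` points Element Call at the SFU itself (`https://sfu.…` / `wss://sfu.…:443` in the two defaults files), whereas tasks/update_well_known_client.yml fills the same `livekit_service_url` key with `matrix_element_call_jwt_service_url`; both cannot be right. Element Call's `livekit_service_url` is the address of the lk-jwt-service, which issues the LiveKit token and returns the SFU address, so this template should use `{{ matrix_element_call_jwt_service_url }}` and the SFU URL belongs only in the jwt-service's `LIVEKIT_URL`. The template also reads `matrix_homeserver_url` and `matrix_server_name`, neither of which is defined in this patch — confirm both exist in the playbook's group_vars, otherwise rendering fails at install time.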
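Review bot: `ELEMENT_CALL_SERVER_URL`, `LIVEKIT_SERVICE_URL` and `JWT_SERVICE_URL` are written to the env file, but nothing in this patch shows the Element Call image reading those names, and the container already receives the same values through the mounted config.json — confirm they are consumed, otherwise the env file (and its `env_file:` mount) is dead weight. The first line also uses `matrix_element_call_domain` (defaults/main.yml) while labels.j2 uses `matrix_element_call_hostname` (group_vars) for the same public name; pick one variable so the two cannot drift.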
@@ -0,0 +1,11 @@
+# Docker labels for Traefik or other routing
+traefik.enable: "true"
+traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.rule: "Host(`{{ matrix_element_call_hostname }}`)"
+traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.entrypoints: "{{ matrix_element_call_container_labels_traefik_entrypoints }}"
+traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.tls.certresolver: "{{ matrix_element_call_container_labels_traefik_tls_certResolver }}"
+traefik.http.services.{{ matrix_element_call_hostname | replace('.', '_') }}-service.loadbalancer.server.port: "8080"
+
+# Additional labels (if any) specified by the user
+{% for key, value in matrix_element_call_container_extra_arguments.items() %}
+{{ key }}: "{{ value }}"
+{% endfor %}
\ No newline at end of file
diff --git a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 b/roles/custom/matrix-element-call/templates/livekit.yaml.j2
new file mode 100644
index 000000000..a53c0896a
--- /dev/null
+++ b/roles/custom/matrix-element-call/templates/livekit.yaml.j2
@@ -0,0 +1,21 @@
+port: 7880
+bind_addresses:
+ - "0.0.0.0"
+rtc:
+ tcp_port: 7881
+ port_range_start: 50100
+ port_range_end: 50200
+ use_external_ip: false
+
+turn:
+ enabled: false
+ domain: localhost
+ cert_file: ""
+ key_file: ""
+ tls_port: 5349
+ udp_port: 443
+ external_tls: true
+
+keys:
+ devkey: "{{ matrix_element_call_livekit_dev_key }}"
+logging:
\ No newline at end of file
diff --git a/roles/custom/matrix-element-call/templates/redis.conf.j2 b/roles/custom/matrix-element-call/templates/redis.conf.j2
new file mode 100644
index 000000000..da19af05a
--- /dev/null
+++ b/roles/custom/matrix-element-call/templates/redis.conf.j2
@@ -0,0 +1,5 @@
+bind 0.0.0.0
+protected-mode yes
+port 6379
+timeout 0
+tcp-keepalive 300
\ No newline at end of file
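Review bot: The last label hard-codes the upstream port as `"8080"` while the role's defaults (later in this series) declare `matrix_element_call_port: "8093"`; if that variable is meant to be the port the container listens on, Traefik will forward to a closed port, so either render it (`...-service.loadbalancer.server.port: "{{ matrix_element_call_port }}"`) or add a comment stating that 8080 is the image's fixed internal port and what `matrix_element_call_port` is for. The template is also unconditional, whereas a `matrix_element_call_container_labels_traefik_enabled` switch is introduced in a later commit; wrapping the Traefik labels in `{% if matrix_element_call_container_labels_traefik_enabled %}` would honour it.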
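Review bot: The final `logging:` key has no value and the file ends without a newline, so LiveKit receives `logging: null`; either drop the key or follow it with an indented `level: info` line. `use_external_ip: false` together with `bind_addresses` of `0.0.0.0` means the server advertises only its container address in ICE candidates, which usually fails for clients reaching it through the public `sfu.` hostname used elsewhere in this series — confirm the intended network layout and record it in a comment here. The API secret is written under the fixed key id `devkey`; both the id and the variable name read as a development credential, so a comment should state that this is the production LiveKit API key/secret pair and that the rendered file must stay readable only by the service user.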
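Review bot: `bind 0.0.0.0` with no `requirepass` means any client that can reach port 6379 gets unauthenticated access, and Redis' protected mode only restricts clients when no `bind` directive is configured, so `protected-mode yes` does not compensate here. If Redis is meant to be reachable only by LiveKit inside the role's Docker network, say so in a comment and make sure the container task never publishes the port on the host; since a later commit in this series introduces `redis_password`, the template should also emit `{% if redis_password %}requirepass {{ redis_password }}{% endif %}`. The file lacks a trailing newline.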
diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2
new file mode 100644
index 000000000..8caad624f
--- /dev/null
+++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=Matrix Element Call Service
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/docker start -a matrix-element-call
+ExecStop=/usr/bin/docker stop matrix-element-call
+Restart=always
+User={{ matrix_user_username }}
+Group={{ matrix_user_groupname }}
+TimeoutStartSec=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/custom/matrix-element-call/vars/main.yml b/roles/custom/matrix-element-call/vars/main.yml
new file mode 100644
index 000000000..1f224472a
--- /dev/null
+++ b/roles/custom/matrix-element-call/vars/main.yml
@@ -0,0 +1,5 @@
+---
+# roles/custom/matrix-element-call/vars/main.yml
+
+# Variables specific to matrix-element-call, like service configurations, can go here.
+# Any environment-specific values can be overridden here.
\ No newline at end of file
diff --git a/setup.yml b/setup.yml
index 3cff6dbb1..cbc3e1673 100644
--- a/setup.yml
+++ b/setup.yml
@@ -130,6 +130,7 @@
 - custom/matrix-coturn
 - custom/matrix-media-repo
 - custom/matrix-pantalaimon
+ - custom/matrix-element-call
 - role: galaxy/postgres_backup

From d1ba784dde736a72dac55a2575a11dedfa0fcc42 Mon Sep 17 00:00:00 2001
From: wjbeckett
Date: Wed, 25 Sep 2024 15:01:53 +1000
Subject: [PATCH 002/108] added doc for setting up element call.

---
 docs/configuring-playbook.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md
index 4b4a3366b..fb0704e08 100644
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
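Review bot: `ExecStart=/usr/bin/docker start -a matrix-element-call` runs as `User={{ matrix_user_username }}`, which only works if that account can talk to the Docker socket; docker-group membership is root-equivalent on the host, so unless the playbook already grants it (not visible here) the unit fails at start, and if it does grant it that privilege should be called out in the role's documentation. The unit also depends on a container that must already exist, and `Restart=always` with `RestartSec=10` will loop indefinitely when it does not; an `ExecStart` of the `docker run --rm ...` form preceded by `ExecStartPre=-/usr/bin/docker kill matrix-element-call` and `ExecStartPre=-/usr/bin/docker rm matrix-element-call` is self-contained. Adding `ExecStopPost=-/usr/bin/docker rm matrix-element-call` keeps a failed stop from leaving a stale container behind.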
@@ -232,3 +232,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Rageshake bug report server](configuring-playbook-rageshake.md) (optional) - [Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md) (optional) + +- [Setting up the Element Call server](configuring-playbook-element-call.md) (optional) From 60f34cd7af6e752542ace17c61a77122777dd370 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Wed, 25 Sep 2024 16:13:29 +1000 Subject: [PATCH 003/108] fixed matrix_redis for migration --- roles/custom/matrix-element-call/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 38b175532..68217d37f 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -16,12 +16,12 @@ matrix_element_call_container_network: "matrix_element_call_network" matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" matrix_livekit_image: "livekit/livekit-server:latest" -matrix_redis_image: "redis:6-alpine" +redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" matrix_jwt_service_port: "8881" -matrix_redis_port: "6379" +redis_port: "6379" # LiveKit configuration (should be set in host_vars or globally) matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}" From fc6357a089f57a16f5117f6940a25fad2ca0f9ec Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 18:05:34 +1000 Subject: [PATCH 004/108] Update main.yml --- .../custom/matrix-element-call/tasks/main.yml | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-) 
diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml index ae0f7ce68..5727957ff 100644 --- a/roles/custom/matrix-element-call/tasks/main.yml +++ b/roles/custom/matrix-element-call/tasks/main.yml @@ -1,14 +1,20 @@ --- -# roles/custom/matrix-element-call/tasks/main.yml -- name: Ensure Element Call dependencies are valid and present - when: matrix_element_call_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" +- tags: + - setup-all + - setup-element-call + - install-all + - install-element-call + block: + - when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- name: Install Element Call and its related services - when: matrix_element_call_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + - when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" -- name: Uninstall Element Call and clean up resources - when: not matrix_element_call_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file +- tags: + - setup-all + - setup-element-call + block: + - when: not matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" From 350d4d4bcd0361ca0dfa5806c0a76b2bdc781df7 Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 18:35:09 +1000 Subject: [PATCH 005/108] Fixed assertion block to remove jinja2 delimiters --- roles/custom/matrix-element-call/tasks/validate_config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index c4a55e0df..d6e10c930 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml 
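Review bot: The `include_tasks` entries inside both blocks lost the `name:` the removed lines carried, so play output now shows only bare `include_tasks` lines for this role; a short name on each, e.g. `- name: Ensure Element Call configuration is validated`, keeps the output readable next to the other roles. `when: not matrix_element_call_enabled | bool` relies on the filter binding tighter than `not`, which is correct but reads more clearly as `when: not (matrix_element_call_enabled | bool)`.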
+++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -21,7 +21,7 @@ - name: Validate that the Element Call hostname is properly formatted ansible.builtin.assert: that: - - "'{{ matrix_element_call_hostname }}' is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$')" + - matrix_element_call_hostname is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$') fail_msg: "The hostname '{{ matrix_element_call_hostname }}' is not valid. It should be a valid domain or subdomain." success_msg: "The hostname '{{ matrix_element_call_hostname }}' is valid." @@ -76,4 +76,4 @@ ansible.builtin.fail: msg: "The required configuration path '{{ item.path }}' does not exist or is not accessible." when: config_paths_check.results is defined and config_paths_check.results | selectattr('failed', 'eq', True) | list | length > 0 - loop: "{{ config_paths_check.results | selectattr('failed', 'eq', True) | list }}" \ No newline at end of file + loop: "{{ config_paths_check.results | selectattr('failed', 'eq', True) | list }}" From 90ea758c3bd2ac5cfe03dd946021fb1be668da87 Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 18:39:26 +1000 Subject: [PATCH 006/108] Fixed regex for checking the hostname. --- roles/custom/matrix-element-call/tasks/validate_config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index d6e10c930..e61973fdd 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml 
@@ -21,10 +21,10 @@ - name: Validate that the Element Call hostname is properly formatted ansible.builtin.assert: that: - - matrix_element_call_hostname is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$') + - matrix_element_call_hostname is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$') fail_msg: "The hostname '{{ matrix_element_call_hostname }}' is not valid. It should be a valid domain or subdomain." success_msg: "The hostname '{{ matrix_element_call_hostname }}' is valid." - + - name: Validate that the Element Call version is specified correctly ansible.builtin.assert: that: From c93d30bcb8bffdea4d995fb6fba3c267d36a695f Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 19:07:03 +1000 Subject: [PATCH 007/108] Added matrix_server_name to the defaults --- roles/custom/matrix-element-call/defaults/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 68217d37f..3fe77edde 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -4,6 +4,9 @@ # Enable or disable matrix-element-call deployment matrix_element_call_enabled: false +# Default Matrix server name (can be overridden in host_vars if needed) +matrix_server_name: "{{ matrix_base_domain }}" + # Base path configuration matrix_element_call_base_path: "/home/{{ matrix_user_username }}/dockerdata/volumes/elementcall" matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" 
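Review bot: The new regex `^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$` requires every label to be at least two characters and the final label to be purely alphabetic, so valid hostnames with a single-character label (e.g. `a.example.com`) are rejected; `[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?` for a label keeps the no-leading/trailing-hyphen rule without that restriction. A comment above the assertion stating what the pattern intentionally excludes (bare names such as `localhost`, IP literals, IDN labels) would make the constraint deliberate rather than accidental.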
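Review bot: `matrix_server_name` is defined in this role's defaults without the `matrix_element_call_` prefix, so it looks like a playbook-wide variable although only this role sets it; any other role or inventory variable of the same name silently overrides it (role defaults have the lowest precedence) and changes the `server_name` written by config.json.j2 earlier in this series. Prefer a role-prefixed name such as `matrix_element_call_server_name`, reference that from the template, and keep the `# Default Matrix server name` comment next to it.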
@@ -31,4 +34,4 @@ matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_base_domain }}:443 matrix_element_call_domain: "call.{{ matrix_base_domain }}" matrix_element_call_well_known_client_path: "/var/www/.well-known/matrix/client" matrix_element_call_well_known_element_path: "/var/www/.well-known/element/element.json" -matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" \ No newline at end of file +matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" From ce827e7953a2ee9d5471f96dd7effb3f00691303 Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 19:09:13 +1000 Subject: [PATCH 008/108] Changed matrix_base_domain to matrix_domain --- roles/custom/matrix-element-call/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 3fe77edde..d6aaf02e0 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -5,7 +5,7 @@ matrix_element_call_enabled: false # Default Matrix server name (can be overridden in host_vars if needed) -matrix_server_name: "{{ matrix_base_domain }}" +matrix_server_name: "{{ matrix_domain }}" # Base path configuration matrix_element_call_base_path: "/home/{{ matrix_user_username }}/dockerdata/volumes/elementcall" 
@@ -28,10 +28,10 @@ redis_port: "6379" # LiveKit configuration (should be set in host_vars or globally) matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}" -matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_base_domain }}:443" +matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" # Well-known paths and domains (derived from matrix_base_domain) -matrix_element_call_domain: "call.{{ matrix_base_domain }}" +matrix_element_call_domain: "call.{{ matrix_domain }}" matrix_element_call_well_known_client_path: "/var/www/.well-known/matrix/client" matrix_element_call_well_known_element_path: "/var/www/.well-known/element/element.json" matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" From 8644a7383e3a1a882f70bf3b33b71307cda2c2ab Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 19:22:21 +1000 Subject: [PATCH 009/108] Removed additional label loop --- roles/custom/matrix-element-call/templates/labels.j2 | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 index 988bfba1c..ccfbdbf93 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/labels.j2 
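Review bot: The context line `# Well-known paths and domains (derived from matrix_base_domain)` still names the variable this commit renames away, so the comment now contradicts the two values below it; change it to `# Well-known paths and domains (derived from matrix_domain)` in the same commit.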
@@ -4,8 +4,3 @@ traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-rout traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.entrypoints: "{{ matrix_element_call_container_labels_traefik_entrypoints }}" traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.tls.certresolver: "{{ matrix_element_call_container_labels_traefik_tls_certResolver }}" traefik.http.services.{{ matrix_element_call_hostname | replace('.', '_') }}-service.loadbalancer.server.port: "8080" - -# Additional labels (if any) specified by the user -{% for key, value in matrix_element_call_container_extra_arguments.items() %} -{{ key }}: "{{ value }}" -{% endfor %} \ No newline at end of file From 81735503f8985359c7b0cc9e8674e0e6ed7aa36f Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 20:06:27 +1000 Subject: [PATCH 010/108] Added debug task to test labels configuration --- .../matrix-element-call/tasks/install_docker_containers.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml index 38dfbbd70..dbf1a9433 100644 --- a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml +++ b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml @@ -92,6 +92,10 @@ delay: 10 until: redis_image_result is not failed +- name: Debug labels file content + ansible.builtin.debug: + msg: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" + # Ensure Docker Containers are Running - name: Run matrix-element-call Docker container community.docker.docker_container: @@ -155,4 +159,4 @@ name: matrix-element-call enabled: true state: started - daemon_reload: true \ No newline at end of file + daemon_reload: true From 63641014101b947e43207f591ec56a3f56d8acc9 Mon Sep 17 00:00:00 2001 
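Review bot: `lookup('file', ...)` runs on the Ansible controller, not on the managed host, so the new debug task reads `matrix_element_call_base_path ~ '/config/labels'` from the local filesystem and will fail (or show an unrelated local file) because the labels file is templated onto the remote host; if the check is wanted, use `ansible.builtin.slurp` with `register` and print `{{ result.content | b64decode | from_yaml }}`. Debug tasks like this one and the `var: matrix_element_call_base_path` task added in the following commit should be removed before merge rather than left in the install path, where they run on every deployment.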
From: Backslash Date: Wed, 25 Sep 2024 20:20:20 +1000 Subject: [PATCH 011/108] Adding another debug task for testing the labels file. --- .../matrix-element-call/tasks/install_docker_containers.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml index dbf1a9433..a9d55ff85 100644 --- a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml +++ b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml @@ -92,6 +92,10 @@ delay: 10 until: redis_image_result is not failed +- name: Debug matrix_element_call_base_path + ansible.builtin.debug: + var: matrix_element_call_base_path + - name: Debug labels file content ansible.builtin.debug: msg: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" From 16ed788b3f8a94298bcb688306a08a688cb42e59 Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 21:07:22 +1000 Subject: [PATCH 012/108] Update main.yml --- .../matrix-element-call/defaults/main.yml | 41 +++++++++++++------ 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index d6aaf02e0..972941d91 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -1,14 +1,9 @@ --- -# roles/custom/matrix-element-call/defaults/main.yml - # Enable or disable matrix-element-call deployment matrix_element_call_enabled: false -# Default Matrix server name (can be overridden in host_vars if needed) -matrix_server_name: "{{ matrix_domain }}" - # Base path configuration -matrix_element_call_base_path: "/home/{{ matrix_user_username }}/dockerdata/volumes/elementcall" +matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" 
@@ -19,19 +14,39 @@ matrix_element_call_container_network: "matrix_element_call_network" matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" matrix_livekit_image: "livekit/livekit-server:latest" -redis_image: "redis:6-alpine" +matrix_redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" matrix_jwt_service_port: "8881" -redis_port: "6379" +matrix_redis_port: "6379" -# LiveKit configuration (should be set in host_vars or globally) -matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}" +# LiveKit configuration +matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" -# Well-known paths and domains (derived from matrix_base_domain) +# Well-known paths and domains (derived from matrix_domain) matrix_element_call_domain: "call.{{ matrix_domain }}" -matrix_element_call_well_known_client_path: "/var/www/.well-known/matrix/client" -matrix_element_call_well_known_element_path: "/var/www/.well-known/element/element.json" +matrix_element_call_well_known_client_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" +matrix_element_call_well_known_element_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element/element.json" matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" + +# Redis Configuration for Element Call +redis_hostname: "localhost" +redis_port: 6379 +redis_password: "" + +# Traefik Configuration for Element Call +matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}" +matrix_element_call_container_labels_traefik_path_prefix: "/" +matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname 
}}`)" +matrix_element_call_container_labels_traefik_entrypoints: "websecure" +matrix_element_call_container_labels_traefik_tls_certResolver: "default" + +# Additional environment variables for the container +matrix_element_call_environment_variables_additional: {} + +# Enable or disable metrics collection +matrix_element_call_metrics_enabled: false +matrix_element_call_metrics_port: 2112 From 0eef094f2bf8717c1bdbc7ae7e6ba05eb68c15b0 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 06:51:36 +1000 Subject: [PATCH 013/108] Restructure install.yml to follow other roles more closely --- .../matrix-element-call/tasks/install.yml | 119 ++++++++++++++++-- 1 file changed, 108 insertions(+), 11 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 250f8c093..18b525e4a 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
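Review bot: `redis_hostname`, `redis_port` and `redis_password` are new role defaults without the `matrix_element_call_` prefix, while `matrix_redis_port: "6379"` is restored a few lines above, so the same port is declared twice with different types and the bare `redis_*` names can collide with any other role or inventory variable; rename them to `matrix_element_call_redis_hostname` etc. and drop the duplicate. `matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}"` is the LiveKit API secret and is now undefined unless host_vars provide it, which surfaces as a templating error at first use rather than a clear message, so validate_config.yml should check it explicitly. The four images in the context lines track mutable tags (`:latest`, `:latest-ci`, `redis:6-alpine`), so every re-run may pull different code; pinning to a release and exposing it through the `matrix_element_call_version` variable that validate_config.yml already requires (earlier in this series) keeps upgrades deliberate.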
@@ -1,17 +1,114 @@ --- -# Main install task for matrix-element-call +# Main installation tasks for matrix-element-call -- name: Install Docker containers for Element Call - include_tasks: install_docker_containers.yml +# Ensure Required Directories Exist +- name: Ensure matrix-element-call paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_element_call_base_path }}" + - path: "{{ matrix_element_call_config_path }}" + - path: "{{ matrix_element_call_backend_path }}" -- name: Update .well-known/matrix/client - include_tasks: update_well_known_client.yml +# Ensure Configuration Files are in Place +- name: Ensure matrix-element-call support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_element_call_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - config.json + - env + - labels -- name: Create .well-known/element/element.json - include_tasks: create_element_json.yml +- name: Ensure livekit.yaml is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/livekit.yaml.j2" + dest: "{{ matrix_element_call_backend_path }}/livekit.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" -- name: Update homeserver.yaml for Element Call - include_tasks: update_homeserver_config.yml +- name: Ensure redis.conf is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/redis.conf.j2" + dest: "{{ matrix_element_call_backend_path }}/redis.conf" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" -- name: Update Element-Web config.json for Element Call - include_tasks: update_element_web_config.yml \ No newline at end of file +# Ensure Docker Images are Pulled +- name: Ensure 
matrix-element-call container image is pulled + community.docker.docker_image: + name: "{{ matrix_element_call_image }}" + source: pull + register: element_call_image_result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: element_call_image_result is not failed + +- name: Ensure jwt-service container image is pulled + community.docker.docker_image: + name: "{{ matrix_jwt_service_image }}" + source: pull + register: jwt_image_result + retries: 3 + delay: 10 + until: jwt_image_result is not failed + +- name: Ensure livekit container image is pulled + community.docker.docker_image: + name: "{{ matrix_livekit_image }}" + source: pull + register: livekit_image_result + retries: 3 + delay: 10 + until: livekit_image_result is not failed + +- name: Ensure redis container image is pulled + community.docker.docker_image: + name: "{{ matrix_redis_image }}" + source: pull + register: redis_image_result + retries: 3 + delay: 10 + until: redis_image_result is not failed + +# Ensure Docker Networks are Created +- name: Ensure matrix-element-call container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_element_call_container_network }}" + driver: bridge + driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" + +# Deploy Systemd Services for Containers +- name: Ensure matrix-element-call systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + mode: 0644 + +- name: Ensure jwt-service systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" + mode: 0644 + +- 
name: Ensure livekit systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-livekit.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" + mode: 0644 + +- name: Ensure redis systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" + mode: 0644 From 02479e8becc9e1db7617f789db94387b19492f1d Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 07:59:09 +1000 Subject: [PATCH 014/108] Updated with new structure. --- .../matrix-element-call/tasks/uninstall.yml | 60 +++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml index f863c25be..d9a77415f 100644 --- a/roles/custom/matrix-element-call/tasks/uninstall.yml +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml 
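Review bot: The systemd template tasks reference `matrix-jwt-service.service.j2`, `matrix-livekit.service.j2` and `matrix-redis.service.j2`, but only `matrix-element-call.service.j2` has been added in this series so far, so unless those files are added elsewhere the template tasks fail on first run. `mode: 0750` / `0640` / `0644` are unquoted YAML octals — Ansible accepts the leading-zero form, but ansible-lint flags it and a value without the zero silently becomes decimal, so write `mode: "0750"`. The first image pull uses `devture_playbook_help_container_retries_count` / `_delay` while the next three hard-code `retries: 3` / `delay: 10`; use the playbook variables in all four. `env` and `labels` are written to `matrix_element_call_base_path` while `matrix_element_call_config_path` is created but left empty, and the debug task added earlier in this series reads `config/labels`, so one of the two locations is wrong. The rewrite also drops the previous includes (containers, well-known, homeserver and Element Web updates) without replacing them here; if those now live elsewhere a comment pointing to them would help, otherwise the role pulls images and installs units but never creates the containers.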
@@ -1,51 +1,51 @@ --- ---- -# roles/custom/matrix-element-call/tasks/uninstall.yml +# Uninstall tasks for matrix-element-call -# Stop and remove Docker containers -- name: Stop and remove matrix-element-call Docker container +- name: Stop and remove matrix-element-call container community.docker.docker_container: name: "matrix-element-call" state: absent - when: matrix_element_call_enabled | bool == false -- name: Stop and remove jwt-service Docker container +- name: Stop and remove jwt-service container community.docker.docker_container: name: "matrix-jwt-service" state: absent - when: matrix_element_call_enabled | bool == false -- name: Stop and remove livekit Docker container +- name: Stop and remove livekit container community.docker.docker_container: name: "matrix-livekit" state: absent - when: matrix_element_call_enabled | bool == false -- name: Stop and remove redis Docker container +- name: Stop and remove redis container community.docker.docker_container: name: "matrix-redis" state: absent - when: matrix_element_call_enabled | bool == false -# Remove matrix-element-call directories -- name: Remove matrix-element-call directories - ansible.builtin.file: - path: "{{ item }}" - state: absent - loop: - - "{{ matrix_element_call_base_path }}" - when: matrix_element_call_enabled | bool == false - -# Disable and remove systemd service for matrix-element-call -- name: Stop and disable matrix-element-call systemd service - ansible.builtin.systemd: - name: matrix-element-call - state: stopped - enabled: false - when: matrix_element_call_enabled | bool == false - -- name: Remove matrix-element-call systemd service file +- name: Remove matrix-element-call systemd service ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" state: absent - when: matrix_element_call_enabled | bool == false \ No newline at end of file + +- name: Remove jwt-service systemd service + ansible.builtin.file: + path: "{{ 
devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" + state: absent + +- name: Remove livekit systemd service + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" + state: absent + +- name: Remove redis systemd service + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" + state: absent + +- name: Remove matrix-element-call configuration files + ansible.builtin.file: + path: "{{ matrix_element_call_base_path }}" + state: absent + +- name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true From 5efc1892935a3e0cfc323f5b3f950bcd037ab434 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 08:12:06 +1000 Subject: [PATCH 015/108] Updated to support new structure --- roles/custom/matrix-element-call/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml index 5727957ff..ad50c2d96 100644 --- a/roles/custom/matrix-element-call/tasks/main.yml +++ b/roles/custom/matrix-element-call/tasks/main.yml @@ -1,4 +1,5 @@ --- +# Main task file for matrix-element-call - tags: - setup-all From 68cc1f4b2bff23d2c190fb18d6e638eb57c73a4d Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 08:29:16 +1000 Subject: [PATCH 016/108] Simplified the validation step. --- .../tasks/validate_config.yml | 88 +++---------------- 1 file changed, 13 insertions(+), 75 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index e61973fdd..1feccecb8 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml 
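Review bot: The systemd units are now deleted without first being stopped and disabled (the removed version had a `state: stopped` / `enabled: false` task for `matrix-element-call`), so after `daemon_reload` the running services are left orphaned and the `multi-user.target.wants` symlinks dangle; stop and disable all four units before removing their files, guarded by a `stat` so a second run does not fail on already-removed units. The Docker network `matrix_element_call_container_network` created by install.yml is also never removed, so uninstall leaves it behind. `state: absent` on `matrix_element_call_base_path` deletes the LiveKit key and all data; that matches the old behaviour but deserves a comment saying so.
```yaml
- name: Check existence of matrix-element-call systemd services
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}.service"
  loop:
    - matrix-element-call
    - matrix-jwt-service
    - matrix-livekit
    - matrix-redis
  register: matrix_element_call_service_stat

- name: Ensure matrix-element-call systemd services are stopped and disabled
  ansible.builtin.systemd:
    name: "{{ item.item }}"
    state: stopped
    enabled: false
  loop: "{{ matrix_element_call_service_stat.results }}"
  when: item.stat.exists | bool

# … unchanged: container removal, unit-file removal, base path removal, daemon reload …
```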
@@ -1,79 +1,17 @@ --- -# roles/custom/matrix-element-call/tasks/validate_config.yml +# Validate configuration for matrix-element-call -- name: Ensure required variables for Element Call are defined +- name: Fail if required matrix-element-call settings are not defined ansible.builtin.fail: - msg: "The variable '{{ item }}' is required and must be set." - when: vars[item] is not defined or vars[item] == '' - loop: - - matrix_element_call_enabled - - matrix_element_call_version - - matrix_element_call_hostname - - matrix_element_call_path_prefix - - matrix_element_call_base_path - - matrix_element_call_container_image - - matrix_element_call_container_network - - matrix_element_call_container_labels_traefik_hostname - - matrix_element_call_jwt_service_url - - matrix_element_call_livekit_service_url - - matrix_element_call_livekit_dev_key - -- name: Validate that the Element Call hostname is properly formatted - ansible.builtin.assert: - that: - - matrix_element_call_hostname is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$') - fail_msg: "The hostname '{{ matrix_element_call_hostname }}' is not valid. It should be a valid domain or subdomain." - success_msg: "The hostname '{{ matrix_element_call_hostname }}' is valid." - -- name: Validate that the Element Call version is specified correctly - ansible.builtin.assert: - that: - - matrix_element_call_version is string - - matrix_element_call_version != '' - fail_msg: "The Element Call version must be a non-empty string." - success_msg: "The Element Call version is set correctly." - -- name: Ensure LiveKit dev key is set - ansible.builtin.assert: - that: - - matrix_element_call_livekit_dev_key is string - - matrix_element_call_livekit_dev_key != '' - fail_msg: "The LiveKit dev key (matrix_element_call_livekit_dev_key) must be a non-empty string." - success_msg: "The LiveKit dev key is set correctly." 
- -- name: Ensure JWT service URL is valid - ansible.builtin.assert: - that: - - matrix_element_call_jwt_service_url is match('^https?://[a-zA-Z0-9.-]+$') - fail_msg: "The JWT service URL '{{ matrix_element_call_jwt_service_url }}' is not valid." - success_msg: "The JWT service URL is valid." - -- name: Ensure LiveKit service URL is valid - ansible.builtin.assert: - that: - - matrix_element_call_livekit_service_url is match('^https?://[a-zA-Z0-9.-]+$') - fail_msg: "The LiveKit service URL '{{ matrix_element_call_livekit_service_url }}' is not valid." - success_msg: "The LiveKit service URL is valid." - -- name: Ensure matrix-element-call base path is set and exists - ansible.builtin.assert: - that: - - matrix_element_call_base_path is string - - matrix_element_call_base_path != '' - fail_msg: "The base path for Element Call (matrix_element_call_base_path) must be a non-empty string." - success_msg: "The base path for Element Call is set correctly." - -- name: Ensure required paths for configurations are accessible - ansible.builtin.file: - path: "{{ item }}" - state: directory + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "{{ matrix_element_call_base_path }}/config" - - "{{ matrix_element_call_base_path }}/backend" - register: config_paths_check - -- name: Fail if any required paths for configurations are not accessible - ansible.builtin.fail: - msg: "The required configuration path '{{ item.path }}' does not exist or is not accessible." 
- when: config_paths_check.results is defined and config_paths_check.results | selectattr('failed', 'eq', True) | list | length > 0 - loop: "{{ config_paths_check.results | selectattr('failed', 'eq', True) | list }}" + - {'name': 'matrix_element_call_base_path', when: true} + - {'name': 'matrix_element_call_container_network', when: true} + - {'name': 'matrix_element_call_image', when: true} + - {'name': 'matrix_jwt_service_image', when: true} + - {'name': 'matrix_livekit_image', when: true} + - {'name': 'matrix_redis_image', when: true} + - {'name': 'matrix_element_call_livekit_dev_key', when: true} + - {'name': 'matrix_element_call_livekit_service_url', when: true} From 37fd2e701d7e7c30f58602b589325f0c7c766b6f Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 09:15:07 +1000 Subject: [PATCH 017/108] Update env.j2 to support the new configuration --- roles/custom/matrix-element-call/templates/env.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 index db25ed81b..71e9a0693 100644 --- a/roles/custom/matrix-element-call/templates/env.j2 +++ b/roles/custom/matrix-element-call/templates/env.j2 @@ -1,9 +1,10 @@ # Environment variables for Element Call ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} LIVEKIT_SERVICE_URL={{ matrix_element_call_livekit_service_url }} +LIVEKIT_SECRET={{ matrix_element_call_livekit_dev_key }} JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} # Optional additional environment variables provided by the user {% for key, value in matrix_element_call_environment_variables_additional.items() %} {{ key }}={{ value }} -{% endfor %} \ No newline at end of file +{% endfor %} From becdb0810c6522ede3d3bf17a6ef3099a95cb99d Mon Sep 17 00:00:00 2001 
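Review bot: The required-settings list does not include `matrix_element_call_jwt_service_url` or `matrix_element_call_domain`, yet env.j2 in the following commit renders both unconditionally, so an unset value passes validation and ends up as an empty `JWT_SERVICE_URL=` or a bare `https://` in the container environment; add `- {'name': 'matrix_element_call_jwt_service_url', when: true}` and `- {'name': 'matrix_element_call_domain', when: true}`. The `matrix_element_call_image` entry is also out of step with install.yml in patch 025, which pulls `matrix_element_call_container_image` — whichever name the role settles on is the one that should be validated here. Minor style: the flow mappings quote `'name'` but leave `when` bare; use one quoting style for both keys.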
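Review bot: `LIVEKIT_SECRET={{ matrix_element_call_livekit_dev_key }}` puts the LiveKit signing key into the single env file that the systemd units in patches 022 and 030 pass via `--env-file` to both the element-call container and the jwt-service container, so the browser-facing frontend receives a secret that only the JWT service needs. Render a separate env file for the JWT unit (or drop the key from this shared template) so the secret reaches only the process that signs tokens. If the JWT service is lk-jwt-service, it also expects the key id alongside the secret (`LIVEKIT_KEY=devkey`, matching `keys: devkey:` in livekit.yaml.j2) and the LiveKit URL; without the key id the tokens it mints cannot be matched to the configured key — worth confirming against the image actually used.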
From: Backslash Date: Thu, 26 Sep 2024 09:18:55 +1000 Subject: [PATCH 018/108] Update config.json.j2 --- roles/custom/matrix-element-call/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 index 1ce2f57c5..7c75144e3 100644 --- a/roles/custom/matrix-element-call/templates/config.json.j2 +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -8,4 +8,4 @@ "livekit": { "livekit_service_url": "{{ matrix_element_call_livekit_service_url }}" } -} \ No newline at end of file +} From f306a47b830e262d22f426d75f91a544f4719b41 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 09:22:29 +1000 Subject: [PATCH 019/108] Update livekit.yaml.j2 --- roles/custom/matrix-element-call/templates/livekit.yaml.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 b/roles/custom/matrix-element-call/templates/livekit.yaml.j2 index a53c0896a..384cf3722 100644 --- a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-element-call/templates/livekit.yaml.j2 @@ -18,4 +18,3 @@ turn: keys: devkey: "{{ matrix_element_call_livekit_dev_key }}" -logging: \ No newline at end of file From dfeca192abe6b319985e6bfccde8d3841d59a003 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 09:23:26 +1000 Subject: [PATCH 020/108] Update redis.conf.j2 --- roles/custom/matrix-element-call/templates/redis.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/redis.conf.j2 b/roles/custom/matrix-element-call/templates/redis.conf.j2 index da19af05a..993572096 100644 --- a/roles/custom/matrix-element-call/templates/redis.conf.j2 +++ b/roles/custom/matrix-element-call/templates/redis.conf.j2 
@@ -1,5 +1,5 @@
 bind 0.0.0.0
 protected-mode yes
-port 6379
+port {{ matrix_element_call_redis_port }}
 timeout 0
-tcp-keepalive 300
\ No newline at end of file
+tcp-keepalive 300
From 954d46cfd7bb8b3a960fd4f147be1597ccc401a0 Mon Sep 17 00:00:00 2001
From: Backslash
Date: Thu, 26 Sep 2024 09:25:49 +1000
Subject: [PATCH 021/108] Update labels.j2
---
 .../matrix-element-call/templates/labels.j2 | 52 ++++++++++++++++---
 1 file changed, 46 insertions(+), 6 deletions(-)
diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2
index ccfbdbf93..7e2ea810d 100644
--- a/roles/custom/matrix-element-call/templates/labels.j2
+++ b/roles/custom/matrix-element-call/templates/labels.j2
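Review bot: Templating the port does not change that this config combines `bind 0.0.0.0` with no `requirepass`; Redis only enforces `protected-mode yes` when no explicit bind address and no password are configured, so with the explicit bind the instance accepts unauthenticated connections from anything that can reach the templated port. The matrix-redis unit in patch 024 places the container on `matrix_element_call_container_network`, which the group_vars context in patch 026 resolves to the homeserver container network, so every container on that network gets an open Redis. Add a `requirepass {{ <new required setting, e.g. matrix_element_call_redis_password> }}` line (validated like the other required settings) and the matching password in livekit.yaml's redis section, or restrict `bind` to the container's own network address.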
@@ -1,6 +1,46 @@ -# Docker labels for Traefik or other routing -traefik.enable: "true" -traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.rule: "Host(`{{ matrix_element_call_hostname }}`)" -traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.entrypoints: "{{ matrix_element_call_container_labels_traefik_entrypoints }}" -traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.tls.certresolver: "{{ matrix_element_call_container_labels_traefik_tls_certResolver }}" -traefik.http.services.{{ matrix_element_call_hostname | replace('.', '_') }}-service.loadbalancer.server.port: "8080" +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-element-call.loadbalancer.server.port=8080 + +{% set middlewares = [] %} + +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %} +{% endif %} + +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} +{% endif %} + +{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} 
+traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} +{% if matrix_element_call_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-element-call.service=matrix-element-call +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} +{% if matrix_element_call_container_labels_traefik_tls %} +traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_element_call_container_extra_arguments }} From 45c8a61f043bce8548da17831438527dba9a5b09 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 11:39:33 +1000 Subject: [PATCH 022/108] Migrating to systemd for container management --- .../systemd/matrix-element-call.service.j2 | 35 +++++++++++++++---- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 8caad624f..ff08ff9fd 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
@@ -5,13 +5,34 @@ Requires=docker.service [Service] Type=simple -ExecStart=/usr/bin/docker start -a matrix-element-call -ExecStop=/usr/bin/docker stop matrix-element-call +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-element-call \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_element_call_container_network }} \ + -p {{ matrix_element_call_port }}:8080 \ + --env-file={{ matrix_element_call_base_path }}/config/env \ + --label-file={{ matrix_element_call_base_path }}/config/labels \ + {{ matrix_element_call_image }} \ + serve + +{% for network in matrix_element_call_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-element-call +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' Restart=always -User={{ matrix_user_username }} -Group={{ matrix_user_groupname }} -TimeoutStartSec=0 -RestartSec=10 +RestartSec=30 
+SyslogIdentifier=matrix-element-call [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target From bc9658c06b38f2a647154eb29720ddca33afe645 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 13:40:38 +1000 Subject: [PATCH 023/108] Create matrix-livekit.service.j2 --- .../systemd/matrix-livekit.service.j2 | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 new file mode 100644 index 000000000..0b28522a5 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 
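Review bot: `-p {{ matrix_element_call_port }}:8080 \` publishes the container on every host interface unconditionally, even though the labels file routes it through Traefik on the container network; with both in place the service is also reachable in the clear on the raw port, bypassing the reverse proxy's TLS and middlewares. Make the publish conditional on a host-bind variable that defaults to empty — `{% if matrix_element_call_container_http_host_bind_port %}` / `-p {{ matrix_element_call_container_http_host_bind_port }}:8080 \` / `{% endif %}` (variable name is a suggestion) — and document that a loopback value such as `127.0.0.1:8080` is the safe choice when it is set. The same unconditional `-p` appears in the jwt-service unit in patch 030. `--rm` on `docker create` together with the explicit `docker rm` in ExecStop is redundant but harmless.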
@@ -0,0 +1,32 @@
+[Unit]
+Description=Matrix LiveKit Service
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-livekit \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network=host \
+ --mount type=bind,src={{ matrix_element_call_backend_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \
+ {{ matrix_livekit_image }} \
+ --dev --config /etc/livekit.yaml
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-livekit
+
+[Install]
+WantedBy=multi-user.target
From e910d09ff142d6e931e4d4d238f14b2ad08817a3 Mon Sep 17 00:00:00 2001
From: Backslash
Date: Thu, 26 Sep 2024 14:52:30 +1000
Subject: [PATCH 024/108] Create matrix-redis.service.j2
---
 .../templates/systemd/matrix-redis.service.j2 | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2
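Review bot: The container runs livekit-server with `--dev`, which, as far as I recall, turns on development mode (debug logging and a built-in default key pair when no key is configured); since the signing key is already supplied through livekit.yaml, the flag should be dropped from `--dev --config /etc/livekit.yaml` for a deployed service, or if it is deliberate, stated on the line above it (`# --dev: development mode — remove before production use`). `--network=host` also puts LiveKit's signalling and media ports directly on every host interface, so the role's documentation should list which ports must be reachable and that host firewalling is the only thing limiting exposure. The `--user`, `--cap-drop=ALL` and read-only config mount are good; keep them.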
diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2
new file mode 100644
index 000000000..17adad1b4
--- /dev/null
+++ b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=Matrix Redis Service
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-redis 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-redis 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-redis \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network={{ matrix_element_call_container_network }} \
+ --mount type=bind,src={{ matrix_element_call_backend_path }}/redis.conf,dst=/etc/redis.conf,ro \
+ {{ matrix_redis_image }} \
+ redis-server /etc/redis.conf
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-redis
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-redis 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-redis 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-redis
+
+[Install]
+WantedBy=multi-user.target
From f16ca24408e622650e257e9a99f485278f6a5b23 Mon Sep 17 00:00:00 2001
From: Backslash Date: Thu, 26 Sep 2024 15:17:15 +1000 Subject: [PATCH 025/108] Update install.yml --- .../matrix-element-call/tasks/install.yml | 133 ++++++++++++++---- 1 file changed, 105 insertions(+), 28 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 18b525e4a..c0e16456b 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -1,5 +1,5 @@ --- -# Main installation tasks for matrix-element-call +# roles/custom/matrix-element-call/tasks/install.yml # Ensure Required Directories Exist - name: Ensure matrix-element-call paths exist 
@@ -9,51 +9,65 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - with_items: + loop: - path: "{{ matrix_element_call_base_path }}" - - path: "{{ matrix_element_call_config_path }}" - - path: "{{ matrix_element_call_backend_path }}" + - path: "{{ matrix_element_call_base_path }}/data" + - path: "{{ matrix_element_call_base_path }}/config" + - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config # Ensure Configuration Files are in Place -- name: Ensure matrix-element-call support files installed +- name: Ensure Element Call config.json is in place ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_element_call_base_path }}/{{ item }}" + src: "{{ role_path }}/templates/config.json.j2" + dest: "{{ matrix_element_call_base_path }}/config/config.json" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - with_items: - - config.json - - env - - labels -- name: Ensure livekit.yaml is installed +- name: Ensure LiveKit livekit.yaml is in place ansible.builtin.template: src: "{{ role_path }}/templates/livekit.yaml.j2" - dest: "{{ matrix_element_call_backend_path }}/livekit.yaml" + dest: "{{ matrix_element_call_base_path }}/backend/livekit.yaml" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure redis.conf is installed +- name: Ensure Redis redis.conf is in place ansible.builtin.template: src: "{{ role_path }}/templates/redis.conf.j2" - dest: "{{ matrix_element_call_backend_path }}/redis.conf" + dest: "{{ matrix_element_call_base_path }}/backend/redis.conf" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call environment file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_element_call_base_path }}/config/env" + mode: 0640 + owner: "{{ matrix_user_username }}" + 
group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call Docker labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_element_call_base_path }}/config/labels" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" # Ensure Docker Images are Pulled -- name: Ensure matrix-element-call container image is pulled +- name: Ensure matrix-element-call Docker image is pulled community.docker.docker_image: - name: "{{ matrix_element_call_image }}" + name: "{{ matrix_element_call_container_image }}" source: pull + force_source: "{{ matrix_element_call_container_image_force_pull }}" register: element_call_image_result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" until: element_call_image_result is not failed -- name: Ensure jwt-service container image is pulled +- name: Ensure jwt-service Docker image is pulled community.docker.docker_image: name: "{{ matrix_jwt_service_image }}" source: pull @@ -62,7 +76,7 @@ delay: 10 until: jwt_image_result is not failed -- name: Ensure livekit container image is pulled +- name: Ensure livekit Docker image is pulled community.docker.docker_image: name: "{{ matrix_livekit_image }}" source: pull @@ -71,7 +85,7 @@ delay: 10 until: livekit_image_result is not failed -- name: Ensure redis container image is pulled +- name: Ensure redis Docker image is pulled community.docker.docker_image: name: "{{ matrix_redis_image }}" source: pull 
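Review bot: The image-pull task now reads `matrix_element_call_container_image` and `matrix_element_call_container_image_force_pull`, while defaults/main.yml (patch 027 context), validate_config.yml (patch 016) and the systemd unit (patch 022) all use `matrix_element_call_image`; neither `_container_image` name is defined anywhere on this page, so the task fails on an undefined variable unless it is set elsewhere. Either rename the default to `matrix_element_call_container_image` throughout or point the pull at `name: "{{ matrix_element_call_image }}"`. The three other pulls hard-code `delay: 10` where the first uses `devture_playbook_help_container_retries_delay`; make them consistent. Style: `mode: 0750` / `mode: 0640` are unquoted octals that PyYAML reads as integers, whereas the later tasks in this file write `mode: '0644'`; pick the quoted form file-wide.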
@@ -80,15 +94,8 @@ delay: 10 until: redis_image_result is not failed -# Ensure Docker Networks are Created -- name: Ensure matrix-element-call container network is created - community.general.docker_network: - enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" - name: "{{ matrix_element_call_container_network }}" - driver: bridge - driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" +# Systemd Services for Element Call, JWT Service, LiveKit, and Redis -# Deploy Systemd Services for Containers - name: Ensure matrix-element-call systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2" 
@@ -112,3 +119,73 @@ src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" mode: 0644 + +# Update homeserver.yaml for Element Call +- name: Add listeners section for Element Call to homeserver.yaml + ansible.builtin.blockinfile: + path: "{{ matrix_homeserver_config_path }}" + block: | + listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + resources: + - names: [client, federation, openid] + compress: false + marker: "# ANSIBLE MANAGED BLOCK - Element Call listeners" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_element_call_enabled | bool + +- name: Ensure serve_server_wellknown is enabled in homeserver.yaml + ansible.builtin.lineinfile: + path: "{{ matrix_homeserver_config_path }}" + line: "serve_server_wellknown: true" + insertafter: EOF + state: present + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_element_call_enabled | bool + +# Update the .well-known/matrix/client file +- name: Update the well-known client file + ansible.builtin.template: + src: "{{ role_path }}/templates/well_known_client.json.j2" + dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# Create .well-known/element/element.json for Element Call +- name: Create the well-known element.json file + ansible.builtin.template: + src: "{{ role_path }}/templates/well_known_element.json.j2" + dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/element/element.json" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# Update Element Web config.json with Element Call settings +- name: Update Element Web config.json + ansible.builtin.blockinfile: + path: "{{ element_web_config_path }}" + block: | + 
"features": { + "feature_video_rooms": true, + "feature_new_room_decoration_ui": true, + "feature_group_calls": true, + "feature_element_call_video_rooms": true + }, + "element_call": { + "url": "https://{{ matrix_element_call_domain }}", + "participant_limit": 8, + "brand": "Element Call", + "use_exclusively": true + } + marker: "# ANSIBLE MANAGED BLOCK - Element Call settings" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" From a533ec4204343de6469b80d0bd5ebba4b412ffdb Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 15:38:12 +1000 Subject: [PATCH 026/108] Update matrix_servers --- group_vars/matrix_servers | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c36c348e0..ff107af21 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5890,6 +5890,7 @@ matrix_element_call_container_network: "{{ matrix_homeserver_container_network } # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" @@ -5922,4 +5923,4 @@ matrix_element_call_metrics_port: 2112 # # # /matrix-element-call # # # -######################################################################## \ No newline at end of file +######################################################################## From e31e688a416ffad0d9c9aa4f9d8187ef3faf2755 Mon Sep 17 00:00:00 2001 
From: Backslash Date: Thu, 26 Sep 2024 15:42:05 +1000 Subject: [PATCH 027/108] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 972941d91..de507b704 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -9,6 +9,7 @@ matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" # Docker network configuration matrix_element_call_container_network: "matrix_element_call_network" +matrix_element_call_container_labels_traefik_additional_response_headers: {} # Docker images matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" From f7621283fdb4690e65709f9f649d01419b06c373 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 16:31:23 +1000 Subject: [PATCH 028/108] Update labels.j2 --- .../matrix-element-call/templates/labels.j2 | 41 ++++++++----------- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 index 7e2ea810d..a31c6ea6b 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/labels.j2 
@@ -5,42 +5,35 @@ traefik.enable=true traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-element-call.loadbalancer.server.port=8080 +# Define the Traefik router rule +traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.element-call-service.loadbalancer.server.port=8080 {% set middlewares = [] %} +# Define any path prefix redirection or stripping middleware {% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %} -{% endif %} - -{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} + +traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['element-call-strip-prefix'] %} 
{% endif %} +# Apply any additional response headers if provided {% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +{% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} -{% if matrix_element_call_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} -{% endif %} -traefik.http.routers.matrix-element-call.service=matrix-element-call +# Add middlewares to the router {% if middlewares | length > 0 %} -traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} -{% endif %} -traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} -{% if matrix_element_call_container_labels_traefik_tls %} -traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} {% endif %} - -{{ matrix_element_call_container_extra_arguments }} From bc2ed6076260e2720ec230b49d245f4f0173c1dc Mon Sep 17 00:00:00 2001 
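Review bot: `traefik.http.routers.element-call-router.tls.certresolver=…` is now emitted unconditionally and the `…tls={{ matrix_element_call_container_labels_traefik_tls | to_json }}` label with its `{% if matrix_element_call_container_labels_traefik_tls %}` guard was removed, so a deployment that sets that variable to false (if it is still defined) silently gets a TLS router anyway; restore the guard around the certresolver line. The `priority` label was dropped as well, which matters when the path-prefix rule must win over a broader Host rule. The renamed `element-call-router` / `element-call-service` keys lose the `matrix-` prefix carried by the container and every other resource in this role; keeping `matrix-element-call` keeps them greppable and avoids clashing with any other Traefik service named `element-call`. Lines beginning with `#` in a `--label-file` are skipped by Docker's parser, so the new comments are fine.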
From: Backslash Date: Thu, 26 Sep 2024 17:23:03 +1000 Subject: [PATCH 029/108] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index de507b704..1fa2c57d9 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -10,6 +10,7 @@ matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" # Docker network configuration matrix_element_call_container_network: "matrix_element_call_network" matrix_element_call_container_labels_traefik_additional_response_headers: {} +matrix_element_call_container_additional_networks: [] # No additional networks by default # Docker images matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" From ac1295ac455ce82731c6a8ea9c42db0d2c48eeb3 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 18:33:22 +1000 Subject: [PATCH 030/108] Create matrix-jwt-service.service.j2 --- .../systemd/matrix-jwt-service.service.j2 | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 new file mode 100644 index 000000000..1df21478d --- /dev/null +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 
@@ -0,0 +1,38 @@ +[Unit] +Description=Matrix JWT Service +After=docker.service +Requires=docker.service + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-jwt-service \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_element_call_container_network }} \ + -p {{ matrix_jwt_service_port }}:8080 \ + --env-file={{ matrix_element_call_base_path }}/config/env \ + --label-file={{ matrix_element_call_base_path }}/config/labels \ + {{ matrix_jwt_service_image }} \ + serve + +{% for network in matrix_element_call_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-jwt-service + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jwt-service + +[Install] +WantedBy=multi-user.target From f38d6a0d88067cb64c9a266ab7963fbe57b16482 Mon Sep 17 00:00:00 2001 
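Review bot: The `-p {{ matrix_jwt_service_port }}:8080 \` line publishes the token issuer on every host interface, bypassing the Traefik router (and any TLS or header middleware) that the `--label-file` line configures for the same container. Traefik reaches the container over `{{ matrix_element_call_container_network }}`, so the publish is not needed for the proxied path; drop it, or at least bind it locally with `-p 127.0.0.1:{{ matrix_jwt_service_port }}:8080 \`. That same line shows the process listening on container port 8080, so any Traefik `loadbalancer.server.port` label for this container must say 8080, not the host-side port. The `--env-file` is shared with the Element Call frontend container; if it carries the LiveKit API secret that lk-jwt-service signs with, confirm the file is owned by the matrix user with mode 0640 and that the frontend container genuinely needs that file at all.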
From: Backslash Date: Thu, 26 Sep 2024 18:39:03 +1000 Subject: [PATCH 031/108] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 1fa2c57d9..33525303d 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -6,6 +6,7 @@ matrix_element_call_enabled: false matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" +matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" # Docker network configuration matrix_element_call_container_network: "matrix_element_call_network" From 9cb236da30795dd3071e4a7ee1e531d830fb99b7 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 18:50:48 +1000 Subject: [PATCH 032/108] Update install.yml --- .../matrix-element-call/tasks/install.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index c0e16456b..ccf2d4121 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
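Review bot: `matrix_homeserver_config_path` hard-codes the Synapse location under a name with no `matrix_element_call_` prefix, so it reads like a playbook-wide fact and will silently be wrong on deployments that run a different homeserver. If it only feeds this role's `update_homeserver_config.yml`, rename it `matrix_element_call_homeserver_config_path` and document the limitation, e.g. `# Synapse only: the role edits homeserver.yaml in place; other homeservers are not handled`. Because editing the live homeserver.yaml in place is riskier than the playbook's templated config, consider guarding those tasks with the playbook's homeserver-implementation variable if one exists.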
@@ -150,11 +150,18 @@ group: "{{ matrix_user_groupname }}" when: matrix_element_call_enabled | bool -# Update the .well-known/matrix/client file -- name: Update the well-known client file - ansible.builtin.template: - src: "{{ role_path }}/templates/well_known_client.json.j2" - dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" +# Update the well-known client file for Element Call (adding RTC FOCI) +- name: Update the existing well-known client file for Element Call (RTC FOCI) + ansible.builtin.blockinfile: + path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" + block: | + "org.matrix.msc4143.rtc_foci": [ + { + "type": "livekit", + "livekit_service_url": "{{ matrix_element_call_jwt_service_url }}" + } + ] + marker: "# ANSIBLE MANAGED BLOCK - Element Call RTC FOCI" mode: '0644' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" From f2acc7430dc6865ec6ac847339a8c6c8b69962b8 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 18:53:49 +1000 Subject: [PATCH 033/108] Create well_known_element.json.j2 --- .../matrix-element-call/templates/well_known_element.json.j2 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/well_known_element.json.j2 diff --git a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 new file mode 100644 index 000000000..eae63cf83 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 @@ -0,0 +1,5 @@ +{ + "call": { + "widget_url": "https://{{ matrix_element_call_domain }}" + } +} From ba54e549c47927951490088b1ef962a36a063306 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:08:09 +1000 Subject: [PATCH 034/108] Added well-known element directory --- roles/custom/matrix-element-call/tasks/install.yml | 1 + 1 file changed, 1 insertion(+) 
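Review bot: The new `blockinfile` task appends a bare `"org.matrix.msc4143.rtc_foci": [...]` fragment wrapped in `# ANSIBLE MANAGED BLOCK` markers to `.well-known/matrix/client`; `#` comments are not valid JSON and a block inserted after the document's closing `}` makes the whole file unparsable, so clients would lose homeserver auto-discovery instead of gaining the LiveKit focus. Regenerate the file as a whole from a template that emits the key inside the top-level object, or feed it through whatever mechanism the playbook already has for extra well-known client keys, rather than text-patching the JSON. The fixed `marker` does mean a re-run with a changed `matrix_element_call_jwt_service_url` replaces the block instead of duplicating it, but confirm `uninstall.yml` removes the block too, since the hunk does not show that.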
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index ccf2d4121..93fbeba95 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -14,6 +14,7 @@ - path: "{{ matrix_element_call_base_path }}/data" - path: "{{ matrix_element_call_base_path }}/config" - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config + - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element" # Directory for element.json # Ensure Configuration Files are in Place - name: Ensure Element Call config.json is in place From 3f6c327da288c00e1cfc24d27fa15d142d26e74a Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:18:47 +1000 Subject: [PATCH 035/108] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 33525303d..5de1b8f94 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -7,6 +7,7 @@ matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" +element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" # Docker network configuration matrix_element_call_container_network: "matrix_element_call_network" From 85be68946cbac0a21302a1746b3a61d6ab3a6953 Mon Sep 17 00:00:00 2001 
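Review bot: `element_web_config_path` points at `.well-known/matrix/client`, which is the homeserver's client discovery document rather than Element Web's config, and the name carries no role prefix, so it can shadow a variable another role owns with last-loaded-wins semantics. Rename it to describe what it is and keep the prefix convention used by every other default in this file, e.g. `matrix_element_call_well_known_client_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client"`.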
From: Backslash Date: Thu, 26 Sep 2024 19:30:15 +1000 Subject: [PATCH 036/108] Migrated from matrix_redis to redis_ --- roles/custom/matrix-element-call/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 5de1b8f94..35c3d90ed 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -18,12 +18,12 @@ matrix_element_call_container_additional_networks: [] # No additional networks matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" matrix_livekit_image: "livekit/livekit-server:latest" -matrix_redis_image: "redis:6-alpine" +redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" matrix_jwt_service_port: "8881" -matrix_redis_port: "6379" +redis_port: "6379" # LiveKit configuration matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars @@ -37,7 +37,7 @@ matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" # Redis Configuration for Element Call redis_hostname: "localhost" -redis_port: 6379 +#redis_port: 6379 redis_password: "" # Traefik Configuration for Element Call From 6ef304b118e9d1bd58943ac2f8c34f2ed342357c Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:43:22 +1000 Subject: [PATCH 037/108] Update validate_config.yml --- roles/custom/matrix-element-call/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 1feccecb8..c0e0ef940 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml 
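Review bot: Renaming to bare `redis_image`, `redis_port`, `redis_hostname` and `redis_password` drops the role namespace, so these defaults collide with any other role in the playbook that owns the `redis_` prefix and whichever loads last wins silently; keep role-scoped names (`matrix_element_call_redis_*`) and map them onto a shared Redis role's variables in group_vars if reuse is the intent. In the same hunk `redis_password: ""` leaves the LiveKit Redis with no AUTH, which is only acceptable while it stays on the private `matrix_element_call_container_network` and is never published with `-p`; a comment such as `# Empty = no AUTH; only safe because Redis is reachable solely over the role's private Docker network` would stop someone adding a host port later. Separately, the context lines pin every image to a floating tag (`:latest`, `:latest-ci`, `redis:6-alpine`), so a routine pull changes what runs without any playbook change; pin versions (or digests) and expose them as `*_version` variables like the rest of the playbook does.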
@@ -12,6 +12,6 @@ - {'name': 'matrix_element_call_image', when: true} - {'name': 'matrix_jwt_service_image', when: true} - {'name': 'matrix_livekit_image', when: true} - - {'name': 'matrix_redis_image', when: true} + - {'name': 'redis_image', when: true} - {'name': 'matrix_element_call_livekit_dev_key', when: true} - {'name': 'matrix_element_call_livekit_service_url', when: true} From 656d4275bcab2a638f18a1442ce4b6dad9e79af4 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:48:06 +1000 Subject: [PATCH 038/108] Update install.yml --- roles/custom/matrix-element-call/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 93fbeba95..5e3c716d3 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -88,7 +88,7 @@ - name: Ensure redis Docker image is pulled community.docker.docker_image: - name: "{{ matrix_redis_image }}" + name: "{{ redis_image }}" source: pull register: redis_image_result retries: 3 From e34e5da9a4d27d3d656dd48fe3409f7d2b769300 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:57:39 +1000 Subject: [PATCH 039/108] Update matrix-redis.service.j2 --- .../templates/systemd/matrix-redis.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 index 17adad1b4..5cccced16 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 
@@ -17,7 +17,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --network={{ matrix_element_call_container_network }} \ --mount type=bind,src={{ matrix_element_call_backend_path }}/redis.conf,dst=/etc/redis.conf,ro \ - {{ matrix_redis_image }} \ + {{ redis_image }} \ redis-server /etc/redis.conf ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-redis From 5cc9c70ba6fc95a575b380fa55ab9f058fd59766 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 20:57:47 +1000 Subject: [PATCH 040/108] Remove serve command from matrix-element-call.service.j2 --- .../templates/systemd/matrix-element-call.service.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index ff08ff9fd..21ddd54f3 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -19,8 +19,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ -p {{ matrix_element_call_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ --label-file={{ matrix_element_call_base_path }}/config/labels \ - {{ matrix_element_call_image }} \ - serve + {{ matrix_element_call_image }} {% for network in matrix_element_call_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-element-call From f0632b20ebed7611373b690fe8483960b2d36230 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 21:24:43 +1000 Subject: [PATCH 041/108] Added missing labels for sfu and jwt --- .../matrix-element-call/templates/labels.j2 | 33 ++++++++++++++++--- 1 file changed, 29 insertions(+), 4 deletions(-) 
diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 index a31c6ea6b..a13a75ef0 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/labels.j2 @@ -5,7 +5,7 @@ traefik.enable=true traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -# Define the Traefik router rule +# Element Call Labels traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} @@ -13,7 +13,7 @@ traefik.http.services.element-call-service.loadbalancer.server.port=8080 {% set middlewares = [] %} -# Define any path prefix redirection or stripping middleware +# Path prefix handling for Element Call {% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ @@ -23,7 +23,7 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% set middlewares = middlewares + ['element-call-strip-prefix'] %} {% endif %} -# Apply any additional response headers if provided +# Additional response headers for Element Call {% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} 
@@ -31,9 +31,34 @@ traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders. {% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -# Add middlewares to the router +# Add middlewares to the Element Call router {% if middlewares | length > 0 %} traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} +# LiveKit Labels +traefik.http.routers.sfu-router.rule=Host(`{{ matrix_element_call_livekit_service_url | regex_replace('^https?://', '') }}`) +traefik.http.routers.sfu-router.entrypoints=websecure +traefik.http.routers.sfu-router.tls.certresolver=default +traefik.http.services.sfu-service.loadbalancer.server.port=7880 +traefik.http.middlewares.sfu-headers.headers.customFrameOptionsValue=SAMEORIGIN +traefik.http.middlewares.sfu-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff +traefik.http.middlewares.sfu-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload +traefik.http.routers.sfu-router.middlewares=sfu-headers + +# JWT Labels +traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_service_url | regex_replace('^https?://', '') }}`) +traefik.http.routers.jwt-router.entrypoints=websecure +traefik.http.routers.jwt-router.tls.certresolver=default +traefik.http.services.jwt-service.loadbalancer.server.port=8881 +traefik.http.middlewares.jwt-headers.headers.customFrameOptionsValue=SAMEORIGIN +traefik.http.middlewares.jwt-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff +traefik.http.middlewares.jwt-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload +traefik.http.routers.jwt-router.middlewares=jwt-headers + {% endif %} + +# Additional labels (if any) specified by the user +{% for key, value in matrix_element_call_container_extra_arguments.items() %} +{{ key }}={{ value }} +{% endfor %} 
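Review bot: The closing `{% for key, value in matrix_element_call_container_extra_arguments.items() %}` loop treats `matrix_element_call_container_extra_arguments` as a mapping, but the earlier template rendered it as a plain value and in this playbook `*_container_extra_arguments` conventionally holds a list of docker CLI flags, so `.items()` fails at render time and, even if it did not, CLI flags do not belong in a label file. Use a dedicated `matrix_element_call_container_labels_additional_labels` value for user labels and leave `extra_arguments` to the systemd unit. The LiveKit and JWT routers added in this hunk also hard-code `websecure` and `default` instead of the `matrix_element_call_container_labels_traefik_entrypoints`/`_tls_certResolver` variables used a few lines above, and because this label file is attached to the Element Call container, `sfu-service` and `jwt-service` direct Traefik at ports 7880/8881 on a container that serves neither.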
From 6a519bb05332940f6b19c70345a1d3eb8671731f Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:08:42 +1000 Subject: [PATCH 042/108] Created element-call-labels to separate the labels for each container --- .../templates/element-call-labels.j2 | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/element-call-labels.j2 diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 new file mode 100644 index 000000000..a31c6ea6b --- /dev/null +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
@@ -0,0 +1,39 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +# Define the Traefik router rule +traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.element-call-service.loadbalancer.server.port=8080 + +{% set middlewares = [] %} + +# Define any path prefix redirection or stripping middleware +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} + +traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['element-call-strip-prefix'] %} +{% endif %} + +# Apply any additional response headers if provided +{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['element-call-add-headers'] %} +{% endif %} + +# Add middlewares to the router +{% if middlewares | length > 0 %} 
+traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} +{% endif %} + +{% endif %} From 2cf471075db355f6df66ffb188424425be1c8981 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:09:32 +1000 Subject: [PATCH 043/108] Created livekit-labels.j2 --- .../matrix-element-call/templates/livekit-labels.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/livekit-labels.j2 diff --git a/roles/custom/matrix-element-call/templates/livekit-labels.j2 b/roles/custom/matrix-element-call/templates/livekit-labels.j2 new file mode 100644 index 000000000..df680b2a7 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/livekit-labels.j2 @@ -0,0 +1,13 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +# Define the Traefik router rule for LiveKit +traefik.http.routers.livekit-router.rule=Host(`{{ matrix_element_call_sfu_hostname }}`) +traefik.http.routers.livekit-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.livekit-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.livekit-service.loadbalancer.server.port=7880 +{% endif %} From 1d7a60055c2114c35ab64e18157a79f86fbcf33b Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:10:06 +1000 Subject: [PATCH 044/108] Create jwt-service-labels.j2 --- .../templates/jwt-service-labels.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/jwt-service-labels.j2 
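Review bot: This new template copies the router section of the existing labels file but drops two knobs the original honoured, `matrix_element_call_container_labels_traefik_priority` and `matrix_element_call_container_labels_traefik_tls`, so if they are still set in group_vars they become silent no-ops and TLS is unconditionally on. Either re-add the `{% if matrix_element_call_container_labels_traefik_priority | int > 0 %}` priority label and the `tls={{ ... | to_json }}` line, or remove the variables from the role so users get an undefined-variable error instead of a no-op. A later commit in this series renames the file to `element-call-labels.j2-new`, which leaves an unused template in the role.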
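Review bot: `matrix_element_call_sfu_hostname` is not defined in any defaults shown in this series (the role keeps the SFU address in `matrix_element_call_livekit_service_url`), so unless it is set elsewhere the template fails on first render with an undefined variable. Derive it from the existing value, `Host(`{{ matrix_element_call_livekit_service_url | regex_replace('^https?://', '') }}`)`, as the earlier labels file did, or add it to defaults/main.yml. Note also that the LiveKit unit runs with `--network=host`, so the container has no address on the `traefik.docker.network` named here; confirm how this Traefik resolves host-network containers before relying on these labels, as an explicit file-provider service pointing at the host may be needed instead.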
diff --git a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 new file mode 100644 index 000000000..86b314cf4 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 @@ -0,0 +1,13 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +# Define the Traefik router rule for JWT Service +traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_service_hostname }}`) +traefik.http.routers.jwt-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.jwt-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.jwt-service.loadbalancer.server.port=8881 +{% endif %} From 80763804f914506b119f4b90fdd2013901d91648 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:16:56 +1000 Subject: [PATCH 045/108] Updated label file --- .../templates/systemd/matrix-element-call.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 21ddd54f3..eded8dc6a 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
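Review bot: `traefik.http.services.jwt-service.loadbalancer.server.port=8881` names the host-side port, but the matrix-jwt-service unit maps `-p {{ matrix_jwt_service_port }}:8080`, i.e. the process listens on 8080 inside the container, and Traefik's `server.port` is the container port, so this router gets connection refused; change it to `traefik.http.services.jwt-service.loadbalancer.server.port=8080`. `matrix_element_call_jwt_service_hostname` is likewise not defined in the defaults shown (the role has `matrix_element_call_jwt_service_url`), so add it to defaults or derive it with `regex_replace('^https?://', '')`. Since this endpoint mints LiveKit tokens, consider carrying over the header middleware the earlier combined labels file set (HSTS, `X-Content-Type-Options: nosniff`) rather than dropping it in the split.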
@@ -18,7 +18,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --network={{ matrix_element_call_container_network }} \ -p {{ matrix_element_call_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ - --label-file={{ matrix_element_call_base_path }}/config/labels \ + --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ {{ matrix_element_call_image }} {% for network in matrix_element_call_container_additional_networks %} From d2e2781d3b715ea3872c60fe5a2290a6d55c30ef Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:18:27 +1000 Subject: [PATCH 046/108] Updated label file --- .../templates/systemd/matrix-jwt-service.service.j2 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 index 1df21478d..7d2ac8fd8 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 @@ -18,9 +18,8 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --network={{ matrix_element_call_container_network }} \ -p {{ matrix_jwt_service_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ - --label-file={{ matrix_element_call_base_path }}/config/labels \ - {{ matrix_jwt_service_image }} \ - serve + --label-file={{ matrix_element_call_base_path }}/config/jwt-service-labels \ + {{ matrix_jwt_service_image }} {% for network in matrix_element_call_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service From 2f2cb8962e64984f5c62acbe176a54c5a6d96591 Mon Sep 17 00:00:00 2001 
From: Backslash Date: Fri, 27 Sep 2024 08:19:26 +1000 Subject: [PATCH 047/108] Updated livekit labels --- .../templates/systemd/matrix-livekit.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 index 0b28522a5..4b7f3ea8a 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 @@ -17,6 +17,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --network=host \ --mount type=bind,src={{ matrix_element_call_backend_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ + --label-file={{ matrix_element_call_base_path }}/config/livekit-labels \ {{ matrix_livekit_image }} \ --dev --config /etc/livekit.yaml From df4bf4a0c930b549316180a1880dc55f00fbbf71 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:23:24 +1000 Subject: [PATCH 048/108] Added tasks for moving the new labels files into place --- .../matrix-element-call/tasks/install.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 5e3c716d3..fdb607871 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
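Review bot: The unit starts LiveKit with `--dev`, which switches on livekit-server's development mode (debug logging and pprof, and — as far as I recall the CLI, confirm against the LiveKit docs — a fallback to the well-known `devkey`/`secret` API pair when no keys are configured); since the role renders `livekit.yaml` with its own key, drop the flag for production or add a comment explaining why it must stay, and make sure a missing key fails rather than falling back. The `--label-file` added here presumes Traefik can reach the container, but `--network=host` two lines above means the docker provider has no network address for it; confirm how Traefik resolves host-network containers in this setup before relying on these labels. The `matrix_element_call_livekit_dev_key` name itself invites reuse of a development secret; `matrix_element_call_livekit_api_key`/`_api_secret` with a `validate_config` check that the value is not the literal `devkey` would be safer.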
@@ -52,7 +52,23 @@ - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/labels" + dest: "{{ matrix_element_call_base_path }}/config/element-call-labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure LiveKit labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/livekit-labels.j2" + dest: "{{ matrix_element_call_base_path }}/config/livekit-labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure JWT Service labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/jwt-service-labels.j2" + dest: "{{ matrix_element_call_base_path }}/config/jwt-service-labels" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" From dd96b93d899b7ba6c46cef8e93b86d5068b55ac8 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:34:01 +1000 Subject: [PATCH 049/108] Update matrix-element-call.service.j2 --- .../systemd/matrix-element-call.service.j2 | 56 +++++++++---------- 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index eded8dc6a..488b1f400 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
@@ -1,37 +1,31 @@ -[Unit] -Description=Matrix Element Call Service -After=docker.service -Requires=docker.service +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-element-call \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_element_call_container_network }} \ - -p {{ matrix_element_call_port }}:8080 \ - --env-file={{ matrix_element_call_base_path }}/config/env \ - --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ - {{ matrix_element_call_image }} +# Define the Traefik router rule +traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.element-call-service.loadbalancer.server.port=8080 -{% for network in matrix_element_call_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} 
matrix-element-call -{% endfor %} +{% set middlewares = [] %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call +# Define any path prefix redirection or stripping middleware +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-element-call +traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['element-call-strip-prefix'] %} +{% endif %} -[Install] -WantedBy=multi-user.target +# Add middlewares to the router +{% if middlewares | length > 0 %} +traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} +{% endif %} + +{% endif %} From 3264408758bf162dfba2724f20a6cc0b015df227 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:49:55 +1000 Subject: [PATCH 050/108] Rename element-call-labels.j2 to element-call-labels.j2-new --- .../{element-call-labels.j2 => element-call-labels.j2-new} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/custom/matrix-element-call/templates/{element-call-labels.j2 => element-call-labels.j2-new} (100%) 
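Review bot: The new side of this hunk replaces the entire contents of `systemd/matrix-element-call.service.j2` — `[Unit]`, `[Service]`, the `docker create` invocation and `[Install]` — with Traefik label lines, so the rendered file is no longer a systemd unit: it has no `ExecStart`, systemd will reject it, and the Element Call frontend never starts. The content matches `element-call-labels.j2`, so this looks like the wrong file was edited; restore the unit body and keep the label edits in the labels template. Unless a later commit in the series reverts this, it also discards the `--user`, `--cap-drop=ALL` and `--log-driver=none` hardening that the removed lines carried.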
diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2-new similarity index 100% rename from roles/custom/matrix-element-call/templates/element-call-labels.j2 rename to roles/custom/matrix-element-call/templates/element-call-labels.j2-new From 25909b102945fbd030466fcc04b4f861d1418587 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:51:27 +1000 Subject: [PATCH 051/108] Update and rename labels.j2 to element-call-labels.j2 --- .../{labels.j2 => element-call-labels.j2} | 20 ------------------- 1 file changed, 20 deletions(-) rename roles/custom/matrix-element-call/templates/{labels.j2 => element-call-labels.j2} (61%) diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 similarity index 61% rename from roles/custom/matrix-element-call/templates/labels.j2 rename to roles/custom/matrix-element-call/templates/element-call-labels.j2 index a13a75ef0..7ec9aa164 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
@@ -36,26 +36,6 @@ traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders. traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} -# LiveKit Labels -traefik.http.routers.sfu-router.rule=Host(`{{ matrix_element_call_livekit_service_url | regex_replace('^https?://', '') }}`) -traefik.http.routers.sfu-router.entrypoints=websecure -traefik.http.routers.sfu-router.tls.certresolver=default -traefik.http.services.sfu-service.loadbalancer.server.port=7880 -traefik.http.middlewares.sfu-headers.headers.customFrameOptionsValue=SAMEORIGIN -traefik.http.middlewares.sfu-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff -traefik.http.middlewares.sfu-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload -traefik.http.routers.sfu-router.middlewares=sfu-headers - -# JWT Labels -traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_service_url | regex_replace('^https?://', '') }}`) -traefik.http.routers.jwt-router.entrypoints=websecure -traefik.http.routers.jwt-router.tls.certresolver=default -traefik.http.services.jwt-service.loadbalancer.server.port=8881 -traefik.http.middlewares.jwt-headers.headers.customFrameOptionsValue=SAMEORIGIN -traefik.http.middlewares.jwt-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff -traefik.http.middlewares.jwt-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload -traefik.http.routers.jwt-router.middlewares=jwt-headers - {% endif %} # Additional labels (if any) specified by the user From 1721e85195e2aa6fcd3ce53ffa3a302cb0af6d22 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:00:03 +1000 Subject: [PATCH 052/108] Corrected element call labels file name --- roles/custom/matrix-element-call/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index fdb607871..ba3a8704d 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -51,7 +51,7 @@ - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: - src: "{{ role_path }}/templates/labels.j2" + src: "{{ role_path }}/templates/element-call-labels.j2" dest: "{{ matrix_element_call_base_path }}/config/element-call-labels" mode: 0640 owner: "{{ matrix_user_username }}" From 510cfb2dace4bb23332dc4596fcff0395053885f Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:14:29 +1000 Subject: [PATCH 053/108] Update matrix_servers --- group_vars/matrix_servers | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ff107af21..6c80b0884 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5896,6 +5896,7 @@ matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_cal matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" matrix_element_call_container_labels_traefik_entrypoints: "websecure" matrix_element_call_container_labels_traefik_tls_certResolver: "default" +matrix_element_call_container_labels_traefik_additional_response_headers: {} # JWT Service Configuration matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed From 5f49433f6c93e45f1e253d9981d4b23a098c9478 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:15:21 +1000 Subject: [PATCH 054/108] Handle empty labels correctly. --- .../custom/matrix-element-call/templates/element-call-labels.j2 | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 7ec9aa164..915ab6e25 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -39,6 +39,8 @@ traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') {% endif %} # Additional labels (if any) specified by the user +{% if matrix_element_call_container_extra_arguments.keys() | length > 0 %} {% for key, value in matrix_element_call_container_extra_arguments.items() %} {{ key }}={{ value }} {% endfor %} +{% endif %} From 805b726c6d8132516197d29c941044d361d3a6ce Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:25:01 +1000 Subject: [PATCH 055/108] Update element-call-labels.j2 --- .../matrix-element-call/templates/element-call-labels.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 915ab6e25..e721c93cc 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -24,7 +24,7 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% endif %} # Additional response headers for Element Call -{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% if matrix_element_call_container_labels_traefik_additional_response_headers is mapping and matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} 
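Review bot: `matrix_element_call_container_extra_arguments` is iterated here as a mapping and emitted as Docker labels, but the same variable is defined as a list (`matrix_element_call_container_extra_arguments: []`) in group_vars, visible as a removed line in patch 070's `@@ -5919,16 +5923,6 @@` hunk, and the `*_container_extra_arguments` name elsewhere in this playbook appears to denote extra `docker create` arguments rather than labels; a list value fails on `.keys()` here. Give the mapping a name that says what it is, e.g. `matrix_element_call_container_labels_additional`, and keep `_extra_arguments` for its list meaning. The added `{% if ... | length > 0 %}` guard is also redundant, since `{% for %}` over an empty mapping emits nothing.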
@@ -39,7 +39,7 @@ traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') {% endif %} # Additional labels (if any) specified by the user -{% if matrix_element_call_container_extra_arguments.keys() | length > 0 %} +{% if matrix_element_call_container_extra_arguments is mapping and matrix_element_call_container_extra_arguments.keys() | length > 0 %} {% for key, value in matrix_element_call_container_extra_arguments.items() %} {{ key }}={{ value }} {% endfor %} From c14f9cdcb59e9fd92f5ba7465abc2042ed4e8a43 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:25:48 +1000 Subject: [PATCH 056/108] Update matrix_servers --- group_vars/matrix_servers | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6c80b0884..008eba6dc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5897,6 +5897,7 @@ matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call matrix_element_call_container_labels_traefik_entrypoints: "websecure" matrix_element_call_container_labels_traefik_tls_certResolver: "default" matrix_element_call_container_labels_traefik_additional_response_headers: {} +matrix_element_call_container_extra_arguments: {} # JWT Service Configuration matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed From 5730dbfc6e0928b1b4defa6e4fe734759feb3ae8 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:54:01 +1000 Subject: [PATCH 057/108] Added hostname label --- .../templates/element-call-labels.j2 | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index e721c93cc..0428d056a 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 
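Review bot: This adds a second definition of `matrix_element_call_container_extra_arguments` to group_vars: the same file still carries `matrix_element_call_container_extra_arguments: []` about 25 lines lower (it shows up as a removed line in patch 070's `@@ -5919,16 +5923,6 @@` hunk), so the file now has a duplicate YAML key with two different types. Ansible's loader only warns on duplicate keys and keeps the last value, so the `{}` added here is silently replaced by `[]` and the label template's `.keys()` call fails. Keep a single definition with a single type.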
+++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -1,12 +1,13 @@ {% if matrix_element_call_container_labels_traefik_enabled %} traefik.enable=true +# Network configuration for Traefik {% if matrix_element_call_container_labels_traefik_docker_network %} traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -# Element Call Labels -traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +# Traefik Router and Service configuration for Element Call +traefik.http.routers.element-call-router.rule=Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`) traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} traefik.http.services.element-call-service.loadbalancer.server.port=8080 
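Review bot: Hard-coding the router rule to `Host(\`…\`)` makes `matrix_element_call_container_labels_traefik_rule` (still defined in group_vars, see the context of patch 053) dead and drops any `PathPrefix` matching when `matrix_element_call_container_labels_traefik_path_prefix` is not `/`: the router then claims every path on the host while the strip-prefix middleware further down still runs. Keep `traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }}` and let the variable carry the Host/PathPrefix combination, which is what patch 070 later puts into the role default.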
@@ -24,14 +25,14 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% endif %} # Additional response headers for Element Call -{% if matrix_element_call_container_labels_traefik_additional_response_headers is mapping and matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% if matrix_element_call_container_labels_traefik_additional_response_headers is defined and matrix_element_call_container_labels_traefik_additional_response_headers | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} {% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -# Add middlewares to the Element Call router +# Apply middlewares to the Element Call router {% if middlewares | length > 0 %} traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} @@ -39,7 +40,7 @@ traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') {% endif %} # Additional labels (if any) specified by the user -{% if matrix_element_call_container_extra_arguments is mapping and matrix_element_call_container_extra_arguments.keys() | length > 0 %} +{% if matrix_element_call_container_extra_arguments is defined and matrix_element_call_container_extra_arguments | length > 0 %} {% for key, value in matrix_element_call_container_extra_arguments.items() %} {{ key }}={{ value }} {% endfor %} From 6d6f9ab853104213f7e6cc5d8db3381a298713dc Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:59:13 +1000 Subject: [PATCH 058/108] Added hostnames for livekit and jwt labels --- roles/custom/matrix-element-call/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) 
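Review bot: Replacing `is mapping` with `is defined and … | length > 0` weakens both guards: a non-empty list (the type group_vars uses for `matrix_element_call_container_extra_arguments`, `[]`, per patch 070) now passes the check and fails on `.items()` instead of being skipped. `is mapping` is, as far as I can tell, false for an undefined value, so `{% if … is mapping and … | length > 0 %}` covers both cases. Note also that with the `{}` default the Element Call router gets no response-header middleware at all, whereas the SFU/JWT routers removed in patch 051 set `X-Content-Type-Options`, frame options and HSTS; an `_auto` mapping of sane defaults combined with the user's custom headers would close that gap.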
diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 35c3d90ed..8d04028e4 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -28,6 +28,10 @@ redis_port: "6379" # LiveKit configuration matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" +matrix_element_call_livekit_hostname: "sfu.{{ matrix_domain }}" + +# jwt configuration +matrix_element_call_jwt_hostname: "sfu-jwt.{{ matrix_domain }}" # Well-known paths and domains (derived from matrix_domain) matrix_element_call_domain: "call.{{ matrix_domain }}" From b6571fc4fdfffd60cc5d11e63e13dd6077fbba93 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:59:54 +1000 Subject: [PATCH 059/108] Update livekit-labels.j2 --- roles/custom/matrix-element-call/templates/livekit-labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/livekit-labels.j2 b/roles/custom/matrix-element-call/templates/livekit-labels.j2 index df680b2a7..5fa0c51ad 100644 --- a/roles/custom/matrix-element-call/templates/livekit-labels.j2 +++ b/roles/custom/matrix-element-call/templates/livekit-labels.j2 
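Review bot: `matrix_element_call_livekit_hostname` is defined independently of `matrix_element_call_livekit_service_url` even though both must name the same host, so overriding one without the other yields a Traefik router for a host clients are never told about (or the reverse). Derive the URL from the hostname, `matrix_element_call_livekit_service_url: "wss://{{ matrix_element_call_livekit_hostname }}:443"`, and do the same for the JWT pair (`matrix_element_call_jwt_service_url` in group_vars versus `matrix_element_call_jwt_hostname` here). The `matrix_element_call_livekit_dev_key` line in the context is a credential that a comment says must come from host_vars; the role should assert it is set (in validate_config.yml, which is not in this diff) rather than rely on the comment.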
@@ -6,7 +6,7 @@ traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_ne
 {% endif %}
 # Define the Traefik router rule for LiveKit
-traefik.http.routers.livekit-router.rule=Host(`{{ matrix_element_call_sfu_hostname }}`)
+traefik.http.routers.livekit-router.rule=Host(`{{ matrix_element_call_livekit_hostname }}`)
 traefik.http.routers.livekit-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }}
 traefik.http.routers.livekit-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }}
 traefik.http.services.livekit-service.loadbalancer.server.port=7880
From 089c5f14c8e9ee57fb8da0f48a8c221e1d67b1a1 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 10:00:40 +1000 Subject: [PATCH 060/108] Update jwt-service-labels.j2
--- .../custom/matrix-element-call/templates/jwt-service-labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2
index 86b314cf4..603ced758 100644
--- a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2
+++ b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2
@@ -6,7 +6,7 @@ traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_ne
 {% endif %}
 # Define the Traefik router rule for JWT Service
-traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_service_hostname }}`)
+traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_hostname }}`)
 traefik.http.routers.jwt-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }}
 traefik.http.routers.jwt-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }}
 traefik.http.services.jwt-service.loadbalancer.server.port=8881
From 3c084e17d266892ea10e51188d70508e5ab6a64e Mon Sep 17 00:00:00 2001
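Review bot: The Traefik service port for the JWT router is `8881`, but the container created in `matrix-jwt-service.service.j2` (visible in patch 064's context) publishes container port `8080` via `-p {{ matrix_jwt_service_port }}:8080`, which suggests the process listens on 8080; if so, Traefik gets connection refused on 8881 and token minting silently breaks. Confirm the listen port of the JWT service image and drive both the label and the `-p` mapping from one variable, e.g. `traefik.http.services.jwt-service.loadbalancer.server.port={{ matrix_jwt_service_container_port }}`.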
From: Backslash Date: Fri, 27 Sep 2024 10:15:51 +1000 Subject: [PATCH 061/108] Update element-call-labels.j2-new --- .../templates/element-call-labels.j2-new | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2-new b/roles/custom/matrix-element-call/templates/element-call-labels.j2-new index a31c6ea6b..0428d056a 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2-new +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2-new @@ -1,19 +1,20 @@ {% if matrix_element_call_container_labels_traefik_enabled %} traefik.enable=true +# Network configuration for Traefik {% if matrix_element_call_container_labels_traefik_docker_network %} traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -# Define the Traefik router rule -traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +# Traefik Router and Service configuration for Element Call +traefik.http.routers.element-call-router.rule=Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`) traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} traefik.http.services.element-call-service.loadbalancer.server.port=8080 {% set middlewares = [] %} -# Define any path prefix redirection or stripping middleware +# Path prefix handling for Element Call {% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ 
@@ -23,17 +24,24 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% set middlewares = middlewares + ['element-call-strip-prefix'] %} {% endif %} -# Apply any additional response headers if provided -{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +# Additional response headers for Element Call +{% if matrix_element_call_container_labels_traefik_additional_response_headers is defined and matrix_element_call_container_labels_traefik_additional_response_headers | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} {% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -# Add middlewares to the router +# Apply middlewares to the Element Call router {% if middlewares | length > 0 %} traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} {% endif %} + +# Additional labels (if any) specified by the user +{% if matrix_element_call_container_extra_arguments is defined and matrix_element_call_container_extra_arguments | length > 0 %} +{% for key, value in matrix_element_call_container_extra_arguments.items() %} +{{ key }}={{ value }} +{% endfor %} +{% endif %} From 14614cb21102dfc6c645d05ca8e38156add079d7 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 10:26:01 +1000 Subject: [PATCH 062/108] Update matrix-element-call.service.j2 --- .../systemd/matrix-element-call.service.j2 | 56 ++++++++++--------- 1 file changed, 31 insertions(+), 25 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 488b1f400..eded8dc6a 100644 
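Review bot: `element-call-labels.j2-new` is a stale copy: after this patch its blob (`0428d056a`) is identical to `element-call-labels.j2` as of patch 057, and `install.yml` (patch 052) only renders `element-call-labels.j2`, so this file is never used. Keeping a parallel copy of a template that emits Traefik routing rules invites the two drifting apart and someone rendering the wrong one; delete it rather than keep updating it.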
--- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
@@ -1,31 +1,37 @@
-{% if matrix_element_call_container_labels_traefik_enabled %}
-traefik.enable=true
+[Unit]
+Description=Matrix Element Call Service
+After=docker.service
+Requires=docker.service
-{% if matrix_element_call_container_labels_traefik_docker_network %}
-traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }}
-{% endif %}
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true'
-# Define the Traefik router rule
-traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }}
-traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }}
-traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }}
-traefik.http.services.element-call-service.loadbalancer.server.port=8080
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-element-call \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --network={{ matrix_element_call_container_network }} \
+ -p {{ matrix_element_call_port }}:8080 \
+ --env-file={{ matrix_element_call_base_path }}/config/env \
+ --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \
+ {{ matrix_element_call_image }}
-{% set middlewares = [] %}
+{% for network in matrix_element_call_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} 
network connect {{ network }} matrix-element-call
+{% endfor %}
-# Define any path prefix redirection or stripping middleware
-{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %}
-traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$
-traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/
-{% set middlewares = middlewares + ['element-call-slashless-redirect'] %}
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call
-traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }}
-{% set middlewares = middlewares + ['element-call-strip-prefix'] %}
-{% endif %}
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-element-call
-# Add middlewares to the router
-{% if middlewares | length > 0 %}
-traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }}
-{% endif %}
-
-{% endif %}
+[Install]
+WantedBy=multi-user.target
From 5b8dcf32d5fa47d0cbb5777b66138c47db0b41d0 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 11:42:34 +1000 Subject: [PATCH 063/108] Added element-call systemd services to the service manager.
--- group_vars/matrix_servers | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 008eba6dc..9da357c88 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
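Review bot: The `docker create` line publishes the container unconditionally with `-p {{ matrix_element_call_port }}:8080`, so Element Call is reachable directly over plain HTTP on every host interface in addition to the Traefik route, bypassing TLS and any response-header middleware, and the port can collide with whatever else listens there. Publish only when an operator asks for it, following the bind-port pattern patch 070 introduces: `{% if matrix_element_call_container_http_host_bind_port %}` / `-p {{ matrix_element_call_container_http_host_bind_port }}:8080 \` / `{% endif %}`. The unit also hard-codes `After=docker.service`/`Requires=docker.service` instead of rendering the `matrix_element_call_systemd_required_services_list` that patch 070 adds, and a `--read-only` root filesystem is worth trying for a static-asset container if the image tolerates it.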
@@ -433,6 +433,14 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-pantalaimon.service', 'priority': 4000, 'groups': ['matrix', 'pantalaimon']}] if matrix_pantalaimon_enabled else []) + + ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else []) + + + ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_element_call_enabled else []) + + + ([{'name': 'matrix-livekit.service', 'priority': 3000, 'groups': ['matrix', 'livekit']}] if matrix_element_call_enabled else []) + + + ([{'name': 'matrix-redis.service', 'priority': 450, 'groups': ['matrix', 'redis']}] if matrix_element_call_enabled else []) + + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else []) + ([{'name': 'matrix-sliding-sync.service', 'priority': 1500, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) From 63133d659972342b825782ed678ce356c1541acf Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 11:53:26 +1000 Subject: [PATCH 064/108] Added serve command back in. --- .../templates/systemd/matrix-jwt-service.service.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 index 7d2ac8fd8..cdcac8b40 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 
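Review bot: All four entries are gated on `matrix_element_call_enabled`, including a `matrix-redis.service` in the generic `redis` group; if the playbook already manages a Redis/KeyDB instance under that unit name for other components, enabling Element Call puts the same unit into the list twice and stands up a second Redis nobody asked for. Namespacing the unit (`matrix-element-call-redis.service`) and gating each dependency on its own flag would let an operator reuse an existing instance. `matrix-jwt-service.service` and `matrix-livekit.service` also share priority 3000 although the JWT service is configured with LiveKit's URL; if start order matters, give LiveKit the earlier priority.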
@@ -19,7 +19,8 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 -p {{ matrix_jwt_service_port }}:8080 \
 --env-file={{ matrix_element_call_base_path }}/config/env \
 --label-file={{ matrix_element_call_base_path }}/config/jwt-service-labels \
- {{ matrix_jwt_service_image }}
+ {{ matrix_jwt_service_image }} \
+ serve
 {% for network in matrix_element_call_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service
From 8b172cc19447be51a17fd94db46246b29a961086 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:35:38 +1000 Subject: [PATCH 065/108] Update env.j2
--- roles/custom/matrix-element-call/templates/env.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2
index 71e9a0693..1a1eb953d 100644
--- a/roles/custom/matrix-element-call/templates/env.j2
+++ b/roles/custom/matrix-element-call/templates/env.j2
@@ -1,7 +1,8 @@
 # Environment variables for Element Call
 ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }}
+LIVEKIT_KEY=devkey
 LIVEKIT_SERVICE_URL={{ matrix_element_call_livekit_service_url }}
-LIVEKIT_SECRET={{ matrix_element_call_livekit_dev_key }}
+LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }}
 JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }}
 # Optional additional environment variables provided by the user
From a0917fa2833ec3ee0b42bd5a2b61396dc535bcb2 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:37:36 +1000 Subject: [PATCH 066/108] Update main.yml
--- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml
index 8d04028e4..c9e9aeaba 100644
--- a/roles/custom/matrix-element-call/defaults/main.yml
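Review bot: `LIVEKIT_KEY=devkey` hard-codes the LiveKit API key id; the id is not a secret by itself, but it must match the `keys:` entry in `livekit.yaml.j2` (not in this diff), and a fixed, well-known id makes key rotation impossible without editing the template. Make it a variable, `LIVEKIT_KEY={{ matrix_element_call_livekit_key }}`, and render both files from it. This env file now also carries the LiveKit API secret and is mounted into the JWT service via `--env-file` (context of the hunk above), so it should be written `0640` and owned by the matrix user; please confirm the `install.yml` task that renders `config/env` does that, as only the labels task is visible here.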
+++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -27,6 +27,7 @@ redis_port: "6379" # LiveKit configuration matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars +matrix_element_call_jwt_secret: "{{ matrix_jwt_secret }}" # Must be defined in host_vars matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" matrix_element_call_livekit_hostname: "sfu.{{ matrix_domain }}" From 24926720252b0eb5d9d8344514a6eb3ab445304d Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:39:39 +1000 Subject: [PATCH 067/108] Update env.j2 --- roles/custom/matrix-element-call/templates/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 index 1a1eb953d..b5a5d4be4 100644 --- a/roles/custom/matrix-element-call/templates/env.j2 +++ b/roles/custom/matrix-element-call/templates/env.j2 @@ -1,7 +1,7 @@ # Environment variables for Element Call ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} LIVEKIT_KEY=devkey -LIVEKIT_SERVICE_URL={{ matrix_element_call_livekit_service_url }} +LIVEKIT_URL={{ matrix_element_call_livekit_service_url }} LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }} JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} From 5db9a5c061efb8c8806b0fdf9ffcc968e4fea2d3 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:40:37 +1000 Subject: [PATCH 068/108] Removed env file --- .../templates/systemd/matrix-element-call.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index eded8dc6a..b64e3fbe8 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
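Review bot: `matrix_element_call_jwt_secret` is misnamed: env.j2 (patch 065) uses it as `LIVEKIT_SECRET`, i.e. the LiveKit API secret, while `matrix_element_call_livekit_dev_key` on the line above is no longer read by the env file yet its comment still demands it from host_vars. Keep one variable whose name says what it is, e.g. `matrix_element_call_livekit_secret`, and drop the other, so operators do not maintain two secrets that must be identical. If this playbook's approach of deriving per-service secrets from `matrix_homeserver_generic_secret_key` in group_vars applies here, it would also avoid an undefined-variable failure when the host var is missing; otherwise validate_config.yml should assert it is set.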
+++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -17,7 +17,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --network={{ matrix_element_call_container_network }} \ -p {{ matrix_element_call_port }}:8080 \ - --env-file={{ matrix_element_call_base_path }}/config/env \ --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ {{ matrix_element_call_image }} From a274d32c6d800379d2241449b68cea8bc4778042 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:50:31 +1000 Subject: [PATCH 069/108] Removed serve function --- .../templates/systemd/matrix-jwt-service.service.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 index cdcac8b40..7d2ac8fd8 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 @@ -19,8 +19,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ -p {{ matrix_jwt_service_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ --label-file={{ matrix_element_call_base_path }}/config/jwt-service-labels \ - {{ matrix_jwt_service_image }} \ - serve + {{ matrix_jwt_service_image }} {% for network in matrix_element_call_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service From f036e18789ffd332c40d296bc4744a1dc508586a Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Mon, 30 Sep 2024 11:05:11 +1000 Subject: [PATCH 070/108] Fix: Restructured Element call configuration files. --- group_vars/matrix_servers | 24 ++---- .../matrix-element-call/defaults/main.yml | 84 +++++++++++++++++-- .../matrix-element-call/tasks/install.yml | 2 +- .../templates/element-call-labels.j2 | 31 ++++--- .../systemd/matrix-element-call.service.j2 | 16 +++- 5 files changed, 117 insertions(+), 40 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9da357c88..4ba3e6eb2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -5894,18 +5894,22 @@ matrix_element_call_container_image_registry_prefix: ghcr.io/ matrix_element_call_container_image_force_pull: true # Docker network configuration for Element Call -matrix_element_call_container_network: "{{ matrix_homeserver_container_network }}" # Use the homeserver network by default +matrix_element_call_container_network: "{{ matrix_addons_container_network }}" +matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_element_call_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" + # Traefik Configuration for Element Call +matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + + matrix_element_call_container_labels_traefik_enabled: true matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" -matrix_element_call_container_labels_traefik_entrypoints: "websecure" -matrix_element_call_container_labels_traefik_tls_certResolver: "default" -matrix_element_call_container_labels_traefik_additional_response_headers: {} -matrix_element_call_container_extra_arguments: {} # JWT Service Configuration 
matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed @@ -5919,16 +5923,6 @@ matrix_element_call_redis_hostname: "localhost" # Default Redis hostname; can b matrix_element_call_redis_port: 6379 # Default Redis port; can be overridden matrix_element_call_redis_password: "" # Redis password; should be set in host_vars if needed -# Additional environment variables for the container -matrix_element_call_environment_variables_additional: {} - -# Additional arguments or configuration options for the Docker container -matrix_element_call_container_extra_arguments: [] - -# Enable or disable metrics collection -matrix_element_call_metrics_enabled: false -matrix_element_call_metrics_port: 2112 - ######################################################################## # # # /matrix-element-call # diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index c9e9aeaba..d5a9dbb2f 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -10,7 +10,8 @@ matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homes element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" # Docker network configuration -matrix_element_call_container_network: "matrix_element_call_network" +matrix_element_call_container_network: '' +matrix_element_call_container_http_host_bind_port: '' matrix_element_call_container_labels_traefik_additional_response_headers: {} matrix_element_call_container_additional_networks: [] # No additional networks by default 
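Review bot: This hunk leaves `matrix_element_call_container_labels_traefik_enabled` and `matrix_element_call_container_labels_traefik_docker_network` each defined twice in group_vars: the new proxy-type-aware `"{{ matrix_playbook_reverse_proxy_type in [...] }}"` expression is followed a few lines later by the unchanged `matrix_element_call_container_labels_traefik_enabled: true`, and since YAML last-wins (Ansible only warns on duplicate keys) the new gating is dead. Delete the old `enabled: true` and the second `docker_network` line. The surviving `matrix_element_call_container_labels_traefik_rule: "Host(...)"` context line also keeps shadowing the role default, which this same patch changes to include `PathPrefix`; drop it from group_vars unless it genuinely needs a different value.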
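Review bot: `matrix_element_call_container_http_host_bind_port: ''` is introduced but nothing visible consumes it; the systemd unit from patch 062 still publishes `-p {{ matrix_element_call_port }}:8080` unconditionally. Unless the systemd change in this same patch (not shown) wires it up, the direct host exposure remains; the unit should publish only inside `{% if matrix_element_call_container_http_host_bind_port %}`, and `matrix_element_call_port` should then go. Setting `matrix_element_call_container_network: ''` in the role default is only safe because group_vars overrides it; a comment such as `# Set by the playbook's group_vars; an empty value is not a usable network` would save the next reader a search.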
@@ -47,15 +48,88 @@ redis_password: "" # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_callcontainer_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}" -matrix_element_call_container_labels_traefik_path_prefix: "/" -matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" -matrix_element_call_container_labels_traefik_entrypoints: "websecure" -matrix_element_call_container_labels_traefik_tls_certResolver: "default" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). +matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_callpath_prefix }}" +matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`){% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_call_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_element_call_container_labels_traefik_priority: 0 +matrix_element_call_container_labels_traefik_entrypoints: web-secure +matrix_element_call_container_labels_traefik_tls: "{{ matrix_element_call_container_labels_traefik_entrypoints != 'web' }}" +matrix_element_call_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom` +matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" +matrix_element_call_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) + }} +matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} # Additional environment variables for the container matrix_element_call_environment_variables_additional: {} +# List of systemd services that matrix-client-element.service depends on +matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect 
reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_element_call_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_element_call_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_element_call_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_callfloc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_callhsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_element_callcontent_permission_policy` +matrix_element_callfloc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_element_call_http_header_strict_transport_security` +matrix_element_callhsts_preload_enabled: false + # Enable or disable metrics collection matrix_element_call_metrics_enabled: false matrix_element_call_metrics_port: 2112 diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index ba3a8704d..f036fa2f9 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
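Review bot: `matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_callcontainer_network }}"` references a variable that does not exist — the role's own network variable is `matrix_element_call_container_network`, defined in the previous hunk of this file — so the Traefik labels fail on an undefined variable whenever the inventory does not override it (group_vars does in the `@@ -5894` hunk above); the line should read `matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}"`. The same dropped underscore appears in `matrix_element_callfloc_optout_enabled`, `matrix_element_callhsts_preload_enabled` and in the `See:` reference to `matrix_element_callcontent_permission_policy` (the variable actually defined is `matrix_element_call_http_header_content_permission_policy`); the first two only work because both sides of the reference share the typo, which is fragile for anyone overriding them and inconsistent with every other `matrix_element_call_*` name in the file. Separately, the `..._additional_response_headers_auto` block emits the header under the key `Permission-Policy` while its own comment says `Permissions-Policy`; browsers recognise the plural form, so the singular key sends a header that has no effect.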
@@ -9,7 +9,7 @@
 mode: 0750
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
- loop:
+ with_items:
 - path: "{{ matrix_element_call_base_path }}"
 - path: "{{ matrix_element_call_base_path }}/data"
 - path: "{{ matrix_element_call_base_path }}/config"
diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2
index 0428d056a..feeeb2c65 100644
--- a/roles/custom/matrix-element-call/templates/element-call-labels.j2
+++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2
@@ -6,10 +6,6 @@ traefik.enable=true
 traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }}
 {% endif %}
-# Traefik Router and Service configuration for Element Call
-traefik.http.routers.element-call-router.rule=Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)
-traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }}
-traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }}
 traefik.http.services.element-call-service.loadbalancer.server.port=8080
 {% set middlewares = [] %}
@@ -24,24 +20,27 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri
 {% set middlewares = middlewares + ['element-call-strip-prefix'] %}
 {% endif %}
-# Additional response headers for Element Call
-{% if matrix_element_call_container_labels_traefik_additional_response_headers is defined and matrix_element_call_container_labels_traefik_additional_response_headers | length > 0 %}
+{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %}
-traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
 {% endfor %}
-{% set middlewares = middlewares + ['element-call-add-headers'] %}
+{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %}
 {% endif %}
-# Apply middlewares to the Element Call router
+traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }}
+{% if matrix_element_call_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-element-call.service=matrix-element-call
 {% if middlewares | length > 0 %}
-traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }}
+traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }}
+{% if matrix_element_call_container_labels_traefik_tls %}
+traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }}
 {% endif %}
 {% endif %}
-# Additional labels (if any) specified by the user
-{% if matrix_element_call_container_extra_arguments is defined and matrix_element_call_container_extra_arguments | length > 0 %}
-{% for key, value in matrix_element_call_container_extra_arguments.items() %}
-{{ key }}={{ value }}
-{% endfor %}
-{% endif %}
+{{ matrix_element_call_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2
index b64e3fbe8..b4bb602d0 100644
--- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2
+++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2
@@ -1,7 +1,11 @@
+#jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Element Call Service
-After=docker.service
-Requires=docker.service
+{% for service in matrix_client_element_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+DefaultDependencies=no
 [Service]
 Type=simple
@@ -15,9 +19,15 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --log-driver=none \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --cap-drop=ALL \
+ --read-only \
 --network={{ matrix_element_call_container_network }} \
- -p {{ matrix_element_call_port }}:8080 \
+ {% if matrix_element_call_container_http_host_bind_port %}
+ -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \
+ {% endif %}
 --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \
+ {% for arg in matrix_element_call_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
 {{ matrix_element_call_image }}
 {% for network in matrix_element_call_container_additional_networks %}
From 1167e1ec13ab3f9e64a1ac35eabb0a392551baf4 Mon Sep 17 00:00:00 2001
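Review bot: `{% for service in matrix_client_element_systemd_required_services_list %}` in the `[Unit]` section iterates over the Element Web client's variable, not this role's — `defaults/main.yml` in the `@@ -47,15 +48,88 @@` hunk above defines `matrix_element_call_systemd_required_services_list` for exactly this purpose, and nothing else on this page reads it. As written, the unit's `Requires=`/`After=` lines depend on whatever matrix-client-element happens to be configured with, and presumably fail on an undefined variable when that role is not in play; the loop should read `{% for service in matrix_element_call_systemd_required_services_list %}`. The template's `[Service]` section continues outside this hunk.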
From: wjbeckett
Date: Mon, 30 Sep 2024 11:17:34 +1000
Subject: [PATCH 071/108] fix: changed matrix server name to matrix domain in element-call config.
---
 roles/custom/matrix-element-call/templates/config.json.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2
index 7c75144e3..3dc7f0e8a 100644
--- a/roles/custom/matrix-element-call/templates/config.json.j2
+++ b/roles/custom/matrix-element-call/templates/config.json.j2
@@ -2,7 +2,7 @@
 "default_server_config": {
 "m.homeserver": {
 "base_url": "{{ matrix_homeserver_url }}",
- "server_name": "{{ matrix_server_name }}"
+ "server_name": "{{ matrix_domain }}"
 }
 },
 "livekit": {
From 9dbee212d81f7584089ae0e77d69e2de52b04ff8 Mon Sep 17 00:00:00 2001
From: wjbeckett
Date: Mon, 30 Sep 2024 11:37:08 +1000
Subject: [PATCH 072/108] fix: removed duplicate keys.
---
 group_vars/matrix_servers | 7 ---
 .../matrix-element-call/defaults/main.yml | 1 -
 .../templates/element-call-labels.j2-new | 47 -------------------
 3 files changed, 55 deletions(-)
 delete mode 100644 roles/custom/matrix-element-call/templates/element-call-labels.j2-new
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 4ba3e6eb2..bf55b9a43 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -5904,13 +5904,6 @@ matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook
 matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
-
-matrix_element_call_container_labels_traefik_enabled: true
-matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}"
-matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}"
-matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)"
-
 # JWT Service Configuration
 matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed
diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml
index d5a9dbb2f..1b72ca0a1 100644
--- a/roles/custom/matrix-element-call/defaults/main.yml
+++ b/roles/custom/matrix-element-call/defaults/main.yml
@@ -12,7 +12,6 @@ element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-
 # Docker network configuration
 matrix_element_call_container_network: ''
 matrix_element_call_container_http_host_bind_port: ''
-matrix_element_call_container_labels_traefik_additional_response_headers: {}
 matrix_element_call_container_additional_networks: [] # No additional networks by default
 # Docker images
diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2-new b/roles/custom/matrix-element-call/templates/element-call-labels.j2-new
deleted file mode 100644
index 0428d056a..000000000
--- a/roles/custom/matrix-element-call/templates/element-call-labels.j2-new
+++ /dev/null
@@ -1,47 +0,0 @@ -{% if matrix_element_call_container_labels_traefik_enabled %} -traefik.enable=true - -# Network configuration for Traefik -{% if matrix_element_call_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} -{% endif %} - -# Traefik Router and Service configuration for Element Call -traefik.http.routers.element-call-router.rule=Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`) -traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} -traefik.http.services.element-call-service.loadbalancer.server.port=8080 - -{% set middlewares = [] %} - -# Path prefix handling for Element Call -{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} - -traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['element-call-strip-prefix'] %} -{% endif %} - -# Additional response headers for Element Call -{% if matrix_element_call_container_labels_traefik_additional_response_headers is defined and matrix_element_call_container_labels_traefik_additional_response_headers | length > 0 %} -{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + 
['element-call-add-headers'] %} -{% endif %} - -# Apply middlewares to the Element Call router -{% if middlewares | length > 0 %} -traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} -{% endif %} - -{% endif %} - -# Additional labels (if any) specified by the user -{% if matrix_element_call_container_extra_arguments is defined and matrix_element_call_container_extra_arguments | length > 0 %} -{% for key, value in matrix_element_call_container_extra_arguments.items() %} -{{ key }}={{ value }} -{% endfor %} -{% endif %} From 93650cf20ea9b72a4ced744380d57132cc417313 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 12:02:45 +1000 Subject: [PATCH 073/108] fix: Type in the element-call main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 1b72ca0a1..f1ab26261 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -50,7 +50,7 @@ matrix_element_call_container_labels_traefik_enabled: true
 matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_callcontainer_network }}"
 matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/element`).
-matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_callpath_prefix }}"
+matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}"
 matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`){% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_call_container_labels_traefik_path_prefix }}`){% endif %}"
 matrix_element_call_container_labels_traefik_priority: 0
 matrix_element_call_container_labels_traefik_entrypoints: web-secure
From f762048a8dcaa691d183fee147f621c031cdd25d Mon Sep 17 00:00:00 2001
From: wjbeckett
Date: Mon, 30 Sep 2024 12:15:27 +1000
Subject: [PATCH 074/108] fix: added missing labels to main.
---
 roles/custom/matrix-element-call/defaults/main.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml
index f1ab26261..787acf0a1 100644
--- a/roles/custom/matrix-element-call/defaults/main.yml
+++ b/roles/custom/matrix-element-call/defaults/main.yml
@@ -72,6 +72,18 @@ matrix_element_call_container_labels_traefik_additional_response_headers_auto: |
 }}
 matrix_element_call_container_labels_traefik_additional_response_headers_custom: {}
+# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_element_call_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_element_call_container_extra_arguments: []
+
 # Additional environment variables for the container
 matrix_element_call_environment_variables_additional: {}
From 6143ad7ffa04d98714eb51acf5675921a1d96b86 Mon Sep 17 00:00:00 2001
From: wjbeckett
Date: Mon, 30 Sep 2024 12:27:04 +1000
Subject: [PATCH 075/108] fix: removed the read-only tag from the element-call systemd file.
---
 .../templates/systemd/matrix-element-call.service.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2
index b4bb602d0..6048f9e4d 100644
--- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2
+++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2
@@ -19,7 +19,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --log-driver=none \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --cap-drop=ALL \
- --read-only \
 --network={{ matrix_element_call_container_network }} \
 {% if matrix_element_call_container_http_host_bind_port %}
 -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \
From 31a138a6ba7570b7bb9cd8ebc60c28d284c74302 Mon Sep 17 00:00:00 2001
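Review bot: The new comment block documents `matrix_client_element_container_labels_additional_labels` — in the opening sentence and again in the example — while the variable actually introduced on the line below is `matrix_element_call_container_labels_additional_labels`, so a reader copying the example sets a key this role never reads. It also points to `../templates/labels.j2`, whereas the template that consumes this value on this page (the `{{ matrix_element_call_container_labels_additional_labels }}` line added earlier) is `templates/element-call-labels.j2`; both look like copy-paste remnants from the matrix-client-element role. The two comment lines should name `matrix_element_call_container_labels_additional_labels`, and the reference should read `# See ../templates/element-call-labels.j2 for details.` unless a `labels.j2` still exists alongside it.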
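Review bot: Dropping `--read-only` hands the container a writable root filesystem again, undoing the one hardening flag this unit gained in the earlier `@@ -15,9 +19,15 @@` hunk while `--cap-drop=ALL` and `--user=` are kept, and the commit does not record which path the image failed to write to. If a writable location is genuinely needed, the usual shape is to keep the flag and mount a tmpfs for just that path — `--read-only \` followed by `--tmpfs=<PATH_THE_IMAGE_WRITES_TO> \` (placeholder; take the path from the container's failure log) — or at minimum leave a template comment stating why the root filesystem must stay writable so the flag is not silently re-added later. The `docker create` command continues outside this hunk.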
From: wjbeckett Date: Mon, 30 Sep 2024 12:47:42 +1000 Subject: [PATCH 076/108] fixed traefik router issues. --- .../templates/element-call-labels.j2 | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index feeeb2c65..5287ab98c 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
@@ -22,23 +22,23 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +{% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} +traefik.http.routers.element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.matrix-element-call.service=matrix-element-call +traefik.http.routers.element-call.service=matrix-element-call {% if middlewares | length > 0 %} -traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} +traefik.http.routers.element-call.middlewares={{ middlewares | join(',') }} {% endif %} -traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} +traefik.http.routers.element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} {% if 
matrix_element_call_container_labels_traefik_tls %} -traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.routers.element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} {% endif %} {% endif %} From cb41fb02ae3611ae1211c73e044cb07b35d416e1 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 13:00:10 +1000 Subject: [PATCH 077/108] testing traefik labels again. --- .../custom/matrix-element-call/templates/element-call-labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 5287ab98c..2a023b28e 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -31,7 +31,7 @@ traefik.http.routers.element-call.rule={{ matrix_element_call_container_labels_t {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} traefik.http.routers.element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.element-call.service=matrix-element-call +traefik.http.routers.element-call.service=element-call {% if middlewares | length > 0 %} traefik.http.routers.element-call.middlewares={{ middlewares | join(',') }} {% endif %} From b907777ae53475ee93aefcd827b08a47e0b44824 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 13:13:29 +1000 Subject: [PATCH 078/108] fixing labels again. --- .../matrix-element-call/defaults/main.yml | 2 +- .../templates/element-call-labels.j2 | 30 +++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 787acf0a1..d2660e7e3 100644 
--- a/roles/custom/matrix-element-call/defaults/main.yml
+++ b/roles/custom/matrix-element-call/defaults/main.yml
@@ -87,7 +87,7 @@ matrix_element_call_container_extra_arguments: []
 # Additional environment variables for the container
 matrix_element_call_environment_variables_additional: {}
-# List of systemd services that matrix-client-element.service depends on
+# List of systemd services that matrix-element-call.service depends on
 matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
 # Specifies the value of the `X-XSS-Protection` header
diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2
index 2a023b28e..10a84751b 100644
--- a/roles/custom/matrix-element-call/templates/element-call-labels.j2
+++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2
@@ -6,39 +6,39 @@ traefik.enable=true traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.element-call-service.loadbalancer.server.port=8080 +traefik.http.services.matrix-element-call.loadbalancer.server.port=8080 {% set middlewares = [] %} # Path prefix handling for Element Call {% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %} -traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['element-call-strip-prefix'] %} +traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} {% endif %} {% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + 
['element-call-add-headers'] %} +{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} {% endif %} -traefik.http.routers.element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} +traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.element-call.service=element-call +traefik.http.routers.matrix-element-call.service=matrix-element-call {% if middlewares | length > 0 %} -traefik.http.routers.element-call.middlewares={{ middlewares | join(',') }} +traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} {% endif %} -traefik.http.routers.element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} +traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} {% if matrix_element_call_container_labels_traefik_tls %} -traefik.http.routers.element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} {% endif %} {% endif %} From 8cb3e33bbfddaa50b7370e65d1668e6e1333b606 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Mon, 30 Sep 2024 22:20:46 +1000 Subject: [PATCH 079/108] separated livekit and jwt to separate roles --- group_vars/matrix_servers | 88 ++++++++-- .../matrix-element-call/defaults/main.yml | 26 +-- .../tasks/create_element_json.yml | 22 --- .../matrix-element-call/tasks/install.yml | 2 +- .../tasks/install_docker_containers.yml | 166 ------------------ .../tasks/update_element_web_config.yml | 29 --- .../tasks/update_homeserver_config.yml | 36 ---- .../tasks/update_well_known_client.yml | 24 --- .../tasks/validate_config.yml | 2 +- .../templates/config.json.j2 | 2 +- .../matrix-element-call/templates/env.j2 | 11 -- .../templates/jwt-service-labels.j2 | 13 -- .../templates/livekit-labels.j2 | 13 -- .../matrix-jwt-service/defaults/main.yml | 118 +++++++++++++ .../matrix-jwt-service/tasks/install.yml | 46 +++++ .../custom/matrix-jwt-service/tasks/main.yml | 21 +++ .../matrix-jwt-service/tasks/uninstall.yml | 22 +++ .../tasks/validate_config.yml | 12 ++ .../matrix-jwt-service/templates/env.j2 | 4 + .../matrix-jwt-service/templates/labels.j2 | 46 +++++ .../systemd/matrix-jwt-service.service.j2 | 8 +- roles/custom/matrix-livekit/defaults/main.yml | 119 +++++++++++++ roles/custom/matrix-livekit/tasks/install.yml | 47 +++++ roles/custom/matrix-livekit/tasks/main.yml | 21 +++ .../custom/matrix-livekit/tasks/uninstall.yml | 21 +++ .../matrix-livekit/tasks/validate_config.yml | 13 ++ .../custom/matrix-livekit/templates/labels.j2 | 46 +++++ .../templates/livekit.yaml.j2 | 2 +- .../systemd/matrix-livekit-server.service.j2} | 20 +-- 29 files changed, 634 insertions(+), 366 deletions(-) delete mode 100644 roles/custom/matrix-element-call/tasks/create_element_json.yml delete mode 100644 roles/custom/matrix-element-call/tasks/install_docker_containers.yml delete mode 100644 roles/custom/matrix-element-call/tasks/update_element_web_config.yml delete mode 100644 roles/custom/matrix-element-call/tasks/update_homeserver_config.yml delete mode 100644 
roles/custom/matrix-element-call/tasks/update_well_known_client.yml delete mode 100644 roles/custom/matrix-element-call/templates/env.j2 delete mode 100644 roles/custom/matrix-element-call/templates/jwt-service-labels.j2 delete mode 100644 roles/custom/matrix-element-call/templates/livekit-labels.j2 create mode 100644 roles/custom/matrix-jwt-service/defaults/main.yml create mode 100644 roles/custom/matrix-jwt-service/tasks/install.yml create mode 100644 roles/custom/matrix-jwt-service/tasks/main.yml create mode 100644 roles/custom/matrix-jwt-service/tasks/uninstall.yml create mode 100644 roles/custom/matrix-jwt-service/tasks/validate_config.yml create mode 100644 roles/custom/matrix-jwt-service/templates/env.j2 create mode 100644 roles/custom/matrix-jwt-service/templates/labels.j2 rename roles/custom/{matrix-element-call => matrix-jwt-service}/templates/systemd/matrix-jwt-service.service.j2 (85%) create mode 100644 roles/custom/matrix-livekit/defaults/main.yml create mode 100644 roles/custom/matrix-livekit/tasks/install.yml create mode 100644 roles/custom/matrix-livekit/tasks/main.yml create mode 100644 roles/custom/matrix-livekit/tasks/uninstall.yml create mode 100644 roles/custom/matrix-livekit/tasks/validate_config.yml create mode 100644 roles/custom/matrix-livekit/templates/labels.j2 rename roles/custom/{matrix-element-call => matrix-livekit}/templates/livekit.yaml.j2 (83%) rename roles/custom/{matrix-element-call/templates/systemd/matrix-livekit.service.j2 => matrix-livekit/templates/systemd/matrix-livekit-server.service.j2} (71%) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bf55b9a43..1739f54dd 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -435,9 +435,9 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else []) + - ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_element_call_enabled else []) + ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_jwt_service_enabled else []) + - ([{'name': 'matrix-livekit.service', 'priority': 3000, 'groups': ['matrix', 'livekit']}] if matrix_element_call_enabled else []) + ([{'name': 'matrix-livekit-server.service', 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if matrix_livekit_server_enabled else []) + ([{'name': 'matrix-redis.service', 'priority': 450, 'groups': ['matrix', 'redis']}] if matrix_element_call_enabled else []) + 
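Review bot: The `matrix-redis.service` entry is still gated on `matrix_element_call_enabled`, while the LiveKit and JWT entries next to it now key off `matrix_livekit_server_enabled` and `matrix_jwt_service_enabled`. If Redis backs the LiveKit server (the deleted install_docker_containers.yml kept `redis.conf` next to `livekit.yaml` under `backend/`), a host that enables only `matrix_livekit_server_enabled` gets no Redis unit, and one that enables only Element Call gets a Redis nothing uses. Gate the entry on whichever role actually consumes Redis, e.g. `if matrix_livekit_server_enabled else []`, or move the Redis wiring into that role.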
@@ -5897,27 +5897,87 @@ matrix_element_call_container_image_force_pull: true matrix_element_call_container_network: "{{ matrix_addons_container_network }}" matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_element_call_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" - # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" -# JWT Service Configuration -matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed - -# LiveKit Service Configuration -matrix_element_call_livekit_service_url: "https://sfu.{{ matrix_domain }}" # Default LiveKit service URL; adjust as needed -matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # LiveKit dev key - -# Redis Configuration for Element Call -matrix_element_call_redis_hostname: "localhost" # Default Redis hostname; can be overridden -matrix_element_call_redis_port: 6379 # Default Redis port; can be overridden -matrix_element_call_redis_password: "" # Redis password; should be set in host_vars if needed ######################################################################## # # # /matrix-element-call # # # ######################################################################## + +######################################################################## +# # +# matrix-livekit-server # +# # 
+########################################################################
+
+# Matrix Livekit Server Configuration
+matrix_livekit_server_enabled: false # Default is false; should be enabled in host_vars as needed
+matrix_livekit_server_version: "latest" # Default version; can be overridden in host_vars
+matrix_livekit_server_scheme: "https"
+matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different
+matrix_livekit_server_path_prefix: "/"
+matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server"
+matrix_livekit_server_container_image: "livekit/livekit-server:{{ matrix_livekit_server_version }}"
+matrix_livekit_server_container_image_force_pull: true
+
+# Docker network configuration for Livekit
+matrix_livekit_server_container_network: "{{ matrix_addons_container_network }}"
+matrix_livekit_server_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
+
+# Traefik Configuration for Livekit
+matrix_livekit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_livekit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_livekit_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+# LiveKit Service Configuration
+matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # LiveKit dev key
+
+########################################################################
+# #
+# /matrix-livekit-server #
+# #
+########################################################################
+
+########################################################################
+# #
+# matrix-jwt-service #
+# #
+########################################################################
+
+# Matrix JWT Service Configuration
+matrix_jwt_service_enabled: false # Default is false; should be enabled in host_vars as needed
+matrix_jwt_service_version: "latest-ci" # Default version; can be overridden in host_vars
+matrix_jwt_service_scheme: "https" # Scheme for Element Call (e.g., https)
+matrix_jwt_service_hostname: "lk-jwt-service" # Default hostname; should be overridden in host_vars if different
+matrix_jwt_service_path_prefix: "/" # Path prefix for Element Call
+matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" # Base path for storing Element Call-related files
+matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}"
+matrix_jwt_service_container_image_name_prefix: ghcr.io/
+matrix_jwt_service_container_image_registry_prefix: ghcr.io/
+matrix_jwt_service_container_image_force_pull: true
+
+# Docker network configuration for JWT Service
+matrix_jwt_service_container_network: "{{ matrix_addons_container_network }}"
+matrix_jwt_service_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
+
+# Traefik Configuration for JWT Service
+matrix_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_jwt_service_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_jwt_service_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+# JWT 
Service Configuration +matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed + +######################################################################## +# # +# /matrix-jwt-service # +# # +######################################################################## \ No newline at end of file diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index d2660e7e3..eb7652b1a 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -4,8 +4,6 @@ matrix_element_call_enabled: false # Base path configuration matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" -matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" -matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" 
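Review bot: `matrix_jwt_service_hostname: "lk-jwt-service"` overrides the role default `sfu-jwt.{{ matrix_domain }}` with a bare container-style name, while `matrix_jwt_service_url` in the same block still advertises `https://sfu-jwt.{{ matrix_domain }}`; the jwt-service Traefik rule is built from the hostname, so clients are sent to a host no router matches unless host_vars repair it. Derive both from one value, e.g. `matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}"` and `matrix_jwt_service_url: "{{ matrix_jwt_service_scheme }}://{{ matrix_jwt_service_hostname }}"`. In the LiveKit block, `matrix_livekit_server_container_additional_networks` reads `matrix_livekit_server_container_labels_traefik_enabled`, but the variables defined a few lines below are spelled `matrix_livekit_container_labels_traefik_enabled` / `_docker_network`; either the lookup is undefined or, if the livekit role's defaults (not in this view) declare the `_server_` spelling, the two group_vars entries are dead. Both new `_version` values are mutable tags (`latest`, `latest-ci`) paired with `force_pull: true`, so each run may silently pull a different image; a pinned tag or digest keeps upgrades reviewable.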
@@ -16,24 +14,12 @@ matrix_element_call_container_additional_networks: [] # No additional networks # Docker images matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" -matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" -matrix_livekit_image: "livekit/livekit-server:latest" redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" -matrix_jwt_service_port: "8881" redis_port: "6379" -# LiveKit configuration -matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars -matrix_element_call_jwt_secret: "{{ matrix_jwt_secret }}" # Must be defined in host_vars -matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" -matrix_element_call_livekit_hostname: "sfu.{{ matrix_domain }}" - -# jwt configuration -matrix_element_call_jwt_hostname: "sfu-jwt.{{ matrix_domain }}" - # Well-known paths and domains (derived from matrix_domain) matrix_element_call_domain: "call.{{ matrix_domain }}" matrix_element_call_well_known_client_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" @@ -47,7 +33,7 @@ redis_password: "" # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true -matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_callcontainer_network }}" +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}" # The path prefix must either be `/` or not end with a slash (e.g. `/element`). matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" 
@@ -112,11 +98,11 @@ matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_callfloc_optout_enabled else '' }}" +matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_callhsts_preload_enabled else '' }}" +matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -126,8 +112,8 @@ matrix_element_call_http_header_strict_transport_security: "max-age=31536000; in # - https://amifloced.org/ # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. -# See: `matrix_element_callcontent_permission_policy` -matrix_element_callfloc_optout_enabled: true +# See: `matrix_element_call_content_permission_policy` +matrix_element_call_floc_optout_enabled: true # Controls if HSTS preloading is enabled # 
@@ -139,7 +125,7 @@ matrix_element_callfloc_optout_enabled: true # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_element_call_http_header_strict_transport_security` -matrix_element_callhsts_preload_enabled: false +matrix_element_call_hsts_preload_enabled: false # Enable or disable metrics collection matrix_element_call_metrics_enabled: false diff --git a/roles/custom/matrix-element-call/tasks/create_element_json.yml b/roles/custom/matrix-element-call/tasks/create_element_json.yml deleted file mode 100644 index 7fe689183..000000000 --- a/roles/custom/matrix-element-call/tasks/create_element_json.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- ---- -# Create the element.json file to point to Element Call - -- name: Ensure .well-known/element directory exists - ansible.builtin.file: - path: "{{ matrix_element_call_well_known_element_path | dirname }}" - state: directory - mode: 0755 - -- name: Create or update the element.json file with Element Call config - ansible.builtin.copy: - dest: "{{ matrix_element_call_well_known_element_path }}" - content: | - { - "call": { - "widget_url": "{{ matrix_element_call_base_url }}" - } - } - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index f036fa2f9..48719f413 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -175,7 +175,7 @@ "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", - "livekit_service_url": "{{ matrix_element_call_jwt_service_url }}" + "livekit_service_url": "{{ matrix_jwt_service_url }}" } ] marker: "# ANSIBLE MANAGED BLOCK - Element Call RTC FOCI" 
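Review bot: `marker: "# ANSIBLE MANAGED BLOCK - Element Call RTC FOCI"` wraps a JSON fragment (`"org.matrix.msc4143.rtc_foci": [...]`) in `#` comment lines; if the target is the `.well-known/matrix/client` document, as the deleted update_well_known_client.yml did for the same block, the file stops being valid JSON and clients reject it whole. JSON has no comment syntax, so no `marker_begin`/`marker_end` choice helps — render the document from a template, or add the key through whatever mechanism the playbook already uses to compose the well-known client file. The enclosing task (including its `path:`) starts outside the hunk, so the target is inferred from the deleted task.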
diff --git a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml deleted file mode 100644 index a9d55ff85..000000000 --- a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml +++ /dev/null 
@@ -1,166 +0,0 @@ ---- -# Ensure Required Directories Exist -- name: Ensure matrix-element-call paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - loop: - - path: "{{ matrix_element_call_base_path }}" - - path: "{{ matrix_element_call_base_path }}/data" - - path: "{{ matrix_element_call_base_path }}/config" - - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config - -# Ensure Configuration Files are in Place -- name: Ensure Element Call config.json is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/config.json.j2" - dest: "{{ matrix_element_call_base_path }}/config/config.json" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure LiveKit livekit.yaml is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/livekit.yaml.j2" - dest: "{{ matrix_element_call_base_path }}/backend/livekit.yaml" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure Redis redis.conf is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/redis.conf.j2" - dest: "{{ matrix_element_call_base_path }}/backend/redis.conf" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-element-call environment file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_element_call_base_path }}/config/env" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-element-call Docker labels file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/labels" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -# 
Ensure Docker Images are Pulled -- name: Ensure matrix-element-call Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_element_call_image }}" - source: pull - force_source: "{{ matrix_element_call_container_image_force_pull }}" - register: element_call_image_result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: element_call_image_result is not failed - -- name: Ensure jwt-service Docker image is pulled - community.docker.docker_image: - name: "ghcr.io/element-hq/lk-jwt-service:latest-ci" - source: pull - register: jwt_image_result - retries: 3 - delay: 10 - until: jwt_image_result is not failed - -- name: Ensure livekit Docker image is pulled - community.docker.docker_image: - name: "livekit/livekit-server:latest" - source: pull - register: livekit_image_result - retries: 3 - delay: 10 - until: livekit_image_result is not failed - -- name: Ensure redis Docker image is pulled - community.docker.docker_image: - name: "redis:6-alpine" - source: pull - register: redis_image_result - retries: 3 - delay: 10 - until: redis_image_result is not failed - -- name: Debug matrix_element_call_base_path - ansible.builtin.debug: - var: matrix_element_call_base_path - -- name: Debug labels file content - ansible.builtin.debug: - msg: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" - -# Ensure Docker Containers are Running -- name: Run matrix-element-call Docker container - community.docker.docker_container: - name: "matrix-element-call" - image: "{{ matrix_element_call_image }}" - state: started - restart_policy: unless-stopped - env_file: "{{ matrix_element_call_base_path }}/config/env" - labels: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" - networks: - - name: "{{ matrix_element_call_container_network }}" - volumes: - - "{{ matrix_element_call_base_path 
}}/config/config.json:/app/config.json" - - "{{ matrix_element_call_base_path }}/data:/data" - -- name: Run jwt-service Docker container - community.docker.docker_container: - name: "matrix-jwt-service" - image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" - state: started - restart_policy: unless-stopped - environment: - LIVEKIT_SECRET: "{{ matrix_element_call_livekit_dev_key }}" # User-specified key - LIVEKIT_URL: "{{ matrix_element_call_livekit_service_url }}" - LIVEKIT_KEY: "devkey" - networks: - - name: "{{ matrix_element_call_container_network }}" - -- name: Run livekit Docker container - community.docker.docker_container: - name: "matrix-livekit" - image: "livekit/livekit-server:latest" - state: started - restart_policy: unless-stopped - command: "--dev --config /etc/livekit.yaml" - volumes: - - "{{ matrix_element_call_base_path }}/backend/livekit.yaml:/etc/livekit.yaml" - network_mode: "host" - -- name: Run redis Docker container - community.docker.docker_container: - name: "matrix-redis" - image: "redis:6-alpine" - state: started - restart_policy: unless-stopped - command: redis-server /etc/redis.conf - volumes: - - "{{ matrix_element_call_base_path }}/backend/redis.conf:/etc/redis.conf" - networks: - - name: "{{ matrix_element_call_container_network }}" - -# Ensure Systemd Services are Set Up -- name: Ensure matrix-element-call systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/element-call.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" - mode: 0644 - -- name: Ensure matrix-element-call systemd service is enabled and started - ansible.builtin.systemd: - name: matrix-element-call - enabled: true - state: started - daemon_reload: true diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml deleted file mode 100644 index 0fa227172..000000000 
--- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# Update Element-Web config.json with Element Call features - -- name: Ensure Element-Web config.json exists - ansible.builtin.file: - path: "{{ matrix_element_web_config_path }}" - state: file - mode: 0644 - -- name: Update Element-Web config.json with Element Call features - ansible.builtin.blockinfile: - path: "{{ matrix_element_web_config_path }}" - block: | - "features": { - "feature_video_rooms": true, - "feature_new_room_decoration_ui": true, - "feature_group_calls": true, - "feature_element_call_video_rooms": true - }, - "element_call": { - "url": "{{ matrix_element_call_base_url }}", - "participant_limit": 8, - "brand": "Element Call", - "use_exclusively": true - } - marker: "# ANSIBLE MANAGED BLOCK - Element Call features" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml b/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml deleted file mode 100644 index 46e4f5a09..000000000 --- a/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -# Update the homeserver.yaml file with Element Call config - -- name: Ensure homeserver.yaml exists - ansible.builtin.file: - path: "{{ matrix_homeserver_config_path }}" - state: file - mode: 0644 - -- name: Add listeners section for Element Call to homeserver.yaml - ansible.builtin.blockinfile: - path: "{{ matrix_homeserver_config_path }}" - block: | - listeners: - - port: 8008 - tls: false - type: http - x_forwarded: true - - resources: - - names: [client, federation, openid] - compress: false - marker: "# ANSIBLE MANAGED BLOCK - Element Call listeners" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure serve_server_wellknown is enabled in homeserver.yaml - ansible.builtin.lineinfile: - path: "{{ matrix_homeserver_config_path }}" - line: "serve_server_wellknown: true" - insertafter: EOF - state: present - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml deleted file mode 100644 index b02269f1c..000000000 --- a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- ---- -# Update the .well-known/matrix/client file with Element Call config - -- name: Ensure .well-known directory exists - ansible.builtin.file: - path: "{{ matrix_element_call_well_known_client_path | dirname }}" - state: directory - mode: 0755 - -- name: Update .well-known/matrix/client file with Element Call config - ansible.builtin.blockinfile: - path: "{{ matrix_element_call_well_known_client_path }}" - block: | - "org.matrix.msc4143.rtc_foci": [ - { - "type": "livekit", - "livekit_service_url": "{{ matrix_element_call_jwt_service_url }}" - } - ] - create: yes - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index c0e0ef940..7760cb94e 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -14,4 +14,4 @@ - {'name': 'matrix_livekit_image', when: true} - {'name': 'redis_image', when: true} - {'name': 'matrix_element_call_livekit_dev_key', when: true} - - {'name': 'matrix_element_call_livekit_service_url', when: true} + - {'name': 'matrix_jwt_service_url', when: true} diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 index 3dc7f0e8a..e58648e50 100644 --- a/roles/custom/matrix-element-call/templates/config.json.j2 +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -6,6 +6,6 @@ } }, "livekit": { - "livekit_service_url": "{{ matrix_element_call_livekit_service_url }}" + "livekit_service_url": "{{ matrix_jwt_service_url }}" } } diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 deleted file mode 100644 index b5a5d4be4..000000000 --- a/roles/custom/matrix-element-call/templates/env.j2 +++ /dev/null 
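Review bot: The validation list still requires `matrix_livekit_image` and `matrix_element_call_livekit_dev_key`, but this commit deletes both from the element-call defaults (the `@@ -16,24` hunk), so if this list drives an undefined-variable check every host fails validation unless host_vars resupply the removed names. Drop those two entries or replace them with what the role now reads (`redis_image`, `matrix_jwt_service_url`). Note also that `matrix_jwt_service_url`, required here and rendered in config.json.j2 and install.yml, is defined only in the matrix-jwt-service role and group_vars, so the element-call role no longer validates on its own. The enclosing task starts outside the hunk.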
@@ -1,11 +0,0 @@ -# Environment variables for Element Call -ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} -LIVEKIT_KEY=devkey -LIVEKIT_URL={{ matrix_element_call_livekit_service_url }} -LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }} -JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} - -# Optional additional environment variables provided by the user -{% for key, value in matrix_element_call_environment_variables_additional.items() %} -{{ key }}={{ value }} -{% endfor %} diff --git a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 deleted file mode 100644 index 603ced758..000000000 --- a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 +++ /dev/null @@ -1,13 +0,0 @@ -{% if matrix_element_call_container_labels_traefik_enabled %} -traefik.enable=true - -{% if matrix_element_call_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} -{% endif %} - -# Define the Traefik router rule for JWT Service -traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_hostname }}`) -traefik.http.routers.jwt-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.jwt-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} -traefik.http.services.jwt-service.loadbalancer.server.port=8881 -{% endif %} diff --git a/roles/custom/matrix-element-call/templates/livekit-labels.j2 b/roles/custom/matrix-element-call/templates/livekit-labels.j2 deleted file mode 100644 index 5fa0c51ad..000000000 --- a/roles/custom/matrix-element-call/templates/livekit-labels.j2 +++ /dev/null 
@@ -1,13 +0,0 @@ -{% if matrix_element_call_container_labels_traefik_enabled %} -traefik.enable=true - -{% if matrix_element_call_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} -{% endif %} - -# Define the Traefik router rule for LiveKit -traefik.http.routers.livekit-router.rule=Host(`{{ matrix_element_call_livekit_hostname }}`) -traefik.http.routers.livekit-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.livekit-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} -traefik.http.services.livekit-service.loadbalancer.server.port=7880 -{% endif %} diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml new file mode 100644 index 000000000..cf087da87 --- /dev/null +++ b/roles/custom/matrix-jwt-service/defaults/main.yml 
@@ -0,0 +1,118 @@
+---
+# Enable or disable matrix-element-call deployment
+matrix_jwt_service_enabled: false
+
+# Base path configuration
+matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service"
+matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml"
+
+# Docker network configuration
+matrix_jwt_service_container_network: ''
+matrix_jwt_service_container_http_host_bind_port: ''
+matrix_jwt_service_container_additional_networks: [] # No additional networks by default
+
+# Docker images
+matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci"
+
+# Ports
+matrix_jwt_service_port: "8881"
+
+# jwt configuration
+matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}"
+matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}"
+
+# Traefik Configuration for JWT Service
+matrix_jwt_service_container_labels_traefik_enabled: true
+matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_jwt_service_container_network }}"
+matrix_jwt_service_container_labels_traefik_hostname: "{{ matrix_jwt_service_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/element`).
+matrix_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_jwt_service_path_prefix }}"
+matrix_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_jwt_service_container_labels_traefik_hostname }}`){% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_jwt_service_container_labels_traefik_priority: 0
+matrix_jwt_service_container_labels_traefik_entrypoints: web-secure
+matrix_jwt_service_container_labels_traefik_tls: "{{ matrix_jwt_service_container_labels_traefik_entrypoints != 'web' }}"
+matrix_jwt_service_container_labels_traefik_tls_certResolver: default # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom` +matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" +matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) + }} +matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. 
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_jwt_service_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_jwt_service_container_extra_arguments: []
+
+# Additional environment variables for the container
+matrix_jwt_service_environment_variables_additional: {}
+
+# List of systemd services that matrix-element-call.service depends on
+matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+matrix_jwt_service_http_header_xss_protection: "1; mode=block"
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+matrix_jwt_service_http_header_frame_options: SAMEORIGIN
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+matrix_jwt_service_http_header_content_type_options: nosniff
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self'
+
+# Specifies the value of the `Permission-Policy` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}"
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}"
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `matrix_jwt_service_content_permission_policy`
+matrix_jwt_service_floc_optout_enabled: true
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `matrix_jwt_service_http_header_strict_transport_security`
+matrix_jwt_service_hsts_preload_enabled: false
\ No newline at end of file
diff --git a/roles/custom/matrix-jwt-service/tasks/install.yml b/roles/custom/matrix-jwt-service/tasks/install.yml
new file mode 100644
index 000000000..9a51bdfd3
--- /dev/null
+++ b/roles/custom/matrix-jwt-service/tasks/install.yml
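Review bot: `matrix_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_jwt_service_path_prefix }}"` references a variable this defaults file never defines; it exists only in group_vars, so the role cannot render its labels without that file — add `matrix_jwt_service_path_prefix: "/"` next to `matrix_jwt_service_hostname`. The image is exposed here as `matrix_jwt_service_image` with a hard-coded `latest-ci` tag, while group_vars sets `matrix_jwt_service_version`, `matrix_jwt_service_container_image` and `matrix_jwt_service_container_image_force_pull`, none of which tasks/install.yml reads; pick one scheme, ideally `matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}"` with a pinned default. `matrix_homeserver_config_path` is an unprefixed global that the element-call defaults also declare, so whichever role loads last silently wins. Several comments are copy-paste leftovers — "Enable or disable matrix-element-call deployment", "List of systemd services that matrix-element-call.service depends on", the `matrix_client_element_container_labels_additional_labels` example, and "See: `matrix_jwt_service_content_permission_policy`", which names a variable that does not exist (the key is `matrix_jwt_service_http_header_content_permission_policy`; the element-call defaults hunk at `@@ -126,8` carries the same stale reference).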
@@ -0,0 +1,46 @@
+---
+# roles/custom/matrix-jwt-service/tasks/install.yml
+
+# Ensure Required Directories Exist
+- name: Ensure matrix-jwt-service paths exist
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ with_items:
+ - path: "{{ matrix_jwt_service_base_path }}"
+
+- name: Ensure matrix-jwt-service environment file is in place
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/env.j2"
+ dest: "{{ matrix_jwt_service_base_path }}/env"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
+- name: Ensure JWT Service labels file is in place
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/labels.j2"
+ dest: "{{ matrix_jwt_service_base_path }}/labels"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
+# Ensure Docker Images are Pulled
+- name: Ensure jwt-service Docker image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_jwt_service_image }}"
+ source: pull
+ register: jwt_image_result
+ retries: 3
+ delay: 10
+ until: jwt_image_result is not failed
+
+# Systemd Services for JWT Service
+- name: Ensure jwt-service systemd service is installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2"
+ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service"
+ mode: 0644
\ No newline at end of file
diff --git a/roles/custom/matrix-jwt-service/tasks/main.yml b/roles/custom/matrix-jwt-service/tasks/main.yml
new file mode 100644
index 000000000..ee74a8967
--- /dev/null
+++ b/roles/custom/matrix-jwt-service/tasks/main.yml
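Review bot: The image-pull task near the end of the hunk hard-codes `retries: 3` and `delay: 10`, whereas the element-call role's equivalent task (visible in patch 080's install.yml hunk) takes its delay from `devture_playbook_help_container_retries_delay`; the new role should use the same playbook-level retry settings so operators tune pulls in one place. The env file that receives the LiveKit signing secret is written with `mode: 0640` and matrix-user ownership, which is the right restriction for that file. Consider adding a comment above the env task, `# Contains LIVEKIT_SECRET - keep the 0640 mode`, so a later refactor does not loosen it.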
@@ -0,0 +1,21 @@
+---
+# Main task file for matrix-element-call
+
+- tags:
+ - setup-all
+ - setup-jwt-service
+ - install-all
+ - install-wt-service
+ block:
+ - when: matrix_jwt_service_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+ - when: matrix_jwt_service_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+ - setup-all
+ - setup-jwt-service
+ block:
+ - when: not matrix_jwt_service_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
diff --git a/roles/custom/matrix-jwt-service/tasks/uninstall.yml b/roles/custom/matrix-jwt-service/tasks/uninstall.yml
new file mode 100644
index 000000000..550c82951
--- /dev/null
+++ b/roles/custom/matrix-jwt-service/tasks/uninstall.yml
@@ -0,0 +1,22 @@
+---
+# Uninstall tasks for matrix-jwt-service
+
+
+- name: Stop and remove jwt-service container
+ community.docker.docker_container:
+ name: "matrix-jwt-service"
+ state: absent
+
+- name: Remove jwt-service systemd service
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service"
+ state: absent
+
+- name: Remove matrix-jwt-service configuration files
+ ansible.builtin.file:
+ path: "{{ matrix_jwt_service_base_path }}"
+ state: absent
+
+- name: Reload systemd daemon
+ ansible.builtin.systemd:
+ daemon_reload: true
diff --git a/roles/custom/matrix-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-jwt-service/tasks/validate_config.yml
new file mode 100644
index 000000000..a0105e940
--- /dev/null
+++ b/roles/custom/matrix-jwt-service/tasks/validate_config.yml
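Review bot: The fourth tag in the first block of main.yml is misspelled, `- install-wt-service`, so `--tags=install-jwt-service` would never select this role's install path; it should read `- install-jwt-service`, matching the `setup-jwt-service` naming used on the same list. The header comment `# Main task file for matrix-element-call` was carried over from the role this one was split from and should say `matrix-jwt-service`. The uninstall.yml hunk on the same line is fine as written; it removes the whole `matrix_jwt_service_base_path`, which is where the env file with the LiveKit secret lives, so the secret does not linger after disablement.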
@@ -0,0 +1,12 @@
+---
+# Validate configuration for matrix-jwt-service
+
+- name: Fail if required matrix-jwt-service settings are not defined
+ ansible.builtin.fail:
+ msg: >
+ You need to define a required configuration setting (`{{ item.name }}`).
+ when: "item.when | bool and vars[item.name] == ''"
+ with_items:
+ - {'name': 'matrix_jwt_service_base_path', when: true}
+ - {'name': 'matrix_jwt_service_container_network', when: true}
+ - {'name': 'matrix_jwt_service_image', when: true}
diff --git a/roles/custom/matrix-jwt-service/templates/env.j2 b/roles/custom/matrix-jwt-service/templates/env.j2
new file mode 100644
index 000000000..8034a9b33
--- /dev/null
+++ b/roles/custom/matrix-jwt-service/templates/env.j2
@@ -0,0 +1,4 @@
+# Environment variables for JWT Service
+LIVEKIT_KEY=devkey
+LIVEKIT_URL=wss://{{ matrix_livekit_server_hostname }}:443
+LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }}
\ No newline at end of file
diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2
new file mode 100644
index 000000000..b547e1952
--- /dev/null
+++ b/roles/custom/matrix-jwt-service/templates/labels.j2
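Review bot: validate_config.yml checks the base path, network and image but not the value that actually matters for this service's security, the token-signing secret that env.j2 (same line) writes as `LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }}`; an empty value there means every token the service mints is signed with an empty key. Add it to the list, `- {'name': 'matrix_element_call_jwt_secret', when: true}`, or better give the role its own `matrix_jwt_service_*` variable that defaults to the element-call one, since a `matrix-jwt-service` role reading another role's secret is hard to reason about. The key id `LIVEKIT_KEY=devkey` is hard-coded in env.j2 while the LiveKit side (livekit.yaml.j2, later in this patch) also hard-codes `devkey:`; a short comment in env.j2, `# must match the key name in livekit.yaml`, would make that coupling visible. Note that env.j2 lacks a trailing newline.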
@@ -0,0 +1,46 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +# Network configuration for Traefik +{% if matrix_jwt_service_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080 + +{% set middlewares = [] %} + +# Path prefix handling for JWT +{% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_jwt_service_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-jwt-service-slashless-redirect'] %} + +traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_jwt_service_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %} +{% endif %} + +{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }} +{% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-jwt-service.priority={{ matrix_jwt_service_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-jwt-service.service=matrix-jwt-service +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-jwt-service.middlewares={{ middlewares | join(',') }} +{% 
endif %} +traefik.http.routers.matrix-jwt-service.entrypoints={{ matrix_jwt_service_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-jwt-service.tls={{ matrix_jwt_service_container_labels_traefik_tls | to_json }} +{% if matrix_jwt_service_container_labels_traefik_tls %} +traefik.http.routers.matrix-jwt-service.tls.certResolver={{ matrix_jwt_service_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_jwt_service_container_labels_additional_labels }} diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 similarity index 85% rename from roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 rename to roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 index 7d2ac8fd8..07c8ef1ed 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 @@ -15,13 +15,13 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_element_call_container_network }} \ + --network={{ matrix_jwt_service_container_network }} \ -p {{ matrix_jwt_service_port }}:8080 \ - --env-file={{ matrix_element_call_base_path }}/config/env \ - --label-file={{ matrix_element_call_base_path }}/config/jwt-service-labels \ + --env-file={{ matrix_jwt_service_base_path }}/env \ + --label-file={{ matrix_jwt_service_base_path }}/labels \ {{ matrix_jwt_service_image }} -{% for network in matrix_element_call_container_additional_networks %} +{% for network in matrix_jwt_service_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service {% endfor %} 
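Review bot: The outer guard on the first line of labels.j2, `{% if matrix_element_call_container_labels_traefik_enabled %}`, keys this role's Traefik exposure on the element-call role's variable rather than its own; the rest of the template consistently uses `matrix_jwt_service_container_labels_traefik_*`, so this should be `{% if matrix_jwt_service_container_labels_traefik_enabled %}` (the jwt-service defaults hunk is only partially visible here, so confirm that variable is declared). As written, disabling Traefik for element-call silently removes the router for the token service too, and enabling it for element-call exposes the token service even if an operator intended otherwise. The `{% endif %}` closing the middlewares block appears split across two lines in this rendering; verify the committed file has it on one line.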
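Review bot: The context line `-p {{ matrix_jwt_service_port }}:8080 \` publishes the token-issuing service on every host interface unconditionally, in addition to the Traefik route defined by the labels file this hunk now points at; the element-call unit in patch 080 wraps its own `-p` in `{% if matrix_element_call_container_http_host_bind_port %}`. The same pattern here, `{% if matrix_jwt_service_container_http_host_bind_port %}` around the `-p` line with the variable empty by default, keeps the service reachable only through the reverse proxy unless an operator opts in. The `ExecStartPre` create command this hunk edits starts above the hunk, so the surrounding flags (`--cap-drop=ALL`, the non-root `--user`) are not visible here but look consistent with the rest of the playbook.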
diff --git a/roles/custom/matrix-livekit/defaults/main.yml b/roles/custom/matrix-livekit/defaults/main.yml new file mode 100644 index 000000000..73ee72f6b --- /dev/null +++ b/roles/custom/matrix-livekit/defaults/main.yml 
@@ -0,0 +1,119 @@ +--- +# Enable or disable matrix-livekit-server deployment +matrix_livekit_server_enabled: false + +# Base path configuration +matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" +matrix_livekit_server_config_path: "{{ matrix_livekit_server_base_path }}/config" +matrix_livekit_server_backend_path: "{{ matrix_livekit_server_base_path }}/backend" +matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" +element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" + +# Docker network configuration +matrix_livekit_server_container_network: '' +matrix_livekit_server_container_http_host_bind_port: '' +matrix_livekit_server_container_additional_networks: [] # No additional networks by default + +# Docker images +matrix_livekit_server_image: "livekit/livekit-server:latest" + +# LiveKit configuration +matrix_livekit_server_livekit_server_dev_key: "{{ matrix_livekit_server_dev_key }}" # Must be defined in host_vars +matrix_livekit_server_jwt_secret: "{{ matrix_element_call_jwt_secret }}" # Must be defined in host_vars +matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" + +# Traefik Configuration for Element Call +matrix_livekit_server_container_labels_traefik_enabled: true +matrix_livekit_server_container_labels_traefik_docker_network: "{{ matrix_livekit_server_container_network }}" +matrix_livekit_server_container_labels_traefik_hostname: "{{ matrix_livekit_server_domain }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). 
+matrix_livekit_server_container_labels_traefik_path_prefix: "{{ matrix_livekit_server_path_prefix }}" +matrix_livekit_server_container_labels_traefik_rule: "Host(`{{ matrix_livekit_server_container_labels_traefik_hostname }}`){% if matrix_livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_server_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_livekit_server_container_labels_traefik_priority: 0 +matrix_livekit_server_container_labels_traefik_entrypoints: web-secure +matrix_livekit_server_container_labels_traefik_tls: "{{ matrix_livekit_server_container_labels_traefik_entrypoints != 'web' }}" +matrix_livekit_server_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom` +matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" +matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': 
matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) + }} +matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_livekit_server_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_livekit_server_container_extra_arguments: [] + +# Additional environment variables for the container +matrix_livekit_server_environment_variables_additional: {} + +# List of systemd services that matrix-element-call.service depends on +matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_livekit_server_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_livekit_server_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_livekit_server_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. 
+# See: `matrix_livekit_server_content_permission_policy` +matrix_livekit_server_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_livekit_server_http_header_strict_transport_security` +matrix_livekit_server_hsts_preload_enabled: false \ No newline at end of file diff --git a/roles/custom/matrix-livekit/tasks/install.yml b/roles/custom/matrix-livekit/tasks/install.yml new file mode 100644 index 000000000..cccb89deb --- /dev/null +++ b/roles/custom/matrix-livekit/tasks/install.yml 
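Review bot: Several defaults in this file reference variables the role never defines: `matrix_livekit_server_container_labels_traefik_hostname: "{{ matrix_livekit_server_domain }}"` and `..._traefik_path_prefix: "{{ matrix_livekit_server_path_prefix }}"`, while the hostname the role does define is `matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}"`, and `matrix_livekit_server_livekit_server_dev_key` is derived from an undefined `matrix_livekit_server_dev_key`; rendering the Traefik rule or livekit.yaml will fail unless the operator happens to set these. Point the Traefik hostname at `"{{ matrix_livekit_server_hostname }}"` and give the path prefix a literal `/` default. `matrix_livekit_server_image: "livekit/livekit-server:latest"` pins nothing, so an SFU that terminates media for all calls updates unreviewed on every pull; a fixed tag (and ideally a digest) is the norm for the other images in this playbook. Finally, `matrix_homeserver_config_path` and `element_web_config_path` lack the role prefix and leak into the global namespace, and the comment `# See: \`matrix_livekit_server_content_permission_policy\`` names a variable that does not exist (the defined one is `matrix_livekit_server_http_header_content_permission_policy`).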
@@ -0,0 +1,47 @@
+---
+# roles/custom/matrix-livekit-server/tasks/install.yml
+
+# Ensure Required Directories Exist
+- name: Ensure matrix-livekit-server paths exist
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ with_items:
+ - path: "{{ matrix_livekit_server_base_path }}"
+
+# Ensure Configuration Files are in Place
+- name: Ensure LiveKit livekit.yaml is in place
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/livekit.yaml.j2"
+ dest: "{{ matrix_livekit_server_base_path }}/livekit.yaml"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
+- name: Ensure LiveKit labels file is in place
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/labels.j2"
+ dest: "{{ matrix_livekit_server_base_path }}/labels"
+ mode: 0640
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+
+# Ensure Docker Images are Pulled
+- name: Ensure livekit Docker image is pulled
+ community.docker.docker_image:
+ name: "{{ matrix_livekit_server_image }}"
+ source: pull
+ register: livekit_image_result
+ retries: 3
+ delay: 10
+ until: livekit_image_result is not failed
+
+# Systemd Services for LiveKit
+- name: Ensure livekit systemd service is installed
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/systemd/matrix-livekit-server.service.j2"
+ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service"
+ mode: 0644
\ No newline at end of file
diff --git a/roles/custom/matrix-livekit/tasks/main.yml b/roles/custom/matrix-livekit/tasks/main.yml
new file mode 100644
index 000000000..255906c75
--- /dev/null
+++ b/roles/custom/matrix-livekit/tasks/main.yml
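Review bot: The last task installs the unit as `matrix-livekit.service`, but the uninstall.yml hunk later in this patch removes `matrix-livekit-server.service`, and the unit template itself names the container and `SyslogIdentifier` `matrix-livekit-server`; with these names disagreeing, disabling the role leaves the LiveKit unit installed and running. Change the dest to `dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service"` so install, uninstall and the unit's own naming line up. The pull task pulls `matrix_livekit_server_image` while the unit template (also in this patch) runs `matrix_livekit_image`; whichever is canonical, the pulled image and the started image should be the same variable. The header comment `# roles/custom/matrix-livekit-server/tasks/install.yml` also does not match the role directory `matrix-livekit`.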
@@ -0,0 +1,21 @@
+---
+# Main task file for matrix-livekit-server
+
+- tags:
+ - setup-all
+ - setup-livekit-server
+ - install-all
+ - install-livekit-server
+ block:
+ - when: matrix_livekit_server_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+ - when: matrix_livekit_server_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+ - setup-all
+ - setup-livekit-server
+ block:
+ - when: not matrix_livekit_server_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
diff --git a/roles/custom/matrix-livekit/tasks/uninstall.yml b/roles/custom/matrix-livekit/tasks/uninstall.yml
new file mode 100644
index 000000000..371db5c83
--- /dev/null
+++ b/roles/custom/matrix-livekit/tasks/uninstall.yml
@@ -0,0 +1,21 @@
+---
+# Uninstall tasks for matrix-livekit-server
+
+- name: Stop and remove livekit container
+ community.docker.docker_container:
+ name: "matrix-livekit-server"
+ state: absent
+
+- name: Remove livekit systemd service
+ ansible.builtin.file:
+ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service"
+ state: absent
+
+- name: Remove matrix-livekit-server configuration files
+ ansible.builtin.file:
+ path: "{{ matrix_livekit_serverbase_path }}"
+ state: absent
+
+- name: Reload systemd daemon
+ ansible.builtin.systemd:
+ daemon_reload: true
diff --git a/roles/custom/matrix-livekit/tasks/validate_config.yml b/roles/custom/matrix-livekit/tasks/validate_config.yml
new file mode 100644
index 000000000..552524318
--- /dev/null
+++ b/roles/custom/matrix-livekit/tasks/validate_config.yml
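Review bot: In uninstall.yml the configuration-removal task reads `path: "{{ matrix_livekit_serverbase_path }}"`, a typo for `matrix_livekit_server_base_path`; the variable is undefined, so the task errors out and the directory holding livekit.yaml, which contains the API key secret, is never removed on disable. Fix the line to `path: "{{ matrix_livekit_server_base_path }}"`. Since this task runs after the container and unit removals, the failure also skips the `daemon_reload` that follows it.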
@@ -0,0 +1,13 @@
+---
+# Validate configuration for matrix-livekit-server
+
+- name: Fail if required matrix-livekit-server settings are not defined
+ ansible.builtin.fail:
+ msg: >
+ You need to define a required configuration setting (`{{ item.name }}`).
+ when: "item.when | bool and vars[item.name] == ''"
+ with_items:
+ - {'name': 'matrix_livekit_server_base_path', when: true}
+ - {'name': 'matrix_livekit_server_container_network', when: true}
+ - {'name': 'matrix_livekit_server_image', when: true}
+ - {'name': 'matrix_livekit_image', when: true}
diff --git a/roles/custom/matrix-livekit/templates/labels.j2 b/roles/custom/matrix-livekit/templates/labels.j2
new file mode 100644
index 000000000..c41b7ed01
--- /dev/null
+++ b/roles/custom/matrix-livekit/templates/labels.j2
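Review bot: The list requires both `matrix_livekit_server_image` and `matrix_livekit_image`, which is the symptom of the naming split noted on install.yml: the defaults define only the first, the unit template consumes only the second, and neither is validated against the other. Once the template is switched to the role-prefixed name, drop `- {'name': 'matrix_livekit_image', when: true}`. The one value this file should insist on is missing: the API key secret written into livekit.yaml (`matrix_livekit_server_livekit_server_dev_key` in the defaults), since an empty secret makes every call token trivially forgeable; add `- {'name': 'matrix_livekit_server_livekit_server_dev_key', when: true}` (adjusting to whichever name livekit.yaml.j2 ends up reading).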
@@ -0,0 +1,46 @@ +{% if matrix_livekit_server_container_labels_traefik_enabled %} +traefik.enable=true + +# Network configuration for Traefik +{% if matrix_livekit_server_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_livekit_server_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-livekit-server.loadbalancer.server.port=7880 + +{% set middlewares = [] %} + +# Path prefix handling for Livekit +{% if matrix_livekit_server_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.regex=({{ matrix_livekit_server_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-livekit-server-slashless-redirect'] %} + +traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes={{ matrix_livekit_server_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %} +{% endif %} + +{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }} +{% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-livekit-server.priority={{ matrix_livekit_server_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-livekit-server.service=matrix-livekit-server +{% if middlewares | length > 0 %} 
+traefik.http.routers.matrix-livekit-server.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-livekit-server.entrypoints={{ matrix_livekit_server_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-livekit-server.tls={{ matrix_livekit_server_container_labels_traefik_tls | to_json }} +{% if matrix_livekit_server_container_labels_traefik_tls %} +traefik.http.routers.matrix-livekit-server.tls.certResolver={{ matrix_livekit_server_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_livekit_server_container_labels_additional_labels }} diff --git a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit/templates/livekit.yaml.j2 similarity index 83% rename from roles/custom/matrix-element-call/templates/livekit.yaml.j2 rename to roles/custom/matrix-livekit/templates/livekit.yaml.j2 index 384cf3722..f8e2ad0c2 100644 --- a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-livekit/templates/livekit.yaml.j2 @@ -17,4 +17,4 @@ turn: external_tls: true keys: - devkey: "{{ matrix_element_call_livekit_dev_key }}" + devkey: "{{ matrix_livekit_server_livekit_dev_key }}" diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 b/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 similarity index 71% rename from roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 rename to roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 index 4b7f3ea8a..0f416c82d 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 +++ b/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 
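Review bot: The renamed livekit.yaml.j2 now reads `devkey: "{{ matrix_livekit_server_livekit_dev_key }}"`, but the role's defaults define `matrix_livekit_server_livekit_server_dev_key` (and a `matrix_livekit_server_jwt_secret` aliasing `matrix_element_call_jwt_secret`), so this template will fail to render on an undefined variable. Beyond the name, the value under `devkey:` must be byte-identical to the `LIVEKIT_SECRET` the jwt-service writes from `matrix_element_call_jwt_secret`, otherwise LiveKit rejects every token; sourcing both from one variable, e.g. `devkey: "{{ matrix_livekit_server_jwt_secret }}"`, removes the chance of them drifting apart. The `keys:` block is the only part of the file in this hunk; the rest starts above it.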
@@ -1,33 +1,33 @@ [Unit] -Description=Matrix LiveKit Service +Description=Matrix LiveKit Server After=docker.service Requires=docker.service [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-server 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-server 2>/dev/null || true' ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ - --name=matrix-livekit \ + --name=matrix-livekit-server \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network=host \ - --mount type=bind,src={{ matrix_element_call_backend_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ - --label-file={{ matrix_element_call_base_path }}/config/livekit-labels \ + --mount type=bind,src={{ matrix_livekit_server_base_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ + --label-file={{ matrix_livekit_server_base_path }}/labels \ {{ matrix_livekit_image }} \ --dev --config /etc/livekit.yaml -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-server -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ 
devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-server 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-server 2>/dev/null || true' Restart=always RestartSec=30 -SyslogIdentifier=matrix-livekit +SyslogIdentifier=matrix-livekit-server [Install] WantedBy=multi-user.target From e952ba1c3a0c4db903a1b595c5ce1804ae2db636 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 22:35:59 +1000 Subject: [PATCH 080/108] removed duplicate tasks. --- .../matrix-element-call/tasks/install.yml | 69 +------------------ .../matrix-element-call/tasks/uninstall.yml | 20 ------ .../tasks/validate_config.yml | 4 -- .../systemd/matrix-element-call.service.j2 | 2 +- 4 files changed, 3 insertions(+), 92 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 48719f413..cd0612fce 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
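Review bot: The rename keeps the context line `--dev --config /etc/livekit.yaml` as the container command; as far as I recall, LiveKit's `--dev` flag is its development mode (verbose logging and a built-in fallback key pair when none is configured), which is not something a production SFU should run with unless there is a documented reason, so please confirm it is still needed now that `keys:` are supplied via livekit.yaml and, if it stays, add a comment above that line explaining why. The `--user`, `--cap-drop=ALL` and read-only bind mount of livekit.yaml are good; `--network=host` is expected for an SFU's UDP port range but means the labels file's Traefik `docker.network` setting cannot apply to this container, which is worth a comment in the unit as well. The `ExecStartPre` create command begins on the hunk's own first lines, but the `[Install]` section and the end of the unit are outside it.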
@@ -11,24 +11,13 @@ group: "{{ matrix_user_groupname }}" with_items: - path: "{{ matrix_element_call_base_path }}" - - path: "{{ matrix_element_call_base_path }}/data" - - path: "{{ matrix_element_call_base_path }}/config" - - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element" # Directory for element.json # Ensure Configuration Files are in Place - name: Ensure Element Call config.json is in place ansible.builtin.template: src: "{{ role_path }}/templates/config.json.j2" - dest: "{{ matrix_element_call_base_path }}/config/config.json" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure LiveKit livekit.yaml is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/livekit.yaml.j2" - dest: "{{ matrix_element_call_base_path }}/backend/livekit.yaml" + dest: "{{ matrix_element_call_base_path }}/config.json" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" 
@@ -41,34 +30,10 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure matrix-element-call environment file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_element_call_base_path }}/config/env" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/element-call-labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/element-call-labels" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure LiveKit labels file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/livekit-labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/livekit-labels" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure JWT Service labels file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/jwt-service-labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/jwt-service-labels" + dest: "{{ matrix_element_call_base_path }}/element-call-labels" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" 
@@ -84,24 +49,6 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: element_call_image_result is not failed -- name: Ensure jwt-service Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jwt_service_image }}" - source: pull - register: jwt_image_result - retries: 3 - delay: 10 - until: jwt_image_result is not failed - -- name: Ensure livekit Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_livekit_image }}" - source: pull - register: livekit_image_result - retries: 3 - delay: 10 - until: livekit_image_result is not failed - - name: Ensure redis Docker image is pulled community.docker.docker_image: name: "{{ redis_image }}" @@ -119,18 +66,6 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" mode: 0644 -- name: Ensure jwt-service systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" - mode: 0644 - -- name: Ensure livekit systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-livekit.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" - mode: 0644 - - name: Ensure redis systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml index d9a77415f..d137136c2 100644 --- a/roles/custom/matrix-element-call/tasks/uninstall.yml +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml 
@@ -6,16 +6,6 @@ name: "matrix-element-call" state: absent -- name: Stop and remove jwt-service container - community.docker.docker_container: - name: "matrix-jwt-service" - state: absent - -- name: Stop and remove livekit container - community.docker.docker_container: - name: "matrix-livekit" - state: absent - - name: Stop and remove redis container community.docker.docker_container: name: "matrix-redis" @@ -26,16 +16,6 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" state: absent -- name: Remove jwt-service systemd service - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" - state: absent - -- name: Remove livekit systemd service - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" - state: absent - - name: Remove redis systemd service ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 7760cb94e..5c00dcc92 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -10,8 +10,4 @@ - {'name': 'matrix_element_call_base_path', when: true} - {'name': 'matrix_element_call_container_network', when: true} - {'name': 'matrix_element_call_image', when: true} - - {'name': 'matrix_jwt_service_image', when: true} - - {'name': 'matrix_livekit_image', when: true} - {'name': 'redis_image', when: true} - - {'name': 'matrix_element_call_livekit_dev_key', when: true} - - {'name': 'matrix_jwt_service_url', when: true} diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 6048f9e4d..b9e2c315b 100644 
--- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% if matrix_element_call_container_http_host_bind_port %} -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \ {% endif %} - --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ + --label-file={{ matrix_element_call_base_path }}/element-call-labels \ {% for arg in matrix_element_call_container_extra_arguments %} {{ arg }} \ {% endfor %} From 3de399025f550973b04baeb6b66d062a16e1b884 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 22:41:36 +1000 Subject: [PATCH 081/108] hard coded redis port. --- roles/custom/matrix-element-call/templates/redis.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/redis.conf.j2 b/roles/custom/matrix-element-call/templates/redis.conf.j2 index 993572096..32a39f7be 100644 --- a/roles/custom/matrix-element-call/templates/redis.conf.j2 +++ b/roles/custom/matrix-element-call/templates/redis.conf.j2 @@ -1,5 +1,5 @@ bind 0.0.0.0 protected-mode yes -port {{ matrix_element_call_redis_port }} +port 6379 timeout 0 tcp-keepalive 300 From 58a9642e8c33fe87da03bd4db911d5569e22523b Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 22:45:56 +1000 Subject: [PATCH 082/108] fixed config file placement. --- .../templates/systemd/matrix-redis.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 index 5cccced16..f65b0c766 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 
@@ -16,7 +16,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_element_call_container_network }} \ - --mount type=bind,src={{ matrix_element_call_backend_path }}/redis.conf,dst=/etc/redis.conf,ro \ + --mount type=bind,src={{ matrix_element_call_base_path }}/redis.conf,dst=/etc/redis.conf,ro \ {{ redis_image }} \ redis-server /etc/redis.conf From 71dff50a65ccd00a328f1f6f068889bb2d6bc205 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 22:53:21 +1000 Subject: [PATCH 083/108] fixed livekit service name --- roles/custom/matrix-livekit/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit/tasks/install.yml b/roles/custom/matrix-livekit/tasks/install.yml index cccb89deb..8e859565b 100644 --- a/roles/custom/matrix-livekit/tasks/install.yml +++ b/roles/custom/matrix-livekit/tasks/install.yml @@ -43,5 +43,5 @@ - name: Ensure livekit systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-livekit-server.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service" mode: 0644 \ No newline at end of file From 8cb7deff15e585571f69dfc3e7de63ce96b9c9c8 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 23:04:10 +1000 Subject: [PATCH 084/108] cleaned up old services again --- roles/custom/matrix-livekit/defaults/main.yml | 4 ---- .../templates/systemd/matrix-livekit-server.service.j2 | 1 + 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/custom/matrix-livekit/defaults/main.yml b/roles/custom/matrix-livekit/defaults/main.yml index 73ee72f6b..2a549df76 100644 --- a/roles/custom/matrix-livekit/defaults/main.yml +++ b/roles/custom/matrix-livekit/defaults/main.yml 
@@ -4,10 +4,6 @@ matrix_livekit_server_enabled: false # Base path configuration matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" -matrix_livekit_server_config_path: "{{ matrix_livekit_server_base_path }}/config" -matrix_livekit_server_backend_path: "{{ matrix_livekit_server_base_path }}/backend" -matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" -element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" # Docker network configuration matrix_livekit_server_container_network: '' diff --git a/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 index 0f416c82d..b28739ac4 100644 --- a/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 +++ b/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix LiveKit Server After=docker.service From 97f93ebd76d984e80c398161335d036f40e1e280 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Tue, 1 Oct 2024 09:31:42 +1000 Subject: [PATCH 085/108] renamed the livekit role and added livekit-server and jwt-service roles to the setup file. --- .../{matrix-livekit => matrix-livekit-server}/defaults/main.yml | 0 .../{matrix-livekit => matrix-livekit-server}/tasks/install.yml | 0 .../{matrix-livekit => matrix-livekit-server}/tasks/main.yml | 0 .../tasks/uninstall.yml | 0 .../tasks/validate_config.yml | 0 .../templates/labels.j2 | 0 .../templates/livekit.yaml.j2 | 0 .../templates/systemd/matrix-livekit-server.service.j2 | 0 setup.yml | 2 ++ 9 files changed, 2 insertions(+) rename roles/custom/{matrix-livekit => matrix-livekit-server}/defaults/main.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/tasks/install.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/tasks/main.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/tasks/uninstall.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/tasks/validate_config.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/templates/labels.j2 (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/templates/livekit.yaml.j2 (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/templates/systemd/matrix-livekit-server.service.j2 (100%) diff --git a/roles/custom/matrix-livekit/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml similarity index 100% rename from roles/custom/matrix-livekit/defaults/main.yml rename to roles/custom/matrix-livekit-server/defaults/main.yml diff --git a/roles/custom/matrix-livekit/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml similarity index 100% rename from roles/custom/matrix-livekit/tasks/install.yml rename to roles/custom/matrix-livekit-server/tasks/install.yml 
diff --git a/roles/custom/matrix-livekit/tasks/main.yml b/roles/custom/matrix-livekit-server/tasks/main.yml similarity index 100% rename from roles/custom/matrix-livekit/tasks/main.yml rename to roles/custom/matrix-livekit-server/tasks/main.yml diff --git a/roles/custom/matrix-livekit/tasks/uninstall.yml b/roles/custom/matrix-livekit-server/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-livekit/tasks/uninstall.yml rename to roles/custom/matrix-livekit-server/tasks/uninstall.yml diff --git a/roles/custom/matrix-livekit/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml similarity index 100% rename from roles/custom/matrix-livekit/tasks/validate_config.yml rename to roles/custom/matrix-livekit-server/tasks/validate_config.yml diff --git a/roles/custom/matrix-livekit/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 similarity index 100% rename from roles/custom/matrix-livekit/templates/labels.j2 rename to roles/custom/matrix-livekit-server/templates/labels.j2 diff --git a/roles/custom/matrix-livekit/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 similarity index 100% rename from roles/custom/matrix-livekit/templates/livekit.yaml.j2 rename to roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 diff --git a/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 similarity index 100% rename from roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 rename to roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 diff --git a/setup.yml b/setup.yml index cbc3e1673..8055b46ba 100644 --- a/setup.yml +++ b/setup.yml 
@@ -131,6 +131,8 @@ - custom/matrix-media-repo - custom/matrix-pantalaimon - custom/matrix-element-call + - custom/matrix-livekit-server + - custom/matrix-jwt-service - role: galaxy/postgres_backup From b7b8ed573b9a56034785e17f232c707524fe4f16 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 09:48:44 +1000 Subject: [PATCH 086/108] typo in livekit-server validate. --- roles/custom/matrix-livekit-server/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index 552524318..7fdfa0511 100644 --- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -10,4 +10,4 @@ - {'name': 'matrix_livekit_server_base_path', when: true} - {'name': 'matrix_livekit_server_container_network', when: true} - {'name': 'matrix_livekit_server_image', when: true} - - {'name': 'matrix_livekit_image', when: true} + - {'name': 'matrix_livekit_server_image', when: true} From 812b57cfaa81d19b959bc13919abcba4c88b5336 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 09:54:02 +1000 Subject: [PATCH 087/108] resolved missing key. --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1739f54dd..c97697011 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
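Review bot: The added line `- {'name': 'matrix_livekit_server_image', when: true}` is identical to the entry directly above it, so this "typo fix" silently drops a required-variable check instead of correcting one. The LiveKit API secret the role consumes (`matrix_livekit_server_livekit_dev_key`, bound to `matrix_livekit_server_dev_key` in group_vars) is not in this list at all, so a deployment that never sets it is only discovered when the SFU and JWT service misbehave at runtime. Replace the new line with `- {'name': 'matrix_livekit_server_livekit_dev_key', when: true}` so the playbook fails fast on a missing secret. The task header this list belongs to is outside the hunk, so I have not verified how the entries are asserted.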
@@ -5937,7 +5937,7 @@ matrix_livekit_server_container_labels_traefik_entrypoints: "{{ devture_traefik_ matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" # LiveKit Service Configuration -matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # LiveKit dev key +matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # LiveKit dev key ######################################################################## # # From fd2f505b34092a8f0267023b9f6ac9c41308f1f9 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 10:00:30 +1000 Subject: [PATCH 088/108] Fixed typo in livekit server hostname --- roles/custom/matrix-livekit-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 2a549df76..5b8edc5c2 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -21,7 +21,7 @@ matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" # Traefik Configuration for Element Call matrix_livekit_server_container_labels_traefik_enabled: true matrix_livekit_server_container_labels_traefik_docker_network: "{{ matrix_livekit_server_container_network }}" -matrix_livekit_server_container_labels_traefik_hostname: "{{ matrix_livekit_server_domain }}" +matrix_livekit_server_container_labels_traefik_hostname: "{{ matrix_livekit_server_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/element`). matrix_livekit_server_container_labels_traefik_path_prefix: "{{ matrix_livekit_server_path_prefix }}" matrix_livekit_server_container_labels_traefik_rule: "Host(`{{ matrix_livekit_server_container_labels_traefik_hostname }}`){% if matrix_livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_server_container_labels_traefik_path_prefix }}`){% endif %}" From 7cdec5f2513c5c31d018c41468065f766fdbea57 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 10:17:34 +1000 Subject: [PATCH 089/108] fixed type in livekit image --- .../templates/systemd/matrix-livekit-server.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 index b28739ac4..30505a2dc 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 
@@ -19,7 +19,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --network=host \ --mount type=bind,src={{ matrix_livekit_server_base_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ --label-file={{ matrix_livekit_server_base_path }}/labels \ - {{ matrix_livekit_image }} \ + {{ matrix_livekit_server_image }} \ --dev --config /etc/livekit.yaml ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-server From d5aabc85be569354dc99f967ba3c397e371880ac Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 10:41:30 +1000 Subject: [PATCH 090/108] removed redis images in favor of the inbuilt keyDB --- group_vars/matrix_servers | 2 -- .../matrix-element-call/defaults/main.yml | 7 ---- .../matrix-element-call/tasks/install.yml | 26 +-------------- .../matrix-element-call/tasks/uninstall.yml | 10 ------ .../tasks/validate_config.yml | 1 - .../templates/redis.conf.j2 | 5 --- .../templates/systemd/matrix-redis.service.j2 | 32 ------------------- 7 files changed, 1 insertion(+), 82 deletions(-) delete mode 100644 roles/custom/matrix-element-call/templates/redis.conf.j2 delete mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c97697011..6728825fa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
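Review bot: The server is still launched with `--dev` on the line after the corrected image reference, and this unit is the production SFU. LiveKit documents dev mode as a local-development convenience — as far as I recall it turns on debug logging and the pprof endpoint and, if the config file defines no `keys:`, falls back to the well-known `devkey`/`secret` pair; combined with `--network=host` that would be an authentication bypass reachable on every host interface. The jwt-service env template in this series hard-codes `LIVEKIT_KEY=devkey`, so please confirm livekit.yaml.j2 defines that key with the deployment-specific secret, and start the container with just `--config /etc/livekit.yaml`, setting the log level in livekit.yaml instead. The ExecStartPre command begins and the unit continues outside the hunk.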
@@ -439,8 +439,6 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-livekit-server.service', 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if matrix_livekit_server_enabled else []) + - ([{'name': 'matrix-redis.service', 'priority': 450, 'groups': ['matrix', 'redis']}] if matrix_element_call_enabled else []) - + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else []) + ([{'name': 'matrix-sliding-sync.service', 'priority': 1500, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index eb7652b1a..393863ad5 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -14,11 +14,9 @@ matrix_element_call_container_additional_networks: [] # No additional networks # Docker images matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" -redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" -redis_port: "6379" # Well-known paths and domains (derived from matrix_domain) matrix_element_call_domain: "call.{{ matrix_domain }}" @@ -26,11 +24,6 @@ matrix_element_call_well_known_client_path: "{{ matrix_base_data_path }}/static- matrix_element_call_well_known_element_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element/element.json" matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" -# Redis Configuration for Element Call -redis_hostname: "localhost" -#redis_port: 6379 -redis_password: "" - # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}" 
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index cd0612fce..266a9407b 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -22,14 +22,6 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure Redis redis.conf is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/redis.conf.j2" - dest: "{{ matrix_element_call_base_path }}/backend/redis.conf" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/element-call-labels.j2" @@ -49,29 +41,13 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: element_call_image_result is not failed -- name: Ensure redis Docker image is pulled - community.docker.docker_image: - name: "{{ redis_image }}" - source: pull - register: redis_image_result - retries: 3 - delay: 10 - until: redis_image_result is not failed - -# Systemd Services for Element Call, JWT Service, LiveKit, and Redis - +# Systemd Services for Element Call - name: Ensure matrix-element-call systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" mode: 0644 -- name: Ensure redis systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - mode: 0644 - # Update homeserver.yaml for Element Call - name: Add listeners section for Element Call to homeserver.yaml ansible.builtin.blockinfile: 
diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml index d137136c2..184f88ac2 100644 --- a/roles/custom/matrix-element-call/tasks/uninstall.yml +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml @@ -6,21 +6,11 @@ name: "matrix-element-call" state: absent -- name: Stop and remove redis container - community.docker.docker_container: - name: "matrix-redis" - state: absent - - name: Remove matrix-element-call systemd service ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" state: absent -- name: Remove redis systemd service - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - state: absent - - name: Remove matrix-element-call configuration files ansible.builtin.file: path: "{{ matrix_element_call_base_path }}" diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 5c00dcc92..084e510d6 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -10,4 +10,3 @@ - {'name': 'matrix_element_call_base_path', when: true} - {'name': 'matrix_element_call_container_network', when: true} - {'name': 'matrix_element_call_image', when: true} - - {'name': 'redis_image', when: true} diff --git a/roles/custom/matrix-element-call/templates/redis.conf.j2 b/roles/custom/matrix-element-call/templates/redis.conf.j2 deleted file mode 100644 index 32a39f7be..000000000 --- a/roles/custom/matrix-element-call/templates/redis.conf.j2 +++ /dev/null @@ -1,5 +0,0 @@ -bind 0.0.0.0 -protected-mode yes -port 6379 -timeout 0 -tcp-keepalive 300 diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 deleted file mode 100644 index f65b0c766..000000000 
--- a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 +++ /dev/null @@ -1,32 +0,0 @@ -[Unit] -Description=Matrix Redis Service -After=docker.service -Requires=docker.service - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-redis 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-redis 2>/dev/null || true' - -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-redis \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_element_call_container_network }} \ - --mount type=bind,src={{ matrix_element_call_base_path }}/redis.conf,dst=/etc/redis.conf,ro \ - {{ redis_image }} \ - redis-server /etc/redis.conf - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-redis - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-redis 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-redis 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-redis - -[Install] -WantedBy=multi-user.target From f98a505df82526e8acc4460eea45a41fd9293382 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 11:00:56 +1000 Subject: [PATCH 091/108] changed jwt-service port label. --- roles/custom/matrix-jwt-service/templates/labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index b547e1952..62e2755ce 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 @@ -6,7 +6,7 @@ traefik.enable=true traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080 +traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8881 {% set middlewares = [] %} From d53c2428b8cfb9da1a7e668802716fc4f2caaf6c Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 12:29:35 +1000 Subject: [PATCH 092/108] updated jwt hostname. --- group_vars/matrix_servers | 4 ++-- roles/custom/matrix-jwt-service/defaults/main.yml | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6728825fa..ef138b1fe 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -5953,9 +5953,9 @@ matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # matrix_jwt_service_enabled: false # Default is false; should be enabled in host_vars as needed matrix_jwt_service_version: "latest-ci" # Default version; can be overridden in host_vars matrix_jwt_service_scheme: "https" # Scheme for Element Call (e.g., https) -matrix_jwt_service_hostname: "lk-jwt-service" # Default hostname; should be overridden in host_vars if different +matrix_jwt_service_hostname: "{{ matrix_jwt_service_hostname }}" # Default hostname; should be overridden in host_vars if different matrix_jwt_service_path_prefix: "/" # Path prefix for Element Call -matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" # Base path for storing Element Call-related files +matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/matrix-jwt-service" # Base path for storing Element Call-related files matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}" matrix_jwt_service_container_image_name_prefix: ghcr.io/ matrix_jwt_service_container_image_registry_prefix: ghcr.io/ diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index cf087da87..eef19f621 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml @@ -4,11 +4,10 @@ matrix_jwt_service_enabled: false # Base path configuration matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" -matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" # Docker network configuration matrix_jwt_service_container_network: '' -matrix_jwt_service_container_http_host_bind_port: '' +matrix_jwt_service_container_http_host_bind_port: '8881' matrix_jwt_service_container_additional_networks: [] # No additional networks by default # Docker images 
@@ -115,4 +114,4 @@ matrix_jwt_service_floc_optout_enabled: true # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_jwt_service_http_header_strict_transport_security` -matrix_jwt_service_hsts_preload_enabled: false \ No newline at end of file +matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file From dbbaae4fbebd1bdd06d20d7ddf6325aa347918a2 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 12:34:25 +1000 Subject: [PATCH 093/108] stopping the recursive loop --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ef138b1fe..97c5e3b41 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5953,7 +5953,7 @@ matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # matrix_jwt_service_enabled: false # Default is false; should be enabled in host_vars as needed matrix_jwt_service_version: "latest-ci" # Default version; can be overridden in host_vars matrix_jwt_service_scheme: "https" # Scheme for Element Call (e.g., https) -matrix_jwt_service_hostname: "{{ matrix_jwt_service_hostname }}" # Default hostname; should be overridden in host_vars if different +matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different matrix_jwt_service_path_prefix: "/" # Path prefix for Element Call matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/matrix-jwt-service" # Base path for storing Element Call-related files matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}" From 9864996aad36de6350c66095a4bb224ba022648b Mon Sep 17 00:00:00 2001 
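Review bot: Flipping `matrix_jwt_service_hsts_preload_enabled` to `true` makes every deployment emit the `preload` directive in Strict-Transport-Security, while the comment immediately above the variable describes preloading as an explicit opt-in at hstspreload.org. That directive is treated as consent to bake the domain into browsers' built-in HSTS lists, which applies with includeSubDomains and takes months to unwind, so it is not something a role default should assert on an admin's behalf. Keep `matrix_jwt_service_hsts_preload_enabled: false` (the previous value) and let hosts opt in per deployment; while here, add the trailing newline the diff reports as missing.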
From: wjbeckett Date: Tue, 1 Oct 2024 12:46:37 +1000 Subject: [PATCH 094/108] adjusted jwt service ports for traefik --- roles/custom/matrix-jwt-service/defaults/main.yml | 2 +- roles/custom/matrix-jwt-service/templates/labels.j2 | 2 +- .../templates/systemd/matrix-jwt-service.service.j2 | 4 +++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index eef19f621..3496e55db 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml @@ -7,7 +7,7 @@ matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" # Docker network configuration matrix_jwt_service_container_network: '' -matrix_jwt_service_container_http_host_bind_port: '8881' +matrix_jwt_service_container_http_host_bind_port: '' matrix_jwt_service_container_additional_networks: [] # No additional networks by default # Docker images diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index 62e2755ce..b547e1952 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 @@ -6,7 +6,7 @@ traefik.enable=true traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8881 +traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080 {% set middlewares = [] %} diff --git a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 index 07c8ef1ed..bdf36635a 100644 --- a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 
@@ -16,7 +16,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_jwt_service_container_network }} \ - -p {{ matrix_jwt_service_port }}:8080 \ + {% if matrix_jwt_service_container_http_host_bind_port %} + -p {{ matrix_jwt_service_container_http_host_bind_port }}:8080 \ + {% endif %} --env-file={{ matrix_jwt_service_base_path }}/env \ --label-file={{ matrix_jwt_service_base_path }}/labels \ {{ matrix_jwt_service_image }} From 5507fb3bab5fb89733f82715dfac67ff1457f99a Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 13:08:21 +1000 Subject: [PATCH 095/108] added element-call config.json to systemd file --- .../templates/systemd/matrix-element-call.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index b9e2c315b..791c62ddc 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -20,6 +20,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_element_call_container_network }} \ + --mount type=bind,src={{ matrix_element_call_base_path }}/config.json,dst=/app/config.json,ro \ {% if matrix_element_call_container_http_host_bind_port %} -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \ {% endif %} From e421852af5a0d571c9ef74e8c3cade58111d67ad Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 13:09:00 +1000 Subject: [PATCH 096/108] updated jwt bind port --- roles/custom/matrix-jwt-service/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
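Review bot: `-p {{ matrix_jwt_service_container_http_host_bind_port }}:8080` publishes the service on every host interface whenever the variable is a bare port number, which bypasses the Traefik TLS/hostname routing the labels file sets up; this container mints LiveKit access tokens, so it should not be reachable over plain HTTP from outside the host. The conditional is the right shape, but the defaults and docs should state that the value may carry a bind address, e.g. `matrix_jwt_service_container_http_host_bind_port: '127.0.0.1:8881'`, and that a bare port exposes it publicly. The `docker create` command this line belongs to starts and ends outside the hunk.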
diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index 3496e55db..eef19f621 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml @@ -7,7 +7,7 @@ matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" # Docker network configuration matrix_jwt_service_container_network: '' -matrix_jwt_service_container_http_host_bind_port: '' +matrix_jwt_service_container_http_host_bind_port: '8881' matrix_jwt_service_container_additional_networks: [] # No additional networks by default # Docker images From 4acb025130278f2a8426b41f2ec4920f9d409ed4 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 13:35:53 +1000 Subject: [PATCH 097/108] testing livekit configuration --- roles/custom/matrix-jwt-service/templates/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jwt-service/templates/env.j2 b/roles/custom/matrix-jwt-service/templates/env.j2 index 8034a9b33..4bb12aaf5 100644 --- a/roles/custom/matrix-jwt-service/templates/env.j2 +++ b/roles/custom/matrix-jwt-service/templates/env.j2 @@ -1,4 +1,4 @@ # Environment variables for JWT Service LIVEKIT_KEY=devkey LIVEKIT_URL=wss://{{ matrix_livekit_server_hostname }}:443 -LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }} \ No newline at end of file +LIVEKIT_SECRET={{ matrix_livekit_server_dev_key }} \ No newline at end of file From 46109565e1235be5203df505d4a1455acd8be4a3 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 16:33:48 +1000 Subject: [PATCH 098/108] updated headers for each of the call services. --- .../custom/matrix-element-call/defaults/main.yml | 16 ++++++++-------- .../custom/matrix-jwt-service/defaults/main.yml | 14 +++++++------- .../matrix-livekit-server/defaults/main.yml | 16 ++++++++-------- .../templates/livekit.yaml.j2 | 2 +- 4 files changed, 24 insertions(+), 24 deletions(-) 
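Review bot: Restoring `'8881'` as the default for `matrix_jwt_service_container_http_host_bind_port` means every deployment publishes the token-minting service on all host interfaces over plain HTTP unless the operator knows to override it, the opposite of the Traefik-fronted setup the labels file configures; the empty default from the previous commit was the safer choice. If a host port is wanted for local debugging, prefer `'127.0.0.1:8881'` so only the host can reach it, or keep `''` and document the override. I cannot tell from this hunk whether validate_config.yml rejects a bare port, so please confirm.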
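Review bot: `LIVEKIT_KEY=devkey` stays hard-coded and `LIVEKIT_SECRET` is now taken from `matrix_livekit_server_dev_key`, so every deployment signs LiveKit access tokens with a key pair whose naming suggests a development credential; anyone who learns the pair (it is presumably shared with the LiveKit server config) can mint tokens for any room on the SFU. Make the key id a dedicated variable mirroring the secret variable, require both to be set and the secret to be long and random in validate_config.yml, and keep neither in a defaults file. The file also still ends without a trailing newline, as the marker shows.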
diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 393863ad5..e62703271 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -75,27 +75,27 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_element_call_http_header_xss_protection: "1; mode=block" +#matrix_element_call_http_header_xss_protection: "1; mode=block" # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -matrix_element_call_http_header_frame_options: SAMEORIGIN +#matrix_element_call_http_header_frame_options: SAMEORIGIN # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -matrix_element_call_http_header_content_type_options: nosniff +#matrix_element_call_http_header_content_type_options: nosniff # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' +#matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}" +#matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}" +#matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -106,7 +106,7 @@ matrix_element_call_http_header_strict_transport_security: "max-age=31536000; in # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_element_call_content_permission_policy` -matrix_element_call_floc_optout_enabled: true +#matrix_element_call_floc_optout_enabled: true # Controls if HSTS preloading is enabled # @@ -118,7 +118,7 @@ matrix_element_call_floc_optout_enabled: true # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_element_call_http_header_strict_transport_security` -matrix_element_call_hsts_preload_enabled: false +matrix_element_call_hsts_preload_enabled: true # Enable or disable metrics collection matrix_element_call_metrics_enabled: false diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index eef19f621..2d5fd9013 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml 
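Review bot: Commenting out all six `matrix_element_call_http_header_*` defaults drops `X-Content-Type-Options: nosniff`, Permissions-Policy and Strict-Transport-Security along with the two framing headers, and the `_auto` assembler in this role still reads every one of these variables at this commit (it appears, un-commented, in a later hunk on this page), so rendering the labels file will very likely fail on an undefined variable rather than silently send no headers. If the motivation is that Element Call must be embeddable as a widget from another origin — I am inferring that, the commit message does not say — the targeted fix is to relax only the framing headers, e.g. `matrix_element_call_http_header_frame_options: ''` and `matrix_element_call_http_header_content_security_policy: "frame-ancestors 'self' <element-web origin>"`, and keep the rest. Lines that really are unwanted should be deleted, not left as comments.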
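Review bot: `matrix_element_call_hsts_preload_enabled: true` now has nothing to act on, because the same commit comments out `matrix_element_call_http_header_strict_transport_security`, its only consumer; independently of that, the flag is a public commitment that should stay `false` by default until the operator has submitted the domain to hstspreload.org, as the comment above it says. Revert this line to `matrix_element_call_hsts_preload_enabled: false`.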
@@ -71,27 +71,27 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_jwt_service_http_header_xss_protection: "1; mode=block" +#matrix_jwt_service_http_header_xss_protection: "1; mode=block" # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -matrix_jwt_service_http_header_frame_options: SAMEORIGIN +#matrix_jwt_service_http_header_frame_options: SAMEORIGIN # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -matrix_jwt_service_http_header_content_type_options: nosniff +#matrix_jwt_service_http_header_content_type_options: nosniff # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self' +#matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}" +#matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}" +#matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -102,7 +102,7 @@ matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; inc # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_jwt_service_content_permission_policy` -matrix_jwt_service_floc_optout_enabled: true +#matrix_jwt_service_floc_optout_enabled: true # Controls if HSTS preloading is enabled # diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 5b8edc5c2..662bc4e81 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
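Review bot: Nothing in this hunk explains why `X-Content-Type-Options: nosniff` and the Strict-Transport-Security default are commented out for the JWT service; if the framing headers were the problem, only those two should change. The `_auto` assembler for this role is still active at this commit and references all six variables, so the labels file is likely to fail to render with an undefined variable. Keep the nosniff and HSTS lines active and delete, rather than comment out, whatever is genuinely unwanted; note also that `#matrix_jwt_service_floc_optout_enabled` in the `@@ -102,7` hunk is read by the Permission-Policy default in the same file.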
@@ -69,27 +69,27 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_livekit_server_http_header_xss_protection: "1; mode=block" +#matrix_livekit_server_http_header_xss_protection: "1; mode=block" # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -matrix_livekit_server_http_header_frame_options: SAMEORIGIN +#matrix_livekit_server_http_header_frame_options: SAMEORIGIN # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -matrix_livekit_server_http_header_content_type_options: nosniff +#matrix_livekit_server_http_header_content_type_options: nosniff # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self' +#matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}" +#matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}" +#matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -100,7 +100,7 @@ matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_livekit_server_content_permission_policy` -matrix_livekit_server_floc_optout_enabled: true +#matrix_livekit_server_floc_optout_enabled: true # Controls if HSTS preloading is enabled # @@ -112,4 +112,4 @@ matrix_livekit_server_floc_optout_enabled: true # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_livekit_server_http_header_strict_transport_security` -matrix_livekit_server_hsts_preload_enabled: false \ No newline at end of file +matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 index f8e2ad0c2..492a12214 100644 --- a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 @@ -5,7 +5,7 @@ rtc: tcp_port: 7881 port_range_start: 50100 port_range_end: 50200 - use_external_ip: false + use_external_ip: true turn: enabled: false From 9691577b2239e894f9c8c1ae52f38b3c29802b80 Mon Sep 17 00:00:00 2001 
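Review bot: The LiveKit defaults lose `X-Content-Type-Options: nosniff` and HSTS together with the framing headers, and `matrix_livekit_server_hsts_preload_enabled` is flipped to `true` in the `@@ -112,4` hunk while its only consumer, the HSTS header variable, is commented out in the `@@ -69,27` hunk; the flag should in any case default to `false` until the operator opts in at hstspreload.org. Restore `matrix_livekit_server_hsts_preload_enabled: false` and keep the non-framing headers active, deleting rather than commenting out lines that are not wanted.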
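Review bot: `use_external_ip: true` makes the SFU advertise a discovered public address for the media ports shown in the context (`tcp_port: 7881`, `port_range_start`/`port_range_end` 50100-50200), which only helps if those ports are forwarded and allowed through the host firewall; nothing visible in this role on the page opens them, and `turn: enabled: false` stays, so clients behind restrictive NATs have no fallback. Add a comment above the line such as `# Discover and advertise the host's public IP for media; 7881/tcp and 50100-50200/udp must be reachable from clients` and state the firewall requirement in the docs. Consider exposing it as a role variable so LAN-only or proxied deployments can turn it off.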
From: wjbeckett Date: Tue, 1 Oct 2024 16:45:07 +1000 Subject: [PATCH 099/108] removed additinoal headers --- .../matrix-element-call/defaults/main.yml | 26 +++++++++---------- .../matrix-jwt-service/defaults/main.yml | 26 +++++++++---------- .../matrix-livekit-server/defaults/main.yml | 26 +++++++++---------- 3 files changed, 39 insertions(+), 39 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index e62703271..d445e7ab4 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -38,18 +38,18 @@ matrix_element_call_container_labels_traefik_tls_certResolver: default # noqa v # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom` -matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" -matrix_element_call_container_labels_traefik_additional_response_headers_auto: | - {{ - {} - | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) - | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) - | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) - | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) - | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) - | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) - }} -matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} +#matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" 
+#matrix_element_call_container_labels_traefik_additional_response_headers_auto: | +# {{ +# {} +# | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) +# | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) +# | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) +# | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) +# | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) +# | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) +# }} +#matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. @@ -118,7 +118,7 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_element_call_http_header_strict_transport_security` -matrix_element_call_hsts_preload_enabled: true +#matrix_element_call_hsts_preload_enabled: true # Enable or disable metrics collection matrix_element_call_metrics_enabled: false diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index 2d5fd9013..e688556f3 100644 
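Review bot: Commenting out `matrix_element_call_container_labels_traefik_additional_response_headers` in defaults does not remove its use: the labels template still evaluates `matrix_element_call_container_labels_traefik_additional_response_headers.keys()` at this commit (the removed lines of the next patch on this page show that reference), so the labels file fails to render with an undefined variable. Either keep the dictionary defined — `matrix_element_call_container_labels_traefik_additional_response_headers: {}` keeps the template valid and sends no headers — or remove the template reference in the same commit; and delete dead code rather than leaving a 13-line commented Jinja expression in a defaults file.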
--- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml 
@@ -34,18 +34,18 @@ matrix_jwt_service_container_labels_traefik_tls_certResolver: default # noqa va # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom` -matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" -matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | - {{ - {} - | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) - | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) - | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) - | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) - | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) - | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) - }} -matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} +#matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" 
+#matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | +# {{ +# {} +# | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) +# | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) +# | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) +# | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) +## | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) +# | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) +# }} +#matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. @@ -114,4 +114,4 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_jwt_service_http_header_strict_transport_security` -matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file +#matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 662bc4e81..b392aefe6 100644 
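Review bot: The `##` on the Permission-Policy line shows these lines were toggled by hand rather than deliberately removed; the whole block is dead text now and should be deleted, not commented. At this commit the JWT labels template still calls `.keys()` on `matrix_jwt_service_container_labels_traefik_additional_response_headers` (see the removed lines of the following patch on this page), so with the variable undefined the labels file cannot render; if the goal is "no extra headers", `matrix_jwt_service_container_labels_traefik_additional_response_headers: {}` achieves it without touching the template.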
--- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -32,18 +32,18 @@ matrix_livekit_server_container_labels_traefik_tls_certResolver: default # noqa # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom` -matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" -matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | - {{ - {} - | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) - | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) - | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) - | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) - | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) - | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) - }} -matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} +#matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | 
combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" +#matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | +# {{ +# {} +# | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) +# | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) +# | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) +# | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) +# | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) +# | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) +# }} +#matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. @@ -112,4 +112,4 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_livekit_server_http_header_strict_transport_security` -matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file +#matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file 
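Review bot: Commenting out `matrix_livekit_server_container_labels_traefik_additional_response_headers` leaves the LiveKit labels template, which still calls `.keys()` on it at this commit (visible in the removed lines of the next patch on this page), referencing an undefined variable, so the labels file will not render. Define it as an empty dict, `matrix_livekit_server_container_labels_traefik_additional_response_headers: {}`, if no headers are wanted, and delete the commented block instead of keeping it as a comment.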
From 6c8923ae2879948fbdaa794bdb5992aee1a13e3c Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 16:51:06 +1000 Subject: [PATCH 100/108] removed headers. --- .../templates/element-call-labels.j2 | 12 ++++++------ roles/custom/matrix-jwt-service/templates/labels.j2 | 12 ++++++------ .../custom/matrix-livekit-server/templates/labels.j2 | 12 ++++++------ 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 10a84751b..28d7d714a 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={ {% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} {% endif %} -{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} -{% endif %} +#{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +#{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} +#traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +#{% endfor %} +#{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +#{% endif %} traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} 
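Review bot: Prefixing the `{% if %}`/`{% for %}`/`{% set %}` lines with `#` does not disable them — Jinja parses and executes block tags wherever they appear in the text, so `matrix_element_call_container_labels_traefik_additional_response_headers.keys()` is still evaluated (and with that dictionary commented out in defaults by the previous patch on this page, rendering fails on an undefined variable), while the `#` characters themselves leak into the labels file. To really disable the block wrap it in a Jinja comment, `{# ... #}`, or better delete the six lines; if the intent is just "send no extra headers", leave the template alone and define the headers dictionary as `{}` in defaults.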
diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index b547e1952..939c8d4d3 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 @@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ {% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %} {% endif %} -{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} -{% endif %} +#{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +#{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} +#traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +#{% endfor %} +#{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} +#{% endif %} traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }} {% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %} diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index c41b7ed01..141045f2f 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 
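Review bot: `#` is not a Jinja comment, so the six prefixed lines are still executed and `matrix_jwt_service_container_labels_traefik_additional_response_headers.keys()` is still evaluated — with the variable commented out in the role defaults by the previous patch, the labels file fails to render — and the stray `#` characters end up in the output. Use `{# ... #}` or delete the lines outright.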
@@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes {% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %} {% endif %} -{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} -{% endif %} +#{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +#{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} +#traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +#{% endfor %} +#{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} +#{% endif %} traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }} {% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %} From 2b4fdea70fd8572cc1074bd5f7eaff84ed1247de Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 17:04:11 +1000 Subject: [PATCH 101/108] added header flags back in. --- .../matrix-element-call/defaults/main.yml | 40 +++++++++---------- .../templates/element-call-labels.j2 | 12 +++--- .../matrix-jwt-service/defaults/main.yml | 40 +++++++++---------- .../matrix-jwt-service/templates/labels.j2 | 12 +++--- .../matrix-livekit-server/defaults/main.yml | 40 +++++++++---------- .../matrix-livekit-server/templates/labels.j2 | 12 +++--- 6 files changed, 78 insertions(+), 78 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index d445e7ab4..0a227a1bc 100644 
--- a/roles/custom/matrix-element-call/defaults/main.yml
+++ b/roles/custom/matrix-element-call/defaults/main.yml
@@ -38,18 +38,18 @@ matrix_element_call_container_labels_traefik_tls_certResolver: default # noqa v # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom` -#matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" -#matrix_element_call_container_labels_traefik_additional_response_headers_auto: | -# {{ -# {} -# | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) -# | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) -# | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) -# | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) -# | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) -# | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) -# }} -#matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} +matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" 
+matrix_element_call_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) + }} +matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. 
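Review bot: The `_auto` map builds the header under the key `'Permission-Policy'`, but the header is named `Permissions-Policy` (the comment further down in this same file spells it correctly), so any value configured for it would be sent under a name browsers ignore; change the line to `| combine ({'Permissions-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {})`. The jwt-service and livekit-server defaults hunks below carry the same misspelled key. Consider also renaming the variable from `_content_permission_policy` to `_permissions_policy` for consistency with the header, keeping the old name as an alias if anything already references it.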
@@ -75,27 +75,27 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -#matrix_element_call_http_header_xss_protection: "1; mode=block" +matrix_element_call_http_header_xss_protection: '' # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -#matrix_element_call_http_header_frame_options: SAMEORIGIN +matrix_element_call_http_header_frame_options: '' # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -#matrix_element_call_http_header_content_type_options: nosniff +matrix_element_call_http_header_content_type_options: '' # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -#matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' +matrix_element_call_http_header_content_security_policy: '' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -#matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}" +matrix_element_call_http_header_content_permission_policy: '' # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -#matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}" +matrix_element_call_http_header_strict_transport_security: '' # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -106,7 +106,7 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_element_call_content_permission_policy` -#matrix_element_call_floc_optout_enabled: true +matrix_element_call_floc_optout_enabled: false # Controls if HSTS preloading is enabled # @@ -118,7 +118,7 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_element_call_http_header_strict_transport_security` -#matrix_element_call_hsts_preload_enabled: true +matrix_element_call_hsts_preload_enabled: false # Enable or disable metrics collection matrix_element_call_metrics_enabled: false diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 28d7d714a..cfc5c72f7 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
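Review bot: Every header value is re-enabled as `''`, so with these defaults the `_auto` map stays empty and the `add-headers` middleware is never attached — the security headers are effectively still off, only less visibly than when the variables were commented out. `matrix_element_call_floc_optout_enabled` and `matrix_element_call_hsts_preload_enabled` are now dead toggles, because the `Permission-Policy` and `Strict-Transport-Security` values no longer reference them. If the intent is to keep the headers off for these endpoints, the comments above each variable should say so; otherwise restore at least `matrix_element_call_http_header_content_type_options: nosniff` and the removed `Strict-Transport-Security` expression, which is the part that matters for a TLS-only service. The jwt-service and livekit-server hunks below have the same issue and additionally set `_hsts_preload_enabled: true` (inconsistent with the `false` here, and meaningless while the HSTS value is empty) and leave those files without a trailing newline.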
@@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={ {% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} {% endif %} -#{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -#{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -#traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -#{% endfor %} -#{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} -#{% endif %} +{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} + {% endif %} traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index e688556f3..97d58a273 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml 
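Review bot: The restored closing tag is written as `+ {% endif %}` with a leading space, which the jwt-service and livekit-server label templates in this commit do not have; with Ansible's default `trim_blocks` only the tag's own newline is stripped, so the stray space is presumably emitted in front of the following `traefik.http.routers...` label line. Drop the space so the line reads `{% endif %}` exactly as in the other two templates.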
@@ -34,18 +34,18 @@ matrix_jwt_service_container_labels_traefik_tls_certResolver: default # noqa va # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom` -#matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" -#matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | -# {{ -# {} -# | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) -# | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) -# | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) -# | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) -## | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) -# | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) -# }} -#matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} +matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" 
+matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) + }} +matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. 
@@ -71,27 +71,27 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -#matrix_jwt_service_http_header_xss_protection: "1; mode=block" +matrix_jwt_service_http_header_xss_protection: '' # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -#matrix_jwt_service_http_header_frame_options: SAMEORIGIN +matrix_jwt_service_http_header_frame_options: '' # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -#matrix_jwt_service_http_header_content_type_options: nosniff +matrix_jwt_service_http_header_content_type_options: '' # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -#matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self' +matrix_jwt_service_http_header_content_security_policy: '' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -#matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}" +matrix_jwt_service_http_header_content_permission_policy: '' # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -#matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}" +matrix_jwt_service_http_header_strict_transport_security: '' # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -102,7 +102,7 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_jwt_service_content_permission_policy` -#matrix_jwt_service_floc_optout_enabled: true +matrix_jwt_service_floc_optout_enabled: false # Controls if HSTS preloading is enabled # @@ -114,4 +114,4 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_jwt_service_http_header_strict_transport_security` -#matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file +matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index 939c8d4d3..b547e1952 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 
@@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ {% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %} {% endif %} -#{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -#{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} -#traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -#{% endfor %} -#{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} -#{% endif %} +{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} +{% endif %} traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }} {% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %} diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index b392aefe6..8175af0ea 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -32,18 +32,18 @@ matrix_livekit_server_container_labels_traefik_tls_certResolver: default # noqa # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom` -#matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" -#matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | -# {{ -# {} -# | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) -# | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) -# | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) -# | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) -# | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) -# | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) -# }} -#matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} +matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | 
combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" +matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) + }} +matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. 
@@ -69,27 +69,27 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -#matrix_livekit_server_http_header_xss_protection: "1; mode=block" +matrix_livekit_server_http_header_xss_protection: '' # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -#matrix_livekit_server_http_header_frame_options: SAMEORIGIN +matrix_livekit_server_http_header_frame_options: '' # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -#matrix_livekit_server_http_header_content_type_options: nosniff +matrix_livekit_server_http_header_content_type_options: '' # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -#matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self' +matrix_livekit_server_http_header_content_security_policy: '' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -#matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}" +matrix_livekit_server_http_header_content_permission_policy: '' # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -#matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}" +matrix_livekit_server_http_header_strict_transport_security: '' # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -100,7 +100,7 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_livekit_server_content_permission_policy` -#matrix_livekit_server_floc_optout_enabled: true +matrix_livekit_server_floc_optout_enabled: false # Controls if HSTS preloading is enabled # @@ -112,4 +112,4 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_livekit_server_http_header_strict_transport_security` -#matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file +matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index 141045f2f..c41b7ed01 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 
@@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes {% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %} {% endif %} -#{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -#{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} -#traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -#{% endfor %} -#{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} -#{% endif %} +{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} +{% endif %} traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }} {% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %} From a6e3203398fbb6c28a98127ca59ed8ad112ca68c Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 22:20:50 +1000 Subject: [PATCH 102/108] updated docs, broke the well-known and element client modifications out to separate tasks. --- docs/configuring-playbook-element-call.md | 14 ++----- .../matrix-element-call/defaults/main.yml | 2 +- .../matrix-element-call/tasks/install.yml | 40 ++++--------------- .../tasks/update_element_web_config.yml | 27 +++++++++++++ .../tasks/update_well_known_client.yml | 21 ++++++++++ 5 files changed, 60 insertions(+), 44 deletions(-) create mode 100644 roles/custom/matrix-element-call/tasks/update_element_web_config.yml create mode 100644 roles/custom/matrix-element-call/tasks/update_well_known_client.yml 
diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index bd36357ab..188b06d5e 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -28,21 +28,15 @@ Ensure that the following DNS names have a public IP/FQDN: Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml +# Enable dependent services +keydb_enabled: true matrix_element_call_enabled: true +matrix_livekit_server_enabled: true +matrix_jwt_service_enabled: true # Set a secure key for LiveKit authentication matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' ``` -## External databases - -If your setup utilizes an external database, you may need to adjust the default configuration for Redis used by Element Call. Modify the defaults in group_vars/matrix_servers.yml or host_vars to suit your setup: - -```yaml -matrix_element_call_redis_hostname: 'localhost' -matrix_element_call_redis_port: 6379 -matrix_element_call_redis_password: '' -``` - ## Installing After potentially adjusting DNS records and configuring the playbook, run the installation command again: ```yaml diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 0a227a1bc..02c910734 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -5,7 +5,7 @@ matrix_element_call_enabled: false # Base path configuration matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" -element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" +element_web_config_path: "{{ matrix_base_data_path }}/client-element/config.json" # Docker network configuration matrix_element_call_container_network: '' 
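Review bot: `element_web_config_path` (and the neighbouring `matrix_homeserver_config_path`) are defined in this role's `defaults/main.yml` without the `matrix_element_call_` prefix, so they land in the global variable namespace and can silently collide with, or be overridden by, any other role; rename them, e.g. `matrix_element_call_element_web_config_path: "{{ matrix_base_data_path }}/client-element/config.json"`. The new value also hardcodes the Element Web data directory under `matrix_base_data_path`; if the Element Web role exposes its data path as a variable, derive the path from that so the two roles cannot drift apart. The same applies to the synapse-specific `homeserver.yaml` path one line above, which will be wrong for other homeserver implementations.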
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 266a9407b..2c7aebf38 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -79,20 +79,10 @@ when: matrix_element_call_enabled | bool # Update the well-known client file for Element Call (adding RTC FOCI) -- name: Update the existing well-known client file for Element Call (RTC FOCI) - ansible.builtin.blockinfile: - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" - block: | - "org.matrix.msc4143.rtc_foci": [ - { - "type": "livekit", - "livekit_service_url": "{{ matrix_jwt_service_url }}" - } - ] - marker: "# ANSIBLE MANAGED BLOCK - Element Call RTC FOCI" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" +- name: Update the well-known client file for Element Call + ansible.builtin.include_tasks: update_well_known_client.yml + when: matrix_element_call_enabled | bool + # Create .well-known/element/element.json for Element Call - name: Create the well-known element.json file @@ -105,22 +95,6 @@ # Update Element Web config.json with Element Call settings - name: Update Element Web config.json - ansible.builtin.blockinfile: - path: "{{ element_web_config_path }}" - block: | - "features": { - "feature_video_rooms": true, - "feature_new_room_decoration_ui": true, - "feature_group_calls": true, - "feature_element_call_video_rooms": true - }, - "element_call": { - "url": "https://{{ matrix_element_call_domain }}", - "participant_limit": 8, - "brand": "Element Call", - "use_exclusively": true - } - marker: "# ANSIBLE MANAGED BLOCK - Element Call settings" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + ansible.builtin.include_tasks: "tasks/update_element_web_config.yml" + when: matrix_element_call_enabled | bool + 
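Review bot: The two new includes use different path forms — `update_well_known_client.yml` in the first hunk and `"tasks/update_element_web_config.yml"` in the second — and the files they name live in the same directory. Pick one form for both; if the rest of the playbook's roles use `"{{ role_path }}/tasks/..."` for their includes, that is the form to match. Each include is also gated on `matrix_element_call_enabled | bool` individually; if `install.yml` is only ever included when the role is enabled, those guards are redundant and can be dropped.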
diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml new file mode 100644 index 000000000..3025b432e --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml @@ -0,0 +1,27 @@ +- name: Update Element Web config.json settings + vars: + additional_settings: | + { + "features": { + "feature_video_rooms": true, + "feature_new_room_decoration_ui": true, + "feature_group_calls": true, + "feature_element_call_video_rooms": true + }, + "element_call": { + "url": "https://{{ matrix_element_call_domain }}", + "participant_limit": 8, + "brand": "Element Call", + "use_exclusively": true + } + } + set_fact: + updated_element_web_config: "{{ (element_web_config_content.content | b64decode | from_json) | combine(additional_settings | from_json, recursive=True) }}" + +- name: Write updated Element Web config.json + copy: + content: "{{ updated_element_web_config | to_nice_json }}" + dest: "{{ element_web_config_path }}" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml new file mode 100644 index 000000000..96d568c4c --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml 
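Review bot: `element_web_config_content` is never registered in this file — nothing slurps `element_web_config_path` before the `set_fact` decodes `element_web_config_content.content`, so the first task fails with an undefined variable. Add a read step ahead of it, mirroring the sibling `update_well_known_client.yml`: `- ansible.builtin.slurp:` / `    path: "{{ element_web_config_path }}"` / `  register: element_web_config_content`. The file also lacks the `---` document start and uses the short module names `set_fact` and `copy` where the sibling file uses `ansible.builtin.` FQCNs; keep the two consistent. Note that if the Element Web role regenerates `config.json` from its own template on every run, this merge is re-applied on each run and the merged keys disappear if this role is later disabled — worth a comment at the top of the file.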
@@ -0,0 +1,21 @@
+---
+- name: Read the existing well-known client file
+ ansible.builtin.slurp:
+ path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client"
+ register: client_file_content
+
+- name: Load the existing JSON content
+ ansible.builtin.set_fact:
+ client_json: "{{ client_file_content['content'] | b64decode | from_json }}"
+
+- name: Update the existing well-known client file for Element Call (RTC FOCI)
+ ansible.builtin.set_fact:
+ updated_client_json: "{{ client_json | combine({'org.matrix.msc4143.rtc_foci': [{'type': 'livekit', 'livekit_service_url': matrix_jwt_service_url}]}, recursive=True) }}"
+
+- name: Write the updated well-known client file
+ ansible.builtin.copy:
+ content: "{{ updated_client_json | to_nice_json }}"
+ dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client"
+ mode: '0644'
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
From f684719b2a732d846aa5f6d145aed6d8a45596c3 Mon Sep 17 00:00:00 2001
From: wjbeckett
Date: Tue, 1 Oct 2024 22:30:09 +1000
Subject: [PATCH 103/108] fixed error with element client update task
---
 .../matrix-element-call/tasks/install.yml | 3 +-
 .../tasks/update_element_web_config.yml | 55 +++++++++++--------
 2 files changed, 35 insertions(+), 23 deletions(-)
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml
index 2c7aebf38..dd401e89c 100644
--- a/roles/custom/matrix-element-call/tasks/install.yml
+++ b/roles/custom/matrix-element-call/tasks/install.yml
@@ -80,7 +80,7 @@
 # Update the well-known client file for Element Call (adding RTC FOCI)
 - name: Update the well-known client file for Element Call
- ansible.builtin.include_tasks: update_well_known_client.yml
+ ansible.builtin.include_tasks: "tasks/update_well_known_client.yml"
 when: matrix_element_call_enabled | bool
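Review bot: The final `copy` task replaces `.well-known/matrix/client` wholesale with the re-serialized merge result, and that file lives under the playbook's static-files directory, so if another role templates it on each run (not visible here, but likely) the two will overwrite each other depending on role order; that ordering dependency should be stated at the top of the file, e.g. `# NOTE: rewrites the client well-known document produced elsewhere; must run after the task that generates it`. `combine(..., recursive=True)` replaces list values rather than appending, so any existing `org.matrix.msc4143.rtc_foci` entry is discarded — acceptable if this role is authoritative for that key, but worth saying in a comment on the merge task. `slurp` also fails hard when the file is absent, which is probably the intended behaviour but deserves a one-line comment on the first task.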
@@ -98,3 +98,4 @@
 ansible.builtin.include_tasks: "tasks/update_element_web_config.yml"
 when: matrix_element_call_enabled | bool
+
diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml
index 3025b432e..6dd318c24 100644
--- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml
+++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml
@@ -1,27 +1,38 @@
+- name: Load Element Web config.json content
+ ansible.builtin.slurp:
+ src: "{{ element_web_config_path }}"
+ register: element_web_config_content_raw
+ ignore_errors: no
+
+- name: Parse Element Web config.json content
+ ansible.builtin.set_fact:
+ element_web_config_content: "{{ element_web_config_content_raw['content'] | b64decode | from_json }}"
+ when: element_web_config_content_raw is defined and element_web_config_content_raw['content'] is defined
+
 - name: Update Element Web config.json settings
- vars:
- additional_settings: |
- {
- "features": {
- "feature_video_rooms": true,
- "feature_new_room_decoration_ui": true,
- "feature_group_calls": true,
- "feature_element_call_video_rooms": true
- },
- "element_call": {
- "url": "https://{{ matrix_element_call_domain }}",
- "participant_limit": 8,
- "brand": "Element Call",
- "use_exclusively": true
- }
- }
- set_fact:
- updated_element_web_config: "{{ (element_web_config_content.content | b64decode | from_json) | combine(additional_settings | from_json, recursive=True) }}"
-
-- name: Write updated Element Web config.json
- copy:
- content: "{{ updated_element_web_config | to_nice_json }}"
+ ansible.builtin.set_fact:
+ element_web_config_content:
+ "{{ element_web_config_content | combine({
+ 'features': {
+ 'feature_video_rooms': true,
+ 'feature_new_room_decoration_ui': true,
+ 'feature_group_calls': true,
+ 'feature_element_call_video_rooms': true
+ },
+ 'element_call': {
+ 'url': 'https://{{ matrix_element_call_domain }}',
+ 'participant_limit': 8,
+ 'brand': 'Element Call',
+ 'use_exclusively': true
+ }
+ }, recursive=True) }}"
+ when: element_web_config_content is defined
+
+- name: Write updated Element Web config.json back to disk
+ ansible.builtin.copy:
+ content: "{{ element_web_config_content | to_nice_json }}"
 dest: "{{ element_web_config_path }}"
 mode: '0644'
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
+ when: element_web_config_content is defined
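Review bot: `'url': 'https://{{ matrix_element_call_domain }}'` is inside an expression that is already within `{{ ... }}`, so the inner braces are not evaluated as Jinja and the literal text `https://{{ matrix_element_call_domain }}` is what lands in config.json; concatenate instead: `'url': 'https://' ~ matrix_element_call_domain,`. The `when: element_web_config_content_raw is defined and ...` and `when: element_web_config_content is defined` guards can never be false in this file because the `slurp` is not allowed to fail (`ignore_errors: no`), so they only obscure the intent — either drop them or make the read tolerant of a missing file and keep them. `ignore_errors: no` should also be spelled `false`, since `no` is a YAML 1.1 boolean that yamllint's truthy rule rejects.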
From 1e6698cb994b360b06b4d101bad4412cace6f3cc Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Wed, 2 Oct 2024 13:27:02 +1000 Subject: [PATCH 104/108] updated documentation or the new roles. --- docs/configuring-playbook-jwt-service.md | 45 +++++++++++++++++ docs/configuring-playbook-livekit-server.md | 56 +++++++++++++++++++++ docs/configuring-playbook.md | 4 ++ 3 files changed, 105 insertions(+) create mode 100644 docs/configuring-playbook-jwt-service.md create mode 100644 docs/configuring-playbook-livekit-server.md diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md new file mode 100644 index 000000000..7910c0920 --- /dev/null +++ b/docs/configuring-playbook-jwt-service.md 
@@ -0,0 +1,45 @@ +# Setting up JWT Service (optional) + +The playbook can install and configure [JWT Service](https://github.com/element-hq/lk-jwt-service) for you. + +LK-JWT-Service is currently used for a single reason: generate JWT tokens with a given identity for a given room, so that users can use them to authenticate against LiveKit SFU. + +See the project's [documentation](https://github.com/element-hq/lk-jwt-service/) to learn more. + +## Decide on a domain and path + +By default, JWT Service is configured to be served on the Matrix domain (`sfu-jwt.DOMAIN`, controlled by the `matrix_jwt-service_hostname` variable). + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +If you'd like to run JWT Service on another hostname or path, use the `matrix_jwt-service_hostname` variable. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +Ensure that the following DNS names have a public IP/FQDN: +- `sfu-jwt.DOMAIN` + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_jwt_service_enabled: true +# Set a secure key for LiveKit authentication +matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +``` + +## Installing +After potentially adjusting DNS records and configuring the playbook, run the installation command again: +```yaml +ansible-playbook -i inventory setup.yml +``` + +## Usage +Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the element web client to point to your JWT service URL (e.g., `https://sfu-jwt.DOMAIN`). + +## Additional Information + +Refer to the JWT-Service documentation for more details on configuring and using JWT Service. \ No newline at end of file 
diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md new file mode 100644 index 000000000..dd1b4b229 --- /dev/null +++ b/docs/configuring-playbook-livekit-server.md 
@@ -0,0 +1,56 @@ +# Setting up Livekit (optional) + +The playbook can install and configure [Livekit](https://github.com/livekit/livekit) for you. + +LiveKit is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video audio data capabilities in your applications. + +See the project's [documentation](https://github.com/livekit/livekit) to learn more. + +## Decide on a domain and path + +By default, Livekit is configured to be served on the Matrix domain (`sfu.DOMAIN`, controlled by the `matrix_livekit_server_hostname` variable). + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +If you'd like to run Livekit on another hostname or path, use the `matrix_livekit_server_hostname` variable. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +Ensure that the following DNS names have a public IP/FQDN: +- `sfu.DOMAIN` + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_livekit_server_enabled: true +# Set a secure key for LiveKit authentication +matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +``` + +## Installing +After potentially adjusting DNS records and configuring the playbook, run the installation command again: +```yaml +ansible-playbook -i inventory setup.yml +``` + +## Usage +Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls. + +## Required Firewall and Port Forwarding Rules + +To ensure the services function correctly, the following firewall rules and port forwarding settings are required: + +LiveKit: + + • Forward UDP ports 50100:50200 to the Docker instance running LiveKit. 
+ • Forward TCP port 7881 to the Docker instance running LiveKit. + +Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services. + +## Additional Information + +Refer to the Livekit documentation for more details on configuring and using Livekit. \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index fb0704e08..fc75ceaa6 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -234,3 +234,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md) (optional) - [Setting up the Element Call server](configuring-playbook-element-call.md) (optional) + +- [Setting up the JWT Service](configuring-playbook-jwt-service.md) (optional) + +- [Setting up the Livekit server](configuring-playbook-livekit-server.md) (optional) From a03f5985a536e461653bfc30dc6ccc8372180d25 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Thu, 3 Oct 2024 12:38:34 +1000 Subject: [PATCH 105/108] removed trailing whitespaces --- docs/configuring-playbook-livekit-server.md | 2 +- group_vars/matrix_servers | 3 +-- roles/custom/matrix-element-call/defaults/main.yml | 2 +- roles/custom/matrix-element-call/tasks/install.yml | 4 +--- roles/custom/matrix-element-call/tasks/main.yml | 2 +- roles/custom/matrix-element-call/tasks/uninstall.yml | 2 +- .../matrix-element-call/tasks/update_element_web_config.yml | 5 +++-- .../matrix-element-call/tasks/update_well_known_client.yml | 2 +- roles/custom/matrix-element-call/tasks/validate_config.yml | 2 +- roles/custom/matrix-element-call/templates/config.json.j2 | 2 +- .../matrix-element-call/templates/element-call-labels.j2 | 2 +- .../templates/systemd/matrix-element-call.service.j2 | 2 +- .../matrix-element-call/templates/well_known_element.json.j2 | 2 +- roles/custom/matrix-jwt-service/defaults/main.yml | 2 +- roles/custom/matrix-jwt-service/tasks/main.yml | 2 +- roles/custom/matrix-jwt-service/tasks/uninstall.yml | 2 +- roles/custom/matrix-jwt-service/tasks/validate_config.yml | 2 +- roles/custom/matrix-jwt-service/templates/labels.j2 | 2 +- .../templates/systemd/matrix-jwt-service.service.j2 | 3 ++- roles/custom/matrix-livekit-server/tasks/main.yml | 2 +- roles/custom/matrix-livekit-server/tasks/uninstall.yml | 2 +- roles/custom/matrix-livekit-server/tasks/validate_config.yml | 2 +- roles/custom/matrix-livekit-server/templates/labels.j2 | 2 +- roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 | 2 +- .../templates/systemd/matrix-livekit-server.service.j2 | 2 +- 25 files changed, 28 insertions(+), 29 deletions(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index dd1b4b229..309d9ecf3 100644 --- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md 
@@ -38,7 +38,7 @@ ansible-playbook -i inventory setup.yml ``` ## Usage -Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls. +Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls. ## Required Firewall and Port Forwarding Rules diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 97c5e3b41..3df71e737 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5901,7 +5901,6 @@ matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" - ######################################################################## # # # /matrix-element-call # @@ -5919,7 +5918,7 @@ matrix_livekit_server_enabled: false # Default is false; should be enabled in h matrix_livekit_server_version: "latest" # Default version; can be overridden in host_vars matrix_livekit_server_scheme: "https" matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different -matrix_livekit_server_path_prefix: "/" +matrix_livekit_server_path_prefix: "/" matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" matrix_livekit_server_container_image: "livekit/livekit-server:{{ matrix_livekit_server_version }}" matrix_livekit_server_container_image_force_pull: true diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 02c910734..567553179 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -122,4 +122,4 @@ matrix_element_call_hsts_preload_enabled: false # Enable or disable metrics collection matrix_element_call_metrics_enabled: false -matrix_element_call_metrics_port: 2112 +matrix_element_call_metrics_port: 2112 \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index dd401e89c..ca6b5903b 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -96,6 +96,4 @@ # Update Element Web config.json with Element Call settings - name: Update Element Web config.json ansible.builtin.include_tasks: "tasks/update_element_web_config.yml" - when: matrix_element_call_enabled | bool - - + when: matrix_element_call_enabled | bool \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml index ad50c2d96..183c0c6ed 100644 --- a/roles/custom/matrix-element-call/tasks/main.yml +++ b/roles/custom/matrix-element-call/tasks/main.yml @@ -18,4 +18,4 @@ - setup-element-call block: - when: not matrix_element_call_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml index 184f88ac2..c93837b63 100644 --- a/roles/custom/matrix-element-call/tasks/uninstall.yml +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml @@ -18,4 +18,4 @@ - name: Reload systemd daemon ansible.builtin.systemd: - daemon_reload: true + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml index 6dd318c24..d4471e7e4 100644 
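Review bot: Every hunk in this commit that ends with `\ No newline at end of file` removes the terminating newline rather than trailing whitespace — here defaults/main.yml, install.yml, main.yml and uninstall.yml, and likewise the task, template and validate_config files of the element-call, jwt-service and livekit-server roles in the following hunks. A missing final newline is exactly what yamllint's `new-line-at-end-of-file` rule and most editors flag, and it makes the next edit to each file show a spurious change on its last line. The files should keep a single trailing newline, with only the blank lines and trailing spaces removed.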
--- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml @@ -1,8 +1,9 @@ +--- - name: Load Element Web config.json content ansible.builtin.slurp: src: "{{ element_web_config_path }}" register: element_web_config_content_raw - ignore_errors: no + ignore_errors: false - name: Parse Element Web config.json content ansible.builtin.set_fact: @@ -35,4 +36,4 @@ mode: '0644' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: element_web_config_content is defined + when: element_web_config_content is defined \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml index 96d568c4c..bcf3f726b 100644 --- a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml +++ b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml @@ -18,4 +18,4 @@ dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" mode: '0644' owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 084e510d6..3b6712727 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -9,4 +9,4 @@ with_items: - {'name': 'matrix_element_call_base_path', when: true} - {'name': 'matrix_element_call_container_network', when: true} - - {'name': 'matrix_element_call_image', when: true} + - {'name': 'matrix_element_call_image', when: true} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 index e58648e50..e10fc4f61 100644 
--- a/roles/custom/matrix-element-call/templates/config.json.j2 +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -8,4 +8,4 @@ "livekit": { "livekit_service_url": "{{ matrix_jwt_service_url }}" } -} +} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index cfc5c72f7..685a56294 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -43,4 +43,4 @@ traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call {% endif %} -{{ matrix_element_call_container_labels_additional_labels }} +{{ matrix_element_call_container_labels_additional_labels }} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 791c62ddc..dcb3fa7c2 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -43,4 +43,4 @@ RestartSec=30 SyslogIdentifier=matrix-element-call [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 index eae63cf83..01146e656 100644 --- a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 +++ b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 @@ -2,4 +2,4 @@ "call": { "widget_url": "https://{{ matrix_element_call_domain }}" } -} +} \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index 97d58a273..ee95afefd 100644 
--- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml @@ -16,7 +16,7 @@ matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" # Ports matrix_jwt_service_port: "8881" -# jwt configuration +# jwt configuration matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}" matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" diff --git a/roles/custom/matrix-jwt-service/tasks/main.yml b/roles/custom/matrix-jwt-service/tasks/main.yml index ee74a8967..8fbe41d58 100644 --- a/roles/custom/matrix-jwt-service/tasks/main.yml +++ b/roles/custom/matrix-jwt-service/tasks/main.yml @@ -18,4 +18,4 @@ - setup-jwt-service block: - when: not matrix_jwt_service_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/uninstall.yml b/roles/custom/matrix-jwt-service/tasks/uninstall.yml index 550c82951..7338d5b95 100644 --- a/roles/custom/matrix-jwt-service/tasks/uninstall.yml +++ b/roles/custom/matrix-jwt-service/tasks/uninstall.yml @@ -19,4 +19,4 @@ - name: Reload systemd daemon ansible.builtin.systemd: - daemon_reload: true + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-jwt-service/tasks/validate_config.yml index a0105e940..38e39ad60 100644 --- a/roles/custom/matrix-jwt-service/tasks/validate_config.yml +++ b/roles/custom/matrix-jwt-service/tasks/validate_config.yml @@ -9,4 +9,4 @@ with_items: - {'name': 'matrix_jwt_service_base_path', when: true} - {'name': 'matrix_jwt_service_container_network', when: true} - - {'name': 'matrix_jwt_service_image', when: true} + - {'name': 'matrix_jwt_service_image', when: true} \ No newline at end of file 
diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index b547e1952..6db772236 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 @@ -43,4 +43,4 @@ traefik.http.routers.matrix-jwt-service.tls.certResolver={{ matrix_jwt_service_c {% endif %} -{{ matrix_jwt_service_container_labels_additional_labels }} +{{ matrix_jwt_service_container_labels_additional_labels }} \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 index bdf36635a..b940e75a2 100644 --- a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix JWT Service After=docker.service @@ -36,4 +37,4 @@ RestartSec=30 SyslogIdentifier=matrix-jwt-service [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/tasks/main.yml b/roles/custom/matrix-livekit-server/tasks/main.yml index 255906c75..1884596b8 100644 --- a/roles/custom/matrix-livekit-server/tasks/main.yml +++ b/roles/custom/matrix-livekit-server/tasks/main.yml @@ -18,4 +18,4 @@ - setup-livekit-server block: - when: not matrix_livekit_server_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/tasks/uninstall.yml b/roles/custom/matrix-livekit-server/tasks/uninstall.yml index 371db5c83..0709dca12 100644 --- a/roles/custom/matrix-livekit-server/tasks/uninstall.yml +++ b/roles/custom/matrix-livekit-server/tasks/uninstall.yml 
@@ -18,4 +18,4 @@ - name: Reload systemd daemon ansible.builtin.systemd: - daemon_reload: true + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index 7fdfa0511..ddf750b9b 100644 --- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -10,4 +10,4 @@ - {'name': 'matrix_livekit_server_base_path', when: true} - {'name': 'matrix_livekit_server_container_network', when: true} - {'name': 'matrix_livekit_server_image', when: true} - - {'name': 'matrix_livekit_server_image', when: true} + - {'name': 'matrix_livekit_server_image', when: true} \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index c41b7ed01..77a3ce426 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 @@ -43,4 +43,4 @@ traefik.http.routers.matrix-livekit-server.tls.certResolver={{ matrix_livekit_se {% endif %} -{{ matrix_livekit_server_container_labels_additional_labels }} +{{ matrix_livekit_server_container_labels_additional_labels }} \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 index 492a12214..77ac841a8 100644 --- a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 @@ -17,4 +17,4 @@ turn: external_tls: true keys: - devkey: "{{ matrix_livekit_server_livekit_dev_key }}" + devkey: "{{ matrix_livekit_server_livekit_dev_key }}" \ No newline at end of file 
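Review bot: The matrix-livekit-server `validate_config.yml` now lists `- {'name': 'matrix_livekit_server_image', when: true}` twice in `with_items`; the element-call and jwt-service counterparts validate base_path, container_network and image once each, so the fourth entry looks like a stray copy, or was meant to name a different variable. Drop the duplicate line or replace it with the variable that was intended. The `with_items` list and the task it belongs to start outside the hunk.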
diff --git a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 index 30505a2dc..ddaa35181 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 @@ -31,4 +31,4 @@ RestartSec=30 SyslogIdentifier=matrix-livekit-server [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file From 1906d61c39eae8b8be44722a857b7a90d494bb4f Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Thu, 3 Oct 2024 13:25:40 +1000 Subject: [PATCH 106/108] updated traefik label to be in line with the latest change from devture_traefik_ to traefik_ --- group_vars/matrix_servers | 12 ++++++------ .../templates/element-call-labels.j2 | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 62d3b3407..d4f0cc07f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -5898,8 +5898,8 @@ matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_ # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +matrix_element_call_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_element_call_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" ######################################################################## # # @@ -5930,8 +5930,8 @@ matrix_livekit_server_container_additional_networks: "{{ [matrix_playbook_revers # Traefik Configuration for Livekit matrix_livekit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_livekit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_livekit_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +matrix_livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" # LiveKit Service Configuration matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # LiveKit dev key 
@@ -5967,8 +5967,8 @@ matrix_jwt_service_container_additional_networks: "{{ [matrix_playbook_reverse_p # Traefik Configuration for JWT Service matrix_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_jwt_service_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -matrix_jwt_service_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +matrix_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" # JWT Service Configuration matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 685a56294..014add79a 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -25,7 +25,7 @@ traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={ traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} {% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} - {% endif %} +{% endif %} traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} From e18b28136cb8055574cc2f1367c7d6a784afb770 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Thu, 3 Oct 2024 15:28:56 +1000 Subject: [PATCH 107/108] Updated Element call docs with dependent services and fixed typo. --- docs/configuring-playbook-element-call.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 188b06d5e..6a6b5a496 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -25,6 +25,9 @@ Ensure that the following DNS names have a public IP/FQDN: ## Adjusting the playbook configuration +NOTE: Element call is dependent on two other services for it to function as intended. In orter to utilise Element Call you need to also enable the [JWT Service](configuring-playbook-jwt-service.md) and [Livekit Server](configuring-playbook-livekit-server.md). + + Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml @@ -34,7 +37,7 @@ matrix_element_call_enabled: true matrix_livekit_server_enabled: true matrix_jwt_service_enabled: true # Set a secure key for LiveKit authentication -matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +matrix_livekit_server_dev_key: 'your-secure-livekit-key' ``` ## Installing From fa2a913d39fb5f89dfc2f1017a266878aa5825b0 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Thu, 3 Oct 2024 16:20:54 +1000 Subject: [PATCH 108/108] fixing issue with element call domain not being expanded when writing the element web config.json. --- .../tasks/update_element_web_config.yml | 53 ++++++++++--------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml index d4471e7e4..2dead411e 100644 --- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml 
@@ -1,39 +1,40 @@ ---- -- name: Load Element Web config.json content +- name: Read Element Web config.json ansible.builtin.slurp: src: "{{ element_web_config_path }}" - register: element_web_config_content_raw - ignore_errors: false + register: element_web_config_content -- name: Parse Element Web config.json content +- name: Load JSON data from config.json ansible.builtin.set_fact: - element_web_config_content: "{{ element_web_config_content_raw['content'] | b64decode | from_json }}" - when: element_web_config_content_raw is defined and element_web_config_content_raw['content'] is defined + element_web_config: "{{ element_web_config_content['content'] | b64decode | from_json }}" -- name: Update Element Web config.json settings +- name: Update Element Call configuration in config.json ansible.builtin.set_fact: - element_web_config_content: - "{{ element_web_config_content | combine({ - 'features': { - 'feature_video_rooms': true, - 'feature_new_room_decoration_ui': true, - 'feature_group_calls': true, - 'feature_element_call_video_rooms': true - }, - 'element_call': { - 'url': 'https://{{ matrix_element_call_domain }}', - 'participant_limit': 8, - 'brand': 'Element Call', - 'use_exclusively': true + updated_element_call_config: > + {{ + { + "element_call": { + "url": "https://{{ matrix_element_call_domain }}", + "participant_limit": 8, + "brand": "Element Call", + "use_exclusively": true + }, + "features": { + "feature_video_rooms": true, + "feature_new_room_decoration_ui": true, + "feature_group_calls": true, + "feature_element_call_video_rooms": true + } } - }, recursive=True) }}" - when: element_web_config_content is defined + }} + +- name: Merge updated Element Call configuration with existing config.json + ansible.builtin.set_fact: + element_web_config: "{{ element_web_config | combine(updated_element_call_config, recursive=True) }}" -- name: Write updated Element Web config.json back to disk +- name: Write updated Element Web config.json ansible.builtin.copy: 
- content: "{{ element_web_config_content | to_nice_json }}" + content: "{{ element_web_config | to_nice_json }}" dest: "{{ element_web_config_path }}" mode: '0644' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: element_web_config_content is defined \ No newline at end of file
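Review bot: The nested `"https://{{ matrix_element_call_domain }}"` inside the outer `{{ ... }}` of the `updated_element_call_config` fact is a Jinja string literal, not an interpolation, so the domain is only expanded if Ansible re-templates the stored fact when `element_web_config` is consumed by the copy task; that second-pass templating appears to be what this commit relies on, and it is not guaranteed to hold across ansible-core versions. Building the string inside the expression removes that dependency with the same result: `"url": "https://" ~ matrix_element_call_domain,`. The hunk also drops the `---` document-start marker that the old file had on line 1, which yamllint's `document-start` rule flags, and the file still ends without a trailing newline.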