separated livekit and jwt to separate roles

roles/custom/matrix-jwt-service/defaults/main.yml

@@ -0,0 +1,118 @@
+---
+# Enable or disable matrix-element-call deployment
+matrix_jwt_service_enabled: false
+
+# Base path configuration
+matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service"
+matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml"
+
+# Docker network configuration
+matrix_jwt_service_container_network: ''
+matrix_jwt_service_container_http_host_bind_port: ''
+matrix_jwt_service_container_additional_networks: []  # No additional networks by default
+
+# Docker images
+matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci"
+
+# Ports
+matrix_jwt_service_port: "8881"
+
+# jwt configuration 
+matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}"
+matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}"
+
+# Traefik Configuration for JWT Service
+matrix_jwt_service_container_labels_traefik_enabled: true
+matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_jwt_service_container_network }}"
+matrix_jwt_service_container_labels_traefik_hostname: "{{ matrix_jwt_service_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/element`).
+matrix_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_jwt_service_path_prefix }}"
+matrix_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_jwt_service_container_labels_traefik_hostname }}`){% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_jwt_service_container_labels_traefik_priority: 0
+matrix_jwt_service_container_labels_traefik_entrypoints: web-secure
+matrix_jwt_service_container_labels_traefik_tls: "{{ matrix_jwt_service_container_labels_traefik_entrypoints != 'web' }}"
+matrix_jwt_service_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom`
+matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: |
+  {{
+    {}
+    | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {})
+    | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {})
+    | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {})
+    | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {})
+    | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {})
+    | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {})
+  }}
+matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_jwt_service_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_jwt_service_container_extra_arguments: []
+
+# Additional environment variables for the container
+matrix_jwt_service_environment_variables_additional: {}
+
+# List of systemd services that matrix-element-call.service depends on
+matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+matrix_jwt_service_http_header_xss_protection: "1; mode=block"
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+matrix_jwt_service_http_header_frame_options: SAMEORIGIN
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+matrix_jwt_service_http_header_content_type_options: nosniff
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self'
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}"
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}"
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `matrix_jwt_service_content_permission_policy`
+matrix_jwt_service_floc_optout_enabled: true
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `matrix_jwt_service_http_header_strict_transport_security`
+matrix_jwt_service_hsts_preload_enabled: false

roles/custom/matrix-jwt-service/tasks/install.yml

@@ -0,0 +1,46 @@
+---
+# roles/custom/matrix-jwt-service/tasks/install.yml
+
+# Ensure Required Directories Exist
+- name: Ensure matrix-jwt-service paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_jwt_service_base_path }}"
+
+- name: Ensure matrix-jwt-service environment file is in place
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/env.j2"
+    dest: "{{ matrix_jwt_service_base_path }}/env"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure JWT Service labels file is in place
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ matrix_jwt_service_base_path }}/labels"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+# Ensure Docker Images are Pulled
+- name: Ensure jwt-service Docker image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_jwt_service_image }}"
+    source: pull
+  register: jwt_image_result
+  retries: 3
+  delay: 10
+  until: jwt_image_result is not failed
+
+# Systemd Services for JWT Service
+- name: Ensure jwt-service systemd service is installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service"
+    mode: 0644

roles/custom/matrix-jwt-service/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+# Main task file for matrix-element-call
+
+- tags:
+    - setup-all
+    - setup-jwt-service
+    - install-all
+    - install-wt-service
+  block:
+    - when: matrix_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-jwt-service
+  block:
+    - when: not matrix_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-jwt-service/tasks/uninstall.yml

@@ -0,0 +1,22 @@
+---
+# Uninstall tasks for matrix-jwt-service
+
+
+- name: Stop and remove jwt-service container
+  community.docker.docker_container:
+    name: "matrix-jwt-service"
+    state: absent
+
+- name: Remove jwt-service systemd service
+  ansible.builtin.file:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service"
+    state: absent
+
+- name: Remove matrix-jwt-service configuration files
+  ansible.builtin.file:
+    path: "{{ matrix_jwt_service_base_path }}"
+    state: absent
+
+- name: Reload systemd daemon
+  ansible.builtin.systemd:
+    daemon_reload: true

roles/custom/matrix-jwt-service/tasks/validate_config.yml

@@ -0,0 +1,12 @@
+---
+# Validate configuration for matrix-jwt-service
+
+- name: Fail if required matrix-jwt-service settings are not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_jwt_service_base_path', when: true}
+    - {'name': 'matrix_jwt_service_container_network', when: true}
+    - {'name': 'matrix_jwt_service_image', when: true}

roles/custom/matrix-jwt-service/templates/env.j2

@@ -0,0 +1,4 @@
+# Environment variables for JWT Service
+LIVEKIT_KEY=devkey
+LIVEKIT_URL=wss://{{ matrix_livekit_server_hostname }}:443
+LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }}

roles/custom/matrix-jwt-service/templates/labels.j2

@@ -0,0 +1,46 @@
+{% if matrix_element_call_container_labels_traefik_enabled %}
+traefik.enable=true
+
+# Network configuration for Traefik
+{% if matrix_jwt_service_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080
+
+{% set middlewares = [] %}
+
+# Path prefix handling for JWT
+{% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_jwt_service_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-jwt-service-slashless-redirect'] %}
+
+traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_jwt_service_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }}
+{% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-jwt-service.priority={{ matrix_jwt_service_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-jwt-service.service=matrix-jwt-service
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-jwt-service.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-jwt-service.entrypoints={{ matrix_jwt_service_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-jwt-service.tls={{ matrix_jwt_service_container_labels_traefik_tls | to_json }}
+{% if matrix_jwt_service_container_labels_traefik_tls %}
+traefik.http.routers.matrix-jwt-service.tls.certResolver={{ matrix_jwt_service_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_jwt_service_container_labels_additional_labels }}

roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2

@@ -0,0 +1,37 @@
+[Unit]
+Description=Matrix JWT Service
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+    --rm \
+    --name=matrix-jwt-service \
+    --log-driver=none \
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
+    --network={{ matrix_jwt_service_container_network }} \
+    -p {{ matrix_jwt_service_port }}:8080 \
+    --env-file={{ matrix_jwt_service_base_path }}/env \
+    --label-file={{ matrix_jwt_service_base_path }}/labels \
+    {{ matrix_jwt_service_image }}
+
+{% for network in matrix_jwt_service_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-jwt-service
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-jwt-service
+
+[Install]
+WantedBy=multi-user.target