Merge 0b9389fd6492d0c26c5ed16ba17d51d36c378016 into da08975ca851dcf7872012e33d49c21c1f907ebb

docs/configuring-playbook-element-call.md

@@ -0,0 +1,64 @@
+# Setting up Element Call (optional)
+
+The playbook can install and configure [Element Call](https://github.com/vector-im/element-call) for you.
+
+Element Call is a WebRTC-based video and voice calling platform that integrates with Matrix clients such as Element Web. It provides secure, decentralized communication with support for video calls, audio calls, and screen sharing.
+
+See the project's [documentation](https://github.com/vector-im/element-call) to learn more.
+
+## Decide on a domain and path
+
+By default, Element Call is configured to be served on the Matrix domain (`call.DOMAIN`, controlled by the `matrix_element_call_hostname` variable).
+
+This makes it easy to set it up, **without** having to adjust your DNS records manually.
+
+If you'd like to run Element Call on another hostname or path, use the `matrix_element_call_hostname` and `matrix_element_call_path_prefix` variables.
+
+## Adjusting DNS records
+
+If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server.
+
+Ensure that the following DNS names have a public IP/FQDN:
+- `call.example.com`
+- `sfu.example.com`
+- `sfu-jwt.example.com`
+
+## Adjusting the playbook configuration
+
+NOTE: Enabling Element Call will automatically enable the [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) and Livekit Server services.
+
+
+Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
+
+```yaml
+matrix_element_call_enabled: true
+```
+
+## Installing
+
+After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all`
+
+## Usage
+
+Once installed, Element Call integrates seamlessly with Matrix clients like [Element Web](configuring-playbook-client-element-web.md). When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your LiveKit JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`).
+
+Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.example.com`).
+
+## Required Firewall and Port Forwarding Rules
+
+To ensure the services function correctly, the following firewall rules and port forwarding settings are required:
+
+LiveKit:
+
+- Forward UDP ports 50100:50120 to the Docker instance running LiveKit.
+- Forward TCP port 7881 to the Docker instance running LiveKit.
+
+Element Call:
+
+- Forward TCP port 443 to the server running Traefik (for Element Call).
+
+Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services.
+
+## Additional Information
+
+Refer to the Element Call documentation for more details on configuring and using Element Call.

docs/configuring-playbook-jwt-service.md

@@ -0,0 +1,40 @@
+# Setting up JWT Service (optional)
+
+The playbook can install and configure [LiveKit JWT Service](https://github.com/element-hq/lk-jwt-service) for you.
+
+LK-JWT-Service is currently used for a single reason: generate JWT tokens with a given identity for a given room, so that users can use them to authenticate against LiveKit SFU.
+
+See the project's [documentation](https://github.com/element-hq/lk-jwt-service/) to learn more.
+
+## Decide on a domain and path
+
+By default, JWT Service is configured to be served:
+
+- on the Matrix domain (`matrix.example.com`), configurable via `matrix_livekit_jwt_service_hostname`
+- under a `/lk-jwt-service` path prefix, configurable via `matrix_livekit_jwt_service_path_prefix`
+
+This makes it easy to set it up, **without** having to adjust your DNS records manually.
+
+## Adjusting DNS records
+
+If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server.
+
+## Adjusting the playbook configuration
+
+Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+matrix_livekit_jwt_service_enabled: true
+```
+
+## Installing
+
+After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all`
+
+## Usage
+
+Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the Element Web client to point to your JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`).
+
+## Additional Information
+
+Refer to the LiveKit JWT-Service documentation for more details on configuring and using JWT Service.

docs/configuring-playbook-livekit-server.md

@@ -0,0 +1,55 @@
+# Setting up LiveKit (optional)
+
+The playbook can install and configure [LiveKit](https://github.com/livekit/livekit) for you.
+
+LiveKit is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video audio data capabilities in your applications.
+
+See the project's [documentation](https://github.com/livekit/livekit) to learn more.
+
+## Decide on a domain and path
+
+By default, LiveKit is configured to be served on the Matrix domain (`sfu.example.com`, controlled by the `livekit_server_hostname` variable).
+
+This makes it easy to set it up, **without** having to adjust your DNS records manually.
+
+If you'd like to run Livekit on another hostname or path, use the `livekit_server_hostname` variable.
+
+## Adjusting DNS records
+
+If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server.
+
+Ensure that the following DNS names have a public IP/FQDN:
+- `sfu.example.com`
+
+## Adjusting the playbook configuration
+
+Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+livekit_server_enabled: true
+
+# Set a secure key for LiveKit authentication
+livekit_server_dev_key: 'your-secure-livekit-key'
+```
+
+## Installing
+
+After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all`
+
+## Usage
+Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls.
+
+## Required Firewall and Port Forwarding Rules
+
+To ensure the services function correctly, the following firewall rules and port forwarding settings are required:
+
+LiveKit:
+
+- Forward UDP ports 50100:50200 to the Docker instance running LiveKit.
+- Forward TCP port 7881 to the Docker instance running LiveKit.
+
+Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services.
+
+## Additional Information
+
+Refer to the Livekit documentation for more details on configuring and using Livekit.

docs/configuring-playbook.md

@@ -212,6 +212,12 @@ Services that help you in administrating and monitoring your Matrix installation
 
 Various services that don't fit any other categories.
 
+- [Setting up the Element Call server](configuring-playbook-element-call.md) (optional)
+
+- [Setting up the LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (optional)
+
+- [Setting up the Livekit server](configuring-playbook-livekit-server.md) (optional)
+
 - [Setting up Synapse Auto Invite Accept](configuring-playbook-synapse-auto-accept-invite.md)
 
 - [Setting up synapse-auto-compressor](configuring-playbook-synapse-auto-compressor.md) for compressing the database on Synapse homeservers

group_vars/matrix_servers

@@ -440,6 +440,12 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': 'matrix-pantalaimon.service', 'priority': 4000, 'groups': ['matrix', 'pantalaimon']}] if matrix_pantalaimon_enabled else [])
     +
+    ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else [])
+    +
+    ([{'name': 'matrix-livekit-jwt-service.service', 'priority': 3500, 'groups': ['matrix', 'livekit-jwt-service']}] if matrix_livekit_jwt_service_enabled else [])
+    +
+    ([{'name': (livekit_server_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if livekit_server_enabled else [])
+    +
     ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else [])
     +
     ([{'name': 'matrix-sliding-sync.service', 'priority': 1500, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else [])
@@ -4455,7 +4461,7 @@ keydb_arch: |-
 #
 ######################################################################
 
-valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) }}"
+valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) or matrix_element_call_enabled }}"
 
 valkey_identifier: matrix-valkey
 
@@ -4523,6 +4529,14 @@ matrix_client_element_enable_presence_by_hs_url: |-
 
 matrix_client_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"
 
+matrix_client_element_features_feature_video_rooms: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_group_calls: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_element_call_video_rooms: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_oidc_native_flow: "{{ matrix_authentication_service_enabled }}"
+
+matrix_client_element_element_call_enabled: "{{ matrix_element_call_enabled }}"
+matrix_client_element_element_call_url: "{{ matrix_element_call_public_url if matrix_element_call_enabled else '' }}"
+
 ######################################################################
 #
 # /matrix-client-element
@@ -5941,8 +5955,18 @@ matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "{{
 # See: https://github.com/etkecc/synapse-admin/pull/126
 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: "{{ matrix_synapse_admin_configuration if matrix_homeserver_implementation == 'synapse' else {} }}"
 
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_element_call_enabled }}"
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: |-
+  {{
+    (
+      [{'type': 'livekit', 'livekit_service_url': matrix_livekit_jwt_service_public_url}] if matrix_livekit_jwt_service_enabled else []
+    )
+  }}
+
 matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}"
 
+matrix_static_files_file_element_element_json_property_call_widget_url: "{{ matrix_element_call_public_url if matrix_element_call_enabled else '' }}"
+
 matrix_static_files_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 
 matrix_static_files_self_check_hostname_matrix: "{{ matrix_server_fqn_matrix }}"
@@ -6049,3 +6073,126 @@ traefik_certs_dumper_ssl_dir_path: "{{ traefik_ssl_dir_path if traefik_enabled e
 # /traefik_certs_dumper                                                #
 #                                                                      #
 ########################################################################
+
+
+########################################################################
+#                                                                      #
+# matrix-element-call                                                  #
+#                                                                      #
+########################################################################
+
+matrix_element_call_enabled: false
+
+matrix_element_call_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+
+matrix_element_call_version: "latest"  # Default version; can be overridden in host_vars
+
+matrix_element_call_hostname: "call.{{ matrix_domain }}"  # Default hostname; should be overridden in host_vars if different
+matrix_element_call_path_prefix: "/"  # Path prefix for Element Call
+matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call"  # Base path for storing Element Call-related files
+matrix_element_call_container_image: "ghcr.io/element-hq/element-call:{{ matrix_element_call_version }}"
+matrix_element_call_container_image_name_prefix: ghcr.io/
+matrix_element_call_container_image_registry_prefix: ghcr.io/
+matrix_element_call_container_image_force_pull: true
+
+# Docker network configuration for Element Call
+matrix_element_call_container_network: "{{ matrix_addons_container_network }}"
+matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_element_call_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
+
+# Traefik Configuration for Element Call
+matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_element_call_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_element_call_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+########################################################################
+#                                                                      #
+# /matrix-element-call                                                 #
+#                                                                      #
+########################################################################
+
+########################################################################
+#                                                                      #
+# livekit-server                                                       #
+#                                                                      #
+########################################################################
+
+livekit_server_enabled: "{{ matrix_element_call_enabled }}"
+
+livekit_server_identifier: matrix-livekit-server
+
+livekit_server_uid: "{{ matrix_user_uid }}"
+livekit_server_gid: "{{ matrix_user_gid }}"
+
+livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server"
+
+livekit_server_hostname: "sfu.{{ matrix_domain }}"
+
+livekit_server_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
+
+livekit_server_container_network: "{{ matrix_addons_container_network }}"
+livekit_server_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
+
+livekit_server_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+livekit_server_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+livekit_server_config_keys_auto: |-
+  {{
+    {}
+    | combine(
+      {matrix_livekit_jwt_service_environment_variable_livekit_key: matrix_livekit_jwt_service_environment_variable_livekit_secret}
+      if matrix_livekit_jwt_service_enabled else {}
+    )
+  }}
+
+########################################################################
+#                                                                      #
+# /livekit-server                                                      #
+#                                                                      #
+########################################################################
+
+
+########################################################################
+#                                                                      #
+# matrix-livekit-jwt-service                                           #
+#                                                                      #
+########################################################################
+
+matrix_livekit_jwt_service_enabled: "{{ matrix_element_call_enabled and livekit_server_enabled }}"
+
+matrix_livekit_jwt_service_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+
+matrix_livekit_jwt_service_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service"
+
+matrix_livekit_jwt_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
+
+matrix_livekit_jwt_service_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_livekit_jwt_service_container_additional_networks_auto: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_livekit_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [])
+      +
+      ([livekit_server_container_network] if livekit_server_enabled and (matrix_livekit_jwt_service_environment_variable_livekit_url == livekit_server_websocket_container_url and livekit_server_container_network != matrix_livekit_jwt_service_container_network) else [])
+    ) | unique
+  }}
+
+matrix_livekit_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_livekit_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_url: "{{ livekit_server_websocket_container_url }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.key', rounds=655555) | to_uuid }}"
+
+matrix_livekit_jwt_service_environment_variable_livekit_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.secret', rounds=655555) | to_uuid }}"
+
+########################################################################
+#                                                                      #
+# /matrix-livekit-jwt-service                                          #
+#                                                                      #
+########################################################################

roles/custom/matrix-client-element/defaults/main.yml

@@ -180,6 +180,67 @@ matrix_client_element_branding_auth_header_logo_url: "{{ matrix_client_element_w
 # URL to Wallpaper, shown in background of welcome page
 matrix_client_element_branding_welcome_background_url: ~  # noqa var-naming
 
+# Controls the `features` section of the Element Web configuration.
+matrix_client_element_features: "{{ matrix_client_element_features_default | combine(matrix_client_element_features_auto, recursive=True) | combine(matrix_client_element_features_custom, recursive=True) }}"
+matrix_client_element_features_default: |-
+  {{
+    {}
+
+    | combine(
+      {'feature_video_rooms': true} if matrix_client_element_features_feature_video_rooms else {}
+    )
+    | combine(
+      {'feature_group_calls': true} if matrix_client_element_features_feature_group_calls else {}
+    )
+    | combine(
+      {'feature_element_call_video_rooms': true} if matrix_client_element_features_feature_element_call_video_rooms else {}
+    )
+    | combine(
+      {'feature_oidc_native_flow': true} if matrix_client_element_features_feature_oidc_native_flow else {}
+    )
+  }}
+
+matrix_client_element_features_auto: {}
+matrix_client_element_features_custom: {}
+
+matrix_client_element_features_feature_video_rooms: false
+matrix_client_element_features_feature_group_calls: false
+matrix_client_element_features_feature_element_call_video_rooms: false
+matrix_client_element_features_feature_oidc_native_flow: false
+
+matrix_client_element_element_call_enabled: false
+matrix_client_element_element_call: "{{ matrix_client_element_element_call_default | combine(matrix_client_element_element_call_auto, recursive=True) | combine(matrix_client_element_element_call_custom, recursive=True) }}"
+matrix_client_element_element_call_default: |-
+  {{
+    {}
+    | combine(
+      {'url': matrix_client_element_element_call_url} if matrix_client_element_element_call_url else {}
+    )
+    | combine(
+      {'participant_limit': matrix_client_element_element_call_participant_limit} if matrix_client_element_element_call_participant_limit else {}
+    )
+    | combine(
+      {'brand': matrix_client_element_element_call_brand} if matrix_client_element_element_call_brand else {}
+    )
+    | combine(
+      {'use_exclusively': matrix_client_element_element_call_use_exclusively} if matrix_client_element_element_call_use_exclusively else {}
+    )
+  }}
+matrix_client_element_element_call_auto: {}
+matrix_client_element_element_call_custom: {}
+
+# Controls the `element_call.url` setting in the Element Web configuration.
+matrix_client_element_element_call_url: ''
+
+# Controls the `element_call.participant_limit` setting in the Element Web configuration.
+matrix_client_element_element_call_participant_limit: 8
+
+# Controls the `element_call.brand` setting in the Element Web configuration.
+matrix_client_element_element_call_brand: "Element Call"
+
+# Controls the `element_call.use_exclusively` setting in the Element Web configuration.
+matrix_client_element_element_call_use_exclusively: true
+
 matrix_client_element_page_template_welcome_path: "{{ role_path }}/templates/welcome.html.j2"
 
 # By default, there's no Element Web homepage (when logged in). If you wish to have one,

roles/custom/matrix-client-element/templates/config.json.j2

@@ -44,5 +44,7 @@
 		"auth_footer_links": {{ matrix_client_element_branding_auth_footer_links | to_json }},
 		"auth_header_logo_url": {{ matrix_client_element_branding_auth_header_logo_url | to_json }},
 		"welcome_background_url": {{ matrix_client_element_branding_welcome_background_url | to_json }}
-	}
+	},
+	"features": {{ matrix_client_element_features | to_json }},
+	"element_call": {{ (matrix_client_element_element_call if matrix_client_element_element_call_enabled else {}) | to_json }}
 }

roles/custom/matrix-element-call/defaults/main.yml

@@ -0,0 +1,120 @@
+---
+# Enable or disable matrix-element-call deployment
+matrix_element_call_enabled: false
+
+matrix_element_call_scheme: https
+matrix_element_call_hostname: "call.{{ matrix_domain }}"
+
+# Base path configuration
+matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call"
+
+# Docker network configuration
+matrix_element_call_container_network: ''
+matrix_element_call_container_http_host_bind_port: ''
+matrix_element_call_container_additional_networks: []  # No additional networks by default
+
+# Docker images
+matrix_element_call_image: "ghcr.io/element-hq/element-call:latest"
+
+# Ports
+matrix_element_call_port: "8093"
+
+# Traefik Configuration for Element Call
+matrix_element_call_container_labels_traefik_enabled: true
+matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}"
+matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/element`).
+matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}"
+matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`){% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_call_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_element_call_container_labels_traefik_priority: 0
+matrix_element_call_container_labels_traefik_entrypoints: web-secure
+matrix_element_call_container_labels_traefik_tls: "{{ matrix_element_call_container_labels_traefik_entrypoints != 'web' }}"
+matrix_element_call_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom`
+matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_element_call_container_labels_traefik_additional_response_headers_auto: |
+  {{
+    {}
+    | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {})
+    | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {})
+    | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {})
+    | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {})
+    | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {})
+    | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {})
+  }}
+matrix_element_call_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_element_call_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_element_call_container_extra_arguments: []
+
+# Additional environment variables for the container
+matrix_element_call_environment_variables_additional: {}
+
+# List of systemd services that matrix-element-call.service depends on
+matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+matrix_element_call_http_header_xss_protection: ''
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+matrix_element_call_http_header_frame_options: ''
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+matrix_element_call_http_header_content_type_options: ''
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+matrix_element_call_http_header_content_security_policy: ''
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+matrix_element_call_http_header_content_permission_policy: ''
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+matrix_element_call_http_header_strict_transport_security: ''
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `matrix_element_call_content_permission_policy`
+matrix_element_call_floc_optout_enabled: false
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `matrix_element_call_http_header_strict_transport_security`
+matrix_element_call_hsts_preload_enabled: false
+
+# Enable or disable metrics collection
+matrix_element_call_metrics_enabled: false
+matrix_element_call_metrics_port: 2112

roles/custom/matrix-element-call/tasks/install.yml

@@ -0,0 +1,49 @@
+---
+# roles/custom/matrix-element-call/tasks/install.yml
+
+# Ensure Required Directories Exist
+- name: Ensure matrix-element-call paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_element_call_base_path }}"
+    - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element"  # Directory for element.json
+
+# Ensure Configuration Files are in Place
+- name: Ensure Element Call config.json is in place
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/config.json.j2"
+    dest: "{{ matrix_element_call_base_path }}/config.json"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-element-call Docker labels file is in place
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ matrix_element_call_base_path }}/labels"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+# Ensure Docker Images are Pulled
+- name: Ensure matrix-element-call Docker image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_element_call_container_image }}"
+    source: pull
+    force_source: "{{ matrix_element_call_container_image_force_pull }}"
+  register: element_call_image_result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: element_call_image_result is not failed
+
+# Systemd Services for Element Call
+- name: Ensure matrix-element-call systemd service is installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service"
+    mode: 0644

roles/custom/matrix-element-call/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+# Main task file for matrix-element-call
+
+- tags:
+    - setup-all
+    - setup-element-call
+    - install-all
+    - install-element-call
+  block:
+    - when: matrix_element_call_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_element_call_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-element-call
+  block:
+    - when: not matrix_element_call_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-element-call/tasks/uninstall.yml

@@ -0,0 +1,21 @@
+---
+# Uninstall tasks for matrix-element-call
+
+- name: Stop and remove matrix-element-call container
+  community.docker.docker_container:
+    name: "matrix-element-call"
+    state: absent
+
+- name: Remove matrix-element-call systemd service
+  ansible.builtin.file:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service"
+    state: absent
+
+- name: Remove matrix-element-call configuration files
+  ansible.builtin.file:
+    path: "{{ matrix_element_call_base_path }}"
+    state: absent
+
+- name: Reload systemd daemon
+  ansible.builtin.systemd:
+    daemon_reload: true

roles/custom/matrix-element-call/tasks/validate_config.yml

@@ -0,0 +1,12 @@
+---
+# Validate configuration for matrix-element-call
+
+- name: Fail if required matrix-element-call settings are not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_element_call_base_path', when: true}
+    - {'name': 'matrix_element_call_container_network', when: true}
+    - {'name': 'matrix_element_call_image', when: true}

roles/custom/matrix-element-call/templates/config.json.j2

@@ -0,0 +1,11 @@
+{
+  "default_server_config": {
+    "m.homeserver": {
+      "base_url": "{{ matrix_homeserver_url }}",
+      "server_name": "{{ matrix_domain }}"
+    }
+  },
+  "livekit": {
+    "livekit_service_url": "{{ matrix_livekit_jwt_service_public_url }}"
+  }
+}

roles/custom/matrix-element-call/templates/labels.j2

@@ -0,0 +1,46 @@
+{% if matrix_element_call_container_labels_traefik_enabled %}
+traefik.enable=true
+
+# Network configuration for Traefik
+{% if matrix_element_call_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-element-call.loadbalancer.server.port=8080
+
+{% set middlewares = [] %}
+
+# Path prefix handling for Element Call
+{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %}
+
+traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }}
+{% if matrix_element_call_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-element-call.service=matrix-element-call
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }}
+{% if matrix_element_call_container_labels_traefik_tls %}
+traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_element_call_container_labels_additional_labels }}

roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2

@@ -0,0 +1,46 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Element Call Service
+{% for service in matrix_client_element_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+    --rm \
+    --name=matrix-element-call \
+    --log-driver=none \
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
+    --network={{ matrix_element_call_container_network }} \
+    --mount type=bind,src={{ matrix_element_call_base_path }}/config.json,dst=/app/config.json,ro \
+    {% if matrix_element_call_container_http_host_bind_port %}
+    -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \
+    {% endif %}
+    --label-file={{ matrix_element_call_base_path }}/labels \
+    {% for arg in matrix_element_call_container_extra_arguments %}
+    {{ arg }} \
+    {% endfor %}
+    {{ matrix_element_call_image }}
+
+{% for network in matrix_element_call_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-element-call
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-element-call
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-element-call/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+matrix_element_call_public_url: "{{ matrix_element_call_scheme }}://{{ matrix_element_call_hostname }}"

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -0,0 +1,81 @@
+---
+
+# Project source code URL: https://github.com/element-hq/lk-jwt-service
+
+matrix_livekit_jwt_service_enabled: false
+
+matrix_livekit_jwt_service_scheme: https
+matrix_livekit_jwt_service_hostname: ""
+matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service"
+
+matrix_livekit_jwt_service_base_path: "{{ matrix_base_data_path }}/livekit-jwt-service"
+
+matrix_livekit_jwt_service_container_network: ''
+
+matrix_livekit_jwt_service_container_http_host_bind_port: ''
+
+matrix_livekit_jwt_service_container_additional_networks: "{{ (matrix_livekit_jwt_service_container_additional_networks_auto + matrix_livekit_jwt_service_container_additional_networks_custom) | unique }}"
+matrix_livekit_jwt_service_container_additional_networks_auto: []
+matrix_livekit_jwt_service_container_additional_networks_custom: []
+
+# renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
+matrix_livekit_jwt_service_version: latest-ci
+
+matrix_livekit_jwt_service_container_image_self_build: false
+matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"
+matrix_livekit_jwt_service_container_repo_version: "{{ 'main' if matrix_livekit_jwt_service_version in ['latest', 'latest-ci'] else livekit_server_version }}"
+matrix_livekit_jwt_service_container_src_files_path: "{{ matrix_livekit_jwt_service_base_path }}/container-src"
+
+matrix_livekit_jwt_service_container_image: "{{ matrix_livekit_jwt_service_container_image_name_prefix }}element-hq/lk-jwt-service:{{ matrix_livekit_jwt_service_version }}"
+matrix_livekit_jwt_service_container_image_name_prefix: "{{ 'localhost/' if matrix_livekit_jwt_service_container_image_self_build else 'ghcr.io/' }}"
+matrix_livekit_jwt_service_container_image_force_pull: "{{ matrix_livekit_jwt_service_container_image.endswith(':latest') }}"
+
+matrix_livekit_jwt_service_container_labels_traefik_enabled: true
+matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_livekit_jwt_service_container_network }}"
+matrix_livekit_jwt_service_container_labels_traefik_hostname: "{{ matrix_livekit_jwt_service_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/lk-jwt-service`).
+matrix_livekit_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_livekit_jwt_service_path_prefix }}"
+matrix_livekit_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_livekit_jwt_service_container_labels_traefik_hostname }}`){% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_livekit_jwt_service_container_labels_traefik_priority: 0
+matrix_livekit_jwt_service_container_labels_traefik_entrypoints: web-secure
+matrix_livekit_jwt_service_container_labels_traefik_tls: "{{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints != 'web' }}"
+matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom`
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto: {}
+matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_livekit_jwt_service_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_livekit_jwt_service_container_extra_arguments: []
+
+# Controls the LK_JWT_PORT environment variable
+matrix_livekit_jwt_service_environment_variable_lk_jwt_port: 8080
+
+# Controls the LIVEKIT_KEY environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_key: ""
+
+# Controls the LIVEKIT_URL environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_url: ""
+
+# Controls the LIVEKIT_SECRET environment variable
+matrix_livekit_jwt_service_environment_variable_livekit_secret: ""
+
+# Additional environment variables for the container
+matrix_livekit_jwt_service_environment_variables_additional: {}
+
+# List of systemd services that LiveKit JWT Service service depends on
+matrix_livekit_jwt_service_systemd_required_services_list: "{{ matrix_livekit_jwt_service_systemd_required_services_list_default + matrix_livekit_jwt_service_systemd_required_services_list_auto + matrix_livekit_jwt_service_systemd_required_services_list_custom }}"
+matrix_livekit_jwt_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_livekit_jwt_service_systemd_required_services_list_auto: []
+matrix_livekit_jwt_service_systemd_required_services_list_custom: []

roles/custom/matrix-livekit-jwt-service/tasks/install.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Ensure LiveKit JWT Service paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_livekit_jwt_service_base_path }}"
+
+- name: Ensure LiveKit JWT Service support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_livekit_jwt_service_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - env
+    - labels
+
+- name: Ensure LiveKit JWT Service container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_livekit_jwt_service_container_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_livekit_jwt_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_container_image_force_pull }}"
+  when: "not matrix_livekit_jwt_service_container_image_self_build | bool"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- when: "matrix_livekit_jwt_service_container_image_self_build | bool"
+  block:
+    - name: Ensure LiveKit JWT Service repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ matrix_livekit_jwt_service_container_repo }}"
+        version: "{{ matrix_livekit_jwt_service_container_repo_version }}"
+        dest: "{{ matrix_livekit_jwt_service_container_src_files_path }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: matrix_livekit_jwt_service_git_pull_results
+
+    - name: Ensure LiveKit JWT Service container image is built
+      community.docker.docker_image:
+        name: "{{ matrix_livekit_jwt_service_container_image }}"
+        source: build
+        force_source: "{{ matrix_livekit_jwt_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ matrix_livekit_jwt_service_container_src_files_path }}"
+          pull: true
+
+- name: Ensure LiveKit JWT Service container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_livekit_jwt_service_container_network }}"
+    driver: bridge
+
+- name: Ensure LiveKit JWT Service systemd service is installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-livekit-jwt-service.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+    mode: 0644

roles/custom/matrix-livekit-jwt-service/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- tags:
+    - setup-all
+    - setup-jwt-service
+    - install-all
+    - install-livekit-jwt-service
+  block:
+    - when: matrix_livekit_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_livekit_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-livekit-jwt-service
+  block:
+    - when: not matrix_livekit_jwt_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of LiveKit JWT Service systemd service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+  register: matrix_livekit_jwt_service_service_stat
+
+- when: matrix_livekit_jwt_service_service_stat.stat.exists | bool
+  block:
+    - name: Ensure LiveKit JWT Service systemd service is stopped
+      ansible.builtin.service:
+        name: matrix-livekit-jwt-service
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure LiveKit JWT Service systemd service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service"
+        state: absent
+
+    - name: Ensure LiveKit JWT Service paths don't exist
+      ansible.builtin.file:
+        path: "{{ matrix_livekit_jwt_service_base_path }}"
+        state: absent

roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Fail if required LiveKit JWT Service settings are not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] | length == 0"
+  with_items:
+    - {'name': 'matrix_livekit_jwt_service_hostname', when: true}
+    - {'name': 'matrix_livekit_jwt_service_container_network', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_key', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_url', when: true}
+    - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_secret', when: true}

roles/custom/matrix-livekit-jwt-service/templates/env.j2

@@ -0,0 +1,7 @@
+LK_JWT_PORT={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port | int | to_json }}
+
+LIVEKIT_KEY={{ matrix_livekit_jwt_service_environment_variable_livekit_key }}
+LIVEKIT_URL={{ matrix_livekit_jwt_service_environment_variable_livekit_url }}
+LIVEKIT_SECRET={{ matrix_livekit_jwt_service_environment_variable_livekit_secret }}
+
+{{ matrix_livekit_jwt_service_environment_variables_additional }}

roles/custom/matrix-livekit-jwt-service/templates/labels.j2

@@ -0,0 +1,48 @@
+{% if matrix_element_call_container_labels_traefik_enabled %}
+traefik.enable=true
+
+traefik.docker.network={{ matrix_livekit_jwt_service_container_labels_traefik_docker_network }}
+
+traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }}
+
+{% set middlewares = [] %}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-slashless-redirect'] %}
+
+traefik.http.middlewares.matrix-livekit-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-livekit-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-livekit-jwt-service-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.rule={{ matrix_livekit_jwt_service_container_labels_traefik_rule }}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-livekit-jwt-service.priority={{ matrix_livekit_jwt_service_container_labels_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.service=matrix-livekit-jwt-service
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-livekit-jwt-service.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-livekit-jwt-service.entrypoints={{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints }}
+
+traefik.http.routers.matrix-livekit-jwt-service.tls={{ matrix_livekit_jwt_service_container_labels_traefik_tls | to_json }}
+
+{% if matrix_livekit_jwt_service_container_labels_traefik_tls %}
+traefik.http.routers.matrix-livekit-jwt-service.tls.certResolver={{ matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_livekit_jwt_service_container_labels_additional_labels }}

roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2

@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix LiveKit JWT Service
+{% for service in matrix_livekit_jwt_service_systemd_required_services_list %}
+After={{ service }}
+Requires={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-jwt-service 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+    --rm \
+    --name=matrix-livekit-jwt-service \
+    --log-driver=none \
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
+    --network={{ matrix_livekit_jwt_service_container_network }} \
+    {% if matrix_livekit_jwt_service_container_http_host_bind_port %}
+    -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }} \
+    {% endif %}
+    --env-file={{ matrix_livekit_jwt_service_base_path }}/env \
+    --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \
+    {{ matrix_livekit_jwt_service_container_image }}
+
+{% for network in matrix_livekit_jwt_service_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-livekit-jwt-service
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-jwt-service
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-livekit-jwt-service
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-livekit-jwt-service/vars/main.yml

@@ -0,0 +1,3 @@
+---
+
+matrix_livekit_jwt_service_public_url: "{{ matrix_livekit_jwt_service_scheme }}://{{ matrix_livekit_jwt_service_hostname }}"

roles/custom/matrix-livekit-server/defaults/main.yml

@@ -0,0 +1,211 @@
+---
+
+# Project source code URL: https://github.com/livekit/livekit
+
+livekit_server_enabled: false
+
+livekit_server_identifier: livekit-server
+
+livekit_server_uid: ''
+livekit_server_gid: ''
+
+livekit_server_base_path: "/{{ livekit_server_identifier }}"
+livekit_server_config_path: "{{ livekit_server_base_path }}/config"
+
+# renovate: datasource=docker depName=docker.io/livekit/livekit-server
+livekit_server_version: v1.8.0
+
+livekit_server_scheme: https
+livekit_server_hostname: ""
+livekit_server_path_prefix: /
+
+livekit_server_container_network: "{{ livekit_server_identifier }}"
+
+livekit_server_container_additional_networks: "{{ livekit_server_container_additional_networks_auto + livekit_server_container_additional_networks_custom }}"
+livekit_server_container_additional_networks_auto: []
+livekit_server_container_additional_networks_custom: []
+
+# Controls whether the LiveKit Server container exposes its RCT TCP port (`livekit_server_config_rtc_tcp_port`)
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
+livekit_server_container_rtc_tcp_host_bind_port: "{{ livekit_server_config_rtc_tcp_port if livekit_server_container_network != 'host' else '' }}"
+
+# Controls whether the LiveKit Server container exposes its RTC UDP port range and which interface to do it on.
+#
+# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
+# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
+#
+# The UDP port-range itself is specified using `livekit_server_config_rtc_port_range_start` and `livekit_server_config_rtc_port_range_end`.
+livekit_server_container_rtc_range_listen_interface: "{{ '' if livekit_server_container_network != 'host' else 'none' }}"
+
+livekit_server_container_image_self_build: false
+livekit_server_container_repo: "https://github.com/livekit/livekit.git"
+livekit_server_container_repo_version: "{{ 'main' if livekit_server_version == 'latest' else livekit_server_version }}"
+livekit_server_container_src_files_path: "{{ livekit_server_base_path }}/container-src"
+
+livekit_server_container_image: "{{ livekit_server_container_image_name_prefix }}livekit/livekit-server:{{ livekit_server_version }}"
+livekit_server_container_image_name_prefix: "{{ 'localhost/' if livekit_server_container_image_self_build else 'docker.io/' }}"
+livekit_server_container_image_force_pull: "{{ livekit_server_container_image.endswith(':latest') }}"
+
+livekit_server_container_labels_traefik_enabled: true
+livekit_server_container_labels_traefik_docker_network: "{{ livekit_server_container_network }}"
+livekit_server_container_labels_traefik_hostname: "{{ livekit_server_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/element`).
+livekit_server_container_labels_traefik_path_prefix: "{{ livekit_server_path_prefix }}"
+livekit_server_container_labels_traefik_rule: "Host(`{{ livekit_server_container_labels_traefik_hostname }}`){% if livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ livekit_server_container_labels_traefik_path_prefix }}`){% endif %}"
+livekit_server_container_labels_traefik_priority: 0
+livekit_server_container_labels_traefik_entrypoints: web-secure
+livekit_server_container_labels_traefik_tls: "{{ livekit_server_container_labels_traefik_entrypoints != 'web' }}"
+livekit_server_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `livekit_server_container_labels_traefik_additional_response_headers_custom`
+livekit_server_container_labels_traefik_additional_response_headers: "{{ livekit_server_container_labels_traefik_additional_response_headers_auto | combine(livekit_server_container_labels_traefik_additional_response_headers_custom) }}"
+livekit_server_container_labels_traefik_additional_response_headers_auto: |
+  {{
+    {}
+    | combine ({'X-XSS-Protection': livekit_server_http_header_xss_protection} if livekit_server_http_header_xss_protection else {})
+    | combine ({'X-Frame-Options': livekit_server_http_header_frame_options} if livekit_server_http_header_frame_options else {})
+    | combine ({'X-Content-Type-Options': livekit_server_http_header_content_type_options} if livekit_server_http_header_content_type_options else {})
+    | combine ({'Content-Security-Policy': livekit_server_http_header_content_security_policy} if livekit_server_http_header_content_security_policy else {})
+    | combine ({'Permission-Policy': livekit_server_http_header_content_permission_policy} if livekit_server_http_header_content_permission_policy else {})
+    | combine ({'Strict-Transport-Security': livekit_server_http_header_strict_transport_security} if livekit_server_http_header_strict_transport_security and livekit_server_container_labels_traefik_tls else {})
+  }}
+livekit_server_container_labels_traefik_additional_response_headers_custom: {}
+
+# livekit_server_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# livekit_server_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+livekit_server_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+livekit_server_container_extra_arguments: []
+
+# Additional environment variables for the container
+livekit_server_environment_variables_additional: {}
+
+# List of systemd services that LiveKit Server service depends on
+livekit_server_systemd_required_services_list: "{{ livekit_server_systemd_required_services_list_default + livekit_server_systemd_required_services_list_auto + livekit_server_systemd_required_services_list_custom }}"
+livekit_server_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+livekit_server_systemd_required_services_list_auto: []
+livekit_server_systemd_required_services_list_custom: []
+
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+livekit_server_http_header_xss_protection: ''
+
+# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+livekit_server_http_header_frame_options: ''
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+livekit_server_http_header_content_type_options: ''
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+livekit_server_http_header_content_security_policy: ''
+
+# Specifies the value of the `Permission-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
+livekit_server_http_header_content_permission_policy: ''
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+livekit_server_http_header_strict_transport_security: ''
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `livekit_server_content_permission_policy`
+livekit_server_floc_optout_enabled: false
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `livekit_server_http_header_strict_transport_security`
+livekit_server_hsts_preload_enabled: true
+
+# Holds the final LiveKit Server configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `livekit_server_configuration_yaml` or `livekit_server_configuration_extension_yaml`.
+livekit_server_configuration: "{{ livekit_server_configuration_yaml | from_yaml | combine(livekit_server_configuration_extension, recursive=True) }}"
+
+# Default LiveKit Server configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `livekit_server_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+livekit_server_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+livekit_server_configuration_extension_yaml: |
+  # Your custom YAML configuration for LiveKit Server goes here.
+  # This configuration extends the default starting configuration (`livekit_server_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `livekit_server_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  #
+  # logging:
+  #   level: debug
+
+livekit_server_configuration_extension: "{{ livekit_server_configuration_extension_yaml | from_yaml if livekit_server_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Controls the `port` configuration property.
+livekit_server_config_port: 7880
+
+# Controls the `rtc.tcp_port` configuration property
+livekit_server_config_rtc_tcp_port: 7881
+
+# Controls the `rtc.port_range_start` configuration property
+livekit_server_config_rtc_port_range_start: 50100
+
+# Controls the `rtc.port_range_end` configuration property
+livekit_server_config_rtc_port_range_end: 50120
+
+# Controls the `rtc.use_external_ip` configuration property.
+# When set to true, attempts to discover the host's public IP via STUN.
+# This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one.
+livekit_server_config_rtc_use_external_ip: true
+
+# Controls the `keys` configuration property.
+livekit_server_config_keys: "{{ livekit_server_config_keys_auto | combine(livekit_server_config_keys_custom, recursive=True) }}"
+livekit_server_config_keys_auto: {}
+livekit_server_config_keys_custom: {}
+
+# Controls the `logging.level` configuration property.
+# Known values: debug, info, warn, error
+livekit_server_config_logging_level: info
+
+# Controls the `logging.pion_level` configuration property
+livekit_server_config_logging_pion_level: error
+
+# Controls the `logging.json` configuration property.
+# When set to true, emits json fields.
+livekit_server_config_logging_json: false
+
+# Controls the `logging.sample` configuration property.
+# For production setups, enables sampling algorithm.
+# See: https://github.com/uber-go/zap/blob/master/FAQ.md#why-sample-application-logs
+livekit_server_config_logging_sample: false

roles/custom/matrix-livekit-server/tasks/install.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Ensure LiveKit Server paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ livekit_server_uid }}"
+    group: "{{ livekit_server_gid }}"
+  with_items:
+    - {path: "{{ livekit_server_base_path }}", when: true}
+    - {path: "{{ livekit_server_config_path }}", when: true}
+    - {path: "{{ livekit_server_container_src_files_path }}", when: "{{ livekit_server_container_image_self_build }}"}
+  when: "item.when | bool"
+
+- name: Ensure LiveKit Server configuration installed
+  ansible.builtin.copy:
+    content: "{{ livekit_server_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ livekit_server_config_path }}/config.yaml"
+    mode: 0640
+    owner: "{{ livekit_server_uid }}"
+    group: "{{ livekit_server_gid }}"
+
+- name: Ensure LiveKit Server labels file installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ livekit_server_base_path }}/labels"
+    mode: 0640
+    owner: "{{ livekit_server_uid }}"
+    group: "{{ livekit_server_gid }}"
+
+- name: Ensure LiveKit Server container image is pulled
+  community.docker.docker_image:
+    name: "{{ livekit_server_container_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ livekit_server_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_container_image_force_pull }}"
+  when: "not livekit_server_container_image_self_build | bool"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- when: "livekit_server_container_image_self_build | bool"
+  block:
+    - name: Ensure LiveKit Server repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ livekit_server_container_repo }}"
+        version: "{{ livekit_server_container_repo_version }}"
+        dest: "{{ livekit_server_container_src_files_path }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: livekit_server_git_pull_results
+
+    - name: Ensure LiveKit Server container image is built
+      community.docker.docker_image:
+        name: "{{ livekit_server_container_image }}"
+        source: build
+        force_source: "{{ livekit_server_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ livekit_server_container_src_files_path }}"
+          pull: true
+
+- name: Ensure LiveKit Server container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ livekit_server_container_network }}"
+    driver: bridge
+
+- name: Ensure LiveKit Server systemd service is installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/livekit-server.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service"
+    mode: 0644

roles/custom/matrix-livekit-server/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- tags:
+    - setup-all
+    - setup-livekit-server
+    - install-all
+    - install-livekit-server
+  block:
+    - when: livekit_server_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: livekit_server_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-livekit-server
+  block:
+    - when: not livekit_server_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-livekit-server/tasks/uninstall.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of LiveKit Server service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service"
+  register: livekit_server_service_stat
+
+- when: livekit_server_service_stat.stat.exists | bool
+  block:
+    - name: Ensure LiveKit Server is stopped
+      ansible.builtin.service:
+        name: "{{ livekit_server_identifier }}"
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure LiveKit Server systemd service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service"
+        state: absent
+
+    - name: Ensure LiveKit Server paths don't exist
+      ansible.builtin.file:
+        path: "{{ livekit_server_base_path }}"
+        state: absent

roles/custom/matrix-livekit-server/tasks/validate_config.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Fail if required LiveKit Server settings are not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] | length == 0"
+  with_items:
+    - {'name': 'livekit_server_hostname', when: true}
+    - {'name': 'livekit_server_identifier', when: true}
+    - {'name': 'livekit_server_uid', when: true}
+    - {'name': 'livekit_server_gid', when: true}

roles/custom/matrix-livekit-server/templates/config.yaml.j2

@@ -0,0 +1,27 @@
+port: {{ livekit_server_config_port | int | to_json }}
+
+bind_addresses:
+  - "0.0.0.0"
+
+rtc:
+  tcp_port: {{ livekit_server_config_rtc_tcp_port | int | to_json }}
+  port_range_start: {{ livekit_server_config_rtc_port_range_start | int | to_json }}
+  port_range_end: {{ livekit_server_config_rtc_port_range_end | int | to_json }}
+  use_external_ip: {{ livekit_server_config_rtc_use_external_ip | to_json }}
+
+turn:
+  enabled: false
+  domain: localhost
+  cert_file: ""
+  key_file: ""
+  tls_port: 5349
+  udp_port: 443
+  external_tls: true
+
+keys: {{ livekit_server_config_keys | to_json }}
+
+logging:
+  level: {{ livekit_server_config_logging_level | to_json }}
+  pion_level: {{ livekit_server_config_logging_pion_level | to_json }}
+  json: {{ livekit_server_config_logging_json | to_json }}
+  sample: {{ livekit_server_config_logging_sample | to_json }}

roles/custom/matrix-livekit-server/templates/labels.j2

@@ -0,0 +1,49 @@
+{% if livekit_server_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if livekit_server_container_labels_traefik_docker_network %}
+traefik.docker.network={{ livekit_server_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.{{ livekit_server_identifier }}.loadbalancer.server.port={{ livekit_server_config_port }}
+
+{% set middlewares = [] %}
+
+{% if livekit_server_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + [livekit_server_identifier + '-server-slashless-redirect'] %}
+
+traefik.http.middlewares.{{ livekit_server_identifier }}-strip-prefix.stripprefix.prefixes={{ livekit_server_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + [livekit_server_identifier + '-strip-prefix'] %}
+{% endif %}
+
+{% if livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in livekit_server_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.{{ livekit_server_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + [livekit_server_identifier + '-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.{{ livekit_server_identifier }}.rule={{ livekit_server_container_labels_traefik_rule }}
+
+{% if livekit_server_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.{{ livekit_server_identifier }}.priority={{ livekit_server_container_labels_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.{{ livekit_server_identifier }}.service={{ livekit_server_identifier }}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.{{ livekit_server_identifier }}.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.{{ livekit_server_identifier }}.entrypoints={{ livekit_server_container_labels_traefik_entrypoints }}
+
+traefik.http.routers.{{ livekit_server_identifier }}.tls={{ livekit_server_container_labels_traefik_tls | to_json }}
+{% if livekit_server_container_labels_traefik_tls %}
+traefik.http.routers.{{ livekit_server_identifier }}.tls.certResolver={{ livekit_server_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+
+{{ livekit_server_container_labels_additional_labels }}

roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2

@@ -0,0 +1,46 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=LiveKit Server
+{% for service in livekit_server_systemd_required_services_list %}
+After={{ service }}
+Requires={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ livekit_server_identifier }} 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ livekit_server_identifier }} 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+	--rm \
+	--name={{ livekit_server_identifier }} \
+	--log-driver=none \
+	--user={{ livekit_server_uid }}:{{ livekit_server_gid }} \
+	--cap-drop=ALL \
+	--network={{ livekit_server_container_network }} \
+	{% if livekit_server_container_rtc_tcp_host_bind_port != '' %}
+	-p {{ livekit_server_container_rtc_tcp_host_bind_port }}:{{ livekit_server_config_rtc_tcp_port }} \
+	{% endif %}
+	{% if livekit_server_container_rtc_range_listen_interface is not in [none, 'none'] %}
+	-p {{ livekit_server_container_rtc_range_listen_interface }}{{ ':' if livekit_server_container_rtc_range_listen_interface else '' }}{{ livekit_server_config_rtc_port_range_start }}-{{ livekit_server_config_rtc_port_range_end }}:{{ livekit_server_config_rtc_port_range_start }}-{{ livekit_server_config_rtc_port_range_end }}/udp \
+	{% endif %}
+	--mount type=bind,src={{ livekit_server_config_path }}/config.yaml,dst=/livekit-config.yaml,ro \
+	--label-file={{ livekit_server_base_path }}/labels \
+	{{ livekit_server_container_image }} \
+	--dev --config /livekit-config.yaml
+
+{% for network in livekit_server_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ livekit_server_identifier }}
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ livekit_server_identifier }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ livekit_server_identifier }} 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ livekit_server_identifier }} 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier={{ livekit_server_identifier }}
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-livekit-server/vars/main.yml

@@ -0,0 +1,3 @@
+livekit_server_public_url: "{{ livekit_server_scheme }}://{{ livekit_server_hostname }}{{ livekit_server_path_prefix }}"
+
+livekit_server_websocket_container_url: "ws://{{ livekit_server_identifier }}:{{ livekit_server_config_port}}"

roles/custom/matrix-static-files/defaults/main.yml

@@ -15,6 +15,7 @@ matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"
 matrix_static_files_public_path: "{{ matrix_static_files_base_path }}/public"
 matrix_static_files_public_well_known_path: "{{ matrix_static_files_public_path }}/.well-known"
 matrix_static_files_public_well_known_matrix_path: "{{ matrix_static_files_public_well_known_path }}/matrix"
+matrix_static_files_public_well_known_element_path: "{{ matrix_static_files_public_well_known_path }}/element"
 
 # List of systemd services that matrix-static-files.service depends on
 matrix_static_files_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
@@ -203,6 +204,16 @@ matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin: "{{ matri
 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: {}
 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_custom: {}
 
+# Controls whether `org.matrix.msc4143.rtc_foci`-related entries should be added to the client well-known.
+# By default, if there are entries in `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci`, we show them (by enabling this).
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci | default({}) | dict2items | length > 0 }}"
+
+# Controls the org.matrix.msc4143.rtc_foci property in the /.well-known/matrix/client file.
+# See `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled`
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto | combine(matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_custom, recursive=True) }}"
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: {}
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_custom: {}
+
 # Default /.well-known/matrix/client configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@@ -350,6 +361,56 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f
 ########################################################################
 
 
+########################################################################
+#                                                                      #
+# Related to /.well-known/element/element.json                         #
+#                                                                      #
+########################################################################
+
+# Controls whether a `/.well-known/element/element.json` file is generated and used at all.
+matrix_static_files_file_element_element_json_enabled: true
+
+# Controls the call.widget_url property in the /.well-known/element/element.json file
+matrix_static_files_file_element_element_json_property_call_widget_url: ''
+
+# Default /.well-known/element/element.json configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_static_files_file_matrix_support_configuration_extension_json`)
+# or completely replace this variable with your own template.
+matrix_static_files_file_element_element_json_configuration_json: "{{ lookup('template', 'templates/public/.well-known/element/element.json.j2') }}"
+
+# Your custom JSON configuration for /.well-known/element/element.json should go to `matrix_static_files_file_element_element_json_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_static_files_file_matrix_support_configuration_extension_json`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_static_files_file_matrix_support_configuration_json`.
+#
+# Example configuration extension follows:
+#
+# matrix_static_files_file_element_element_json_configuration_extension_json: |
+#   {
+#     "call": {
+#       "url": "value"
+#     }
+#   }
+matrix_static_files_file_element_element_json_configuration_extension_json: '{}'
+
+matrix_static_files_file_element_element_json_configuration_extension: "{{ matrix_static_files_file_element_element_json_configuration_extension_json | from_json if matrix_static_files_file_element_element_json_configuration_extension_json | from_json is mapping else {} }}"
+
+# Holds the final /.well-known/matrix/support configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_static_files_file_element_element_json_configuration_json` or `matrix_static_files_file_element_element_json_configuration_extension_json`.
+matrix_static_files_file_element_element_json_configuration: "{{ matrix_static_files_file_element_element_json_configuration_json | combine(matrix_static_files_file_element_element_json_configuration_extension, recursive=True) }}"
+
+########################################################################
+#                                                                      #
+# /Related to /.well-known/element/element.json                        #
+#                                                                      #
+########################################################################
+
+
 ########################################################################
 #                                                                      #
 # Related to index.html                                                #

roles/custom/matrix-static-files/tasks/install.yml

@@ -2,17 +2,19 @@
 
 - name: Ensure matrix-static-files paths exist
   ansible.builtin.file:
-    path: "{{ item }}"
+    path: "{{ item.path }}"
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
   with_items:
-    - "{{ matrix_static_files_base_path }}"
-    - "{{ matrix_static_files_config_path }}"
-    - "{{ matrix_static_files_public_path }}"
-    - "{{ matrix_static_files_public_well_known_path }}"
-    - "{{ matrix_static_files_public_well_known_matrix_path }}"
+    - {path: "{{ matrix_static_files_base_path }}", when: true}
+    - {path: "{{ matrix_static_files_config_path }}", when: true}
+    - {path: "{{ matrix_static_files_public_path }}", when: true}
+    - {path: "{{ matrix_static_files_public_well_known_path }}", when: true}
+    - {path: "{{ matrix_static_files_public_well_known_matrix_path }}", when: true}
+    - {path: "{{ matrix_static_files_public_well_known_element_path }}", when: true}
+  when: "item.when | bool"
 
 - name: Ensure matrix-static-files is configured
   ansible.builtin.template:
@@ -52,6 +54,10 @@
       dest: "{{ matrix_static_files_public_well_known_matrix_path }}/support"
       when: "{{ matrix_static_files_file_matrix_support_enabled }}"
 
+    - content: "{{ matrix_static_files_file_element_element_json_configuration | to_nice_json }}"
+      dest: "{{ matrix_static_files_public_well_known_element_path }}/element.json"
+      when: "{{ matrix_static_files_file_element_element_json_enabled }}"
+
     # This one will not be deleted if `matrix_static_files_file_index_html_enabled` flips to `false`.
     # See the comment for `matrix_static_files_file_index_html_enabled` to learn why.
     - content: "{{ matrix_static_files_file_index_html_template }}"
@@ -70,6 +76,12 @@
     state: absent
   when: "not matrix_static_files_file_matrix_support_enabled | bool"
 
+- name: Ensure /.well-known/element/element.json file deleted if not enabled
+  ansible.builtin.file:
+    path: "{{ matrix_static_files_public_well_known_element_path }}/element.json"
+    state: absent
+  when: "not matrix_static_files_file_element_element_json_enabled | bool"
+
 - name: Ensure matrix-static-files container image is pulled
   community.docker.docker_image:
     name: "{{ matrix_static_files_container_image }}"

roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2

@@ -0,0 +1,7 @@
+{
+	{% if matrix_static_files_file_element_element_json_property_call_widget_url %}
+	"call": {
+		"widget_url": {{ matrix_static_files_file_element_element_json_property_call_widget_url | to_json }}
+	}
+	{% endif %}
+}

roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2

@@ -57,4 +57,7 @@
 	{% if matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_enabled %},
 	"cc.etke.synapse-admin": {{ matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin | to_json }}
 	{% endif %}
+	{% if matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled %},
+	"org.matrix.msc4143.rtc_foci": {{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci | to_json }}
+	{% endif %}
 }

setup.yml

@@ -133,6 +133,9 @@
     - custom/matrix-coturn
     - custom/matrix-media-repo
     - custom/matrix-pantalaimon
+    - custom/matrix-element-call
+    - custom/matrix-livekit-server
+    - custom/matrix-livekit-jwt-service
 
     - role: galaxy/postgres_backup