Merge branch 'spantaleev:master' into element-call-integration

Backslash 2024-10-03 13:20:02 +10:00 committed by GitHub
commit b7e0a41134
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
62 changed files with 716 additions and 579 deletions

@ -1,3 +1,19 @@
# 2024-09-27
## (BC Break) Postgres & Traefik roles have been relocated and variable names need adjustments
Various roles have been relocated from the [devture](https://github.com/devture) organization to the [mother-of-all-self-hosting](https://github.com/mother-of-all-self-hosting) organization.
Along with the relocation, the `devture_` prefix was dropped from their variable names, so you need to adjust your `vars.yml` configuration.
You need to do the following replacements:
- `devture_postgres_` -> `postgres_`
- `devture_traefik_` -> `traefik_`
As always, the playbook would let you know about this and point out any variables you may have missed.
# 2024-09-12
## Support for baibot
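Review bot: The new 2024-09-27 entry lists the variable renames but does not say whether the relocated roles have to be re-fetched before the next run. The 2022-11-28 entry for the earlier Postgres relocation told readers to run `make roles`; if the same step applies here, add it next to the two replacement bullets so an upgrade does not fail on roles that were never pulled from the new location.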
@ -118,7 +134,7 @@ If you're using the playbook's Traefik instance to reverse-proxy to some other s
If you've tweaked any of this playbook's `_path_prefix` variables and made them use a regular expression, you will now need to make additional adjustments. The playbook makes extensive use of `PathPrefix()` matchers in Traefik rules and `PathPrefix` does not support regular expressions anymore. To work around it, you may now need to override a whole `_traefik_rule` variable and switch it from [`PathPrefix` to `PathRegexp`](https://doc.traefik.io/traefik/routing/routers/#path-pathprefix-and-pathregexp).
If you're not using [matrix-media-repo](./docs/configuring-playbook-matrix-media-repo.md) (the only role we had to tweak to adapt it to Traefik v3), you **may potentially downgrade to Traefik v2** (if necessary) by adding `devture_traefik_verison: v2.11.4` to your configuration. People using `matrix-media-repo` cannot downgrade this way, because `matrix-media-repo` has been adjusted to use `PathRegexp` - a [routing matcher](https://doc.traefik.io/traefik/v2.11/routing/routers/#rule) that Traefik v2 does not understand.
If you're not using [matrix-media-repo](./docs/configuring-playbook-matrix-media-repo.md) (the only role we had to tweak to adapt it to Traefik v3), you **may potentially downgrade to Traefik v2** (if necessary) by adding `traefik_verison: v2.11.4` to your configuration. People using `matrix-media-repo` cannot downgrade this way, because `matrix-media-repo` has been adjusted to use `PathRegexp` - a [routing matcher](https://doc.traefik.io/traefik/v2.11/routing/routers/#rule) that Traefik v2 does not understand.
### HTTP/3 is enabled by default
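Review bot: The renamed variable in the downgrade sentence is still spelled `traefik_verison`, carrying over the typo from `devture_traefik_verison`. A reader who copies it sets a variable that nothing reads, so the Traefik v2 pin silently has no effect; this should presumably read `traefik_version: v2.11.4`.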
@ -135,7 +151,7 @@ Still, if HTTP/3 cannot function correctly in your setup, it's best to disable a
To **disable HTTP/3**, you can use the following configuration:
```yml
devture_traefik_config_entrypoint_web_secure_http3_enabled: false
traefik_config_entrypoint_web_secure_http3_enabled: false
# Disabling HTTP/3 for the web-secure entrypoint (above),
# automatically disables it for the Matrix Federation entrypoint as well,
@ -457,9 +473,9 @@ Because [Traefik has an extra job now](#traefik-now-has-an-extra-job), you need
### People fronting Traefik with another reverse proxy need to do minor changes
We've already previously mentioned that you need to do some minor [configuration changes related to `devture_traefik_additional_entrypoints_auto`](#backward-compatibility-configuration-changes-required-for-people-fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy).
We've already previously mentioned that you need to do some minor [configuration changes related to `traefik_additional_entrypoints_auto`](#backward-compatibility-configuration-changes-required-for-people-fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy).
If you don't do these changes (switching from `devture_traefik_additional_entrypoints_auto` to multiple other variables), your Traefik setup will not automatically receive the new `matrix-internal-matrix-client-api` Traefik entrypoint and Traefik would not be able to perform [its new duty of connecting addons with the homeserver](#traefik-now-has-an-extra-job).
If you don't do these changes (switching from `traefik_additional_entrypoints_auto` to multiple other variables), your Traefik setup will not automatically receive the new `matrix-internal-matrix-client-api` Traefik entrypoint and Traefik would not be able to perform [its new duty of connecting addons with the homeserver](#traefik-now-has-an-extra-job).
### Supported reverse proxy types are now fewer
@ -572,17 +588,17 @@ I don't actively use all the ~100 components offered by the playbook (no one doe
If you're on the default setup (using the Traefik reverse-proxy as installed by the playbook), you don't need to do anything.
People who are [Fronting the integrated Traefik reverse-proxy webserver with another reverse-proxy](./docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), as per our previous instructions are redefining `devture_traefik_additional_entrypoints_auto` in their `vars.yml` configuration.
People who are [Fronting the integrated Traefik reverse-proxy webserver with another reverse-proxy](./docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), as per our previous instructions are redefining `traefik_additional_entrypoints_auto` in their `vars.yml` configuration.
Such a full variable redefinion is intrustive, because it prevents the playbook from injecting additional entrypoints into the Traefik webserver. In the future, the playbook may have a need to do so.
For this reason, we no longer recommend completely redefining `devture_traefik_additional_entrypoints_auto`.
The playbook now defines [various `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables in the `defaults/main.yml` file](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/custom/matrix-base/defaults/main.yml) of the `matrix-base` role which can be used as a safer alternative to `devture_traefik_additional_entrypoints_auto`.
For this reason, we no longer recommend completely redefining `traefik_additional_entrypoints_auto`.
The playbook now defines [various `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables in the `defaults/main.yml` file](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/custom/matrix-base/defaults/main.yml) of the `matrix-base` role which can be used as a safer alternative to `traefik_additional_entrypoints_auto`.
Adapt your configuration as seen below:
```diff
-devture_traefik_additional_entrypoints_auto:
-traefik_additional_entrypoints_auto:
- - name: matrix-federation
- port: 8449
- host_bind_port: '127.0.0.1:8449'
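Review bot: The `diff` example in this older entry now shows readers removing `-traefik_additional_entrypoints_auto:`, but anyone following the entry from a configuration written before the 2024-09-27 rename will have the key spelled `devture_traefik_additional_entrypoints_auto` in `vars.yml`. Either keep the historical name in the removed lines, or add a sentence saying the variable was called `devture_traefik_additional_entrypoints_auto` before the rename, so that a search of the old configuration still finds it.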
@ -711,7 +727,7 @@ From now on, the [Postgres Ansible role](https://github.com/devture/com.devture.
Our [Tuning PostgreSQL](docs/maintenance-postgres.md#tuning-postgresql) documentation page has details about how you can turn auto-tuning off or adjust the automatically-determined Postgres configuration parameters manually.
People who [enable load-balancing with Synapse workers](docs/configuring-playbook-synapse.md#load-balancing-with-workers) no longer need to increase the maximum number of Postgres connections manually (previously done via `devture_postgres_process_extra_arguments`). There's a new variable (`devture_postgres_max_connections`) for controlling this number and the playbook automatically raises its value from `200` to `500` for setups which enable workers.
People who [enable load-balancing with Synapse workers](docs/configuring-playbook-synapse.md#load-balancing-with-workers) no longer need to increase the maximum number of Postgres connections manually (previously done via `postgres_process_extra_arguments`). There's a new variable (`postgres_max_connections`) for controlling this number and the playbook automatically raises its value from `200` to `500` for setups which enable workers.
# 2023-08-31
@ -1070,7 +1086,7 @@ Unless we have some regression, **existing `matrix-nginx-proxy` users should be
```yaml
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
```
You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed.
@ -1097,7 +1113,7 @@ As mentioned above, Traefik still reverse-proxies to some (most) services by goi
As Traefik support becomes complete and proves to be stable for a while, especially as a playbook default, we will **most likely remove `matrix-nginx-proxy` completely**. It will likely be some months before this happens though. Keeping support for both Traefik and nginx in the playbook will be a burden, especially with most of us running Traefik in the future. The Traefik role should do everything nginx does in a better and cleaner way. Users who use their own `nginx` server on the Matrix server will be inconvenienced, as nothing will generate ready-to-include nginx configuration for them. Still, we hope it won't be too hard to migrate their setup to another way of doing things, like:
- not using nginx anymore. A common reason for using nginx until now was that you were running other containers and you need your own nginx to reverse-proxy to all of them. Just switch them to Traefik as well.
- running Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and using some nginx configuration which reverse-proxies to Traefik (we should introduce examples for this in `examples/nginx`).
- running Traefik in local-only mode (`traefik_config_entrypoint_web_secure_enabled: false`) and using some nginx configuration which reverse-proxies to Traefik (we should introduce examples for this in `examples/nginx`).
### How do I help?
@ -1107,7 +1123,7 @@ You can help by:
- **adding native Traefik support to a role** (requires adding Traefik labels, etc.) - for inspiration, see these roles ([prometheus_node_exporter](https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter), [prometheus_postgres_exporter](https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter)) and how they're hooked into the playbook via [group_vars/matrix_servers](group_vars/matrix_servers).
- **adding reverse-proxying examples for nginx users** in `examples/nginx`. People who insist on using their own `nginx` server on the same Matrix host, can run Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and reverse-proxy to the Traefik server
- **adding reverse-proxying examples for nginx users** in `examples/nginx`. People who insist on using their own `nginx` server on the same Matrix host, can run Traefik in local-only mode (`traefik_config_entrypoint_web_secure_enabled: false`) and reverse-proxy to the Traefik server
# 2023-02-10
@ -1232,14 +1248,14 @@ See our [Setting up matrix-bot-chatgpt](docs/configuring-playbook-bot-chatgpt.md
Just like we've [replaced Postgres with an external role](#matrix-postgres-has-been-replaced-by-the-comdevtureansiblerolepostgres-external-role) on 2022-11-28, we're now replacing `matrix-postgres-backup` with an external role - [com.devture.ansible.role.postgres_backup](https://github.com/devture/com.devture.ansible.role.postgres_backup).
You'll need to rename your `matrix_postgres_backup`-prefixed variables such that they use a `devture_postgres_backup` prefix.
You'll need to rename your `matrix_postgres_backup`-prefixed variables such that they use a `postgres_backup` prefix.
# 2022-11-28
## matrix-postgres has been replaced by the com.devture.ansible.role.postgres external role
**TLDR**: the tasks that install the integrated Postgres server now live in an external role - [com.devture.ansible.role.postgres](https://github.com/devture/com.devture.ansible.role.postgres). You'll need to run `make roles` to install it, and to also rename your `matrix_postgres`-prefixed variables to use a `devture_postgres` prefix (e.g. `matrix_postgres_connection_password` -> `devture_postgres_connection_password`). All your data will still be there! Some scripts have moved (`/usr/local/bin/matrix-postgres-cli` -> `/matrix/postgres/bin/cli`).
**TLDR**: the tasks that install the integrated Postgres server now live in an external role - [com.devture.ansible.role.postgres](https://github.com/devture/com.devture.ansible.role.postgres). You'll need to run `make roles` to install it, and to also rename your `matrix_postgres`-prefixed variables to use a `devture_postgres` prefix (e.g. `matrix_postgres_connection_password` -> `postgres_connection_password`). All your data will still be there! Some scripts have moved (`/usr/local/bin/matrix-postgres-cli` -> `/matrix/postgres/bin/cli`).
The `matrix-postgres` role that has been part of the playbook for a long time has been replaced with the [com.devture.ansible.role.postgres](https://github.com/devture/com.devture.ansible.role.postgres) role. This was done as part of our work to [use external roles for some things](#the-playbook-now-uses-external-roles-for-some-things) for better code re-use and maintainability.
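Review bot: In the 2022-11-28 TLDR line the prose and the example now disagree: the sentence still says to use a `devture_postgres` prefix, while the example reads `matrix_postgres_connection_password` -> `postgres_connection_password`. Update the prefix in the sentence to `postgres` as well, or keep the historical name in both places and point to the 2024-09-27 entry. The role links in this hunk also still point at the `devture` organization, which the new 2024-09-27 entry says the roles have moved away from.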

@ -123,7 +123,75 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
## Usage
You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/the-draupnir-project/Draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot.
You can refer to the upstream [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) for additional ways to use and configure Draupnir and for a more detailed usage guide.
Below is a **non-exhaustive quick-start guide** for the impatient.
### Making Draupnir join and protect a room
Draupnir can be told to self-join public rooms, but it's better to follow this flow which works well for all kinds of rooms:
1. Invite the bot to the room manually ([inviting Draupnir to rooms](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#inviting-draupnir-to-rooms)). Before joining, the bot *may* ask for confirmation in the Management Room
2. [Give the bot permissions to do its job](#giving-draupnir-permissions-to-do-its-job)
3. Tell it to protect the room (using the [rooms command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#using-the-draupnir-rooms-command)) by sending the following command to the Management Room: `!draupnir rooms add !ROOM_ID:DOMAIN`
To have Draupnir provide useful room protection, you need do to a bit more work (at least the first time around).
You may wish to [Subscribe to a public policy list](#subscribing-to-a-public-policy-list), [Create your own own policy and rules](#creating-your-own-policy-lists-and-rules) and [Enabling built-in protections](#enabling-built-in-protections).
### Giving Draupnir permissions to do its job
For Draupnir to do its job, you need to [give it permissions](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#giving-draupnir-permissions) in rooms it's protecting. This involves **giving it an Administrator power level**.
**We recommend setting this power level as soon as the bot joins your room** (and before you create new rules), so that it can apply rules as soon as they are available. If the bot is under-privileged, it may fail to apply protections and may not retry for a while (or until your restart it).
### Subscribing to a public policy list
We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms).
Polcy lists are maintained in Matrix rooms. A popular policy list is maintained in the public `#community-moderation-effort-bl:neko.dev` room.
You can tell Draupnir to subscribe to it by sending the following command to the Management Room: `!draupnir watch #community-moderation-effort-bl:neko.dev`
#### Creating your own policy lists and rules
We also recommend **creating your own policy lists** with the [list create](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-list-create-command-to-create-a-policy-room) command.
You can do so by sending the following command to the Management Room: `!draupnir list create my-bans my-bans-bl`. This will create a policy list having a name (shortcode) of `my-bans` and stored in a public `#my-bans-bl:DOMAIN` room on your server. As soon as you run this command, the bot will invite you to the policy list room.
A policy list does nothing by itself, so the next step is **adding some rules to your policy list**. Policies target a so-called `entity` (one of: `user`, `room` or `server`). These entities are mentioned on the [policy lists](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists) documentation page and in the Matrix Spec [here](https://spec.matrix.org/v1.11/client-server-api/#mban-recommendation).
The simplest and most useful entity to target is `user`. Below are a few examples using the [ban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-ban-command) and targeting users.
To create rules, you run commands in the Management Room (**not** in the policy list room).
- (ban a single user on a given homeserver): `!draupnir ban @someone:example.com my-bans Rude to others`
- (ban all users on a given homeserver by using a [wildcard](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#wildcards)): `!draupnir ban @*:example.org my-bans Spam server - all users are fake`
As a result of running these commands, you may observe:
- Draupnir creating `m.policy.rule.user` state events in the `#my-bans-bl:DOMAIN` room on your server
- applying these rules against all rooms that Draupnir is an Administrator in
You can undo bans with the [unban command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-users#the-unban-command).
### Enabling built-in protections
You can also **turn on various built-in [protections](https://the-draupnir-project.github.io/draupnir-documentation/protections)** like `JoinWaveShortCircuit` ("If X amount of users join in Y time, set the room to invite-only").
To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room.
To **see the configuration options for a given protection**, send a `!draupnir config get PROTECTION_NAME` (e.g. `!draupnir config get JoinWaveShortCircuit`).
To **set a specific option for a given protection**, send a command like this: `!draupnir config set PROTECTION_NAME.OPTION VALUE` (e.g. `!draupnir config set JoinWaveShortCircuit.timescaleMinutes 30`).
To **enable a given protection**, send a command like this: `!draupnir enable PROTECTION_NAME` (e.g. `!draupnir enable JoinWaveShortCircuit`).
To **disable a given protection**, send a command like this: `!draupnir disable PROTECTION_NAME` (e.g. `!draupnir disable JoinWaveShortCircuit`).
## Extending the configuration
You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file.
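Review bot: The added heading `#### Creating your own policy lists and rules` is one level deeper than its siblings (`### Subscribing to a public policy list`, `### Enabling built-in protections`), which nests it under the subscription section although the quick-start paragraph links to it as a separate step; make it `###`. The new text also has a few typos to fix before merge: "need do to a bit more work", "Create your own own policy", "until your restart it" and "Polcy lists".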

@ -10,7 +10,7 @@ If you'd like to use an external PostgreSQL server that you manage, you can edit
If you'd like to use an external Postgres server, use a custom `vars.yml` configuration like this:
```yaml
devture_postgres_enabled: false
postgres_enabled: false
# Rewire Synapse to use your external Postgres server
matrix_synapse_database_host: "your-postgres-server-hostname"

@ -227,20 +227,20 @@ To make Traefik reverse-proxy to these additional JVBs (living on other hosts),
# Traefik proxying for additional JVBs. These can't be configured using Docker
# labels, like the first JVB is, because they run on different hosts, so we add
# the necessary configuration to the file provider.
devture_traefik_provider_configuration_extension_yaml: |
traefik_provider_configuration_extension_yaml: |
http:
routers:
{% for host in groups['jitsi_jvb_servers'] %}
additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-router:
entryPoints:
- "{{ devture_traefik_entrypoint_primary }}"
- "{{ traefik_entrypoint_primary }}"
rule: "Host(`{{ jitsi_hostname }}`) && PathPrefix(`/colibri-ws/{{ hostvars[host]['jitsi_jvb_server_id'] }}/`)"
service: additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-service
{% if devture_traefik_entrypoint_primary != 'web' %}
{% if traefik_entrypoint_primary != 'web' %}
tls:
certResolver: "{{ devture_traefik_certResolver_primary }}"
certResolver: "{{ traefik_certResolver_primary }}"
{% endif %}

@ -123,7 +123,7 @@ To import the Synapse media store, you're supposed to invoke the `import_synapse
This guide here is adapted from the [upstream documentation about the import_synapse script](https://github.com/turt2live/matrix-media-repo#importing-media-from-synapse).
Run the following command on the server (after replacing `devture_postgres_connection_password` in it with the value found in your `vars.yml` file):
Run the following command on the server (after replacing `postgres_connection_password` in it with the value found in your `vars.yml` file):
```sh
docker exec -it matrix-media-repo \
@ -132,7 +132,7 @@ docker exec -it matrix-media-repo \
-dbHost matrix-postgres \
-dbPort 5432 \
-dbUsername matrix \
-dbPassword devture_postgres_connection_password
-dbPassword postgres_connection_password
```
Enter `1` for the Machine ID when prompted (you are not doing any horizontal scaling) unless you know what you're doing.
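Review bot: The placeholder after `-dbPassword` is now `postgres_connection_password`, which reads like a literal value; an upper-case form such as `YOUR_POSTGRES_CONNECTION_PASSWORD` would make it harder to run the command unedited. Since the real password is typed as a command-line argument, it is also worth a sentence noting that it will land in the shell history on the server. The same applies to the `import_dendrite` command further down.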
@ -145,7 +145,7 @@ If you're using the [Dendrite](configuring-playbook-dendrite.md) homeserver inst
To import the Dendrite media store, you're supposed to invoke the `import_dendrite` tool which is part of the matrix-media-repo container image. Your Dendrite database is called `dendrite_mediaapi` by default, unless you've changed it by modifying `matrix_dendrite_media_api_database`.
Run the following command on the server (after replacing `devture_postgres_connection_password` in it with the value found in your `vars.yml` file):
Run the following command on the server (after replacing `postgres_connection_password` in it with the value found in your `vars.yml` file):
```sh
docker exec -it matrix-media-repo \
@ -154,7 +154,7 @@ docker exec -it matrix-media-repo \
-dbHost matrix-postgres \
-dbPort 5432 \
-dbUsername matrix \
-dbPassword devture_postgres_connection_password
-dbPassword postgres_connection_password
```
Enter `1` for the Machine ID when prompted (you are not doing any horizontal scaling) unless you know what you're doing.

@ -21,7 +21,7 @@ To have the playbook install and use Traefik, use configuration like this (as se
```yaml
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
```
Traefik will manage SSL certificates for all services seamlessly.
@ -38,7 +38,7 @@ matrix_playbook_reverse_proxy_type: other-traefik-container
# Adjust to point to your Traefik container
matrix_playbook_reverse_proxy_hostname: name-of-your-traefik-container
devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
# Uncomment and tweak the variable below if the name of your federation entrypoint is different
# than the default value (matrix-federation).
@ -148,18 +148,18 @@ matrix_playbook_ssl_enabled: true
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval.
# This has the side-effect of also automatically disabling TLS for the matrix-federation entrypoint
# (by toggling `matrix_federation_traefik_entrypoint_tls`).
devture_traefik_config_entrypoint_web_secure_enabled: false
traefik_config_entrypoint_web_secure_enabled: false
# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81`
devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
traefik_container_web_host_bind_port: '127.0.0.1:81'
# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
# a reverse-proxy running on the local machine is safe enough.
# If you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interface:
# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition below
# - uncomment and adjust the `devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` line below
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
# If you're publishing the port (`traefik_container_web_host_bind_port` above) to a public network interface:
# - remove the `traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition below
# - uncomment and adjust the `traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` line below
traefik_config_entrypoint_web_forwardedHeaders_insecure: true
# traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
# Expose the federation entrypoint on a custom port (other than port 8448, which is normally used publicly).
#
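Review bot: The sample leaves `traefik_config_entrypoint_web_forwardedHeaders_insecure: true` active, while the comment on `traefik_container_web_host_bind_port` a few lines earlier suggests `0.0.0.0:81` for a reverse proxy on another machine. A reader who changes only the bind port ends up trusting `X-Forwarded-*` headers from any client that can reach port 81. Consider repeating the warning directly in the bind-port comment, so that the bind address and the `forwardedHeaders` settings are changed together.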

@ -10,7 +10,7 @@ For a more complete backup solution (one that includes not only Postgres, but al
Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable Postgres backup:
```yaml
devture_postgres_backup_enabled: true
postgres_backup_enabled: true
```
Refer to the table below for additional configuration variables and their default values.
@ -18,13 +18,13 @@ Refer to the table below for additional configuration variables and their defaul
| Name | Default value | Description |
| :-------------------------------- | :--------------------------- | :--------------------------------------------------------------- |
|`devture_postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups|
|`devture_postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.|
|`devture_postgres_backup_keep_days`|`7`|Number of daily backups to keep|
|`devture_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep|
|`devture_postgres_backup_keep_months`|`12`|Number of monthly backups to keep|
|`devture_postgres_backup_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_backup_data_path` |
|`devture_postgres_backup_data_path` | `"{{ devture_postgres_backup_base_path }}/data"` | Storage path for postgres-backup database backups |
|`postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups|
|`postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.|
|`postgres_backup_keep_days`|`7`|Number of daily backups to keep|
|`postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep|
|`postgres_backup_keep_months`|`12`|Number of monthly backups to keep|
|`postgres_backup_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `postgres_backup_data_path` |
|`postgres_backup_data_path` | `"{{ postgres_backup_base_path }}/data"` | Storage path for postgres-backup database backups |
## Installing

@ -12,7 +12,7 @@ For testing purposes, you may wish to use staging certificates provide by Let's
You can do this with the following configuration:
```yaml
devture_traefik_config_certificatesResolvers_acme_use_staging: true
traefik_config_certificatesResolvers_acme_use_staging: true
```
@ -23,7 +23,7 @@ For testing or other purposes, you may wish to install services without SSL term
You can do this with the following configuration:
```yaml
devture_traefik_config_entrypoint_web_secure_enabled: false
traefik_config_entrypoint_web_secure_enabled: false
```
@ -46,16 +46,16 @@ To use your own SSL certificates with Traefik, you need to:
```yaml
# Disable ACME / Let's Encrypt support.
devture_traefik_config_certificatesResolvers_acme_enabled: false
traefik_config_certificatesResolvers_acme_enabled: false
# Disabling ACME support (above) automatically disables the creation of the SSL directory.
# Force-enable it here, because we'll add our certificate files there.
devture_traefik_ssl_dir_enabled: true
traefik_ssl_dir_enabled: true
# Tell Traefik to load our custom configuration file (certificates.yml).
# The file is created below, in `aux_file_definitions`.
# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
devture_traefik_configuration_extension_yaml: |
traefik_configuration_extension_yaml: |
providers:
file:
filename: /config/certificates.yml
@ -66,7 +66,7 @@ devture_traefik_configuration_extension_yaml: |
aux_file_definitions:
# Create the privkey.pem file on the server by
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
- dest: "{{ traefik_ssl_dir_path }}/privkey.pem"
src: /path/on/your/Ansible/computer/to/privkey.pem
# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
# Note the indentation level.
@ -76,7 +76,7 @@ aux_file_definitions:
# Create the cert.pem file on the server
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem"
- dest: "{{ traefik_ssl_dir_path }}/cert.pem"
src: /path/on/your/Ansible/computer/to/cert.pem
# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
# Note the indentation level.
@ -86,7 +86,7 @@ aux_file_definitions:
# Create the custom Traefik configuration.
# The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
- dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
- dest: "{{ traefik_config_dir_path }}/certificates.yml"
content: |
tls:
certificates:
@ -109,12 +109,12 @@ You can configure Traefik to use the [DNS-01 challenge type](https://letsencrypt
This is an example for how to edit the `vars.yml` file if you're using Cloudflare:
```yaml
devture_traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true
devture_traefik_config_certificatesResolvers_acme_dnsChallenge_provider: "cloudflare"
devture_traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: 60
devture_traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers:
traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true
traefik_config_certificatesResolvers_acme_dnsChallenge_provider: "cloudflare"
traefik_config_certificatesResolvers_acme_dnsChallenge_delayBeforeCheck: 60
traefik_config_certificatesResolvers_acme_dnsChallenge_resolvers:
- "1.1.1.1:53"
devture_traefik_environment_variables_additional_variables: |
traefik_environment_variables_additional_variables: |
CF_API_EMAIL=redacted
CF_ZONE_API_TOKEN=redacted
CF_DNS_API_TOKEN=redacted
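Review bot: The renamed `traefik_environment_variables_additional_variables` at the end of this example does not match the variable that carries the same Cloudflare tokens in the other DNS-challenge example touched by this commit, which sets `traefik_environment_variables`. Please confirm which name the relocated Traefik role actually reads and use it in both documents. If one of them is not picked up, the `CF_*` tokens would not reach the container and the DNS-01 challenge would fail with no hint pointing at the variable name.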

View File

@ -75,7 +75,7 @@ The only thing you **cannot** do is mix [generic workers](#generic-workers) and
#### Effect of enabling workers on the rest of your server
When Synapse workers are enabled, the integrated [Postgres database is tuned](maintenance-postgres.md#tuning-postgresql), so that the maximum number of Postgres connections are increased from `200` to `500`. If you need to decrease or increase the number of maximum Postgres connections further, use the `devture_postgres_max_connections` variable.
When Synapse workers are enabled, the integrated [Postgres database is tuned](maintenance-postgres.md#tuning-postgresql), so that the maximum number of Postgres connections are increased from `200` to `500`. If you need to decrease or increase the number of maximum Postgres connections further, use the `postgres_max_connections` variable.
A separate Ansible role (`matrix-synapse-reverse-proxy-companion`) and component handles load-balancing for workers. This role/component is automatically enabled when you enable workers. Make sure to use the `setup-all` tag (not `install-all`!) during the playbook's [installation](./installing.md) process, especially if you're disabling workers, so that components may be installed/uninstalled correctly.

View File

@ -12,7 +12,7 @@ See the dedicated [Adjusting SSL certificate retrieval](configuring-playbook-ssl
## Increase logging verbosity
```yaml
devture_traefik_config_log_level: DEBUG
traefik_config_log_level: DEBUG
```
## Disable access logs
@ -20,7 +20,7 @@ devture_traefik_config_log_level: DEBUG
This will disable access logging.
```yaml
devture_traefik_config_accessLog_enabled: false
traefik_config_accessLog_enabled: false
```
## Enable Traefik Dashboard
@ -28,23 +28,23 @@ devture_traefik_config_accessLog_enabled: false
This will enable a Traefik [Dashboard](https://doc.traefik.io/traefik/operations/dashboard/) UI at `https://matrix.DOMAIN/dashboard/` (note the trailing `/`).
```yaml
devture_traefik_dashboard_enabled: true
devture_traefik_dashboard_hostname: "{{ matrix_server_fqn_matrix }}"
devture_traefik_dashboard_basicauth_enabled: true
devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
traefik_dashboard_enabled: true
traefik_dashboard_hostname: "{{ matrix_server_fqn_matrix }}"
traefik_dashboard_basicauth_enabled: true
traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
```
**WARNING**: Enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts.
## Additional configuration
Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
Use the `traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
```yaml
# This is a contrived example.
# You can enable and secure the Dashboard using dedicated variables. See above.
devture_traefik_configuration_extension_yaml: |
traefik_configuration_extension_yaml: |
api:
dashboard: true
```
@ -66,8 +66,8 @@ First, we have to adjust the static configuration of Traefik, so that we can add
```yaml
# We enable all config files in the /config/ folder to be loaded.
# `/config` is the path as it appears in the Traefik container.
# On the host, it's actually `/matrix/traefik/config` (as defined in `devture_traefik_config_dir_path`).
devture_traefik_configuration_extension_yaml: |
# On the host, it's actually `/matrix/traefik/config` (as defined in `traefik_config_dir_path`).
traefik_configuration_extension_yaml: |
providers:
file:
directory: /config/
@ -79,7 +79,7 @@ If you are using a self-signed certificate on your webserver, you can tell Traef
```yaml
# We enable all config files in the /config/ folder to be loaded and
devture_traefik_configuration_extension_yaml: |
traefik_configuration_extension_yaml: |
providers:
file:
directory: /config/
@ -90,11 +90,11 @@ devture_traefik_configuration_extension_yaml: |
```
Next, you have to add a new dynamic configuration file for Traefik that contains the actual information of the server using the `aux_file_definitions` variable. In this example, we will terminate SSL at the Traefik instance and connect to the other server via HTTPS. Traefik will now take care of managing the certificates.
Next, you have to add a new dynamic configuration file for Traefik that contains the actual information of the server using the `aux_file_definitions` variable. In this example, we will terminate SSL at the Traefik instance and connect to the other server via HTTPS. Traefik will now take care of managing the certificates.
```yaml
aux_file_definitions:
- dest: "{{ devture_traefik_config_dir_path }}/provider_my_fancy_website.yml"
- dest: "{{ traefik_config_dir_path }}/provider_my_fancy_website.yml"
content: |
http:
routers:
@ -117,7 +117,7 @@ If you do not want to terminate SSL at the Traefik instance (for example, becaus
```yaml
aux_file_definitions:
- dest: "{{ devture_traefik_config_dir_path }}/providers_my_fancy_website.yml"
- dest: "{{ traefik_config_dir_path }}/providers_my_fancy_website.yml"
content: |
tcp:
routers:
@ -134,9 +134,9 @@ aux_file_definitions:
```
Changing the `url` to one with an `http://` prefix would allow to connect to the server via HTTP.
With these changes, all TCP traffic will be reverse-proxied to the target system.
With these changes, all TCP traffic will be reverse-proxied to the target system.
**WARNING**: This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```.
**WARNING**: This configuration might lead to problems or need additional steps when a [certbot](https://certbot.eff.org/) behind Traefik also tries to manage [Let's Encrypt](https://letsencrypt.org/) certificates, as Traefik captures all traffic to ```PathPrefix(`/.well-known/acme-challenge/`)```.
## Traefik behind a `proxy_protocol` reverse-proxy
@ -144,7 +144,7 @@ With these changes, all TCP traffic will be reverse-proxied to the target system
If you run a reverse-proxy which speaks `proxy_protocol`, add the following to your configuration file:
```yaml
devture_traefik_configuration_extension_yaml: |
traefik_configuration_extension_yaml: |
entryPoints:
web-secure:
proxyProtocol:

View File

@ -58,29 +58,29 @@ We cannot just disable the default resolver as that would disable SSL in quite a
```yaml
# 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
devture_traefik_configuration_extension_yaml: |
traefik_configuration_extension_yaml: |
certificatesResolvers:
dns:
acme:
# To use a staging endpoint for testing purposes, uncomment the line below.
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
email: {{ traefik_config_certificatesResolvers_acme_email | to_json }}
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
storage: {{ traefik_config_certificatesResolvers_acme_storage | to_json }}
# 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare)
devture_traefik_environment_variables: |
traefik_environment_variables: |
CF_API_EMAIL=redacted
CF_ZONE_API_TOKEN=redacted
CF_DNS_API_TOKEN=redacted
LEGO_DISABLE_CNAME_SUPPORT=true
# 3. Instruct the playbook to use the new ACME configuration
devture_traefik_certResolver_primary: dns
traefik_certResolver_primary: dns
```
## Adjust Coturn's configuration
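Review bot: The step 2 comment in this block reads "needed by Rraefik". Since the line directly below it is being renamed anyway, fix the typo to "Traefik" in the same change.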
@ -105,16 +105,16 @@ matrix_coturn_container_additional_volumes: |
(
[
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
)
}}
```
@ -124,7 +124,7 @@ matrix_coturn_container_additional_volumes: |
```yaml
# Choosing the reverse proxy implementation
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com
traefik_config_certificatesResolvers_acme_email: redacted@example.com
# To serve the federation from any domain, as long as the path matches
matrix_synapse_container_labels_public_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`)
@ -135,25 +135,25 @@ matrix_synapse_container_labels_additional_labels: |
traefik.http.routers.matrix-synapse-federation-api.tls.domains.sans="*.example.com"
# Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
devture_traefik_configuration_extension_yaml: |
traefik_configuration_extension_yaml: |
certificatesResolvers:
dns:
acme:
# To use a staging endpoint for testing purposes, uncomment the line below.
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
email: {{ traefik_config_certificatesResolvers_acme_email | to_json }}
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "8.8.8.8:53"
storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
storage: {{ traefik_config_certificatesResolvers_acme_storage | to_json }}
# Instruct thep laybook to use the new ACME configuration
devture_traefik_certResolver_primary: "dns"
traefik_certResolver_primary: "dns"
# Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare)
devture_traefik_environment_variables: |
traefik_environment_variables: |
CF_API_EMAIL=redacted
CF_ZONE_API_TOKEN=redacted
CF_DNS_API_TOKEN=redacted
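Review bot: The comment above `traefik_certResolver_primary` reads "Instruct thep laybook"; correct it to "Instruct the playbook" while this block is being edited. This full example also repeats the `certificatesResolvers` block from the shorter snippet earlier in the same file, so every rename has to be kept in sync in both places.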
@ -168,16 +168,16 @@ matrix_coturn_container_additional_volumes: |
(
[
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
)
}}
```

View File

@ -107,12 +107,12 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"`
PostgreSQL can be [tuned](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server) to make it run faster. This is done by passing extra arguments to the Postgres process.
The [Postgres Ansible role](https://github.com/devture/com.devture.ansible.role.postgres) **already does some tuning by default**, which matches the [tuning logic](https://github.com/le0pard/pgtune/blob/master/src/features/configuration/configurationSlice.js) done by websites like https://pgtune.leopard.in.ua/.
You can manually influence some of the tuning variables . These parameters (variables) are injected via the `devture_postgres_postgres_process_extra_arguments_auto` variable.
You can manually influence some of the tuning variables . These parameters (variables) are injected via the `postgres_postgres_process_extra_arguments_auto` variable.
Most users should be fine with the automatically-done tuning. However, you may wish to:
- **adjust the automatically-determined tuning parameters manually**: change the values for the tuning variables defined in the Postgres role's [default configuration file](https://github.com/devture/com.devture.ansible.role.postgres/blob/main/defaults/main.yml) (see `devture_postgres_max_connections`, `devture_postgres_data_storage` etc). These variables are ultimately passed to Postgres via a `devture_postgres_postgres_process_extra_arguments_auto` variable
- **adjust the automatically-determined tuning parameters manually**: change the values for the tuning variables defined in the Postgres role's [default configuration file](https://github.com/devture/com.devture.ansible.role.postgres/blob/main/defaults/main.yml) (see `postgres_max_connections`, `postgres_data_storage` etc). These variables are ultimately passed to Postgres via a `postgres_postgres_process_extra_arguments_auto` variable
- **turn automatically-performed tuning off**: override it like this: `devture_postgres_postgres_process_extra_arguments_auto: []`
- **turn automatically-performed tuning off**: override it like this: `postgres_postgres_process_extra_arguments_auto: []`
- **add additional tuning parameters**: define your additional Postgres configuration parameters in `devture_postgres_postgres_process_extra_arguments_custom`. See `devture_postgres_postgres_process_extra_arguments_auto` defined in the Postgres role's [default configuration file](https://github.com/devture/com.devture.ansible.role.postgres/blob/main/defaults/main.yml) for inspiration
- **add additional tuning parameters**: define your additional Postgres configuration parameters in `postgres_postgres_process_extra_arguments_custom`. See `postgres_postgres_process_extra_arguments_auto` defined in the Postgres role's [default configuration file](https://github.com/devture/com.devture.ansible.role.postgres/blob/main/defaults/main.yml) for inspiration
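Review bot: The variable names in this section now use the `postgres_` prefix, but the role link and both `defaults/main.yml` links still point to `github.com/devture/com.devture.ansible.role.postgres`, while `requirements.yml` in this commit fetches the role from `mother-of-all-self-hosting/ansible-role-postgres`. Update the three links so readers land on the defaults file that defines `postgres_max_connections` and the other renamed variables.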

View File

@ -34,13 +34,13 @@ matrix_playbook_reverse_proxy_type: playbook-managed-traefik
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
devture_traefik_config_certificatesResolvers_acme_email: ''
traefik_config_certificatesResolvers_acme_email: ''
# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
devture_postgres_connection_password: ''
postgres_connection_password: ''
# By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file.
# If this value is an external IP address, you can skip this section.

File diff suppressed because it is too large

View File

@ -22,10 +22,10 @@
version: v4.98-r0-1-1
name: exim_relay
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
version: v11.1.4-1
version: v11.1.7-0
name: grafana
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v9646-1
version: v9753-0
name: jitsi
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keydb.git
version: v6.3.4-3
@ -42,11 +42,11 @@
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
name: playbook_state_preserver
- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
version: v16.4-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
version: v17.0-1
name: postgres
- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
version: ccfd8db07fd8725119f0e06ba5144b8f58a67890
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
version: v16-0
name: postgres_backup
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
version: v2.54.1-1
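Review bot: `postgres_backup` moves from a full commit SHA pin (`ccfd8db07fd8725119f0e06ba5144b8f58a67890`) to the tag `v16-0`. A tag can be re-pointed after the fact, so this is a weaker pin than the one it replaces; consider pinning the relocated role by commit SHA as well, or note why a tag is acceptable here. The same hunk takes `postgres` from `v16.4-0` to `v17.0-1`, which reads as a major version jump bundled into a relocation commit and deserves its own changelog mention.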
@ -69,9 +69,9 @@
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.0.0-0
name: timesync
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v3.1.3-1
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
version: v3.1.3-2
name: traefik
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
version: v2.8.3-4
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
version: v2.8.3-5
name: traefik_certs_dumper

View File

@ -6,7 +6,7 @@
matrix_alertmanager_receiver_enabled: true
# renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
matrix_alertmanager_receiver_version: 2024.9.18
matrix_alertmanager_receiver_version: 2024.10.2
matrix_alertmanager_receiver_scheme: https

View File

@ -216,15 +216,15 @@ matrix_metrics_exposure_http_basic_auth_users: ''
#
# - `playbook-managed-traefik`
# - the playbook will run a managed Traefik instance (matrix-traefik)
# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
# - Traefik will do SSL termination, unless you disable it (e.g. `traefik_config_entrypoint_web_secure_enabled: false`)
# - if SSL termination is enabled (as it is by default), you need to populate: `traefik_config_certificatesResolvers_acme_email`
#
# - `other-traefik-container`
# - this playbook will not install Traefik
# - nevertheless, the playbook expects that you would install Traefik yourself via other means
# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
# - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
# - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`)
# - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_dir_path`)
#
# - `none`
# - no reverse-proxy will be installed
@ -244,7 +244,7 @@ matrix_playbook_reverse_proxyable_services_additional_network: "{{ matrix_playbo
# Controls if various services think if SSL is enabled or not.
# Disabling this does not actually disable Treafik's web-secure entrypoint and TLS termination settings.
# For that, you'd need to use another variable (`devture_traefik_config_entrypoint_web_secure_enabled`).
# For that, you'd need to use another variable (`traefik_config_entrypoint_web_secure_enabled`).
# This variable merely serves as an indicator if SSL is used or not.
matrix_playbook_ssl_enabled: true
@ -302,7 +302,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition:
#
# Routers enabled on this entrypoint should use Traefik rules which do NOT do Host-matching (Host/HostRegexp),
# because addon services (e.g. bridges, bots) cannot properly pass a `Host` HTTP header when making
# requests to the endpoint's address (e.g. `http://devture-traefik:8008/`).
# requests to the endpoint's address (e.g. `http://matrix-traefik:8008/`).
# This entrypoint only aims to handle a single "virtual host" - one dealing with the homeserver's Client-Server API.
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api

View File

@ -11,7 +11,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
# renovate: datasource=docker depName=ghcr.io/etkecc/baibot
matrix_bot_baibot_version: v1.1.1
matrix_bot_baibot_version: v1.2.0
matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_name_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
matrix_bot_baibot_container_image_name_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else 'ghcr.io/' }}"
matrix_bot_baibot_container_image_force_pull: "{{ matrix_bot_baibot_container_image.endswith(':latest') }}"

View File

@ -15,7 +15,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_bot_buscarron_sqlite_database_path_local }}"
dst: "{{ matrix_bot_buscarron_database_connection_string }}"
caller: "{{ role_path | basename }}"
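Review bot: The unchanged `name: galaxy/com.devture.ansible.role.postgres` line still refers to the role by its old devture name, while `requirements.yml` installs it as `name: postgres` from the new repository. Please check that this role reference still resolves after the relocation, here and in the other bridge and bot task files that receive the identical `postgres_db_migration_request` rename.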

View File

@ -15,7 +15,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_bot_honoroit_sqlite_database_path_local }}"
dst: "{{ matrix_bot_honoroit_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}"
dst: "{{ matrix_bot_matrix_reminder_bot_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -5,7 +5,7 @@
matrix_bot_mjolnir_enabled: true
# renovate: datasource=docker depName=matrixdotorg/mjolnir
matrix_bot_mjolnir_version: "v1.7.0"
matrix_bot_mjolnir_version: "v1.8.1"
matrix_bot_mjolnir_container_image_self_build: false
matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"

View File

@ -12,7 +12,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_bot_postmoogle_sqlite_database_path_local }}"
dst: "{{ matrix_bot_postmoogle_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_appservice_discord_sqlite_database_path_local }}"
dst: "{{ matrix_appservice_discord_database_connString }}"
caller: "{{ role_path | basename }}"

View File

@ -2,8 +2,8 @@
- name: Fail if Postgres not enabled
ansible.builtin.fail:
msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot migrate."
when: "not devture_postgres_enabled | bool"
msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`postgres_enabled`). Cannot migrate."
when: "not postgres_enabled | bool"
# Defaults
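Review bot: The updated `msg` now names `postgres_enabled` but still says "the com.devture.ansible.role.postgres role", which no longer matches where the role comes from. Reword it to something neutral such as "the Postgres role" so the error stays accurate; the second copy of this task file in the commit carries the same string.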
@ -16,7 +16,7 @@
- name: Ensure Postgres is started
ansible.builtin.service:
name: "{{ devture_postgres_identifier }}"
name: "{{ postgres_identifier }}"
state: started
daemon_reload: true
register: postgres_service_start_result

View File

@ -2,8 +2,8 @@
- name: Fail if Postgres not enabled
ansible.builtin.fail:
msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot migrate."
when: "not devture_postgres_enabled | bool"
msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`postgres_enabled`). Cannot migrate."
when: "not postgres_enabled | bool"
# Defaults
@ -16,7 +16,7 @@
- name: Ensure Postgres is started
ansible.builtin.service:
name: "{{ devture_postgres_identifier }}"
name: "{{ postgres_identifier }}"
state: started
daemon_reload: true
register: postgres_service_start_result

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_go_skype_bridge_sqlite_database_path_local }}"
dst: "{{ matrix_go_skype_bridge_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -153,6 +153,7 @@ matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matr
# No need to change these
matrix_hookshot_generic_enabled: true
matrix_hookshot_generic_outbound: true
matrix_hookshot_generic_enableHttpGet: false # noqa var-naming
# Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks"
matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}/webhook"
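Review bot: `matrix_hookshot_generic_outbound: true` sits under "# No need to change these" with no comment saying what it turns on, and unlike `matrix_hookshot_generic_enableHttpGet` next to it, it defaults to enabled. Add a one-line description of the setting, and consider whether a feature that, judging by its name, lets the bridge send requests outward should be on by default or opt-in.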

View File

@ -74,6 +74,7 @@ generic:
# (Optional) Support for generic webhook events. `allowJsTransformationFunctions` will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments
#
enabled: {{ matrix_hookshot_generic_enabled | to_json }}
outbound: {{ matrix_hookshot_generic_outbound | to_json }}
enableHttpGet: {{ matrix_hookshot_generic_enableHttpGet | to_json }}
urlPrefix: {{ matrix_hookshot_generic_urlPrefix | to_json }}
userIdPrefix: {{ matrix_hookshot_generic_userIdPrefix | to_json }}

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_discord_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_discord_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_facebook_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_gmessages_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_googlechat_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_googlechat_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_hangouts_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_meta_instagram_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_meta_instagram_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_meta_messenger_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_meta_messenger_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_signal_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_signal_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -148,6 +148,9 @@ matrix_mautrix_slack_registration: "{{ matrix_mautrix_slack_registration_yaml |
matrix_mautrix_slack_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
matrix_mautrix_slack_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
matrix_mautrix_slack_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_slack_bridge_encryption_allow }}"
# This pickle key value is backward-compatible with the old bridge.
# See: https://github.com/mautrix/slack/releases/tag/v0.1.0
matrix_mautrix_slack_bridge_encryption_pickle_key: maunium.net/go/mautrix-whatsapp
matrix_mautrix_slack_provisioning_shared_secret: ''
matrix_mautrix_slack_public_media_signing_key: ''
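Review bot: The new default `matrix_mautrix_slack_bridge_encryption_pickle_key: maunium.net/go/mautrix-whatsapp` replaces `pickle_key: generate` in the template with a fixed, publicly known string, so the key that, per the template comment, encrypts encryption keys in the bridge database is identical on every install. The comment gives the backward-compatibility reason; please also state that the `mautrix-whatsapp` value is intentional for the Slack bridge, and document how a fresh install can set its own random value and whether the key can be changed on an existing database.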

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_slack_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_slack_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -376,7 +376,7 @@ encryption:
allow_key_sharing: {{ matrix_mautrix_slack_bridge_encryption_key_sharing_allow | to_json }}
# Pickle key for encrypting encryption keys in the bridge database.
# If set to generate, a random key will be generated.
pickle_key: generate
pickle_key: {{ matrix_mautrix_slack_bridge_encryption_pickle_key | to_json }}
# Options for deleting megolm sessions from the bridge.
delete_keys:
# Beeper-specific: delete outbound sessions when hungryserv confirms

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_telegram_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}"
dst: "{{ matrix_mautrix_whatsapp_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -50,7 +50,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mx_puppet_discord_sqlite_database_path_local }}"
dst: "{{ matrix_mx_puppet_discord_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -51,7 +51,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mx_puppet_groupme_sqlite_database_path_local }}"
dst: "{{ matrix_mx_puppet_groupme_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mx_puppet_instagram_sqlite_database_path_local }}"
dst: "{{ matrix_mx_puppet_instagram_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -44,7 +44,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mx_puppet_slack_sqlite_database_path_local }}"
dst: "{{ matrix_mx_puppet_slack_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -51,7 +51,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mx_puppet_steam_sqlite_database_path_local }}"
dst: "{{ matrix_mx_puppet_steam_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -51,7 +51,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_mx_puppet_twitter_sqlite_database_path_local }}"
dst: "{{ matrix_mx_puppet_twitter_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
# renovate: datasource=docker depName=vectorim/element-web
matrix_client_element_version: v1.11.78
matrix_client_element_version: v1.11.79
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"

View File

@ -16,7 +16,7 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-dendrite 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dendrite 2>/dev/null || true'
{% if (devture_postgres_identifier + '.service') in matrix_dendrite_systemd_required_services_list %}
{% if (postgres_identifier + '.service') in matrix_dendrite_systemd_required_services_list %}
# Dendrite is too quick to start in relation to its Postgres dependency.
# Delay Dendrite startup to avoid failing with: "failed to connect to accounts db" ("pq: the database system is starting up").
ExecStartPre={{ matrix_host_command_sleep }} 5

View File

@ -55,7 +55,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_dimension_sqlite_database_path_local }}"
dst: "{{ matrix_dimension_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -31,7 +31,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_ma1sd_sqlite_database_path_local }}"
dst: "{{ matrix_ma1sd_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -16,7 +16,7 @@
name: galaxy/com.devture.ansible.role.postgres
tasks_from: migrate_db_to_postgres
vars:
devture_postgres_db_migration_request:
postgres_db_migration_request:
src: "{{ matrix_registration_sqlite_database_path_local }}"
dst: "{{ matrix_registration_database_connection_string }}"
caller: "{{ role_path | basename }}"

View File

@ -14,7 +14,7 @@ matrix_synapse_admin_container_image_self_build: false
matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
# renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
matrix_synapse_admin_version: v0.10.3-etke16
matrix_synapse_admin_version: v0.10.3-etke17
matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else 'ghcr.io/' }}"
matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
@ -175,6 +175,9 @@ matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_defau
# restricts the homeserver(s), so that the user can no longer define a homeserver manually during login.
matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}" # noqa var-naming
# Controls the supportURL configuration setting, which, if defined, replaces the default link to the Synapse Admin GitHub repository.
matrix_synapse_admin_config_supportURL: '' # noqa var-naming
# Controls the asManagedUsers configuration setting (managed by playbook), which, if defined,
# restricts modifications of the specified users (e.g., bridge-managed).
# You should use JS regex syntax to match the user IDs.

View File

@ -1,4 +1,5 @@
{
"restrictBaseUrl": {{ matrix_synapse_admin_config_restrictBaseUrl | to_json }},
"asManagedUsers": {{ matrix_synapse_admin_config_asManagedUsers | to_json }}
"asManagedUsers": {{ matrix_synapse_admin_config_asManagedUsers | to_json }},
"supportURL": {{ matrix_synapse_admin_config_supportURL | to_json }},
}
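
Review bot: the new `"supportURL": {{ matrix_synapse_admin_config_supportURL | to_json }},` line ends with a comma and is immediately followed by the closing `}`, which is a trailing comma and not valid JSON. A strict parser will reject the rendered config file. Drop the comma after the last member (the comma added after `asManagedUsers` is correct and should stay).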

View File

@ -16,7 +16,7 @@ matrix_synapse_enabled: true
matrix_synapse_github_org_and_repo: element-hq/synapse
# renovate: datasource=docker depName=ghcr.io/element-hq/synapse
matrix_synapse_version: v1.115.0
matrix_synapse_version: v1.116.0
matrix_synapse_username: ''
matrix_synapse_uid: ''

View File

@ -9,7 +9,7 @@
{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room
--user={{ matrix_synapse_uid }}:{{ matrix_synapse_gid }}
--cap-drop=ALL
--network={{ devture_postgres_container_network }}
--network={{ postgres_container_network }}
--mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work
{{ matrix_synapse_rust_synapse_compress_state_docker_image }}
{{ matrix_synapse_rust_synapse_compress_state_synapse_compress_state_in_container_path }} -t -o /work/state-compressor.sql
@ -31,15 +31,15 @@
ansible.builtin.set_fact:
matrix_synapse_rust_synapse_compress_state_psql_import_command: >-
{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-psql-import
--user={{ devture_postgres_uid }}:{{ devture_postgres_gid }}
--user={{ postgres_uid }}:{{ postgres_gid }}
--cap-drop=ALL
--network={{ devture_postgres_container_network }}
--env-file={{ devture_postgres_base_path }}/env-postgres-psql
--network={{ postgres_container_network }}
--env-file={{ postgres_base_path }}/env-postgres-psql
--mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work,ro
--entrypoint=/bin/sh
{{ devture_postgres_container_image_latest }}
{{ postgres_container_image_latest }}
-c "cat /work/state-compressor.sql |
psql -v ON_ERROR_STOP=1 -h {{ devture_postgres_connection_hostname }} -d {{ matrix_synapse_database_database }}"
psql -v ON_ERROR_STOP=1 -h {{ postgres_connection_hostname }} -d {{ matrix_synapse_database_database }}"
- name: Import compression SQL into Postgres
ansible.builtin.command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}"

View File

@ -3,8 +3,8 @@
- name: Fail if Postgres not enabled
ansible.builtin.fail:
msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`devture_postgres_enabled`). Cannot use rust-synapse-compress-state."
when: "not devture_postgres_enabled | bool"
msg: "Postgres via the com.devture.ansible.role.postgres role is not enabled (`postgres_enabled`). Cannot use rust-synapse-compress-state."
when: "not postgres_enabled | bool"
# Defaults
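
Review bot: the updated `msg` now names `postgres_enabled`, but it still tells the user the role is `com.devture.ansible.role.postgres`. Since the message was edited anyway, align the role name with wherever the role lives after the relocation so the error does not send people looking for the old one.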
@ -57,7 +57,7 @@
- name: Generate rust-synapse-compress-state room find SQL command
ansible.builtin.set_fact:
matrix_synapse_rust_synapse_compress_state_find_rooms_command: >-
{{ devture_postgres_bin_path }}/cli-non-interactive --dbname={{ matrix_synapse_database_database | quote }} -c "SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;"
{{ postgres_bin_path }}/cli-non-interactive --dbname={{ matrix_synapse_database_database | quote }} -c "SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;"
- name: Find rooms eligible for compression with rust-synapse-compress-state
ansible.builtin.command: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command }}"

View File

@ -13,11 +13,11 @@
- name: Fail if not using integrated Postgres database
ansible.builtin.fail:
msg: "This command is working only when Postgres is installed via the the integrated com.devture.ansible.role.postgres role"
when: "not devture_postgres_enabled | bool"
when: "not postgres_enabled | bool"
- name: Ensure Postgres is started
ansible.builtin.service:
name: "{{ devture_postgres_identifier }}"
name: "{{ postgres_identifier }}"
state: started
daemon_reload: true
register: postgres_start_result
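
Review bot: the `msg` in the "Fail if not using integrated Postgres database" task has a doubled word ("via the the integrated") and still names `com.devture.ansible.role.postgres`, while the `when:` directly below it was switched to `postgres_enabled`. Worth fixing both in the same pass as the rename.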
@ -42,7 +42,7 @@
- name: Generate user password-change SQL command
ansible.builtin.set_fact:
matrix_synapse_user_password_change_command: >-
{{ devture_postgres_bin_path }}/cli-non-interactive --dbname={{ matrix_synapse_database_database | quote }} -c "UPDATE users SET password_hash='{{ password_hash.stdout }}' WHERE name = '@{{ username }}:{{ matrix_domain }}'"
{{ postgres_bin_path }}/cli-non-interactive --dbname={{ matrix_synapse_database_database | quote }} -c "UPDATE users SET password_hash='{{ password_hash.stdout }}' WHERE name = '@{{ username }}:{{ matrix_domain }}'"
- name: Update user password hash
ansible.builtin.command:
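
Review bot: in `matrix_synapse_user_password_change_command`, only the `--dbname` value goes through `| quote`; `{{ username }}`, `{{ matrix_domain }}` and `{{ password_hash.stdout }}` are placed straight inside the single-quoted SQL literals of the `-c "UPDATE users ..."` string. The rename does not change that, but since the line is being touched, consider adding an `ansible.builtin.assert` earlier in this file that restricts `username` to the characters a Matrix localpart may contain, so a stray quote in the supplied value cannot alter the statement.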

View File

@ -1,20 +1,20 @@
---
# This migrates Traefik from the old path (`/devture-traefik`) to the new path (`/matrix/traefik`, controlled by `devture_traefik_base_path`),
# and from the old hardcoded systemd service name (`devture-traefik.service`) to the new one (`matrix-traefik.service`, controlled by `devture_traefik_identifier`).
# This migrates Traefik from the old path (`/devture-traefik`) to the new path (`/matrix/traefik`, controlled by `traefik_base_path`),
# and from the old hardcoded systemd service name (`devture-traefik.service`) to the new one (`matrix-traefik.service`, controlled by `traefik_identifier`).
#
# Here, we merely disable (and stop) the old systemd service and relocate the data (`/devture-traefik` directory).
# The Traefik role itself (running later) will then ensure this data is up-to-date and will set up the new systemd service.
# It only makes sense to migrate if the identifier or path are different than the default (what we were using before).
- when: "devture_traefik_identifier != 'devture-traefik' or devture_traefik_base_path != '/devture-traefik'"
- when: "traefik_identifier != 'devture-traefik' or traefik_base_path != '/devture-traefik'"
block:
- name: Check existence of devture-traefik.service systemd service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service"
register: devture_traefik_service_stat
register: traefik_service_stat
- when: devture_traefik_service_stat.stat.exists | bool
- when: traefik_service_stat.stat.exists | bool
block:
- name: Ensure devture-traefik.service systemd service is stopped
ansible.builtin.systemd:
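
Review bot: `register: traefik_service_stat` puts a playbook-internal fact into the `traefik_` namespace that now belongs to the relocated role's own variables. A name scoped to this migration file (for example with the `matrix_playbook_migration_` prefix used elsewhere in this commit) avoids any chance of colliding with a role variable, and keeps registered facts from ever being picked up by prefix-based variable checks.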
@ -25,8 +25,8 @@
- name: Ensure Traefik directory relocated
ansible.builtin.command:
cmd: "mv /devture-traefik {{ devture_traefik_base_path }}"
creates: "{{ devture_traefik_base_path }}"
cmd: "mv /devture-traefik {{ traefik_base_path }}"
creates: "{{ traefik_base_path }}"
removes: "/devture-traefik"
- name: Ensure Traefik systemd service doesn't exist

View File

@ -61,7 +61,7 @@
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/migrate_matrix_mailer.yml"
- when: devture_traefik_enabled | bool
- when: traefik_enabled | bool
tags:
- setup-all
- install-all

View File

@ -36,8 +36,8 @@
- {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'}
- {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': '<prometheus_node_exporter_container_labels_traefik_enabled or matrix_metrics_exposure_enabled>'}
- {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': '<prometheus_postgres_exporter_container_labels_traefik_enabled or matrix_metrics_exposure_enabled>'}
- {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'devture_traefik_certs_dumper_enabled'}
- {'old': 'matrix_playbook_traefik_role_enabled', 'new': 'devture_traefik_enabled'}
- {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'traefik_certs_dumper_enabled'}
- {'old': 'matrix_playbook_traefik_role_enabled', 'new': 'traefik_enabled'}
# Most important variables from the old Prometheus role here, for people who miss the changelog entry
- {'old': 'matrix_prometheus_enabled', 'new': 'prometheus_enabled'}
@ -72,7 +72,7 @@
The matrix-postgres-backup role in the playbook has been replaced with the com.devture.ansible.role.postgres_backup role (https://github.com/devture/com.devture.ansible.role.postgres_backup).
The new role is pretty much the same, but uses differently named variables.
Please change your configuration (vars.yml) to rename all `matrix_postgres`-prefixed variables (`matrix_postgres_*` -> `devture_postgres_*`).
Please change your configuration (vars.yml) to rename all `matrix_postgres`-prefixed variables (`matrix_postgres_*` -> `postgres_*`).
The following variables in your configuration need to be renamed: {{ vars | dict2items | selectattr('key', 'match', 'matrix_postgres_.*') | map (attribute='key') | join(', ') }}
when: "vars | dict2items | selectattr('key', 'match', 'matrix_postgres_.*') | list | items2dict"
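
Review bot: the rename hint now says `matrix_postgres_*` -> `postgres_*`, but the first line of the same `msg` still describes the replacement as the `com.devture.ansible.role.postgres_backup` role and links to the devture repository. The message as a whole now mixes the old role location with the new variable prefix; update the role name and URL too, or the text will confuse anyone who hits this check.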
@ -300,7 +300,7 @@
- {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_access_log_enabled', 'new': 'devture_traefik_config_accessLog_enabled'}
- {'old': 'matrix_nginx_proxy_access_log_enabled', 'new': 'traefik_config_accessLog_enabled'}
- {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname', 'new': 'matrix_server_fqn_matrix_federation'}
- {'old': 'etherpad_nginx_proxy_dimension_integration_enabled', 'new': '<removed>'}
- {'old': 'etherpad_nginx_proxy_dimension_integration_path_prefix', 'new': '<removed>'}
@ -310,7 +310,7 @@
- {'old': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host', 'new': '<removed>'}
- {'old': 'matrix_docker_network', 'new': '<removed in favor of various other variables - matrix_addons_container_network, matrix_monitoring_container_network, matrix_homeserver_container_network, etc.>'}
- {'old': 'matrix_playbook_ssl_retrieval_method', 'new': '<removed; see docs/configuring-playbook-ssl-certificates.md for alternatives>'}
- {'old': 'matrix_ssl_lets_encrypt_support_email', 'new': 'devture_traefik_config_certificatesResolvers_acme_email'}
- {'old': 'matrix_ssl_lets_encrypt_support_email', 'new': 'traefik_config_certificatesResolvers_acme_email'}
- {'old': 'matrix_federation_traefik_entrypoint', 'new': 'matrix_federation_traefik_entrypoint_name'}
- when: matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks_enabled | bool
@ -362,3 +362,47 @@
msg: >-
We found usage of the following variables which are now removed: {{ matrix_playbook_migration_matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_vars.keys() | join(', ') }}
when: "matrix_playbook_migration_matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_vars | length > 0"
- name: (Deprecation) Catch and report devture_postgres_backup variables
ansible.builtin.fail:
msg: |-
The postgres-backup role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup).
The new role is pretty much the same, but uses differently named variables.
Please change your configuration (vars.yml) to rename all `devture_postgres_backup_`-prefixed variables (`devture_postgres_backup_*` -> `postgres_backup_*`).
The following variables in your configuration need to be renamed: {{ vars | dict2items | selectattr('key', 'match', 'devture_postgres_backup_.*') | map (attribute='key') | join(', ') }}
when: "vars | dict2items | selectattr('key', 'match', 'devture_postgres_backup_.*') | list | items2dict"
- name: (Deprecation) Catch and report devture_postgres variables
ansible.builtin.fail:
msg: |-
The postgres role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-postgres).
The new role is pretty much the same, but uses differently named variables.
Please change your configuration (vars.yml) to rename all `devture_postgres_`-prefixed variables (`devture_postgres_*` -> `postgres_*`).
The following variables in your configuration need to be renamed: {{ vars | dict2items | selectattr('key', 'match', 'devture_postgres_.*') | map (attribute='key') | join(', ') }}
when: "vars | dict2items | selectattr('key', 'match', 'devture_postgres_.*') | list | items2dict"
- name: (Deprecation) Catch and report traefik_certs_dumper variables
ansible.builtin.fail:
msg: |-
The traefik-certs-dumper role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper).
The new role is pretty much the same, but uses differently named variables.
Please change your configuration (vars.yml) to rename all `devture_traefik_certs_dumper_`-prefixed variables (`devture_traefik_certs_dumper_*` -> `traefik_certs_dumper_*`).
The following variables in your configuration need to be renamed: {{ vars | dict2items | selectattr('key', 'match', 'devture_traefik_certs_dumper_.*') | map (attribute='key') | join(', ') }}
when: "vars | dict2items | selectattr('key', 'match', 'devture_traefik_certs_dumper_.*') | list | items2dict"
- name: (Deprecation) Catch and report devture_traefik variables
ansible.builtin.fail:
msg: |-
The traefik role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-traefik).
The new role is pretty much the same, but uses differently named variables.
Please change your configuration (vars.yml) to rename all `devture_traefik_`-prefixed variables (`devture_traefik_*` -> `traefik_*`).
The following variables in your configuration need to be renamed: {{ vars | dict2items | selectattr('key', 'match', 'devture_traefik_.*') | map (attribute='key') | join(', ') }}
when: "vars | dict2items | selectattr('key', 'match', 'devture_traefik_.*') | list | items2dict"
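
Review bot: the generic patterns `devture_postgres_.*` and `devture_traefik_.*` also match `devture_postgres_backup_*` and `devture_traefik_certs_dumper_*`, so these four tasks only give the right rename advice because the specific check runs before the generic one in each pair. Add a comment stating that the order matters, so a later reshuffle does not point users at the wrong role. Two smaller points: the third task is named "Catch and report traefik_certs_dumper variables" while it actually matches the `devture_traefik_certs_dumper_` prefix like its siblings, and the `when:` expressions rely on the truthiness of `| list | items2dict` where the check just above this block uses the clearer `| length > 0`.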