From bd405c410ac8cfabac6a8c0e7767df48dbd266ef Mon Sep 17 00:00:00 2001 
From: Virkkunen Date: Sat, 26 Apr 2025 08:12:53 +0200 Subject: [PATCH] Add continuwuity support (#4267) * continuwuity support * continuwuity support * use main instead of commit tag * fix docker image link * migration from conduwuit * fix yaml lint * backup directories and linter fixes * linter fixes --- README.md | 1 + docs/configuring-playbook-continuwuity.md | 108 ++ docs/configuring-playbook.md | 2 + docs/container-images.md | 1 + docs/howto-srv-server-delegation.md | 2 +- group_vars/matrix_servers | 58 +- .../docs/configuring-playbook-continuwuity.po | 134 ++ roles/custom/matrix-base/defaults/main.yml | 2 +- .../matrix-base/tasks/validate_config.yml | 2 +- .../matrix-continuwuity/defaults/main.yml | 195 +++ .../matrix-continuwuity/tasks/install.yml | 64 + .../custom/matrix-continuwuity/tasks/main.yml | 40 + .../tasks/migrate_from_conduwuit.yml | 65 + .../tasks/self_check_client_api.yml | 28 + .../tasks/self_check_federation_api.yml | 32 + .../tasks/setup_install.yml | 63 + .../tasks/setup_uninstall.yml | 23 + .../matrix-continuwuity/tasks/uninstall.yml | 23 + .../tasks/validate_config.yml | 15 + .../templates/continuwuity.toml.j2 | 1546 +++++++++++++++++ .../matrix-continuwuity/templates/env.j2 | 1 + .../templates/env.j2.license | 3 + .../matrix-continuwuity/templates/labels.j2 | 173 ++ .../systemd/matrix-continuwuity.service.j2 | 51 + .../matrix-continuwuity.service.j2.license | 4 + .../custom/matrix-continuwuity/vars/main.yml | 9 + .../ensure_user_registered_continuwuity.yml | 10 + setup.yml | 1 + 28 files changed, 2652 insertions(+), 4 deletions(-) create mode 100644 docs/configuring-playbook-continuwuity.md create mode 100644 i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-continuwuity.po create mode 100644 roles/custom/matrix-continuwuity/defaults/main.yml create mode 100644 roles/custom/matrix-continuwuity/tasks/install.yml create mode 100644 roles/custom/matrix-continuwuity/tasks/main.yml create mode 100644 
roles/custom/matrix-continuwuity/tasks/migrate_from_conduwuit.yml create mode 100644 roles/custom/matrix-continuwuity/tasks/self_check_client_api.yml create mode 100644 roles/custom/matrix-continuwuity/tasks/self_check_federation_api.yml create mode 100644 roles/custom/matrix-continuwuity/tasks/setup_install.yml create mode 100644 roles/custom/matrix-continuwuity/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-continuwuity/tasks/uninstall.yml create mode 100644 roles/custom/matrix-continuwuity/tasks/validate_config.yml create mode 100644 roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2 create mode 100644 roles/custom/matrix-continuwuity/templates/env.j2 create mode 100644 roles/custom/matrix-continuwuity/templates/env.j2.license create mode 100644 roles/custom/matrix-continuwuity/templates/labels.j2 create mode 100644 roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2 create mode 100644 roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2.license create mode 100644 roles/custom/matrix-continuwuity/vars/main.yml create mode 100644 roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_continuwuity.yml diff --git a/README.md b/README.md index 47b4074c4..045a7b1a6 100644 --- a/README.md +++ b/README.md 
@@ -53,6 +53,7 @@ The homeserver is the backbone of your Matrix system. Choose one from the follow | [Synapse](https://github.com/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) | | [Conduit](https://conduit.rs) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) | | [conduwuit](https://conduwuit.puppyirl.gay/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit is a fork of Conduit. | [Link](docs/configuring-playbook-conduwuit.md) | +| [continuwuity](https://continuwuity.org) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. | [Link](docs/configuring-playbook-continuwuity.md) | | [Dendrite](https://github.com/element-hq/dendrite) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) | ### Clients diff --git a/docs/configuring-playbook-continuwuity.md b/docs/configuring-playbook-continuwuity.md new file mode 100644 index 000000000..ac08f852e --- /dev/null +++ b/docs/configuring-playbook-continuwuity.md 
@@ -0,0 +1,108 @@ + + +# Configuring continuwuity (optional) + +The playbook can install and configure the [continuwuity](https://continuwuity.org) Matrix server for you. + +See the project's [documentation](https://continuwuity.org) to learn what it does and why it might be useful to you. + +By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document. + +💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook also supports. + +> [!WARNING] +> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> continuwuity). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet. +> - **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding + +## Adjusting the playbook configuration + +To use continuwuity, you **generally** need to adjust the `matrix_homeserver_implementation: synapse` configuration on your `inventory/host_vars/matrix.example.com/vars.yml` file as below: + +```yaml +matrix_homeserver_implementation: continuwuity + +# Registering users can only happen via the API, +# so it makes sense to enable it, at least initially. +matrix_continuwuity_config_allow_registration: true + +# Generate a strong registration token to protect the registration endpoint from abuse. +# You can create one with a command like `pwgen -s 64 1`. +matrix_continuwuity_config_registration_token: '' +``` + +### Extending the configuration + +There are some additional things you may wish to configure about the server. 
+ +Take a look at: + +- `roles/custom/matrix-continuwuity/defaults/main.yml` for some variables that you can customize via your `vars.yml` file +- `roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2` for the server's default configuration + +There are various Ansible variables that control settings in the `continuwuity.toml` file. + +If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://continuwuity.org/configuration#environment-variables) using `matrix_continuwuity_environment_variables_extension`. For example: + +```yaml +matrix_continuwuity_environment_variables_extension: | + continuwuity_MAX_REQUEST_SIZE=50000000 + continuwuity_REQUEST_TIMEOUT=60 +``` + +## Creating the first user account + +Unlike other homeserver implementations (like Synapse and Dendrite), continuwuity does not support creating users via the command line or via the playbook. + +If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token. + +This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users. + +The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**. + + +## Configuring bridges / appservices + +For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver. + +For continuwuity, you will have to manually register appservices using the [`!admin appservices register` command](https://continuwuity.org/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account. 
+ +The server's bot account has a Matrix ID of `@conduit:example.com` (not `@continuwuity:example.com`!) due to continuwuity's historical legacy. +Your first user account would already have been invited to an admin room with this bot. + +Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`. + +Then, send its content to the existing admin room: + + !admin appservices register + + ``` + as_token: + de.sorunome.msc2409.push_ephemeral: true + hs_token: + id: signal + namespaces: + aliases: + - exclusive: true + regex: ^#signal_.+:example\.org$ + users: + - exclusive: true + regex: ^@signal_.+:example\.org$ + - exclusive: true + regex: ^@signalbot:example\.org$ + rate_limited: false + sender_localpart: _bot_signalbot + url: http://matrix-mautrix-signal:29328 + ``` + +## Migrating from conduwuit + +Since continuwuity is a drop-in replacement for conduwuit, migration is possible. First, make sure that continuwuity is properly set up on your `vars.yml` and run the tag `just run-tags migrate-conduwuit` + +## Troubleshooting + +As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-continuwuity`. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 58cea52b9..34c8d698e 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md 
@@ -53,6 +53,8 @@ For a more custom setup, see the [Other configuration options](#other-configurat - [Configuring conduwuit](configuring-playbook-conduwuit.md), if you've switched to the [conduwuit](https://conduwuit.puppyirl.gay/) homeserver implementation + - [Configuring continuwuity](configuring-playbook-continuwuity.md), if you've switched to the [continuwuity](https://continuwuity.org) homeserver implementation + - [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation - Server components: diff --git a/docs/container-images.md b/docs/container-images.md index b445cc001..953c39d5c 100644 --- a/docs/container-images.md +++ b/docs/container-images.md 
@@ -28,6 +28,7 @@ We try to stick to official images (provided by their respective projects) as mu | [Synapse](configuring-playbook-synapse.md) | [element-hq/synapse](https://ghcr.io/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | | [Conduit](configuring-playbook-conduit.md) | [matrixconduit/matrix-conduit](https://hub.docker.com/r/matrixconduit/matrix-conduit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | | [conduwuit](configuring-playbook-conduwuit.md) | [girlbossceo/conduwuit](https://ghcr.io/girlbossceo/conduwuit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit is a fork of Conduit. | +| [continuwuity](configuring-playbook-continuwuity.md) | [continuwuation/continuwuity](https://forgejo.ellis.link/continuwuation/continuwuity) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. | | [Dendrite](configuring-playbook-dendrite.md) | [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | ## Clients diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md index dda92b9a3..9d03588c7 100644 --- a/docs/howto-srv-server-delegation.md +++ b/docs/howto-srv-server-delegation.md 
@@ -26,7 +26,7 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra **Note**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels: -- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [conduwuit](./configuring-playbook-conduwuit.md) or [Dendrite](./configuring-playbook-dendrite.md)) +- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [conduwuit](./configuring-playbook-conduwuit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md)) - if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached Also, all instructions below are from an older version of the playbook and may not work anymore. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9ed1ced91..45d2a81a4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -243,7 +243,7 @@ matrix_addons_homeserver_client_api_url: "{{ ('http://' + matrix_playbook_revers matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.service'] if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' else []) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_systemd_services_list }}" # Starting from version `0.6.0` Conduit natively supports some sync v3 (sliding-sync) features. -matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit', 'conduwuit'] else '') }}" +matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit', 'conduwuit', 'continuwuity'] else '') }}" ######################################################################## # # @@ -567,6 +567,7 @@ matrix_homeserver_container_client_api_endpoint: |- 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string), 'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string), 'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string), + 'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string), }[matrix_homeserver_implementation] }} 
@@ -577,6 +578,7 @@ matrix_homeserver_container_federation_api_endpoint: |- 'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string), 'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string), 'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string), + 'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string), }[matrix_homeserver_implementation] }} @@ -5640,6 +5642,7 @@ grafana_default_home_dashboard_path: |- 'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), 'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), 'conduwuit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), + 'continuwuity': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''), }[matrix_homeserver_implementation] }} @@ -5700,6 +5703,7 @@ matrix_registration_shared_secret: |- 'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''), 'conduit': '', 'conduwuit': '', + 'continuwuity': '', }[matrix_homeserver_implementation] }} 
@@ -5977,6 +5981,58 @@ matrix_conduwuit_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabl ###################################################################### +###################################################################### +# +# matrix-continuwuity +# +###################################################################### + +matrix_continuwuity_enabled: "{{ matrix_homeserver_implementation == 'continuwuity' }}" + +matrix_continuwuity_hostname: "{{ matrix_server_fqn_matrix }}" + +matrix_continuwuity_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}" + +matrix_continuwuity_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_continuwuity_docker_image_registry_prefix_upstream_default }}" + +matrix_continuwuity_container_network: "{{ matrix_homeserver_container_network }}" + +matrix_continuwuity_container_additional_networks_auto: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_continuwuity_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else []) + ) | unique + }} + +matrix_continuwuity_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and not matrix_synapse_workers_enabled }}" +matrix_continuwuity_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_continuwuity_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_continuwuity_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +matrix_continuwuity_container_labels_public_client_root_redirection_enabled: "{{ matrix_continuwuity_container_labels_public_client_root_redirection_url != '' }}" +matrix_continuwuity_container_labels_public_client_root_redirection_url: "{{ (('https://' if 
matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}" + +matrix_continuwuity_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}" +matrix_continuwuity_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" +matrix_continuwuity_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}" + +matrix_continuwuity_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}" +matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" + +matrix_continuwuity_config_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}" +matrix_continuwuity_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}" +matrix_continuwuity_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}" +matrix_continuwuity_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}" + +matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" + +###################################################################### +# +# /matrix-continuwuity +# +###################################################################### + + ###################################################################### # # matrix-user-creator 
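Review bot: `matrix_continuwuity_container_labels_traefik_enabled` gates the Traefik labels on `not matrix_synapse_workers_enabled`, a Synapse-specific variable that has no bearing on a continuwuity deployment; since `matrix_continuwuity_enabled` is already tied to `matrix_homeserver_implementation == 'continuwuity'` a few lines above, the worker condition presumably survived a copy from the conduwuit section rather than being intended. Unless a Synapse-workers setup coexisting with continuwuity is a real configuration, the simpler form is `matrix_continuwuity_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"`. If it is kept for parity with the conduwuit block, a one-line comment such as `# Mirrors the conduwuit section; the workers check is irrelevant for continuwuity but kept for consistency` would spare the next reader the same question. The rest of the block (TURN credentials derived from coturn, certificate validation tied to `matrix_playbook_ssl_enabled`) reads consistently with the neighbouring homeserver sections.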
diff --git a/i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-continuwuity.po b/i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-continuwuity.po new file mode 100644 index 000000000..8e5129018 --- /dev/null +++ b/i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-continuwuity.po 
@@ -0,0 +1,134 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) 2018-2025, Slavi Pantaleev, Aine Etke, MDAD community +# members +# This file is distributed under the same license as the +# matrix-docker-ansible-deploy package. +# FIRST AUTHOR , 2025. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: matrix-docker-ansible-deploy \n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2025-01-27 09:54+0200\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language: bg\n" +"Language-Team: bg \n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Generated-By: Babel 2.16.0\n" + +#: ../../../docs/configuring-playbook-continuwuity.md:1 +msgid "Configuring continuwuity (optional)" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:3 +msgid "The playbook can install and configure the [continuwuity](https://continuwuity.org/) Matrix server for you." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:5 +msgid "See the project's [documentation](https://continuwuity.org/) to learn what it does and why it might be useful to you." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:7 +msgid "By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:9 +msgid "💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook also supports." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:11 +msgid "⚠️ **Warnings**:" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:13 +msgid "**You can't switch an existing Matrix server's implementation** (e.g. Synapse -> continuwuity). 
Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:15 +msgid "**Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:17 +msgid "Adjusting the playbook configuration" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:19 +msgid "To use continuwuity, you **generally** need to adjust the `matrix_homeserver_implementation: synapse` configuration on your `inventory/host_vars/matrix.example.com/vars.yml` file as below:" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:33 +msgid "Extending the configuration" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:35 +msgid "There are some additional things you may wish to configure about the server." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:37 +msgid "Take a look at:" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:39 +msgid "`roles/custom/matrix-continuwuity/defaults/main.yml` for some variables that you can customize via your `vars.yml` file" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:40 +msgid "`roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2` for the server's default configuration" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:42 +msgid "There are various Ansible variables that control settings in the `continuwuity.toml` file." 
+msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:44 +msgid "If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://continuwuity.org/configuration#environment-variables) using `matrix_continuwuity_environment_variables_extension`. For example:" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:52 +msgid "Creating the first user account" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:54 +msgid "Unlike other homeserver implementations (like Synapse and Dendrite), continuwuity does not support creating users via the command line or via the playbook." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:56 +msgid "If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:58 +msgid "This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:60 +msgid "The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:63 +msgid "Configuring bridges / appservices" +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:65 +msgid "For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver." 
+msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:67 +msgid "For continuwuity, you will have to manually register appservices using the [`!admin appservices register` command](https://continuwuity.org/appservices#set-up-the-appservice---general-instructions) sent to the server bot account." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:69 +msgid "The server's bot account has a Matrix ID of `@conduit:example.com` (not `@continuwuity:example.com`!) due to continuwuity's historical legacy. Your first user account would already have been invited to an admin room with this bot." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:72 +msgid "Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`." +msgstr "" + +#: ../../../docs/configuring-playbook-continuwuity.md:74 +msgid "Then, send its content to the existing admin room:" +msgstr "" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index ce6943b35..9679208aa 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -81,7 +81,7 @@ matrix_monitoring_container_network: matrix-monitoring matrix_homeserver_enabled: true # This will contain the homeserver implementation that is in use. -# Valid values: synapse, dendrite, conduit, conduwuit +# Valid values: synapse, dendrite, conduit, conduwuit, continuwuity # # By default, we use Synapse, because it's the only full-featured Matrix server at the moment. # diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index 730b0d1d8..78202331a 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml 
@@ -13,7 +13,7 @@ - name: Fail if invalid homeserver implementation ansible.builtin.fail: msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`" - when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'conduwuit']" + when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'conduwuit', 'continuwuity']" - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: diff --git a/roles/custom/matrix-continuwuity/defaults/main.yml b/roles/custom/matrix-continuwuity/defaults/main.yml new file mode 100644 index 000000000..39e6bea33 --- /dev/null +++ b/roles/custom/matrix-continuwuity/defaults/main.yml 
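Review bot: The allowed-implementation list in this `when` expression is now maintained by hand in several places — this task, the `# Valid values:` comment in `roles/custom/matrix-base/defaults/main.yml`, and the per-implementation dispatch dictionaries in `group_vars/matrix_servers` — and nothing checks that they agree, so an implementation added to one and forgotten in another would presumably surface only as a template lookup error at runtime instead of this clear failure message. Consider keeping the list in a single variable defined next to `matrix_homeserver_implementation` and referencing it from this condition, so the validation and the dispatch tables cannot drift. This is a style point; the added `'continuwuity'` value itself matches the key used in the `group_vars/matrix_servers` dictionaries in this patch.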
@@ -0,0 +1,195 @@ +# SPDX-FileCopyrightText: 2025 MDAD project contributors +# SPDX-FileCopyrightText: 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- +# continuwuity is a continuation of conduwuit (https://conduwuit.puppyirl.gay/). +# Project source code URL: https://forgejo.ellis.link/continuwuation/continuwuity/ +# See: https://continuwuity.org/ + +matrix_continuwuity_enabled: true + +matrix_continuwuity_hostname: '' + +matrix_continuwuity_docker_image: "{{ matrix_continuwuity_docker_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_docker_image_tag }}" +# renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/ +matrix_continuwuity_docker_image_tag: main +matrix_continuwuity_docker_image_force_pull: "{{ matrix_continuwuity_docker_image.endswith(':latest') }}" +matrix_continuwuity_docker_image_registry_prefix: "{{ matrix_continuwuity_docker_image_registry_prefix_upstream }}" +matrix_continuwuity_docker_image_registry_prefix_upstream: "{{ matrix_continuwuity_docker_image_registry_prefix_upstream_default }}" +matrix_continuwuity_docker_image_registry_prefix_upstream_default: forgejo.ellis.link + +matrix_continuwuity_base_path: "{{ matrix_base_data_path }}/continuwuity" +matrix_continuwuity_config_path: "{{ matrix_continuwuity_base_path }}/config" +matrix_continuwuity_data_path: "{{ matrix_continuwuity_base_path }}/data" + +matrix_continuwuity_config_port_number: 6167 + +matrix_continuwuity_tmp_directory_size_mb: 500 + +# List of systemd services that matrix-continuwuity.service depends on +matrix_continuwuity_systemd_required_services_list: "{{ matrix_continuwuity_systemd_required_services_list_default + matrix_continuwuity_systemd_required_services_list_auto + matrix_continuwuity_systemd_required_services_list_custom }}" +matrix_continuwuity_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if 
devture_systemd_docker_base_docker_service_name else [] }}" +matrix_continuwuity_systemd_required_services_list_auto: [] +matrix_continuwuity_systemd_required_services_list_custom: [] + +# List of systemd services that matrix-continuwuity.service wants +matrix_continuwuity_systemd_wanted_services_list: [] + +# Controls how long to sleep for after starting the matrix-synapse container. +# +# Delaying, so that the homeserver can manage to fully start and various services +# that depend on it (`matrix_continuwuity_systemd_required_services_list` and `matrix_continuwuity_systemd_wanted_services_list`) +# may only start after the homeserver is up and running. +# +# This can be set to 0 to remove the delay. +matrix_continuwuity_systemd_service_post_start_delay_seconds: 3 + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_continuwuity_container_network: "" + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_continuwuity_container_additional_networks: "{{ matrix_continuwuity_container_additional_networks_auto + matrix_continuwuity_container_additional_networks_custom }}" +matrix_continuwuity_container_additional_networks_auto: [] +matrix_continuwuity_container_additional_networks_custom: [] + +# matrix_continuwuity_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_continuwuity_container_labels_additional_labels`. 
+matrix_continuwuity_container_labels_traefik_enabled: true +matrix_continuwuity_container_labels_traefik_docker_network: "{{ matrix_continuwuity_container_network }}" +matrix_continuwuity_container_labels_traefik_entrypoints: web-secure +matrix_continuwuity_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint. +matrix_continuwuity_container_labels_public_client_root_enabled: true +matrix_continuwuity_container_labels_public_client_root_traefik_hostname: "{{ matrix_continuwuity_hostname }}" +matrix_continuwuity_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_continuwuity_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)" +matrix_continuwuity_container_labels_public_client_root_traefik_priority: 0 +matrix_continuwuity_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_continuwuity_container_labels_traefik_entrypoints }}" +matrix_continuwuity_container_labels_public_client_root_traefik_tls: "{{ matrix_continuwuity_container_labels_public_client_root_traefik_entrypoints != 'web' }}" +matrix_continuwuity_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_continuwuity_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_continuwuity_container_labels_public_client_root_redirection_enabled: false +matrix_continuwuity_container_labels_public_client_root_redirection_url: "" + +# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint. 
+matrix_continuwuity_container_labels_public_client_api_enabled: true +matrix_continuwuity_container_labels_public_client_api_traefik_hostname: "{{ matrix_continuwuity_hostname }}" +matrix_continuwuity_container_labels_public_client_api_traefik_path_prefix: /_matrix +matrix_continuwuity_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_continuwuity_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_continuwuity_container_labels_public_client_api_traefik_path_prefix }}`)" +matrix_continuwuity_container_labels_public_client_api_traefik_priority: 0 +matrix_continuwuity_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_continuwuity_container_labels_traefik_entrypoints }}" +matrix_continuwuity_container_labels_public_client_api_traefik_tls: "{{ matrix_continuwuity_container_labels_public_client_api_traefik_entrypoints != 'web' }}" +matrix_continuwuity_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_continuwuity_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint. +# This is similar to `matrix_continuwuity_container_labels_public_client_api_enabled`, but the entrypoint and intent is different. 
+matrix_continuwuity_container_labels_internal_client_api_enabled: false +matrix_continuwuity_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_continuwuity_container_labels_public_client_api_traefik_path_prefix }}" +matrix_continuwuity_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_continuwuity_container_labels_internal_client_api_traefik_path_prefix }}`)" +matrix_continuwuity_container_labels_internal_client_api_traefik_priority: "{{ matrix_continuwuity_container_labels_public_client_api_traefik_priority }}" +matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: "" + +# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint. +matrix_continuwuity_container_labels_public_federation_api_enabled: "{{ matrix_continuwuity_config_allow_federation }}" +matrix_continuwuity_container_labels_public_federation_api_traefik_hostname: "{{ matrix_continuwuity_hostname }}" +matrix_continuwuity_container_labels_public_federation_api_traefik_path_prefix: /_matrix +matrix_continuwuity_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_continuwuity_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_continuwuity_container_labels_public_federation_api_traefik_path_prefix }}`)" +matrix_continuwuity_container_labels_public_federation_api_traefik_priority: 0 +matrix_continuwuity_container_labels_public_federation_api_traefik_entrypoints: '' +# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS. 
+matrix_continuwuity_container_labels_public_federation_api_traefik_tls: true +matrix_continuwuity_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_continuwuity_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# Controls whether labels will be added that expose the `/_continuwuity` path prefix on a public Traefik entrypoint. +matrix_continuwuity_container_labels_public_continuwuity_api_enabled: true +matrix_continuwuity_container_labels_public_continuwuity_api_traefik_hostname: "{{ matrix_continuwuity_hostname }}" +matrix_continuwuity_container_labels_public_continuwuity_api_traefik_path_prefix: /_continuwuity +matrix_continuwuity_container_labels_public_continuwuity_api_traefik_rule: "Host(`{{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_path_prefix }}`)" +matrix_continuwuity_container_labels_public_continuwuity_api_traefik_priority: 0 +matrix_continuwuity_container_labels_public_continuwuity_api_traefik_entrypoints: "{{ matrix_continuwuity_container_labels_traefik_entrypoints }}" +matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls: "{{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_entrypoints != 'web' }}" +matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls_certResolver: "{{ matrix_continuwuity_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# matrix_continuwuity_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. 
+# +# Example: +# matrix_continuwuity_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_continuwuity_container_labels_additional_labels: '' + +# Extra arguments for the Docker container +matrix_continuwuity_container_extra_arguments: [] + +# Specifies which template files to use when configuring continuwuity. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars/matrix.example.com/`) +# and then change the specific host's `vars.yml` file like this: +# matrix_continuwuity_template_continuwuity_config: "{{ playbook_dir }}/inventory/host_vars/matrix.example.com/continuwuity.toml.j2" +matrix_continuwuity_template_continuwuity_config: "{{ role_path }}/templates/continuwuity.toml.j2" + +# Max size for uploads, in bytes +matrix_continuwuity_config_server_name: "{{ matrix_domain }}" + +# Max size for uploads, in bytes +matrix_continuwuity_config_max_request_size: 20_000_000 + +# Enables registration. If set to false, no users can register on this server. +matrix_continuwuity_config_allow_registration: false + +# Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting. +# This is only used when `matrix_continuwuity_config_allow_registration` is set to true and no registration token is configured. +matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false + +# Controls the `registration_token` setting. +# When registration is enabled (`matrix_continuwuity_config_allow_registration`) you: +# - either need to set a token to protect registration from abuse +# - or you need to enable the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting +# (see `matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`), +# to allow registration without any form of 2nd-step. 
+matrix_continuwuity_config_registration_token: '' + +# Controls the `new_user_displayname_suffix` setting. +# This is the suffix that will be added to the displayname of new users. +# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix. +matrix_continuwuity_config_new_user_displayname_suffix: "" + +# Controls the `allow_check_for_updates` setting. +matrix_continuwuity_config_allow_check_for_updates: false + +# Controls the `emergency_password` setting. +matrix_continuwuity_config_emergency_password: '' + +# Controls the `allow_federation` setting. +matrix_continuwuity_config_allow_federation: true + +matrix_continuwuity_trusted_servers: + - "matrix.org" + +matrix_continuwuity_config_log: "info,state_res=warn,rocket=off,_=off,sled=off" + +# TURN integration. +# See: https://continuwuity.org/turn +matrix_continuwuity_config_turn_uris: [] +matrix_continuwuity_config_turn_secret: '' +matrix_continuwuity_config_turn_username: '' +matrix_continuwuity_config_turn_password: '' + +# Controls whether the self-check feature should validate SSL certificates. +matrix_continuwuity_self_check_validate_certificates: true + +# Additional environment variables to pass to the container. +# +# Environment variables take priority over settings in the configuration file. +# +# Example: +# matrix_continuwuity_environment_variables_extension: | +# continuwuity_MAX_REQUEST_SIZE=50000000 +# continuwuity_REQUEST_TIMEOUT=60 +matrix_continuwuity_environment_variables_extension: '' diff --git a/roles/custom/matrix-continuwuity/tasks/install.yml b/roles/custom/matrix-continuwuity/tasks/install.yml new file mode 100644 index 000000000..19aaff4f2 --- /dev/null +++ b/roles/custom/matrix-continuwuity/tasks/install.yml 
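Review bot: `matrix_continuwuity_docker_image_tag: main` pins the homeserver to a moving branch tag on a third-party registry, and `matrix_continuwuity_docker_image_force_pull` is derived from `endswith(':latest')`, so a host with a cached `main` image keeps running it while a fresh host pulls whatever `main` resolves to that day — the same inventory yields different, unreproducible binaries. Prefer a release tag or an `@sha256:` digest as the default, or at least widen the force-pull condition to `matrix_continuwuity_docker_image.endswith((':latest', ':main'))` so every run refreshes to the current head. Two copy-paste comments mislead operators: the line above `matrix_continuwuity_config_server_name` reads `# Max size for uploads, in bytes`, and the post-start-delay comment refers to `the matrix-synapse container`; both should describe the variable they sit above. `matrix_continuwuity_config_emergency_password` also deserves a warning comment — if it behaves like conduwuit's setting of the same name it grants login to the server's bot account and should be cleared after use (confirm against upstream docs before wording it).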
@@ -0,0 +1,64 @@ +# SPDX-FileCopyrightText: 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Ensure continuwuity config path exists + ansible.builtin.file: + path: "{{ matrix_continuwuity_config_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure continuwuity data path exists + ansible.builtin.file: + path: "{{ matrix_continuwuity_data_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure continuwuity configuration installed + ansible.builtin.template: + src: "{{ matrix_continuwuity_template_continuwuity_config }}" + dest: "{{ matrix_continuwuity_config_path }}/continuwuity.toml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure continuwuity support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_continuwuity_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - labels + - env + +- name: Ensure continuwuity container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_continuwuity_container_network }}" + driver: bridge + driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" + +- name: Ensure continuwuity container image is pulled + community.docker.docker_image: + name: "{{ matrix_continuwuity_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_continuwuity_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else 
matrix_continuwuity_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-continuwuity.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-continuwuity.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service" + mode: 0644 diff --git a/roles/custom/matrix-continuwuity/tasks/main.yml b/roles/custom/matrix-continuwuity/tasks/main.yml new file mode 100644 index 000000000..d51b2fff3 --- /dev/null +++ b/roles/custom/matrix-continuwuity/tasks/main.yml @@ -0,0 +1,40 @@ +# SPDX-FileCopyrightText: 2025 MDAD project contributors +# SPDX-FileCopyrightText: 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- tags: + - setup-all + - setup-continuwuity + - install-all + - install-continuwuity + block: + - when: matrix_continuwuity_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_continuwuity_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-continuwuity + block: + - when: not matrix_continuwuity_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + +- tags: + - self-check + block: + - when: matrix_continuwuity_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + + - when: matrix_continuwuity_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" + +- tags: + - migrate-conduwuit + block: + - when: matrix_continuwuity_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/migrate_from_conduwuit.yml" 
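Review bot: `continuwuity.toml` is installed with `mode: 0644` even though the template is fed `matrix_continuwuity_config_registration_token`, `matrix_continuwuity_config_turn_secret` and `matrix_continuwuity_config_emergency_password`, while the non-secret `labels` and `env` support files in the next task get `0640`; the secret-bearing file should be the tighter of the two, `mode: 0640`. The config directory is created `0750`, which keeps other local users out today, but a file mode should not rely on its parent's permissions. Separately, the network task uses `community.general.docker_network` while the image pull uses `community.docker.docker_image`; as far as I know the docker modules in `community.general` are only redirects to `community.docker` now, so the two references should agree on `community.docker`.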
diff --git a/roles/custom/matrix-continuwuity/tasks/migrate_from_conduwuit.yml b/roles/custom/matrix-continuwuity/tasks/migrate_from_conduwuit.yml
new file mode 100644
index 000000000..311d5613c
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/tasks/migrate_from_conduwuit.yml
@@ -0,0 +1,65 @@ +# SPDX-FileCopyrightText: 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +# This migrates the conduwuit server implementation (`/matrix/conduwuit`) to continuwuity (`/matrix/continuwuity`), +# +# Here, we merely backup the fresh continuwuity folder, relocate conduwuit directory to continuwuity (`/matrix/conduwuit`) +# +# and restore continuwuity labels. + +- name: Check existence of conduwuit directory + ansible.builtin.stat: + path: "{{ matrix_base_data_path }}/conduwuit" + register: matrix_conduwuit_directory_stat + +- name: Check existence of continuwuity directory + ansible.builtin.stat: + path: "{{ matrix_base_data_path }}/continuwuity" + register: matrix_continuwuity_directory_stat + +- when: > + matrix_conduwuit_directory_stat.stat.exists | bool and + matrix_continuwuity_directory_stat.stat.exists | bool + block: + - name: Ensure matrix-continuwuity.service systemd service is stopped + ansible.builtin.systemd: + name: matrix-continuwuity + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure continuwuity directory is backed up + ansible.builtin.command: + cmd: "mv {{ matrix_base_data_path }}/continuwuity {{ matrix_base_data_path }}/continuwuity_old" + creates: "{{ matrix_base_data_path }}/continuwuity_old" + removes: "{{ matrix_base_data_path }}/continuwuity" + + - name: Ensure conduwuit directory contents are copied to continuwuity + ansible.builtin.copy: + src: "{{ matrix_base_data_path }}/conduwuit/" + dest: "{{ matrix_base_data_path }}/continuwuity" + remote_src: true + mode: preserve + + - name: Ensure conduwuit.toml file is renamed + ansible.builtin.command: + cmd: "mv {{ matrix_base_data_path }}/continuwuity/config/conduwuit.toml {{ matrix_base_data_path }}/continuwuity/config/continuwuity.toml" + removes: "{{ matrix_base_data_path }}/continuwuity/config/conduwuit.toml" + + - name: Ensure continuwuity labels are restored + ansible.builtin.copy: + src: "{{ matrix_base_data_path 
}}/continuwuity_old/labels" + dest: "{{ matrix_base_data_path }}/continuwuity/labels" + remote_src: true + force: true + mode: preserve + + - name: Ensure matrix-continuwuity.service systemd service is started + ansible.builtin.systemd: + name: matrix-continuwuity + state: started + enabled: true + daemon_reload: true diff --git a/roles/custom/matrix-continuwuity/tasks/self_check_client_api.yml b/roles/custom/matrix-continuwuity/tasks/self_check_client_api.yml new file mode 100644 index 000000000..566769a2f --- /dev/null +++ b/roles/custom/matrix-continuwuity/tasks/self_check_client_api.yml @@ -0,0 +1,28 @@ +# SPDX-FileCopyrightText: 2025 Slavi Pantaleev +# SPDX-FileCopyrightText: 2025 Suguru Hirahara +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Check Matrix Client API + ansible.builtin.uri: + url: "{{ matrix_continuwuity_client_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_continuwuity_self_check_validate_certificates }}" + register: result_matrix_continuwuity_client_api + ignore_errors: true + check_mode: false + when: matrix_continuwuity_enabled | bool + delegate_to: 127.0.0.1 + become: false + +- name: Fail if Matrix Client API not working + ansible.builtin.fail: + msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_continuwuity_client_api_url_endpoint_public }}`). Is continuwuity running? Is port 443 open in your firewall? Full error: {{ result_matrix_continuwuity_client_api }}" + when: "matrix_continuwuity_enabled | bool and (result_matrix_continuwuity_client_api.failed or 'json' not in result_matrix_continuwuity_client_api)" + +- name: Report working Matrix Client API + ansible.builtin.debug: + msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_continuwuity_client_api_url_endpoint_public }}`) is working" + when: matrix_continuwuity_enabled | bool 
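Review bot: The migration block is not safe to run twice: the `conduwuit` directory is never removed, so on a second `--tags=migrate-conduwuit` run both `stat` checks still succeed, the `mv` to `continuwuity_old` is skipped by `creates:`, and the `copy` then writes the stale conduwuit database over the continuwuity data the server has been writing since the first migration. Guard the block on the backup not existing — stat `continuwuity_old` and add `and not matrix_continuwuity_old_directory_stat.stat.exists | bool` to the `when` — or rename `conduwuit` to a marker such as `conduwuit_migrated` as the last step. The `copy` with `remote_src: true` and `mode: preserve` keeps modes but, as far as I can tell, not ownership (files land owned by the become user), so set `owner: "{{ matrix_user_username }}"` and `group: "{{ matrix_user_groupname }}"` on it; if the container runs as the matrix user (the unit file is not in this chunk) it may otherwise be unable to open the copied RocksDB. The header comment also says the conduwuit directory is relocated when it is in fact copied, leaving a full second copy of the database plus `continuwuity_old` on disk; it should say copied and tell operators what to delete once the migration is verified.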
diff --git a/roles/custom/matrix-continuwuity/tasks/self_check_federation_api.yml b/roles/custom/matrix-continuwuity/tasks/self_check_federation_api.yml
new file mode 100644
index 000000000..000a4b608
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/tasks/self_check_federation_api.yml
@@ -0,0 +1,32 @@ +# SPDX-FileCopyrightText: 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Check Matrix Federation API + ansible.builtin.uri: + url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" + register: result_matrix_synapse_federation_api + ignore_errors: true + check_mode: false + when: matrix_synapse_enabled | bool + delegate_to: 127.0.0.1 + become: false + +- name: Fail if Matrix Federation API not working + ansible.builtin.fail: + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" + when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)" + +- name: Fail if Matrix Federation API unexpectedly enabled + ansible.builtin.fail: + msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled." + when: "matrix_synapse_enabled | bool and not matrix_synapse_federation_enabled | bool and not result_matrix_synapse_federation_api.failed" + +- name: Report working Matrix Federation API + ansible.builtin.debug: + msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working" + when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool" diff --git a/roles/custom/matrix-continuwuity/tasks/setup_install.yml b/roles/custom/matrix-continuwuity/tasks/setup_install.yml new file mode 100644 index 000000000..8b86cb216 
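Review bot: Every variable in this file is the Synapse one — `matrix_synapse_federation_api_url_endpoint_public`, `matrix_synapse_self_check_validate_certificates`, `matrix_synapse_enabled`, `matrix_synapse_federation_enabled` — so with continuwuity as the homeserver the check is either silently skipped (`matrix_synapse_enabled` false) or aborts on an undefined variable, and the "Federation API unexpectedly enabled" guard never fires for this role. Replace them with the continuwuity counterparts: `matrix_continuwuity_enabled`, `matrix_continuwuity_self_check_validate_certificates`, `matrix_continuwuity_config_allow_federation`, and the federation endpoint variable from `vars/main.yml` (not in this chunk; presumably named like the client-API one, `matrix_continuwuity_federation_api_url_endpoint_public` — confirm). The messages should also say "Is continuwuity running?" rather than Synapse. The first task rewritten is shown below; the two fail tasks and the debug task need the same substitution.
```yaml
- name: Check Matrix Federation API
  ansible.builtin.uri:
    url: "{{ matrix_continuwuity_federation_api_url_endpoint_public }}"
    follow_redirects: none
    validate_certs: "{{ matrix_continuwuity_self_check_validate_certificates }}"
  register: result_matrix_continuwuity_federation_api
  ignore_errors: true
  check_mode: false
  when: matrix_continuwuity_enabled | bool
  delegate_to: 127.0.0.1
  become: false

# … unchanged in structure: the two fail tasks and the debug task, with
#   matrix_synapse_enabled            -> matrix_continuwuity_enabled
#   matrix_synapse_federation_enabled -> matrix_continuwuity_config_allow_federation
#   result_matrix_synapse_federation_api -> result_matrix_continuwuity_federation_api
#   "Is Synapse running?"             -> "Is continuwuity running?" …
```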
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/tasks/setup_install.yml
@@ -0,0 +1,63 @@ +# SPDX-FileCopyrightText: 2025 MDAD project contributors +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Ensure continuwuity config path exists + ansible.builtin.file: + path: "{{ matrix_continuwuity_config_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure continuwuity data path exists + ansible.builtin.file: + path: "{{ matrix_continuwuity_data_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure continuwuity configuration installed + ansible.builtin.template: + src: "{{ matrix_continuwuity_template_continuwuity_config }}" + dest: "{{ matrix_continuwuity_config_path }}/continuwuity.toml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure continuwuity support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_continuwuity_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - labels + +- name: Ensure continuwuity container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_continuwuity_container_network }}" + driver: bridge + driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" + +- name: Ensure continuwuity container image is pulled + community.docker.docker_image: + name: "{{ matrix_continuwuity_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_continuwuity_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else 
matrix_continuwuity_docker_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure matrix-continuwuity.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-continuwuity.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service" + mode: 0644 diff --git a/roles/custom/matrix-continuwuity/tasks/setup_uninstall.yml b/roles/custom/matrix-continuwuity/tasks/setup_uninstall.yml new file mode 100644 index 000000000..6386a88d6 --- /dev/null +++ b/roles/custom/matrix-continuwuity/tasks/setup_uninstall.yml @@ -0,0 +1,23 @@ +# SPDX-FileCopyrightText: 2025 MDAD project contributors +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Check existence of matrix-continuwuity service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service" + register: matrix_continuwuity_service_stat + +- when: matrix_continuwuity_service_stat.stat.exists | bool + block: + - name: Ensure matrix-continuwuity is stopped + ansible.builtin.systemd: + name: matrix-continuwuity + state: stopped + daemon_reload: true + + - name: Ensure matrix-continuwuity.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service" + state: absent diff --git a/roles/custom/matrix-continuwuity/tasks/uninstall.yml b/roles/custom/matrix-continuwuity/tasks/uninstall.yml new file mode 100644 index 000000000..9d10bfaac --- /dev/null +++ b/roles/custom/matrix-continuwuity/tasks/uninstall.yml 
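Review bot: `tasks/setup_install.yml` is never included — `tasks/main.yml` in this patch includes `install.yml` and `uninstall.yml` only — and it is already diverging from `install.yml`: its support-files loop renders only `labels`, not `env`. A dead copy of the install logic will keep drifting (the same applies to `setup_uninstall.yml` next to `uninstall.yml`), so drop both `setup_*` files, or switch `main.yml` to include them and delete the other pair. If it is kept, the same `mode: 0644` on the secret-bearing `continuwuity.toml` applies here as in `install.yml` and should be `0640`.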
@@ -0,0 +1,23 @@ +# SPDX-FileCopyrightText: 2025 Slavi Pantaleev +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Check existence of matrix-continuwuity service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service" + register: matrix_continuwuity_service_stat + +- when: matrix_continuwuity_service_stat.stat.exists | bool + block: + - name: Ensure matrix-continuwuity is stopped + ansible.builtin.systemd: + name: matrix-continuwuity + state: stopped + daemon_reload: true + + - name: Ensure matrix-continuwuity.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service" + state: absent diff --git a/roles/custom/matrix-continuwuity/tasks/validate_config.yml b/roles/custom/matrix-continuwuity/tasks/validate_config.yml new file mode 100644 index 000000000..e4c199bfb --- /dev/null +++ b/roles/custom/matrix-continuwuity/tasks/validate_config.yml @@ -0,0 +1,15 @@ +# SPDX-FileCopyrightText: 2025 MDAD project contributors +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- + +- name: Fail if required continuwuity settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_continuwuity_hostname', when: true} + - {'name': 'matrix_continuwuity_container_network', when: true} + - {'name': 'matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_continuwuity_container_labels_internal_client_api_enabled }}"} diff --git a/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2 b/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2 new file mode 100644 index 000000000..6e353a1ae --- /dev/null +++ b/roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2 
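Review bot: The validation only checks that the hostname and container network are non-empty; the registration settings from `defaults/main.yml` are left to the container to reject at start-up (if it does), or worse to accept. Add a task that fails when `matrix_continuwuity_config_allow_registration` is true while `matrix_continuwuity_config_registration_token` is empty and the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` flag is false, so an accidental open-registration server is caught at playbook time with a clear message. A separate `ansible.builtin.fail` is clearer than squeezing it into the `vars[item.name] == ''` loop: `when: matrix_continuwuity_config_allow_registration | bool and matrix_continuwuity_config_registration_token == '' and not matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | bool`.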
@@ -0,0 +1,1546 @@ +{# +SPDX-FileCopyrightText: 2025 MDAD project contributors +SPDX-FileCopyrightText: 2025 Slavi Pantaleev +SPDX-FileCopyrightText: 2025 Suguru Hirahara + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +### continuwuity Configuration +### See: +### https://continuwuity.org/configuration + +[global] + +# The server_name is the pretty name of this server. It is used as a +# suffix for user and room IDs/aliases. +# +# See the docs for reverse proxying and delegation: +# https://continuwuity.org/deploying/generic#setting-up-the-reverse-proxy +# +# Also see the `[global.well_known]` config section at the very bottom. +# +# Examples of delegation: +# - https://puppygock.gay/.well-known/matrix/server +# - https://puppygock.gay/.well-known/matrix/client +# +# YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE +# WIPE. +# +# example: "continuwuity.woof" +# +server_name = {{ matrix_continuwuity_config_server_name | to_json }} + +# The default address (IPv4 or IPv6) continuwuity will listen on. +# +# If you are using Docker or a container NAT networking setup, this must +# be "0.0.0.0". +# +# To listen on multiple addresses, specify a vector e.g. ["127.0.0.1", +# "::1"] +# +address = "0.0.0.0" + +# The port(s) continuwuity will listen on. +# +# For reverse proxying, see: +# https://continuwuity.org/deploying/generic#setting-up-the-reverse-proxy +# +# If you are using Docker, don't change this, you'll need to map an +# external port to this. +# +# To listen on multiple ports, specify a vector e.g. [8080, 8448] +# +port = {{ matrix_continuwuity_config_port_number }} + +# The UNIX socket continuwuity will listen on. +# +# continuwuity cannot listen on both an IP address and a UNIX socket. If +# listening on a UNIX socket, you MUST remove/comment the `address` key. 
+# +# Remember to make sure that your reverse proxy has access to this socket +# file, either by adding your reverse proxy to the 'continuwuity' group or +# granting world R/W permissions with `unix_socket_perms` (666 minimum). +# +# example: "/run/continuwuity/continuwuity.sock" +# +#unix_socket_path = + +# The default permissions (in octal) to create the UNIX socket with. +# +#unix_socket_perms = 660 + +# This is the only directory where continuwuity will save its data, including +# media. Note: this was previously "/var/lib/matrix-conduit". +# +# YOU NEED TO EDIT THIS. +# +# example: "/var/lib/continuwuity" +# +database_path = "/var/lib/continuwuity" + +# continuwuity supports online database backups using RocksDB's Backup engine +# API. To use this, set a database backup path that continuwuity can write +# to. +# +# For more information, see: +# https://continuwuity.org/maintenance.html#backups +# +# example: "/opt/continuwuity-db-backups" +# +#database_backup_path = + +# The amount of online RocksDB database backups to keep/retain, if using +# "database_backup_path", before deleting the oldest one. +# +#database_backups_to_keep = 1 + +# Text which will be added to the end of the user's displayname upon +# registration with a space before the text. In Conduit, this was the +# lightning bolt emoji. +# +# To disable, set this to "" (an empty string). +# +# The default is the trans pride flag. +# +# example: "🏳️‍⚧️" +# +new_user_displayname_suffix = {{ matrix_continuwuity_config_new_user_displayname_suffix | to_json }} + +# If enabled, continuwuity will send a simple GET request periodically to +# `https://pupbrain.dev/check-for-updates/stable` for any new +# announcements made. Despite the name, this is not an update check +# endpoint, it is simply an announcement check endpoint. +# +# This is disabled by default as this is rarely used except for security +# updates or major updates. 
+# +allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates | to_json }} + +# Set this to any float value to multiply continuwuity's in-memory LRU caches +# with such as "auth_chain_cache_capacity". +# +# May be useful if you have significant memory to spare to increase +# performance. +# +# If you have low memory, reducing this may be viable. +# +# By default, the individual caches such as "auth_chain_cache_capacity" +# are scaled by your CPU core count. +# +#cache_capacity_modifier = 1.0 + +# Set this to any float value in megabytes for continuwuity to tell the +# database engine that this much memory is available for database read +# caches. +# +# May be useful if you have significant memory to spare to increase +# performance. +# +# Similar to the individual LRU caches, this is scaled up with your CPU +# core count. +# +# This defaults to 128.0 + (64.0 * CPU core count). +# +#db_cache_capacity_mb = varies by system + +# Set this to any float value in megabytes for continuwuity to tell the +# database engine that this much memory is available for database write +# caches. +# +# May be useful if you have significant memory to spare to increase +# performance. +# +# Similar to the individual LRU caches, this is scaled up with your CPU +# core count. +# +# This defaults to 48.0 + (4.0 * CPU core count). +# +#db_write_buffer_capacity_mb = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#pdu_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#auth_chain_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#shorteventid_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#eventidshort_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. 
+# +#eventid_pdu_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#shortstatekey_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#statekeyshort_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#servernameevent_data_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#server_visibility_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#user_visibility_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#stateinfo_cache_capacity = varies by system + +# This item is undocumented. Please contribute documentation for it. +# +#roomid_spacehierarchy_cache_capacity = varies by system + +# Maximum entries stored in DNS memory-cache. The size of an entry may +# vary so please take care if raising this value excessively. Only +# decrease this when using an external DNS cache. Please note that +# systemd-resolved does *not* count as an external cache, even when +# configured to do so. +# +#dns_cache_entries = 32768 + +# Minimum time-to-live in seconds for entries in the DNS cache. The +# default may appear high to most administrators; this is by design as the +# majority of NXDOMAINs are correct for a long time (e.g. the server is no +# longer running Matrix). Only decrease this if you are using an external +# DNS cache. +# +#dns_min_ttl = 10800 + +# Minimum time-to-live in seconds for NXDOMAIN entries in the DNS cache. +# This value is critical for the server to federate efficiently. +# NXDOMAIN's are assumed to not be returning to the federation and +# aggressively cached rather than constantly rechecked. +# +# Defaults to 3 days as these are *very rarely* false negatives. 
+# +#dns_min_ttl_nxdomain = 259200 + +# Number of DNS nameserver retries after a timeout or error. +# +#dns_attempts = 10 + +# The number of seconds to wait for a reply to a DNS query. Please note +# that recursive queries can take up to several seconds for some domains, +# so this value should not be too low, especially on slower hardware or +# resolvers. +# +#dns_timeout = 10 + +# Fallback to TCP on DNS errors. Set this to false if unsupported by +# nameserver. +# +#dns_tcp_fallback = true + +# Enable to query all nameservers until the domain is found. Referred to +# as "trust_negative_responses" in hickory_resolver. This can avoid +# useless DNS queries if the first nameserver responds with NXDOMAIN or +# an empty NOERROR response. +# +#query_all_nameservers = true + +# Enable using *only* TCP for querying your specified nameservers instead +# of UDP. +# +# If you are running continuwuity in a container environment, this config +# option may need to be enabled. For more details, see: +# https://continuwuity.org/troubleshooting#potential-dns-issues-when-using-docker +# +#query_over_tcp_only = false + +# DNS A/AAAA record lookup strategy +# +# Takes a number of one of the following options: +# 1 - Ipv4Only (Only query for A records, no AAAA/IPv6) +# +# 2 - Ipv6Only (Only query for AAAA records, no A/IPv4) +# +# 3 - Ipv4AndIpv6 (Query for A and AAAA records in parallel, uses whatever +# returns a successful response first) +# +# 4 - Ipv6thenIpv4 (Query for AAAA record, if that fails then query the A +# record) +# +# 5 - Ipv4thenIpv6 (Query for A record, if that fails then query the AAAA +# record) +# +# If you don't have IPv6 networking, then for better DNS performance it +# may be suitable to set this to Ipv4Only (1) as you will never ever use +# the AAAA record contents even if the AAAA record is successful instead +# of the A record. +# +#ip_lookup_strategy = 5 + +# Max request size for file uploads in bytes. Defaults to 20MB. 
+# +max_request_size = {{ matrix_continuwuity_config_max_request_size }} + +# This item is undocumented. Please contribute documentation for it. +# +#max_fetch_prev_events = 192 + +# Default/base connection timeout (seconds). This is used only by URL +# previews and update/news endpoint checks. +# +#request_conn_timeout = 10 + +# Default/base request timeout (seconds). The time waiting to receive more +# data from another server. This is used only by URL previews, +# update/news, and misc endpoint checks. +# +#request_timeout = 35 + +# Default/base request total timeout (seconds). The time limit for a whole +# request. This is set very high to not cancel healthy requests while +# serving as a backstop. This is used only by URL previews and update/news +# endpoint checks. +# +#request_total_timeout = 320 + +# Default/base idle connection pool timeout (seconds). This is used only +# by URL previews and update/news endpoint checks. +# +#request_idle_timeout = 5 + +# Default/base max idle connections per host. This is used only by URL +# previews and update/news endpoint checks. Defaults to 1 as generally the +# same open connection can be re-used. +# +#request_idle_per_host = 1 + +# Federation well-known resolution connection timeout (seconds). +# +#well_known_conn_timeout = 6 + +# Federation HTTP well-known resolution request timeout (seconds). +# +#well_known_timeout = 10 + +# Federation client request timeout (seconds). You most definitely want +# this to be high to account for extremely large room joins, slow +# homeservers, your own resources etc. +# +#federation_timeout = 300 + +# Federation client idle connection pool timeout (seconds). +# +#federation_idle_timeout = 25 + +# Federation client max idle connections per host. Defaults to 1 as +# generally the same open connection can be re-used. +# +#federation_idle_per_host = 1 + +# Federation sender request timeout (seconds). 
The time it takes for the +# remote server to process sent transactions can take a while. +# +#sender_timeout = 180 + +# Federation sender idle connection pool timeout (seconds). +# +#sender_idle_timeout = 180 + +# Federation sender transaction retry backoff limit (seconds). +# +#sender_retry_backoff_limit = 86400 + +# Appservice URL request connection timeout. Defaults to 35 seconds as +# generally appservices are hosted within the same network. +# +#appservice_timeout = 35 + +# Appservice URL idle connection pool timeout (seconds). +# +#appservice_idle_timeout = 300 + +# Notification gateway pusher idle connection pool timeout. +# +#pusher_idle_timeout = 15 + +# Enables registration. If set to false, no users can register on this +# server. +# +# If set to true without a token configured, users can register with no +# form of 2nd-step only if you set the following option to true: +# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` +# +# If you would like registration only via token reg, please configure +# `registration_token` or `registration_token_file`. +# +allow_registration = {{ matrix_continuwuity_config_allow_registration | to_json }} + +yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = {{ matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | to_json }} + +allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }} + +# This item is undocumented. Please contribute documentation for it. +# +#yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false + +# A static registration token that new users will have to provide when +# creating an account. If unset and `allow_registration` is true, +# registration is open without any condition. +# +# YOU NEED TO EDIT THIS OR USE registration_token_file. 
+# +# example: "o&^uCtes4HPf0Vu@F20jQeeWE7" +# +registration_token = {{ matrix_continuwuity_config_registration_token | to_json }} + +# Path to a file on the system that gets read for the registration token. +# this config option takes precedence/priority over "registration_token". +# +# continuwuity must be able to access the file, and it must not be empty +# +# example: "/etc/continuwuity/.reg_token" +# +#registration_token_file = + +# Controls whether encrypted rooms and events are allowed. +# +#allow_encryption = true + +# Controls whether federation is allowed or not. It is not recommended to +# disable this after the fact due to potential federation breakage. +# +#allow_federation = true + +# This item is undocumented. Please contribute documentation for it. +# +#federation_loopback = false + +# Set this to true to require authentication on the normally +# unauthenticated profile retrieval endpoints (GET) +# "/_matrix/client/v3/profile/{userId}". +# +# This can prevent profile scraping. +# +#require_auth_for_profile_requests = false + +# Set this to true to allow your server's public room directory to be +# federated. Set this to false to protect against /publicRooms spiders, +# but will forbid external users from viewing your server's public room +# directory. If federation is disabled entirely (`allow_federation`), this +# is inherently false. +# +#allow_public_room_directory_over_federation = false + +# Set this to true to allow your server's public room directory to be +# queried without client authentication (access token) through the Client +# APIs. Set this to false to protect against /publicRooms spiders. +# +#allow_public_room_directory_without_auth = false + +# Allow guests/unauthenticated users to access TURN credentials. +# +# This is the equivalent of Synapse's `turn_allow_guests` config option. +# This allows any unauthenticated user to call the endpoint +# `/_matrix/client/v3/voip/turnServer`. 
+# +# It is unlikely you need to enable this as all major clients support +# authentication for this endpoint and prevents misuse of your TURN server +# from potential bots. +# +#turn_allow_guests = false + +# Set this to true to lock down your server's public room directory and +# only allow admins to publish rooms to the room directory. Unpublishing +# is still allowed by all users with this enabled. +# +#lockdown_public_room_directory = false + +# Set this to true to allow federating device display names / allow +# external users to see your device display name. If federation is +# disabled entirely (`allow_federation`), this is inherently false. For +# privacy reasons, this is best left disabled. +# +#allow_device_name_federation = false + +# Config option to allow or disallow incoming federation requests that +# obtain the profiles of our local users from +# `/_matrix/federation/v1/query/profile` +# +# Increases privacy of your local user's such as display names, but some +# remote users may get a false "this user does not exist" error when they +# try to invite you to a DM or room. Also can protect against profile +# spiders. +# +# This is inherently false if `allow_federation` is disabled +# +#allow_inbound_profile_lookup_federation_requests = true + +# Allow standard users to create rooms. Appservices and admins are always +# allowed to create rooms +# +#allow_room_creation = true + +# Set to false to disable users from joining or creating room versions +# that aren't officially supported by continuwuity. +# +# continuwuity officially supports room versions 6 - 11. +# +# continuwuity has slightly experimental (though works fine in practice) +# support for versions 3 - 5. +# +#allow_unstable_room_versions = true + +# Default room version continuwuity will create rooms with. +# +# Per spec, room version 10 is the default. +# +#default_room_version = 10 + +# This item is undocumented. Please contribute documentation for it. 
+# +#allow_jaeger = false + +# This item is undocumented. Please contribute documentation for it. +# +#jaeger_filter = "info" + +# If the 'perf_measurements' compile-time feature is enabled, enables +# collecting folded stack trace profile of tracing spans using +# tracing_flame. The resulting profile can be visualized with inferno[1], +# speedscope[2], or a number of other tools. +# +# [1]: https://github.com/jonhoo/inferno +# [2]: www.speedscope.app +# +#tracing_flame = false + +# This item is undocumented. Please contribute documentation for it. +# +#tracing_flame_filter = "info" + +# This item is undocumented. Please contribute documentation for it. +# +#tracing_flame_output_path = "./tracing.folded" + +# Examples: +# +# - No proxy (default): +# +# proxy = "none" +# +# - For global proxy, create the section at the bottom of this file: +# +# [global.proxy] +# global = { url = "socks5h://localhost:9050" } +# +# - To proxy some domains: +# +# [global.proxy] +# [[global.proxy.by_domain]] +# url = "socks5h://localhost:9050" +# include = ["*.onion", "matrix.myspecial.onion"] +# exclude = ["*.myspecial.onion"] +# +# Include vs. Exclude: +# +# - If include is an empty list, it is assumed to be `["*"]`. +# +# - If a domain matches both the exclude and include list, the proxy will +# only be used if it was included because of a more specific rule than +# it was excluded. In the above example, the proxy would be used for +# `ordinary.onion`, `matrix.myspecial.onion`, but not +# `hello.myspecial.onion`. +# +#proxy = "none" + +# Servers listed here will be used to gather public keys of other servers +# (notary trusted key servers). +# +# Currently, continuwuity doesn't support inbound batched key requests, so +# this list should only contain other Synapse servers. 
+# +# example: ["matrix.org", "envs.net", "constellatory.net", "tchncs.de"] +# +trusted_servers = {{ matrix_continuwuity_trusted_servers | to_json }} + +# Whether to query the servers listed in trusted_servers first or query +# the origin server first. For best security, querying the origin server +# first is advised to minimize the exposure to a compromised trusted +# server. For maximum federation/join performance this can be set to true, +# however other options exist to query trusted servers first under +# specific high-load circumstances and should be evaluated before setting +# this to true. +# +#query_trusted_key_servers_first = false + +# Whether to query the servers listed in trusted_servers first +# specifically on room joins. This option limits the exposure to a +# compromised trusted server to room joins only. The join operation +# requires gathering keys from many origin servers which can cause +# significant delays. Therefor this defaults to true to mitigate +# unexpected delays out-of-the-box. The security-paranoid or those willing +# to tolerate delays are advised to set this to false. Note that setting +# query_trusted_key_servers_first to true causes this option to be +# ignored. +# +#query_trusted_key_servers_first_on_join = true + +# Only query trusted servers for keys and never the origin server. This is +# intended for clusters or custom deployments using their trusted_servers +# as forwarding-agents to cache and deduplicate requests. Notary servers +# do not act as forwarding-agents by default, therefor do not enable this +# unless you know exactly what you are doing. +# +#only_query_trusted_key_servers = false + +# Maximum number of keys to request in each trusted server batch query. +# +#trusted_server_batch_size = 1024 + +# Max log level for continuwuity. Allows debug, info, warn, or error. 
+# +# See also: +# https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#directives +# +# **Caveat**: +# For release builds, the tracing crate is configured to only implement +# levels higher than error to avoid unnecessary overhead in the compiled +# binary from trace macros. For debug builds, this restriction is not +# applied. +# +log = {{ matrix_continuwuity_config_log | to_json }} + +# Output logs with ANSI colours. +# +#log_colors = true + +# Configures the span events which will be outputted with the log. +# +#log_span_events = "none" + +# Configures whether continuwuity_LOG EnvFilter matches values using regular +# expressions. See the tracing_subscriber documentation on Directives. +# +#log_filter_regex = true + +# Toggles the display of ThreadId in tracing log output. +# +#log_thread_ids = false + +# OpenID token expiration/TTL in seconds. +# +# These are the OpenID tokens that are primarily used for Matrix account +# integrations (e.g. Vector Integrations in Element), *not* OIDC/OpenID +# Connect/etc. +# +#openid_token_ttl = 3600 + +# Allow an existing session to mint a login token for another client. +# This requires interactive authentication, but has security ramifications +# as a malicious client could use the mechanism to spawn more than one +# session. +# Enabled by default. +# +#login_via_existing_session = true + +# Login token expiration/TTL in milliseconds. +# +# These are short-lived tokens for the m.login.token endpoint. +# This is used to allow existing sessions to create new sessions. +# see login_via_existing_session. +# +#login_token_ttl = 120000 + +# Static TURN username to provide the client if not using a shared secret +# ("turn_secret"), It is recommended to use a shared secret over static +# credentials. +# +#turn_username = false + +# Static TURN password to provide the client if not using a shared secret +# ("turn_secret"). It is recommended to use a shared secret over static +# credentials. 
+# +#turn_password = false + +# Vector list of TURN URIs/servers to use. +# +# Replace "example.turn.uri" with your TURN domain, such as the coturn +# "realm" config option. If using TURN over TLS, replace the URI prefix +# "turn:" with "turns:". +# +# example: ["turn:example.turn.uri?transport=udp", +# "turn:example.turn.uri?transport=tcp"] +# +turn_uris = {{ matrix_continuwuity_config_turn_uris | to_json }} + +# TURN secret to use for generating the HMAC-SHA1 hash apart of username +# and password generation. +# +# This is more secure, but if needed you can use traditional static +# username/password credentials. +# +#turn_secret = false +{% if matrix_continuwuity_config_turn_secret != '' %} +turn_secret = {{ matrix_continuwuity_config_turn_secret | to_json }} +{% endif %} + +# If you have your TURN server configured to use a username and password +# you can provide these information too. In this case comment out `turn_secret above`! +{% if matrix_continuwuity_config_turn_username != '' or matrix_continuwuity_config_turn_password != '' %} +turn_username = {{ matrix_continuwuity_config_turn_username | to_json }} +turn_password = {{ matrix_continuwuity_config_turn_password | to_json }} +{% endif %} + +# TURN secret to use that's read from the file path specified. +# +# This takes priority over "turn_secret" first, and falls back to +# "turn_secret" if invalid or failed to open. +# +# example: "/etc/continuwuity/.turn_secret" +# +#turn_secret_file = + +# TURN TTL, in seconds. +# +#turn_ttl = 86400 + +# List/vector of room IDs or room aliases that continuwuity will make newly +# registered users join. The rooms specified must be rooms that you have +# joined at least once on the server, and must be public. 
+# +# example: ["#continuwuity:puppygock.gay", +# "!eoIzvAvVwY23LPDay8:puppygock.gay"] +# +#auto_join_rooms = [] + +# Config option to automatically deactivate the account of any user who +# attempts to join a: +# - banned room +# - forbidden room alias +# - room alias or ID with a forbidden server name +# +# This may be useful if all your banned lists consist of toxic rooms or +# servers that no good faith user would ever attempt to join, and +# to automatically remediate the problem without any admin user +# intervention. +# +# This will also make the user leave all rooms. Federation (e.g. remote +# room invites) are ignored here. +# +# Defaults to false as rooms can be banned for non-moderation-related +# reasons and this performs a full user deactivation. +# +#auto_deactivate_banned_room_attempts = false + +# RocksDB log level. This is not the same as continuwuity's log level. This +# is the log level for the RocksDB engine/library which show up in your +# database folder/path as `LOG` files. continuwuity will log RocksDB errors +# as normal through tracing or panics if severe for safety. +# +#rocksdb_log_level = "error" + +# This item is undocumented. Please contribute documentation for it. +# +#rocksdb_log_stderr = false + +# Max RocksDB `LOG` file size before rotating in bytes. Defaults to 4MB in +# bytes. +# +#rocksdb_max_log_file_size = 4194304 + +# Time in seconds before RocksDB will forcibly rotate logs. +# +#rocksdb_log_time_to_roll = 0 + +# Set this to true to use RocksDB config options that are tailored to HDDs +# (slower device storage). +# +# It is worth noting that by default, continuwuity will use RocksDB with +# Direct IO enabled. *Generally* speaking this improves performance as it +# bypasses buffered I/O (system page cache). However there is a potential +# chance that Direct IO may cause issues with database operations if your +# setup is uncommon. This has been observed with FUSE filesystems, and +# possibly ZFS filesystem. 
RocksDB generally deals/corrects these issues +# but it cannot account for all setups. If you experience any weird +# RocksDB issues, try enabling this option as it turns off Direct IO and +# feel free to report in the continuwuity Matrix room if this option fixes +# your DB issues. +# +# For more information, see: +# https://github.com/facebook/rocksdb/wiki/Direct-IO +# +#rocksdb_optimize_for_spinning_disks = false + +# Enables direct-io to increase database performance via unbuffered I/O. +# +# For more details about direct I/O and RockDB, see: +# https://github.com/facebook/rocksdb/wiki/Direct-IO +# +# Set this option to false if the database resides on a filesystem which +# does not support direct-io like FUSE, or any form of complex filesystem +# setup such as possibly ZFS. +# +#rocksdb_direct_io = true + +# Amount of threads that RocksDB will use for parallelism on database +# operations such as cleanup, sync, flush, compaction, etc. Set to 0 to +# use all your logical threads. Defaults to your CPU logical thread count. +# +#rocksdb_parallelism_threads = varies by system + +# Maximum number of LOG files RocksDB will keep. This must *not* be set to +# 0. It must be at least 1. Defaults to 3 as these are not very useful +# unless troubleshooting/debugging a RocksDB bug. +# +#rocksdb_max_log_files = 3 + +# Type of RocksDB database compression to use. +# +# Available options are "zstd", "zlib", "bz2", "lz4", or "none". +# +# It is best to use ZSTD as an overall good balance between +# speed/performance, storage, IO amplification, and CPU usage. For more +# performance but less compression (more storage used) and less CPU usage, +# use LZ4. +# +# For more details, see: +# https://github.com/facebook/rocksdb/wiki/Compression +# +# "none" will disable compression. +# +#rocksdb_compression_algo = "zstd" + +# Level of compression the specified compression algorithm for RocksDB to +# use. 
+# +# Default is 32767, which is internally read by RocksDB as the default +# magic number and translated to the library's default compression level +# as they all differ. See their `kDefaultCompressionLevel`. +# +#rocksdb_compression_level = 32767 + +# Level of compression the specified compression algorithm for the +# bottommost level/data for RocksDB to use. Default is 32767, which is +# internally read by RocksDB as the default magic number and translated to +# the library's default compression level as they all differ. See their +# `kDefaultCompressionLevel`. +# +# Since this is the bottommost level (generally old and least used data), +# it may be desirable to have a very high compression level here as it's +# less likely for this data to be used. Research your chosen compression +# algorithm. +# +#rocksdb_bottommost_compression_level = 32767 + +# Whether to enable RocksDB's "bottommost_compression". +# +# At the expense of more CPU usage, this will further compress the +# database to reduce more storage. It is recommended to use ZSTD +# compression with this for best compression results. This may be useful +# if you're trying to reduce storage usage from the database. +# +# See https://github.com/facebook/rocksdb/wiki/Compression for more details. +# +#rocksdb_bottommost_compression = false + +# Database recovery mode (for RocksDB WAL corruption). +# +# Use this option when the server reports corruption and refuses to start. +# Set mode 2 (PointInTime) to cleanly recover from this corruption. The +# server will continue from the last good state, several seconds or +# minutes prior to the crash. Clients may have to run "clear-cache & +# reload" to account for the rollback. Upon success, you may reset the +# mode back to default and restart again. Please note in some cases the +# corruption error may not be cleared for at least 30 minutes of operation +# in PointInTime mode. 
+# +# As a very last ditch effort, if PointInTime does not fix or resolve +# anything, you can try mode 3 (SkipAnyCorruptedRecord) but this will +# leave the server in a potentially inconsistent state. +# +# The default mode 1 (TolerateCorruptedTailRecords) will automatically +# drop the last entry in the database if corrupted during shutdown, but +# nothing more. It is extraordinarily unlikely this will desynchronize +# clients. To disable any form of silent rollback set mode 0 +# (AbsoluteConsistency). +# +# The options are: +# 0 = AbsoluteConsistency +# 1 = TolerateCorruptedTailRecords (default) +# 2 = PointInTime (use me if trying to recover) +# 3 = SkipAnyCorruptedRecord (you now voided your continuwuity warranty) +# +# For more information on these modes, see: +# https://github.com/facebook/rocksdb/wiki/WAL-Recovery-Modes +# +# For more details on recovering a corrupt database, see: +# https://continuwuity.org/troubleshooting.html#database-corruption +# +#rocksdb_recovery_mode = 1 + +# Enables or disables paranoid SST file checks. This can improve RocksDB +# database consistency at a potential performance impact due to further +# safety checks ran. +# +# For more information, see: +# https://github.com/facebook/rocksdb/wiki/Online-Verification#columnfamilyoptionsparanoid_file_checks +# +#rocksdb_paranoid_file_checks = false + +# Database repair mode (for RocksDB SST corruption). +# +# Use this option when the server reports corruption while running or +# panics. If the server refuses to start use the recovery mode options +# first. Corruption errors containing the acronym 'SST' which occur after +# startup will likely require this option. +# +# - Backing up your database directory is recommended prior to running the +# repair. +# +# - Disabling repair mode and restarting the server is recommended after +# running the repair. +# +# See https://continuwuity.org/troubleshooting.html#database-corruption for more details on recovering a corrupt database. 
+#
+#rocksdb_repair = false
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#rocksdb_read_only = false
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#rocksdb_secondary = false
+
+# Enables idle CPU priority for compaction thread. This is not enabled by
+# default to prevent compaction from falling too far behind on busy
+# systems.
+#
+#rocksdb_compaction_prio_idle = false
+
+# Enables idle IO priority for compaction thread. This prevents any
+# unexpected lag in the server's operation and is usually a good idea.
+# Enabled by default.
+#
+#rocksdb_compaction_ioprio_idle = true
+
+# Disables RocksDB compaction. You should never ever have to set this
+# option to true. If you for some reason find yourself needing to use this
+# option as part of troubleshooting or a bug, please reach out to us in
+# the continuwuity Matrix room with information and details.
+#
+# Disabling compaction will lead to a significantly bloated and
+# explosively large database, gradually poor performance, unnecessarily
+# excessive disk read/writes, and slower shutdowns and startups.
+#
+#rocksdb_compaction = true
+
+# Level of statistics collection. Some admin commands to display database
+# statistics may require this option to be set. Database performance may
+# be impacted by higher settings.
+#
+# Option is a number ranging from 0 to 6:
+# 0 = No statistics.
+# 1 = No statistics in release mode (default).
+# 2 to 3 = Statistics with no performance impact.
+# 3 to 5 = Statistics with possible performance impact.
+# 6 = All statistics.
+#
+#rocksdb_stats_level = 1
+
+# This is a password that can be configured that will let you login to the
+# server bot account (currently `@conduit`) for emergency troubleshooting
+# purposes such as recovering/recreating your admin room, or inviting
+# yourself back.
+#
+# See https://continuwuity.org/troubleshooting.html#lost-access-to-admin-room for other ways to get back into your admin room.
+#
+# Once this password is unset, all sessions will be logged out for
+# security purposes.
+#
+# example: "F670$2CP@Hw8mG7RY1$%!#Ic7YA"
+#
+emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json }}
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#notification_push_path = "/_matrix/push/v1/notify"
+
+# Allow local (your server only) presence updates/requests.
+#
+# Note that presence on continuwuity is very fast unlike Synapse's. If using
+# outgoing presence, this MUST be enabled.
+#
+#allow_local_presence = true
+
+# Allow incoming federated presence updates/requests.
+#
+# This option receives presence updates from other servers, but does not
+# send any unless `allow_outgoing_presence` is true. Note that presence on
+# continuwuity is very fast unlike Synapse's.
+#
+#allow_incoming_presence = true
+
+# Allow outgoing presence updates/requests.
+#
+# This option sends presence updates to other servers, but does not
+# receive any unless `allow_incoming_presence` is true. Note that presence
+# on continuwuity is very fast unlike Synapse's. If using outgoing presence,
+# you MUST enable `allow_local_presence` as well.
+#
+#allow_outgoing_presence = true
+
+# How many seconds without presence updates before you become idle.
+# Defaults to 5 minutes.
+#
+#presence_idle_timeout_s = 300
+
+# How many seconds without presence updates before you become offline.
+# Defaults to 30 minutes.
+#
+#presence_offline_timeout_s = 1800
+
+# Enable the presence idle timer for remote users.
+#
+# Disabling is offered as an optimization for servers participating in
+# many large rooms or when resources are limited. Disabling it may cause
+# incorrect presence states (i.e. stuck online) to be seen for some remote
+# users.
+#
+#presence_timeout_remote_users = true
+
+# Allow receiving incoming read receipts from remote servers.
+#
+#allow_incoming_read_receipts = true
+
+# Allow sending read receipts to remote servers.
+#
+#allow_outgoing_read_receipts = true
+
+# Allow outgoing typing updates to federation.
+#
+#allow_outgoing_typing = true
+
+# Allow incoming typing updates from federation.
+#
+#allow_incoming_typing = true
+
+# Maximum time federation user can indicate typing.
+#
+#typing_federation_timeout_s = 30
+
+# Minimum time local client can indicate typing. This does not override a
+# client's request to stop typing. It only enforces a minimum value in
+# case of no stop request.
+#
+#typing_client_timeout_min_s = 15
+
+# Maximum time local client can indicate typing.
+#
+#typing_client_timeout_max_s = 45
+
+# Set this to true for continuwuity to compress HTTP response bodies using
+# zstd. This option does nothing if continuwuity was not built with
+# `zstd_compression` feature. Please be aware that enabling HTTP
+# compression may weaken TLS. Most users should not need to enable this.
+# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH
+# before deciding to enable this.
+#
+#zstd_compression = false
+
+# Set this to true for continuwuity to compress HTTP response bodies using
+# gzip. This option does nothing if continuwuity was not built with
+# `gzip_compression` feature. Please be aware that enabling HTTP
+# compression may weaken TLS. Most users should not need to enable this.
+# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH before
+# deciding to enable this.
+#
+# If you are in a large amount of rooms, you may find that enabling this
+# is necessary to reduce the significantly large response bodies.
+#
+#gzip_compression = false
+
+# Set this to true for continuwuity to compress HTTP response bodies using
+# brotli. This option does nothing if continuwuity was not built with
+# `brotli_compression` feature. Please be aware that enabling HTTP
+# compression may weaken TLS. Most users should not need to enable this.
+# See https://breachattack.com/ and https://wikipedia.org/wiki/BREACH
+# before deciding to enable this.
+#
+#brotli_compression = false
+
+# Set to true to allow user type "guest" registrations. Some clients like
+# Element attempt to register guest users automatically.
+#
+#allow_guest_registration = false
+
+# Set to true to log guest registrations in the admin room. Note that
+# these may be noisy or unnecessary if you're a public homeserver.
+#
+#log_guest_registrations = false
+
+# Set to true to allow guest registrations/users to auto join any rooms
+# specified in `auto_join_rooms`.
+#
+#allow_guests_auto_join_rooms = false
+
+# Enable the legacy unauthenticated Matrix media repository endpoints.
+# These endpoints consist of:
+# - /_matrix/media/*/config
+# - /_matrix/media/*/upload
+# - /_matrix/media/*/preview_url
+# - /_matrix/media/*/download/*
+# - /_matrix/media/*/thumbnail/*
+#
+# The authenticated equivalent endpoints are always enabled.
+#
+# Defaults to true for now, but this is highly subject to change, likely
+# in the next release.
+#
+#allow_legacy_media = true
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#freeze_legacy_media = true
+
+# Check consistency of the media directory at startup:
+# 1. When `media_compat_file_link` is enabled, this check will upgrade
+# media when switching back and forth between Conduit and continuwuity.
+# Both options must be enabled to handle this.
+# 2. When media is deleted from the directory, this check will also delete
+# its database entry.
+#
+# If none of these checks apply to your use cases, and your media
+# directory is significantly large setting this to false may reduce
+# startup time.
+#
+#media_startup_check = true
+
+# Enable backward-compatibility with Conduit's media directory by creating
+# symlinks of media.
+#
+# This option is only necessary if you plan on using Conduit again.
+# Otherwise setting this to false reduces filesystem clutter and overhead
+# for managing these symlinks in the directory. This is now disabled by
+# default. You may still return to upstream Conduit but you have to run
+# continuwuity at least once with this set to true and allow the
+# media_startup_check to take place before shutting down to return to
+# Conduit.
+#
+#media_compat_file_link = false
+
+# Prune missing media from the database as part of the media startup
+# checks.
+#
+# This means if you delete files from the media directory the
+# corresponding entries will be removed from the database. This is
+# disabled by default because if the media directory is accidentally moved
+# or inaccessible, the metadata entries in the database will be lost with
+# sadness.
+#
+#prune_missing_media = false
+
+# Vector list of servers that continuwuity will refuse to download remote
+# media from.
+#
+#prevent_media_downloads_from = []
+
+# List of forbidden server names that we will block incoming AND outgoing
+# federation with, and block client room joins / remote user invites.
+#
+# This check is applied on the room ID, room alias, sender server name,
+# sender user's server name, inbound federation X-Matrix origin, and
+# outbound federation handler.
+#
+# Basically "global" ACLs.
+#
+#forbidden_remote_server_names = []
+
+# List of forbidden server names that we will block all outgoing federated
+# room directory requests for. Useful for preventing our users from
+# wandering into bad servers or spaces.
+#
+#forbidden_remote_room_directory_server_names = []
+
+# Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
+# do not want continuwuity to send outbound requests to. Defaults to
+# RFC1918, unroutable, loopback, multicast, and testnet addresses for
+# security.
+#
+# Please be aware that this is *not* a guarantee. You should be using a
+# firewall with zones as doing this on the application layer may have
+# bypasses.
+#
+# Currently this does not account for proxies in use like Synapse does.
+#
+# To disable, set this to be an empty vector (`[]`).
+#
+# Defaults to:
+# ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
+# "192.168.0.0/16", "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16",
+# "192.88.99.0/24", "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24",
+# "203.0.113.0/24", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7",
+# "2001:db8::/32", "ff00::/8", "fec0::/10"]
+#
+#ip_range_denylist =
+
+# Optional IP address or network interface-name to bind as the source of
+# URL preview requests. If not set, it will not bind to a specific
+# address or interface.
+#
+# Interface names only supported on Linux, Android, and Fuchsia platforms;
+# all other platforms can specify the IP address. To list the interfaces
+# on your system, use the command `ip link show`.
+#
+# example: `"eth0"` or `"1.2.3.4"`
+#
+#url_preview_bound_interface =
+
+# Vector list of domains allowed to send requests to for URL previews.
+#
+# This is a *contains* match, not an explicit match. Putting "google.com"
+# will match "https://google.com" and
+# "http://mymaliciousdomainexamplegoogle.com" Setting this to "*" will
+# allow all URL previews. Please note that this opens up significant
+# attack surface to your server, you are expected to be aware of the risks
+# by doing so.
+#
+#url_preview_domain_contains_allowlist = []
+
+# Vector list of explicit domains allowed to send requests to for URL
+# previews.
+#
+# This is an *explicit* match, not a contains match. Putting "google.com"
+# will match "https://google.com", "http://google.com", but not
+# "https://mymaliciousdomainexamplegoogle.com". Setting this to "*" will
+# allow all URL previews. Please note that this opens up significant
+# attack surface to your server, you are expected to be aware of the risks
+# by doing so.
+#
+#url_preview_domain_explicit_allowlist = []
+
+# Vector list of explicit domains not allowed to send requests to for URL
+# previews.
+#
+# This is an *explicit* match, not a contains match. Putting "google.com"
+# will match "https://google.com", "http://google.com", but not
+# "https://mymaliciousdomainexamplegoogle.com". The denylist is checked
+# first before allowlist. Setting this to "*" will not do anything.
+#
+#url_preview_domain_explicit_denylist = []
+
+# Vector list of URLs allowed to send requests to for URL previews.
+#
+# Note that this is a *contains* match, not an explicit match. Putting
+# "google.com" will match "https://google.com/",
+# "https://google.com/url?q=https://mymaliciousdomainexample.com", and
+# "https://mymaliciousdomainexample.com/hi/google.com" Setting this to "*"
+# will allow all URL previews. Please note that this opens up significant
+# attack surface to your server, you are expected to be aware of the risks
+# by doing so.
+#
+#url_preview_url_contains_allowlist = []
+
+# Maximum amount of bytes allowed in a URL preview body size when
+# spidering. Defaults to 256KB in bytes.
+#
+#url_preview_max_spider_size = 256000
+
+# Option to decide whether you would like to run the domain allowlist
+# checks (contains and explicit) on the root domain or not. Does not apply
+# to URL contains allowlist. Defaults to false.
+#
+# Example usecase: If this is enabled and you have "wikipedia.org" allowed
+# in the explicit and/or contains domain allowlist, it will allow all
+# subdomains under "wikipedia.org" such as "en.m.wikipedia.org" as the
+# root domain is checked and matched. Useful if the domain contains
+# allowlist is still too broad for you but you still want to allow all the
+# subdomains under a root domain.
+#
+#url_preview_check_root_domain = false
+
+# List of forbidden room aliases and room IDs as strings of regex
+# patterns.
+#
+# Regex can be used or explicit contains matches can be done by just
+# specifying the words (see example).
+#
+# This is checked upon room alias creation, custom room ID creation if
+# used, and startup as warnings if any room aliases in your database have
+# a forbidden room alias/ID.
+#
+# example: ["19dollarfortnitecards", "b[4a]droom"]
+#
+#forbidden_alias_names = []
+
+# List of forbidden username patterns/strings.
+#
+# Regex can be used or explicit contains matches can be done by just
+# specifying the words (see example).
+#
+# This is checked upon username availability check, registration, and
+# startup as warnings if any local users in your database have a forbidden
+# username.
+#
+# example: ["administrator", "b[a4]dusernam[3e]"]
+#
+#forbidden_usernames = []
+
+# Retry failed and incomplete messages to remote servers immediately upon
+# startup. This is called bursting. If this is disabled, said messages may
+# not be delivered until more messages are queued for that server. Do not
+# change this option unless server resources are extremely limited or the
+# scale of the server's deployment is huge. Do not disable this unless you
+# know what you are doing.
+#
+#startup_netburst = true
+
+# Messages are dropped and not reattempted. The `startup_netburst` option
+# must be enabled for this value to have any effect. Do not change this
+# value unless you know what you are doing. Set this value to -1 to
+# reattempt every message without trimming the queues; this may consume
+# significant disk. Set this value to 0 to drop all messages without any
+# attempt at redelivery.
+#
+#startup_netburst_keep = 50
+
+# Block non-admin local users from sending room invites (local and
+# remote), and block non-admin users from receiving remote room invites.
+#
+# Admins are always allowed to send and receive all room invites.
+#
+#block_non_admin_invites = false
+
+# Allow admins to enter commands in rooms other than "#admins" (admin
+# room) by prefixing your message with "\!admin" or "\\!admin" followed up
+# a normal continuwuity admin command. The reply will be publicly visible to
+# the room, originating from the sender.
+#
+# example: \\!admin debug ping puppygock.gay
+#
+#admin_escape_commands = true
+
+# Automatically activate the continuwuity admin room console / CLI on
+# startup. This option can also be enabled with `--console` continuwuity
+# argument.
+#
+#admin_console_automatic = false
+
+# List of admin commands to execute on startup.
+#
+# This option can also be configured with the `--execute` continuwuity
+# argument and can take standard shell commands and environment variables
+#
+# For example: `./continuwuity --execute "server admin-notice continuwuity has
+# started up at $(date)"`
+#
+# example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
+#
+#admin_execute = []
+
+# Ignore errors in startup commands.
+#
+# If false, continuwuity will error and fail to start if an admin execute
+# command (`--execute` / `admin_execute`) fails.
+#
+#admin_execute_errors_ignore = false
+
+# Controls the max log level for admin command log captures (logs
+# generated from running admin commands). Defaults to "info" on release
+# builds, else "debug" on debug builds.
+#
+#admin_log_capture = "info"
+
+# The default room tag to apply on the admin room.
+#
+# On some clients like Element, the room tag "m.server_notice" is a
+# special pinned room at the very bottom of your room list. The continuwuity
+# admin room can be pinned here so you always have an easy-to-access
+# shortcut dedicated to your admin room.
+#
+#admin_room_tag = "m.server_notice"
+
+# Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
+# This is NOT enabled by default. continuwuity's default Sentry reporting
+# endpoint domain is `o4506996327251968.ingest.us.sentry.io`.
+#
+#sentry = false
+
+# Sentry reporting URL, if a custom one is desired.
+#
+#sentry_endpoint = "https://fe2eb4536aa04949e28eff3128d64757@o4506996327251968.ingest.us.sentry.io/4506996334657536"
+
+# Report your continuwuity server_name in Sentry.io crash reports and
+# metrics.
+#
+#sentry_send_server_name = false
+
+# Performance monitoring/tracing sample rate for Sentry.io.
+#
+# Note that too high values may impact performance, and can be disabled by
+# setting it to 0.0 (0%) This value is read as a percentage to Sentry,
+# represented as a decimal. Defaults to 15% of traces (0.15)
+#
+#sentry_traces_sample_rate = 0.15
+
+# Whether to attach a stacktrace to Sentry reports.
+#
+#sentry_attach_stacktrace = false
+
+# Send panics to Sentry. This is true by default, but Sentry has to be
+# enabled. The global `sentry` config option must be enabled to send any
+# data.
+#
+#sentry_send_panic = true
+
+# Send errors to sentry. This is true by default, but sentry has to be
+# enabled. This option is only effective in release-mode; forced to false
+# in debug-mode.
+#
+#sentry_send_error = true
+
+# Controls the tracing log level for Sentry to send things like
+# breadcrumbs and transactions
+#
+#sentry_filter = "info"
+
+# Enable the tokio-console. This option is only relevant to developers.
+#
+# For more information, see:
+# https://continuwuity.org/development.html#debugging-with-tokio-console
+#
+#tokio_console = false
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#test = false
+
+# Controls whether admin room notices like account registrations, password
+# changes, account deactivations, room directory publications, etc will be
+# sent to the admin room. Update notices and normal admin command
+# responses will still be sent.
+#
+#admin_room_notices = true
+
+# Enable database pool affinity support. On supporting systems, block
+# device queue topologies are detected and the request pool is optimized
+# for the hardware; db_pool_workers is determined automatically.
+#
+#db_pool_affinity = true
+
+# Sets the number of worker threads in the frontend-pool of the database.
+# This number should reflect the I/O capabilities of the system,
+# such as the queue-depth or the number of simultaneous requests in
+# flight. Defaults to 32 or four times the number of CPU cores, whichever
+# is greater.
+#
+# Note: This value is only used if db_pool_affinity is disabled or not
+# detected on the system, otherwise it is determined automatically.
+#
+#db_pool_workers = 32
+
+# When db_pool_affinity is enabled and detected, the size of any worker
+# group will not exceed the determined value. This is necessary when
+# thread-pooling approach does not scale to the full capabilities of
+# high-end hardware; using detected values without limitation could
+# degrade performance.
+#
+# The value is multiplied by the number of cores which share a device
+# queue, since group workers can be scheduled on any of those cores.
+#
+#db_pool_workers_limit = 64
+
+# Determines the size of the queues feeding the database's frontend-pool.
+# The size of the queue is determined by multiplying this value with the
+# number of pool workers. When this queue is full, tokio tasks conducting
+# requests will yield until space is available; this is good for
+# flow-control by avoiding buffer-bloat, but can inhibit throughput if
+# too low.
+#
+#db_pool_queue_mult = 4
+
+# Sets the initial value for the concurrency of streams. This value simply
+# allows overriding the default in the code. The default is 32, which is
+# the same as the default in the code. Note this value is itself
+# overridden by the computed stream_width_scale, unless that is disabled;
+# this value can serve as a fixed-width instead.
+#
+#stream_width_default = 32
+
+# Scales the stream width starting from a base value detected for the
+# specific system. The base value is the database pool worker count
+# determined from the hardware queue size (e.g. 32 for SSD or 64 or 128+
+# for NVMe). This float allows scaling the width up or down by multiplying
+# it (e.g. 1.5, 2.0, etc). The maximum result can be the size of the pool
+# queue (see: db_pool_queue_mult) as any larger value will stall the tokio
+# task. The value can also be scaled down (e.g. 0.5) to improve
+# responsiveness for many users at the cost of throughput for each.
+#
+# Setting this value to 0.0 causes the stream width to be fixed at the
+# value of stream_width_default. The default scale is 1.0 to match the
+# capabilities detected for the system.
+#
+#stream_width_scale = 1.0
+
+# Sets the initial amplification factor. This controls batch sizes of
+# requests made by each pool worker, multiplying the throughput of each
+# stream. This value is somewhat abstract from specific hardware
+# characteristics and can be significantly larger than any thread count or
+# queue size. This is because each database query may require several
+# index lookups, thus many database queries in a batch may make progress
+# independently while also sharing index and data blocks which may or may
+# not be cached. It is worthwhile to submit huge batches to reduce
+# complexity. The maximum value is 32768, though sufficient hardware is
+# still advised for that.
+#
+#stream_amplification = 1024
+
+# Number of sender task workers; determines sender parallelism. Default is
+# '0' which means the value is determined internally, likely matching the
+# number of tokio worker-threads or number of cores, etc. Override by
+# setting a non-zero value.
+#
+#sender_workers = 0
+
+[global.well_known]
+
+# The server URL that the client well-known file will serve. This should
+# not contain a port, and should just be a valid HTTPS URL.
+#
+# example: "https://matrix.example.com"
+#
+#client =
+
+# The server base domain of the URL with a specific port that the server
+# well-known file will serve. This should contain a port at the end, and
+# should not be a URL.
+#
+# example: "matrix.example.com:443"
+#
+#server =
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#support_page =
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#support_role =
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#support_email =
+
+# This item is undocumented. Please contribute documentation for it.
+#
+#support_mxid =
diff --git a/roles/custom/matrix-continuwuity/templates/env.j2 b/roles/custom/matrix-continuwuity/templates/env.j2
new file mode 100644
index 000000000..885bd1b53
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/templates/env.j2
@@ -0,0 +1 @@
+{{ matrix_continuwuity_environment_variables_extension }}
diff --git a/roles/custom/matrix-continuwuity/templates/env.j2.license b/roles/custom/matrix-continuwuity/templates/env.j2.license
new file mode 100644
index 000000000..a149c4232
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/templates/env.j2.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/roles/custom/matrix-continuwuity/templates/labels.j2 b/roles/custom/matrix-continuwuity/templates/labels.j2
new file mode 100644
index 000000000..4852e48f5
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/templates/labels.j2
@@ -0,0 +1,173 @@
+{#
+SPDX-FileCopyrightText: 2025 MDAD project contributors
+SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+SPDX-FileCopyrightText: 2025 Suguru Hirahara
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if matrix_continuwuity_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_continuwuity_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_continuwuity_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-continuwuity.loadbalancer.server.port={{ matrix_continuwuity_config_port_number }}
+
+
+{% if matrix_continuwuity_container_labels_public_client_root_enabled %}
+############################################################
+# #
+# Public Root path (/) #
+# #
+############################################################
+
+{% set client_root_middlewares = [] %}
+
+{% if matrix_continuwuity_container_labels_public_client_root_redirection_enabled %}
+{% set client_root_middlewares = client_root_middlewares + ['matrix-continuwuity-client-root-redirect'] %}
+traefik.http.middlewares.matrix-continuwuity-client-root-redirect.redirectregex.regex=(.*)
+traefik.http.middlewares.matrix-continuwuity-client-root-redirect.redirectregex.replacement={{ matrix_continuwuity_container_labels_public_client_root_redirection_url }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-client-root.rule={{ matrix_continuwuity_container_labels_public_client_root_traefik_rule }}
+
+traefik.http.routers.matrix-continuwuity-public-client-root.middlewares={{ client_root_middlewares | join(',') }}
+
+{% if matrix_continuwuity_container_labels_public_client_root_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-public-client-root.priority={{ matrix_continuwuity_container_labels_public_client_root_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-client-root.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-public-client-root.entrypoints={{ matrix_continuwuity_container_labels_public_client_root_traefik_entrypoints }}
+traefik.http.routers.matrix-continuwuity-public-client-root.tls={{ matrix_continuwuity_container_labels_public_client_root_traefik_tls | to_json }}
+
+{% if matrix_continuwuity_container_labels_public_client_root_traefik_tls %}
+traefik.http.routers.matrix-continuwuity-public-client-root.tls.certResolver={{ matrix_continuwuity_container_labels_public_client_root_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+# #
+# /Public Root path (/) #
+# #
+############################################################
+{% endif %}
+
+
+{% if matrix_continuwuity_container_labels_public_client_api_enabled %}
+############################################################
+# #
+# Public Client-API (/_matrix) #
+# #
+############################################################
+
+traefik.http.routers.matrix-continuwuity-public-client-api.rule={{ matrix_continuwuity_container_labels_public_client_api_traefik_rule }}
+
+{% if matrix_continuwuity_container_labels_public_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-public-client-api.priority={{ matrix_continuwuity_container_labels_public_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-client-api.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-public-client-api.entrypoints={{ matrix_continuwuity_container_labels_public_client_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-continuwuity-public-client-api.tls={{ matrix_continuwuity_container_labels_public_client_api_traefik_tls | to_json }}
+{% if matrix_continuwuity_container_labels_public_client_api_traefik_tls %}
+traefik.http.routers.matrix-continuwuity-public-client-api.tls.certResolver={{ matrix_continuwuity_container_labels_public_client_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+# #
+# /Public Client-API (/_matrix) #
+# #
+############################################################
+{% endif %}
+
+
+{% if matrix_continuwuity_container_labels_internal_client_api_enabled %}
+############################################################
+# #
+# Internal Client-API (/_matrix) #
+# #
+############################################################
+
+traefik.http.routers.matrix-continuwuity-internal-client-api.rule={{ matrix_continuwuity_container_labels_internal_client_api_traefik_rule }}
+
+{% if matrix_continuwuity_container_labels_internal_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-internal-client-api.priority={{ matrix_continuwuity_container_labels_internal_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-internal-client-api.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-internal-client-api.entrypoints={{ matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints }}
+
+############################################################
+# #
+# /Internal Client-API (/_matrix) #
+# #
+############################################################
+{% endif %}
+
+
+{% if matrix_continuwuity_container_labels_public_federation_api_enabled %}
+############################################################
+# #
+# Public Federation-API (/_matrix) #
+# #
+############################################################
+
+traefik.http.routers.matrix-continuwuity-public-federation-api.rule={{ matrix_continuwuity_container_labels_public_federation_api_traefik_rule }}
+
+{% if matrix_continuwuity_container_labels_public_federation_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-public-federation-api.priority={{ matrix_continuwuity_container_labels_public_federation_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-federation-api.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-public-federation-api.entrypoints={{ matrix_continuwuity_container_labels_public_federation_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-continuwuity-public-federation-api.tls={{ matrix_continuwuity_container_labels_public_federation_api_traefik_tls | to_json }}
+{% if matrix_continuwuity_container_labels_public_federation_api_traefik_tls %}
+traefik.http.routers.matrix-continuwuity-public-federation-api.tls.certResolver={{ matrix_continuwuity_container_labels_public_federation_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+# #
+# /Public Federation-API (/_matrix) #
+# #
+############################################################
+{% endif %}
+
+
+
+
+{% if matrix_continuwuity_container_labels_public_continuwuity_api_enabled %}
+############################################################
+# #
+# Public continuwuity-API (/_continuwuity) #
+# #
+############################################################
+
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.rule={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_rule }}
+
+{% if matrix_continuwuity_container_labels_public_continuwuity_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.priority={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.entrypoints={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.tls={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls | to_json }}
+{% if matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls %}
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.tls.certResolver={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+# #
+# /Public continuwuity-API (/_continuwuity) #
+# #
+############################################################
+{% endif %}
+
+
+{% endif %}
+
+{{ matrix_continuwuity_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2 b/roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2
new file mode 100644
index 000000000..572b14882
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2
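Review bot: The `matrix-continuwuity-public-continuwuity-api` router publishes everything under `/_continuwuity` on the public entrypoints, but nothing in the template records what that prefix serves or why it needs to be internet-reachable, and the default of `matrix_continuwuity_container_labels_public_continuwuity_api_enabled` is not visible in this diff. On the conduwuit ancestor the equivalent prefix presumably carried more than a version string (e.g. server statistics), so an operator deciding whether to leave it public has no guidance here. I would add a Jinja comment directly above the `{% if matrix_continuwuity_container_labels_public_continuwuity_api_enabled %}` line, e.g. `{# /_continuwuity is continuwuity's non-Matrix, server-specific API; review what it exposes before leaving this router enabled on public entrypoints #}`, and mirror that in the role's defaults next to the flag.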
@@ -0,0 +1,51 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=continuwuity Matrix homeserver
+{% for service in matrix_continuwuity_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-continuwuity 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-continuwuity 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+ --rm \
+ --name=matrix-continuwuity \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --read-only \
+ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_continuwuity_tmp_directory_size_mb }}m \
+ --network={{ matrix_continuwuity_container_network }} \
+ --env continuwuity_CONFIG=/etc/continuwuity/continuwuity.toml \
+ --label-file={{ matrix_continuwuity_base_path }}/labels \
+ --mount type=bind,src={{ matrix_continuwuity_data_path }},dst=/var/lib/continuwuity \
+ --mount type=bind,src={{ matrix_continuwuity_config_path }},dst=/etc/continuwuity,ro \
+ {% for arg in matrix_continuwuity_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_continuwuity_docker_image }}
+
+{% for network in matrix_continuwuity_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-continuwuity
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-continuwuity
+
+{% if matrix_continuwuity_systemd_service_post_start_delay_seconds != 0 %}
+ExecStartPost=-{{ matrix_host_command_sleep }} {{ 
matrix_continuwuity_systemd_service_post_start_delay_seconds }}
+{% endif %}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-continuwuity 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-continuwuity 2>/dev/null || true'
+ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-continuwuity /bin/sh -c 'kill -HUP 1'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-continuwuity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2.license b/roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2.license
new file mode 100644
index 000000000..6fe7fc50c
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2.license
@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: 2025 MDAD project contributors
+SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+
+SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/roles/custom/matrix-continuwuity/vars/main.yml b/roles/custom/matrix-continuwuity/vars/main.yml
new file mode 100644
index 000000000..d51a37c72
--- /dev/null
+++ b/roles/custom/matrix-continuwuity/vars/main.yml
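Review bot: The environment variable name in `--env continuwuity_CONFIG=/etc/continuwuity/continuwuity.toml \` is lowercase, which looks like an artifact of a case-insensitive conduwuit→continuwuity rename rather than the name the server reads. Environment variable names are case-sensitive on Linux, so if the image expects the uppercase form (`CONTINUWUITY_CONFIG`, with `CONDUWUIT_CONFIG` kept as a compatibility alias as far as I know — confirm against the image's documentation), the server will not be pointed at the read-only config mount at all and will start with whatever defaults the image ships, silently bypassing the hardened settings rendered into the TOML. Suggested line: `--env CONTINUWUITY_CONFIG=/etc/continuwuity/continuwuity.toml \`. A short comment above `ExecReload=` would also help, since it relies on the server treating SIGHUP as a reload signal, e.g. `# Reload relies on the server handling SIGHUP; inherited from the conduwuit unit — verify continuwuity does the same`.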
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+matrix_continuwuity_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}/_matrix/client/versions"
+matrix_continuwuity_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"
diff --git a/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_continuwuity.yml b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_continuwuity.yml
new file mode 100644
index 000000000..f5b4c320d
--- /dev/null
+++ b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_continuwuity.yml
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 Suguru Hirahara
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure continuwuity user registered - {{ user.username | quote }}
+ ansible.builtin.debug:
+ msg: "Not registering user. To register continuwuity users, message the continuwuity bot"
diff --git a/setup.yml b/setup.yml
index b5aa83412..76aa726a4
--- a/setup.yml
+++ b/setup.yml
@@ -105,6 +105,7 @@
 - custom/matrix-dendrite
 - custom/matrix-conduit
 - custom/matrix-conduwuit
+ - custom/matrix-continuwuity
 - custom/matrix-synapse-admin
 - custom/matrix-synapse-usage-exporter
 - galaxy/prometheus_node_exporter