initial conduwuit support

group_vars/matrix_servers

@@ -232,7 +232,7 @@ matrix_addons_homeserver_client_api_url: "{{ ('http://' + matrix_playbook_revers
 matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.service'] if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' else []) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_systemd_services_list }}"
 
 # Starting from version `0.6.0` Conduit natively supports some sync v3 (sliding-sync) features.
-matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit'] else '') }}"
+matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit', 'conduwuit'] else '') }}"
 
 ########################################################################
 #                                                                      #
@@ -553,6 +553,7 @@ matrix_homeserver_container_client_api_endpoint: |-
       'synapse': ('matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled | default(false) else ('matrix-synapse:'+ matrix_synapse_container_client_api_port | default('8008') | string)),
       'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
       'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
+      'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_port_number | default('8008') | string),
     }[matrix_homeserver_implementation]
   }}
 
@@ -562,6 +563,7 @@ matrix_homeserver_container_federation_api_endpoint: |-
       'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else ('matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port | default('8008') | string)),
       'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
       'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
+      'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_port_number | default('8008') | string),
     }[matrix_homeserver_implementation]
   }}
 
@@ -5503,6 +5505,7 @@ grafana_default_home_dashboard_path: |-
       'synapse': ('/etc/grafana/dashboards/synapse.json' if matrix_synapse_metrics_enabled and matrix_synapse_metrics_enabled else ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else '')),
       'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
       'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
+      'conduwuit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
     }[matrix_homeserver_implementation]
   }}
 
@@ -5560,6 +5563,7 @@ matrix_registration_shared_secret: |-
       'synapse': matrix_synapse_registration_shared_secret | default (''),
       'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''),
       'conduit': '',
+      'conduwuit': '',
     }[matrix_homeserver_implementation]
   }}
 
@@ -5804,6 +5808,66 @@ matrix_conduit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix
 ######################################################################
 
 
+######################################################################
+#
+# matrix-conduwuit
+#
+######################################################################
+
+matrix_conduwuit_enabled: "{{ matrix_homeserver_implementation == 'conduwuit' }}"
+
+matrix_conduwuit_hostname: "{{ matrix_server_fqn_matrix }}"
+
+matrix_conduwuit_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
+
+matrix_conduwuit_container_network: "{{ matrix_homeserver_container_network }}"
+
+matrix_conduwuit_container_additional_networks_auto: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_conduwuit_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
+    ) | unique
+  }}
+
+matrix_conduwuit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and not matrix_synapse_workers_enabled }}"
+matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_conduwuit_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_conduwuit_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_conduwuit_container_labels_public_client_root_redirection_enabled: "{{ matrix_conduwuit_container_labels_public_client_root_redirection_url != '' }}"
+matrix_conduwuit_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
+
+matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}"
+matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
+matrix_conduwuit_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
+
+matrix_conduwuit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
+matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+
+matrix_conduwuit_turn_uris: |
+  {{
+    ([
+      'turns:' + matrix_server_fqn_matrix + '?transport=udp',
+      'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
+    ] if matrix_coturn_enabled and matrix_coturn_tls_enabled else [])
+    +
+    ([
+      'turn:' + matrix_server_fqn_matrix + '?transport=udp',
+      'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
+    ] if matrix_coturn_enabled else [])
+  }}
+
+matrix_conduwuit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
+matrix_conduwuit_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
+matrix_conduwuit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
+
+######################################################################
+#
+# /matrix-conduwuit
+#
+######################################################################
+
+
 ######################################################################
 #
 # matrix-user-creator

roles/custom/matrix-base/defaults/main.yml

@@ -49,7 +49,7 @@ matrix_monitoring_container_network: matrix-monitoring
 matrix_homeserver_enabled: true
 
 # This will contain the homeserver implementation that is in use.
-# Valid values: synapse, dendrite, conduit
+# Valid values: synapse, dendrite, conduit, conduwuit
 #
 # By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
 #

roles/custom/matrix-base/tasks/validate_config.yml

@@ -3,7 +3,7 @@
 - name: Fail if invalid homeserver implementation
   ansible.builtin.fail:
     msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`"
-  when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit']"
+  when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'conduwuit']"
 
 - name: (Deprecation) Catch and report renamed settings
   ansible.builtin.fail:

roles/custom/matrix-conduwuit/defaults/main.yml

@@ -0,0 +1,147 @@
+---
+# Conduwuit is a fork of Conduit, powered by Matrix
+# Project source code URL: https://github.com/girlbossceo/conduwuit
+# See: https://conduwuit.puppyirl.gay/
+
+matrix_conduwuit_enabled: true
+
+matrix_conduwuit_hostname: ''
+
+matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_name_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}"
+matrix_conduwuit_docker_image_name_prefix: "docker.io/"
+# renovate: datasource=docker depName=matrixconduwuit/matrix-conduwuit
+matrix_conduwuit_docker_image_tag: "main"
+matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}"
+
+matrix_conduwuit_base_path: "{{ matrix_base_data_path }}/conduwuit"
+matrix_conduwuit_config_path: "{{ matrix_conduwuit_base_path }}/config"
+matrix_conduwuit_data_path: "{{ matrix_conduwuit_base_path }}/data"
+
+matrix_conduwuit_port_number: 6167
+
+matrix_conduwuit_tmp_directory_size_mb: 500
+
+# List of systemd services that matrix-conduwuit.service depends on
+matrix_conduwuit_systemd_required_services_list: "{{ matrix_conduwuit_systemd_required_services_list_default + matrix_conduwuit_systemd_required_services_list_auto + matrix_conduwuit_systemd_required_services_list_custom }}"
+matrix_conduwuit_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_conduwuit_systemd_required_services_list_auto: []
+matrix_conduwuit_systemd_required_services_list_custom: []
+
+# List of systemd services that matrix-conduwuit.service wants
+matrix_conduwuit_systemd_wanted_services_list: []
+
+# Controls how long to sleep for after starting the matrix-synapse container.
+#
+# Delaying, so that the homeserver can manage to fully start and various services
+# that depend on it (`matrix_conduwuit_systemd_required_services_list` and `matrix_conduwuit_systemd_wanted_services_list`)
+# may only start after the homeserver is up and running.
+#
+# This can be set to 0 to remove the delay.
+matrix_conduwuit_systemd_service_post_start_delay_seconds: 3
+
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_conduwuit_container_network: ""
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to another reverse proxy, which runs in a different container network.
+matrix_conduwuit_container_additional_networks: "{{ matrix_conduwuit_container_additional_networks_auto + matrix_conduwuit_container_additional_networks_custom }}"
+matrix_conduwuit_container_additional_networks_auto: []
+matrix_conduwuit_container_additional_networks_custom: []
+
+# matrix_conduwuit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_conduwuit_container_labels_additional_labels`.
+matrix_conduwuit_container_labels_traefik_enabled: true
+matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_conduwuit_container_network }}"
+matrix_conduwuit_container_labels_traefik_entrypoints: web-secure
+matrix_conduwuit_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.
+matrix_conduwuit_container_labels_public_client_root_enabled: true
+matrix_conduwuit_container_labels_public_client_root_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
+matrix_conduwuit_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"
+matrix_conduwuit_container_labels_public_client_root_traefik_priority: 0
+matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
+matrix_conduwuit_container_labels_public_client_root_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints != 'web' }}"
+matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+matrix_conduwuit_container_labels_public_client_root_redirection_enabled: false
+matrix_conduwuit_container_labels_public_client_root_redirection_url: ""
+
+# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
+matrix_conduwuit_container_labels_public_client_api_enabled: true
+matrix_conduwuit_container_labels_public_client_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
+matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix: /_matrix
+matrix_conduwuit_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}`)"
+matrix_conduwuit_container_labels_public_client_api_traefik_priority: 0
+matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
+matrix_conduwuit_container_labels_public_client_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
+matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
+# This is similar to `matrix_conduwuit_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
+matrix_conduwuit_container_labels_internal_client_api_enabled: false
+matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}"
+matrix_conduwuit_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix }}`)"
+matrix_conduwuit_container_labels_internal_client_api_traefik_priority: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}"
+matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: ""
+
+# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
+matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_allow_federation }}"
+matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
+matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix: /_matrix
+matrix_conduwuit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix }}`)"
+matrix_conduwuit_container_labels_public_federation_api_traefik_priority: 0
+matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: ''
+# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
+matrix_conduwuit_container_labels_public_federation_api_traefik_tls: true
+matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# matrix_conduwuit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_conduwuit_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_conduwuit_container_labels_additional_labels: ''
+
+# Extra arguments for the Docker container
+matrix_conduwuit_container_extra_arguments: []
+
+# Specifies which template files to use when configuring conduwuit.
+# If you'd like to have your own different configuration, feel free to copy and paste
+# the original files into your inventory (e.g. in `inventory/host_vars/matrix.example.com/`)
+# and then change the specific host's `vars.yml` file like this:
+# matrix_conduwuit_template_conduwuit_config: "{{ playbook_dir }}/inventory/host_vars/matrix.example.com/conduwuit.toml.j2"
+matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit.toml.j2"
+
+# Max size for uploads, in bytes
+matrix_conduwuit_max_request_size: 20_000_000
+
+# Maximum number of open files for conduwuit's embedded RocksDB database
+# See https://github.com/facebook/rocksdb/wiki/RocksDB-Tuning-Guide#tuning-other-options
+# By default, conduwuit uses a relatively low value of 20.
+matrix_conduwuit_rocksdb_max_open_files: 64
+
+# Enables registration. If set to false, no users can register on this server.
+matrix_conduwuit_allow_registration: false
+
+matrix_conduwuit_allow_federation: true
+
+# Enable the display name lightning bolt on registration.
+matrix_conduwuit_enable_lightning_bolt: true
+
+matrix_conduwuit_trusted_servers:
+ - "matrix.org"
+
+# How many requests conduwuit sends to other servers at the same time
+matrix_conduwuit_max_concurrent_requests: 100
+
+# TURN integration.
+# See: https://gitlab.com/famedly/conduwuit/-/blob/next/TURN.md
+matrix_conduwuit_turn_uris: []
+matrix_conduwuit_turn_secret: ''
+matrix_conduwuit_turn_username: ''
+matrix_conduwuit_turn_password: ''

roles/custom/matrix-conduwuit/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- tags:
+    - setup-all
+    - setup-conduwuit
+    - install-all
+    - install-conduwuit
+  block:
+    - when: matrix_conduwuit_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_conduwuit_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+
+- tags:
+    - setup-all
+    - setup-conduwuit
+  block:
+    - when: not matrix_conduwuit_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

roles/custom/matrix-conduwuit/tasks/setup_install.yml

@@ -0,0 +1,59 @@
+---
+
+- name: Ensure conduwuit config path exists
+  ansible.builtin.file:
+    path: "{{ matrix_conduwuit_config_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit data path exists
+  ansible.builtin.file:
+    path: "{{ matrix_conduwuit_data_path }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit configuration installed
+  ansible.builtin.template:
+    src: "{{ matrix_conduwuit_template_conduwuit_config }}"
+    dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure conduwuit support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - labels
+
+- name: Ensure conduwuit container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_conduwuit_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure conduwuit container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_conduwuit_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure matrix-conduwuit.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+    mode: 0644

roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Check existence of matrix-conduwuit service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+  register: matrix_conduwuit_service_stat
+
+- when: matrix_conduwuit_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-conduwuit is stopped
+      ansible.builtin.systemd:
+        name: matrix-conduwuit
+        state: stopped
+        daemon_reload: true
+
+    - name: Ensure matrix-conduwuit.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
+        state: absent

roles/custom/matrix-conduwuit/tasks/validate_config.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Fail if required conduwuit settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_conduwuit_hostname', when: true}
+    - {'name': 'matrix_conduwuit_container_network', when: true}
+    - {'name': 'matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_conduwuit_container_labels_internal_client_api_enabled }}"}

roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2

@@ -0,0 +1,67 @@
+# =============================================================================
+#  This is the official example config for Conduwuit.
+#  If you use it for your server, you will need to adjust it to your own needs.
+#  At the very least, change the server_name field!
+# =============================================================================
+
+
+[global]
+# The server_name is the pretty name of this server. It is used as a suffix for user
+# and room IDs. Examples: matrix.org, puppyirl.gay
+
+# The Conduwuit server needs all /_matrix/ requests to be reachable at
+# https://example.com/ on port 443 (client-server) and 8448 (federation).
+
+# If that's not possible for you, you can create /.well-known files to redirect
+# requests. See
+# https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
+# and
+# https://matrix.org/docs/spec/server_server/r0.1.4#get-well-known-matrix-server
+# for more information
+
+server_name = "{{ matrix_domain }}"
+
+# This is the only directory where Conduwuit will save its data
+database_path = "/var/lib/matrix-conduwuit/"
+database_backend = "rocksdb"
+
+# The port Conduwuit will be running on. You need to set up a reverse proxy in
+# your web server (e.g. apache or nginx), so all requests to /_matrix on port
+# 443 and 8448 will be forwarded to the Conduwuit instance running on this port
+# Docker users: Don't change this, you'll need to map an external port to this.
+port = {{ matrix_conduwuit_port_number }}
+
+# Max size for uploads
+max_request_size = {{ matrix_conduwuit_max_request_size }}
+
+# Max number of open files for the RocksDB database
+rocksdb_max_open_files = {{ matrix_conduwuit_rocksdb_max_open_files }}
+
+# Enables registration. If set to false, no users can register on this server.
+allow_registration = {{ matrix_conduwuit_allow_registration | to_json }}
+
+allow_federation = {{ matrix_conduwuit_allow_federation | to_json }}
+
+# Enable the display name lightning bolt on registration.
+enable_lightning_bolt = {{ matrix_conduwuit_enable_lightning_bolt | to_json }}
+
+trusted_servers = {{ matrix_conduwuit_trusted_servers | to_json }}
+
+max_concurrent_requests = {{ matrix_conduwuit_max_concurrent_requests }}
+
+log = "info,state_res=warn,rocket=off,_=off,sled=off"
+
+address = "0.0.0.0"
+
+turn_uris = {{ matrix_conduwuit_turn_uris | to_json }}
+
+{% if matrix_conduwuit_turn_secret != '' %}
+turn_secret = {{ matrix_conduwuit_turn_secret | to_json }}
+{% endif %}
+
+# If you have your TURN server configured to use a username and password
+# you can provide these information too. In this case comment out `turn_secret above`!
+{% if matrix_conduwuit_turn_username != '' or matrix_conduwuit_turn_password != '' %}
+turn_username = {{ matrix_conduwuit_turn_username | to_json }}
+turn_password = {{ matrix_conduwuit_turn_password | to_json }}
+{% endif %}

roles/custom/matrix-conduwuit/templates/labels.j2

@@ -0,0 +1,134 @@
+{% if matrix_conduwuit_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_conduwuit_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_conduwuit_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_port_number }}
+
+
+{% if matrix_conduwuit_container_labels_public_client_root_enabled %}
+############################################################
+#                                                          #
+# Public Root path (/)                                     #
+#                                                          #
+############################################################
+
+{% set client_root_middlewares = [] %}
+
+{% if matrix_conduwuit_container_labels_public_client_root_redirection_enabled %}
+{% set client_root_middlewares = client_root_middlewares + ['matrix-conduwuit-client-root-redirect'] %}
+traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.regex=(.*)
+traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.replacement={{ matrix_conduwuit_container_labels_public_client_root_redirection_url }}
+{% endif %}
+
+traefik.http.routers.matrix-conduwuit-public-client-root.rule={{ matrix_conduwuit_container_labels_public_client_root_traefik_rule }}
+
+traefik.http.routers.matrix-conduwuit-public-client-root.middlewares={{ client_root_middlewares | join(',') }}
+
+{% if matrix_conduwuit_container_labels_public_client_root_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-conduwuit-public-client-root.priority={{ matrix_conduwuit_container_labels_public_client_root_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-conduwuit-public-client-root.service=matrix-conduwuit
+traefik.http.routers.matrix-conduwuit-public-client-root.entrypoints={{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints }}
+traefik.http.routers.matrix-conduwuit-public-client-root.tls={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls | to_json }}
+
+{% if matrix_conduwuit_container_labels_public_client_root_traefik_tls %}
+traefik.http.routers.matrix-conduwuit-public-client-root.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public Root path (/)                                    #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% if matrix_conduwuit_container_labels_public_client_api_enabled %}
+############################################################
+#                                                          #
+# Public Client-API (/_matrix)                             #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-conduwuit-public-client-api.rule={{ matrix_conduwuit_container_labels_public_client_api_traefik_rule }}
+
+{% if matrix_conduwuit_container_labels_public_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-conduwuit-public-client-api.priority={{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-conduwuit-public-client-api.service=matrix-conduwuit
+traefik.http.routers.matrix-conduwuit-public-client-api.entrypoints={{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-conduwuit-public-client-api.tls={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls | to_json }}
+{% if matrix_conduwuit_container_labels_public_client_api_traefik_tls %}
+traefik.http.routers.matrix-conduwuit-public-client-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public Client-API (/_matrix)                            #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% if matrix_conduwuit_container_labels_internal_client_api_enabled %}
+############################################################
+#                                                          #
+# Internal Client-API (/_matrix)                           #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-conduwuit-internal-client-api.rule={{ matrix_conduwuit_container_labels_internal_client_api_traefik_rule }}
+
+{% if matrix_conduwuit_container_labels_internal_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-conduwuit-internal-client-api.priority={{ matrix_conduwuit_container_labels_internal_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-conduwuit-internal-client-api.service=matrix-conduwuit
+traefik.http.routers.matrix-conduwuit-internal-client-api.entrypoints={{ matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints }}
+
+############################################################
+#                                                          #
+# /Internal Client-API (/_matrix)                          #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% if matrix_conduwuit_container_labels_public_federation_api_enabled %}
+############################################################
+#                                                          #
+# Public Federation-API (/_matrix)                         #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-conduwuit-public-federation-api.rule={{ matrix_conduwuit_container_labels_public_federation_api_traefik_rule }}
+
+{% if matrix_conduwuit_container_labels_public_federation_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-conduwuit-public-federation-api.priority={{ matrix_conduwuit_container_labels_public_federation_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-conduwuit-public-federation-api.service=matrix-conduwuit
+traefik.http.routers.matrix-conduwuit-public-federation-api.entrypoints={{ matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-conduwuit-public-federation-api.tls={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls | to_json }}
+{% if matrix_conduwuit_container_labels_public_federation_api_traefik_tls %}
+traefik.http.routers.matrix-conduwuit-public-federation-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public Federation-API (/_matrix)                        #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% endif %}
+
+{{ matrix_conduwuit_container_labels_additional_labels }}

roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2

@@ -0,0 +1,51 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Conduwuit Matrix homeserver
+{% for service in matrix_conduwuit_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+			--rm \
+			--name=matrix-conduwuit \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduwuit_tmp_directory_size_mb }}m \
+			--network={{ matrix_conduwuit_container_network }} \
+			--env conduwuit_CONFIG=/etc/matrix-conduwuit/conduwuit.toml \
+			--label-file={{ matrix_conduwuit_base_path }}/labels \
+			--mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/matrix-conduwuit \
+			--mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/matrix-conduwuit,ro \
+			{% for arg in matrix_conduwuit_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_conduwuit_docker_image }}
+
+{% for network in matrix_conduwuit_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduwuit
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduwuit
+
+{% if matrix_conduwuit_systemd_service_post_start_delay_seconds != 0 %}
+ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_conduwuit_systemd_service_post_start_delay_seconds }}
+{% endif %}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true'
+ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduwuit /bin/sh -c 'kill -HUP 1'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-conduwuit
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-conduwuit/vars/main.yml

@@ -0,0 +1,3 @@
+---
+matrix_conduwuit_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}/_matrix/client/versions"
+matrix_conduwuit_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_conduwuit.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Ensure Conduwuit user registered - {{ user.username | quote }}
+  ansible.builtin.debug:
+    msg: "Not registering user. To register Conduwuit users, message the Conduwuit bot"

roles/custom/matrix_playbook_migration/tasks/validate_config.yml

@@ -302,6 +302,14 @@
         - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks', 'new': '<removed>'}
+        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_enabled', 'new': 'matrix_conduwuit_container_labels_traefik_enabled'}
+        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_block_federation_api_on_client_port', 'new': '<not supported anymore - the /_matrix/federation endpoints are now also being served on the Client-Server API port>'}
+        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_enabled', 'new': 'matrix_conduwuit_container_labels_public_federation_api_enabled'}
+        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_with_container', 'new': '<removed>'}
+        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_client_api_addr_sans_container', 'new': '<removed>'}
+        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_with_container', 'new': '<removed>'}
+        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_federation_api_addr_sans_container', 'new': '<removed>'}
+        - {'old': 'matrix_nginx_proxy_proxy_conduwuit_additional_server_configuration_blocks', 'new': '<removed>'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_enabled', 'new': 'matrix_dendrite_container_labels_traefik_enabled'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port', 'new': '<not supported anymore - the /_matrix/federation endpoints are now also being served on the Client-Server API port>'}
         - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_public_federation_api_enabled'}

setup.yml

@@ -106,6 +106,7 @@
     - custom/matrix-synapse-reverse-proxy-companion
     - custom/matrix-dendrite
     - custom/matrix-conduit
+    - custom/matrix-conduwuit
     - custom/matrix-synapse-admin
     - custom/matrix-synapse-usage-exporter
     - galaxy/prometheus_node_exporter