From da48a605bbb1eb9cd4b768774877449e35be52d3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Jan 2024 13:44:19 +0200 Subject: [PATCH] More progress on matrix-static-files role and cleaning up of matrix-base and matrix-nginx-proxy --- docs/configuring-well-known.md | 8 +- group_vars/matrix_servers | 12 +- roles/custom/matrix-base/defaults/main.yml | 130 ------------------ roles/custom/matrix-base/tasks/main.yml | 16 --- .../matrix-base/tasks/setup_well_known.yml | 14 -- .../matrix-base/tasks/validate_config.yml | 6 +- .../static-files/well-known/matrix-client.j2 | 51 ------- .../static-files/well-known/matrix-server.j2 | 4 - .../static-files/well-known/matrix-support.j2 | 7 - .../matrix-nginx-proxy/defaults/main.yml | 9 -- .../tasks/setup_well_known.yml | 25 ---- .../nginx/conf.d/matrix-base-domain.conf.j2 | 11 -- .../nginx/conf.d/matrix-domain.conf.j2 | 12 -- .../systemd/matrix-nginx-proxy.service.j2 | 1 - .../matrix-static-files/defaults/main.yml | 14 ++ .../tasks/self_check_well_known.yml | 15 +- .../tasks/self_check_well_known_file.yml | 4 +- ...cleanup_matrix_static_files_well_known.yml | 9 ++ .../matrix_playbook_migration/tasks/main.yml | 6 + .../tasks/validate_config.yml | 10 ++ 20 files changed, 59 insertions(+), 305 deletions(-) delete mode 100644 roles/custom/matrix-base/tasks/setup_well_known.yml delete mode 100644 roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 delete mode 100644 roles/custom/matrix-base/templates/static-files/well-known/matrix-server.j2 delete mode 100644 roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2 delete mode 100644 roles/custom/matrix-nginx-proxy/tasks/setup_well_known.yml create mode 100644 roles/custom/matrix_playbook_migration/tasks/cleanup_matrix_static_files_well_known.yml diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index f52e4f612..024291e66 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md 
@@ -40,15 +40,15 @@ To learn how to set it up, read the Installing section below. [MSC 1929](https://github.com/matrix-org/matrix-spec-proposals/pull/1929) specifies a way to add contact details of admins, as well as a link to a support page for users who are having issues with the service. Automated services may also index this information and use it for abuse reports, etc. -The two playbook variables that you could look for, if you're interested in being an early adopter, are: `matrix_homeserver_admin_contacts` and `matrix_homeserver_support_url`. +The two playbook variables that you could look for, if you're interested in being an early adopter, are: `matrix_static_files_file_matrix_support_property_m_contacts` and `matrix_static_files_file_matrix_support_property_m_support_page`. Example snippet for `vars.yml`: ``` # Enable generation of `/.well-known/matrix/support`. -matrix_well_known_matrix_support_enabled: true +matrix_static_files_file_matrix_support_enabled: true # Homeserver admin contacts as per MSC 1929 https://github.com/matrix-org/matrix-spec-proposals/pull/1929 -matrix_homeserver_admin_contacts: +matrix_static_files_file_matrix_support_property_m_contacts: - matrix_id: "@admin1:{{ matrix_domain }}" email_address: admin@domain.tld role: m.role.admin @@ -58,7 +58,7 @@ matrix_homeserver_admin_contacts: - email_address: security@domain.tld role: m.role.security -matrix_homeserver_support_url: "https://example.domain.tld/support" +matrix_static_files_file_matrix_support_property_m_support_page: "https://example.domain.tld/support" ``` To learn how to set up `/.well-known/matrix/support` for the base domain, read the Installing section below. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f5039cec3..35bc3433a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -2996,8 +2996,6 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
 
-matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
-
 # OCSP stapling does not make sense when self-signed certificates are used.
 # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
@@ -4599,21 +4597,17 @@ matrix_static_files_container_labels_traefik_docker_network: "{{ matrix_playbook matrix_static_files_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_static_files_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" -matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "{{ matrix_client_element_jitsi_preferred_domain }}" +matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" matrix_static_files_file_matrix_client_property_org_matrix_msc3575_proxy_url: "{{ matrix_homeserver_sliding_sync_url }}" matrix_static_files_file_matrix_client_property_m_tile_server_entries_enabled: "{{ matrix_client_element_location_sharing_enabled }}" matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "https://{{ matrix_server_fqn_element }}/map_style.json" -matrix_static_files_file_matrix_client_property_io_element_e2ee_default: "{{ matrix_well_known_matrix_client_io_element_e2ee_default }}" -matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required: "{{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required }}" -matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods: "{{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods }}" - matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}" -matrix_static_files_file_matrix_support_property_m_contacts: "{{ matrix_homeserver_admin_contacts }}" -matrix_static_files_file_matrix_support_property_m_support_page: "{{ matrix_homeserver_support_url }}" +matrix_static_files_self_check_hostname_matrix: "{{ matrix_server_fqn_matrix }}" +matrix_static_files_self_check_hostname_identity: "{{ matrix_domain }}" 
######################################################################## # # diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 57736aaff..a4e591997 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -52,21 +52,6 @@ matrix_bots_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_serv # Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`. matrix_homeserver_enabled: true -# Homeserver admin contacts and support page as per MSC 1929 -# See: https://github.com/matrix-org/matrix-spec-proposals/pull/1929 -# Users in form: -# matrix_homeserver_admin_contacts: -# - matrix_id: @admin:domain.tld -# email_address: admin@domain.tld -# role: admin -# - email_address: security@domain.tld -# role: security -# Also see: `matrix_well_known_matrix_support_enabled` -matrix_homeserver_admin_contacts: [] -# Url string like https://domain.tld/support.html -# Also see: `matrix_well_known_matrix_support_enabled` -matrix_homeserver_support_url: '' - # This will contain the homeserver implementation that is in use. # Valid values: synapse, dendrite, conduit # @@ -161,8 +146,6 @@ matrix_base_data_path_mode: "750" matrix_bin_path: "{{ matrix_base_data_path }}/bin" -matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" - matrix_host_command_sleep: "/usr/bin/env sleep" matrix_host_command_chown: "/usr/bin/env chown" matrix_host_command_fusermount: "/usr/bin/env fusermount" 
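Review bot: The two `matrix_static_files_self_check_hostname_*` lines added at the end of the group_vars hunk have no companion for certificate validation, although the same commit removes `matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"` from group_vars and the new role default `matrix_static_files_self_check_validate_certificates` is `true`. Unless that mapping exists in a part of group_vars not shown here, deployments using self-signed certificates will now fail the well-known self-check on TLS verification, so the missing line is `matrix_static_files_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"` placed next to the hostname lines. Keep `true` for every other retrieval method: the self-check is the one step in the playbook that would catch a wrong or expired certificate on the base domain, and turning validation off globally would silently blind it.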
@@ -203,122 +186,9 @@ matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ matrix_integration_manager_ui_url: ~ -# The domain name where a Jitsi server is self-hosted. -# If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server. -# See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server -matrix_client_element_jitsi_preferred_domain: '' # noqa var-naming - -# Controls whether Element should use End-to-End Encryption by default. -# Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE. -# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md -matrix_well_known_matrix_client_io_element_e2ee_default: true - -# Controls whether Element should require a secure backup set up before Element can be used. -# Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup. -# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md -matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false - -# Controls which backup methods from ["key", "passphrase"] should be used, both is the default. -# Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use -# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md -matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: [] - -# Controls whether element related entries should be added to the client well-known. Override this to false to hide -# element related well-known entries. 
-# By default if any of the following change from their default this is set to true: -# `matrix_well_known_matrix_client_io_element_e2ee_default` -# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required` -# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods` -matrix_well_known_matrix_client_io_element_e2ee_entries_enabled: "{{ not matrix_well_known_matrix_client_io_element_e2ee_default or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0 }}" - -# Default `/.well-known/matrix/client` configuration - it covers the generic use case. -# You can customize it by controlling the various variables inside the template file that it references. -# -# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`) -# or completely replace this variable with your own template. -# -# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. -# This is unlike what it does when looking up YAML template files (no automatic parsing there). -matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}" - -# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`. -# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`). -# -# You can override individual variables from the default configuration, or introduce new ones. -# -# If you need something more special, you can take full control by -# completely redefining `matrix_well_known_matrix_client_configuration`. 
-# -# Example configuration extension follows: -# -# matrix_well_known_matrix_client_configuration_extension_json: | -# { -# "io.element.call_behaviour": { -# "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state" -# } -# } -matrix_well_known_matrix_client_configuration_extension_json: '{}' - -matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json | from_json if matrix_well_known_matrix_client_configuration_extension_json | from_json is mapping else {} }}" - -# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`. -matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default | combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}" - -# Default `/.well-known/matrix/server` configuration - it covers the generic use case. -# You can customize it by controlling the various variables inside the template file that it references. -# -# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`) -# or completely replace this variable with your own template. -# -# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. -# This is unlike what it does when looking up YAML template files (no automatic parsing there). -matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}" - -# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`. 
-# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`). -# -# You can override individual variables from the default configuration, or introduce new ones. -# -# If you need something more special, you can take full control by -# completely redefining `matrix_well_known_matrix_server_configuration`. -# -# Example configuration extension follows: -# -# matrix_well_known_matrix_server_configuration_extension_json: | -# { -# "something": "another" -# } -matrix_well_known_matrix_server_configuration_extension_json: '{}' - -matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json | from_json if matrix_well_known_matrix_server_configuration_extension_json | from_json is mapping else {} }}" - -# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`. -matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default | combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}" - -# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. -# This is unlike what it does when looking up YAML template files (no automatic parsing there). 
-matrix_well_known_matrix_support_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-support.j2') }}" - -matrix_well_known_matrix_support_configuration_extension_json: '{}' - -matrix_well_known_matrix_support_configuration_extension: "{{ matrix_well_known_matrix_support_configuration_extension_json | from_json if matrix_well_known_matrix_support_configuration_extension_json | from_json is mapping else {} }}" - -# Holds the final `/.well-known/matrix/support` configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_support_configuration_default` and `matrix_well_known_matrix_support_configuration_extension_json`. -matrix_well_known_matrix_support_configuration: "{{ matrix_well_known_matrix_support_configuration_default | combine(matrix_well_known_matrix_support_configuration_extension, recursive=True) }}" - # The Docker network that all services would be put into matrix_docker_network: "matrix" -# Controls whether a `/.well-known/matrix/support` file is generated and used at all. -# For details about this file, see the spec: https://github.com/matrix-org/matrix-spec-proposals/pull/1929 -# -# This is not enabled by default, as for it to be useful, other information is necessary. -# See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc. -matrix_well_known_matrix_support_enabled: false - matrix_homeserver_container_extra_arguments_auto: [] matrix_homeserver_app_service_config_files_auto: [] diff --git a/roles/custom/matrix-base/tasks/main.yml b/roles/custom/matrix-base/tasks/main.yml index 13ef11d5c..7351d1b8a 100644 --- a/roles/custom/matrix-base/tasks/main.yml +++ b/roles/custom/matrix-base/tasks/main.yml 
@@ -21,19 +21,3 @@ - common block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" - -- tags: - - setup-all - - setup-ma1sd - - setup-synapse - - setup-dendrite - - setup-conduit - - setup-nginx-proxy - - install-all - - install-ma1sd - - install-synapse - - install-dendrite - - install-conduit - - install-nginx-proxy - block: - - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml" diff --git a/roles/custom/matrix-base/tasks/setup_well_known.yml b/roles/custom/matrix-base/tasks/setup_well_known.yml deleted file mode 100644 index 6ceddd8cf..000000000 --- a/roles/custom/matrix-base/tasks/setup_well_known.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -# We need others to be able to read these directories too, -# so that matrix-nginx-proxy's nginx user can access the files. -# -# For running with another webserver, we recommend being part of the `matrix` group. -- name: Ensure Matrix static-files path exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0755 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_static_files_base_path }}/.well-known/matrix" diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index 740fc839a..33cce48cd 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml 
@@ -18,9 +18,9 @@ - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_local_bin_path', 'new': ''} - - {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_default'} - - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required'} - - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods'} + - {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'} + - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'} + - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'} # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. - name: Fail if matrix_homeserver_generic_secret_key is undefined diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 deleted file mode 100644 index 96c301a89..000000000 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ /dev/null 
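Review bot: The deprecation list in this hunk only re-points the three legacy `matrix_client_element_e2ee_*` names; the names this commit itself deletes from `matrix-base/defaults/main.yml` — `matrix_well_known_matrix_client_io_element_e2ee_default`, `..._secure_backup_required`, `..._secure_backup_setup_methods`, `matrix_well_known_matrix_client_configuration_extension_json`, `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, `matrix_well_known_matrix_support_enabled`, `matrix_client_element_jitsi_preferred_domain` and `matrix_static_files_base_path` — get no entry, so a `vars.yml` that still sets them is silently ignored instead of failing validation. For the E2EE keys that means an operator who hardened clients with `secure_backup_required: true`, or deliberately relaxed them with `e2ee_default: false`, sees no error and ships a `/.well-known/matrix/client` without any `io.element.e2ee` block. Unless the truncated `matrix_playbook_migration/tasks/validate_config.yml` hunk at the end of this patch covers them, each should get an entry such as `- {'old': 'matrix_well_known_matrix_client_io_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'}`, with `'new': ''` for the ones that have no replacement.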
@@ -1,51 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{ - "m.homeserver": { - "base_url": "{{ matrix_homeserver_url }}" - } - {% if matrix_identity_server_url %}, - "m.identity_server": { - "base_url": "{{ matrix_identity_server_url }}" - } - {% endif %} - {% if matrix_integration_manager_rest_url and matrix_integration_manager_ui_url %}, - "m.integrations": { - "managers": [ - { - "api_url": "{{ matrix_integration_manager_rest_url }}", - "ui_url": "{{ matrix_integration_manager_ui_url }}" - } - ] - } - {% endif %} - {% if matrix_client_element_jitsi_preferred_domain %}, - "io.element.jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }} - }, - "im.vector.riot.jitsi": { - "preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }} - } - {% endif %} - {% if matrix_homeserver_sliding_sync_url %}, - "org.matrix.msc3575.proxy": { - "url": "{{ matrix_homeserver_sliding_sync_url }}" - } - {% endif %} - {% if matrix_client_element_location_sharing_enabled %}, - "m.tile_server": { - "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json" - } - {% endif %} - {% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}, - "io.element.e2ee": { - "default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }}, - "secure_backup_required": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required|to_json }}, - "secure_backup_setup_methods": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods|to_json }} - } - {% endif %} - {% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %}, - "im.vector.riot.e2ee": { - "default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }} - } - {% endif %} -} diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-server.j2 deleted file mode 100644 index 3bc7346d2..000000000 
--- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{ - "m.server": "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}" -} diff --git a/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2 b/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2 deleted file mode 100644 index fab05fba5..000000000 --- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2 +++ /dev/null @@ -1,7 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{ - "contacts": {{ matrix_homeserver_admin_contacts|to_json }} - {% if matrix_homeserver_support_url %}, - "support_page": {{ matrix_homeserver_support_url|to_json }} - {% endif %} -} diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 360644809..9b94db2e8 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -568,15 +568,6 @@ matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_ # you may wish to set this to '$proxy_add_x_forwarded_for' instead. matrix_nginx_proxy_x_forwarded_for: '$remote_addr' -# Controls whether the self-check feature should validate SSL certificates. -matrix_nginx_proxy_self_check_validate_certificates: true - -# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource. -# -# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be, -# so we default to not following redirects as well. -matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none - # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). # # Otherwise, we get warnings like this: 
diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_well_known.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_well_known.yml deleted file mode 100644 index 11e941bd4..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_well_known.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -- ansible.builtin.set_fact: - matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" - -# We need others to be able to read these directories too, -# so that matrix-nginx-proxy's nginx user can access the files. -# -# For running with another webserver, we recommend being part of the `matrix` group. -- name: Ensure Matrix static-files path exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0755 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_static_files_base_path }}/.well-known/matrix" - -- name: Ensure Matrix /.well-known/matrix/client configured - ansible.builtin.template: - src: "{{ role_path }}/templates/well-known/matrix-client.j2" - dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 07350b1a0..63d573d73 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 
@@ -24,17 +24,6 @@ {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} - - location /.well-known/matrix { - root {{ matrix_static_files_base_path }}; - {# - A somewhat long expires value is used to prevent outages - in case this is unreachable due to network failure. - #} - expires 4h; - default_type application/json; - add_header Access-Control-Allow-Origin *; - } {% endmacro %} server { diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index d9e2d1037..78431c4f2 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -29,18 +29,6 @@ add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - location /.well-known/matrix { - root {{ matrix_static_files_base_path }}; - {# - A somewhat long expires value is used to prevent outages - in case this is unreachable due to network failure or - due to the base domain's server completely dying. - #} - expires 4h; - default_type application/json; - add_header Access-Control-Allow-Origin *; - } - {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} {% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index bd4bbb1df..9ab567343 100755 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 
@@ -41,7 +41,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% if matrix_ssl_retrieval_method != 'none' %} --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ {% endif %} - --mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \ {% for volume in matrix_nginx_proxy_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index eb885621d..510e2edbd 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -112,6 +112,9 @@ matrix_static_files_file_matrix_client_property_m_integrations_managers_api_url: matrix_static_files_file_matrix_client_property_m_integrations_managers_ui_url: "{{ matrix_integration_manager_ui_url }}" # Controls the io.element.jitsi/preferredDomain property in the /.well-known/matrix/client file +# This specifies the domain name where a Jitsi server is self-hosted. +# If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server. +# See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "" # Controls the org.matrix.msc3575.proxy/url (sliding sync) property in the /.well-known/matrix/client file 
@@ -295,6 +298,17 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f # # ######################################################################## +# Controls whether the self-check feature should validate SSL certificates. +matrix_static_files_self_check_validate_certificates: true + +matrix_static_files_self_check_hostname_matrix: '' +matrix_static_files_self_check_hostname_identity: '' + +# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource. +# +# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be, +# so we default to not following redirects as well. +matrix_static_files_self_check_well_known_matrix_client_follow_redirects: none # TODO - review this one # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. diff --git a/roles/custom/matrix-static-files/tasks/self_check_well_known.yml b/roles/custom/matrix-static-files/tasks/self_check_well_known.yml index d419d370d..ed0958b91 100644 --- a/roles/custom/matrix-static-files/tasks/self_check_well_known.yml +++ b/roles/custom/matrix-static-files/tasks/self_check_well_known.yml 
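Review bot: `matrix_static_files_self_check_hostname_matrix` and `matrix_static_files_self_check_hostname_identity` are introduced without a comment, unlike every neighbouring variable, and their `''` defaults are not usable values: the self-check interpolates them directly into `https://…` URLs, and group_vars wires them to `matrix_server_fqn_matrix` and `matrix_domain`. I would add above them `# Hostnames the well-known self-check fetches from: the Matrix API host (normally matrix_server_fqn_matrix) and the base domain (normally matrix_domain). Both must be non-empty when the self-check runs.` The `validate_certificates` comment should also state what disabling it costs, e.g. `# Only set this to false for self-signed certificates: with validation off the self-check accepts any certificate and will not notice a wrong or expired one.`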
@@ -1,27 +1,28 @@ --- -# TODO - migrate these variables and deprecate the old ones +# TODO - deprecate the old variables in the matrix-nginx-proxy role -- name: Determine well-known files to check (Matrix) +- name: Determine well-known files to check (start with /.well-known/matrix/client) ansible.builtin.set_fact: well_known_file_checks: - path: /.well-known/matrix/client purpose: Client Discovery cors: true - follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}" - validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" + follow_redirects: "{{ matrix_static_files_self_check_well_known_matrix_client_follow_redirects }}" + validate_certs: "{{ matrix_static_files_self_check_validate_certificates }}" - when: matrix_well_known_matrix_server_enabled | bool block: - - ansible.builtin.set_fact: + - name: Prepare /.well-known/matrix/server to well-known files to check, if enabled + ansible.builtin.set_fact: well_known_file_check_matrix_server: path: /.well-known/matrix/server purpose: Server Discovery cors: false follow_redirects: safe - validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" + validate_certs: "{{ matrix_static_files_self_check_validate_certificates }}" - - name: Determine domains that we require certificates for (ma1sd) + - name: Inject /.well-known/matrix/server to well-known files to check, if enabled ansible.builtin.set_fact: well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" diff --git a/roles/custom/matrix-static-files/tasks/self_check_well_known_file.yml b/roles/custom/matrix-static-files/tasks/self_check_well_known_file.yml index 95a43dead..983ce1049 100644 --- a/roles/custom/matrix-static-files/tasks/self_check_well_known_file.yml +++ b/roles/custom/matrix-static-files/tasks/self_check_well_known_file.yml 
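Review bot: The `/.well-known/matrix/server` check is still gated on `when: matrix_well_known_matrix_server_enabled | bool`, a legacy `matrix_well_known_*` name, while every other reference in this hunk was moved to the `matrix_static_files_*` namespace and the new TODO at the top says the old variables are to be deprecated. If that variable goes the way of the `matrix_well_known_*` defaults deleted from `matrix-base` in this same patch, the server-discovery check is either skipped entirely or fails the play on an undefined variable, depending on where it is defined. Gate it on the role's own toggle, presumably `- when: matrix_static_files_file_matrix_server_enabled | bool` (its siblings `matrix_static_files_file_matrix_support_enabled` and `matrix_static_files_file_matrix_server_property_m_server` are visible elsewhere in this patch), so that verifying the published `m.server` delegation stays tied to the same switch that decides whether the file is generated.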
@@ -1,8 +1,8 @@
 ---
 
 - ansible.builtin.set_fact:
-    well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
-    well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
+    well_known_url_matrix: "https://{{ matrix_static_files_self_check_hostname_matrix }}{{ well_known_file_check.path }}"
+    well_known_url_identity: "https://{{ matrix_static_files_self_check_hostname_identity }}{{ well_known_file_check.path }}"
 
 # These well-known files may be served without a `Content-Type: application/json` header,
 # so we can't rely on the uri module's automatic parsing of JSON.
diff --git a/roles/custom/matrix_playbook_migration/tasks/cleanup_matrix_static_files_well_known.yml b/roles/custom/matrix_playbook_migration/tasks/cleanup_matrix_static_files_well_known.yml
new file mode 100644
index 000000000..9e95826bd
--- /dev/null
+++ b/roles/custom/matrix_playbook_migration/tasks/cleanup_matrix_static_files_well_known.yml
@@ -0,0 +1,9 @@
+---
+
+# Files used to be installed by the `matrix-base` role into `/matrix/static-files/.well-known/*`.
+# Such files are now generated by the `matrix-static-files` role into a slightly different path: `/matrix/static-files/public/.well-known/*`.
+
+- name: Ensure old /matrix/static-files/.well-known files are deleted
+  ansible.builtin.file:
+    path: "{{ matrix_base_data_path }}/static-files/.well-known"
+    state: absent
diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml
index d6b24c395..55decd881 100644
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
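Review bot: The rewritten `well_known_url_matrix` / `well_known_url_identity` facts interpolate `matrix_static_files_self_check_hostname_matrix` and `matrix_static_files_self_check_hostname_identity`, which the role's defaults in this diff initialise to `''`, so a missing override silently produces `https:///.well-known/...` and the HTTP request later in this file fails with a connection error rather than a configuration error. A fail-fast guard before the set_fact (or in the role's validate_config, if it has one) makes the misconfiguration obvious. The task that consumes these facts lies outside the hunk.

```yaml
- name: Fail if well-known self-check hostnames are not configured
  ansible.builtin.fail:
    msg: "Both matrix_static_files_self_check_hostname_matrix and matrix_static_files_self_check_hostname_identity must be set for the well-known self-check"
  when: matrix_static_files_self_check_hostname_matrix | length == 0 or matrix_static_files_self_check_hostname_identity | length == 0

# … unchanged: the set_fact building well_known_url_matrix / well_known_url_identity …
```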
@@ -21,6 +21,12 @@
   block:
     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml"
 
+- tags:
+    - setup-all
+    - install-all
+  block:
+    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_matrix_static_files_well_known.yml"
+
 - when: devture_traefik_enabled | bool
   tags:
     - setup-all
diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
index dcbc8e67e..3a45a907f 100644
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
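Review bot: The new `- tags:` block includes a task that recursively deletes `{{ matrix_base_data_path }}/static-files/.well-known` on every `setup-all`/`install-all` run, with no `when:` and no comment saying why it is here or when it can go, unlike the `devture_traefik_enabled` block right below it. Because the deletion is idempotent the unconditional run is fine, but a maintainer reading main.yml later has no way to tell when this migration step becomes dead weight. Suggest a comment above the block such as `# Removes /matrix/static-files/.well-known left behind by the old matrix-base role; safe to drop once the migration window has passed.`.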
@@ -67,6 +67,16 @@ - {'old': 'matrix_well_known_matrix_server_enabled', 'new': 'matrix_static_files_file_matrix_server_enabled'} - {'old': 'matrix_well_known_matrix_support_enabled', 'new': 'matrix_static_files_file_matrix_support_enabled'} + - {'old': 'matrix_homeserver_admin_contacts', 'new': 'matrix_static_files_file_matrix_support_property_m_contacts'} + - {'old': 'matrix_homeserver_support_url', 'new': 'matrix_static_files_file_matrix_support_property_m_support_page'} + - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'} + - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'} + - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'} + - {'old': 'matrix_well_known_matrix_client_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_client_configuration_extension_json'} + - {'old': 'matrix_well_known_matrix_server_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_server_configuration_extension_json'} + - {'old': 'matrix_well_known_matrix_support_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_support_configuration_extension_json'} + - {'old': 'matrix_nginx_proxy_self_check_validate_certificates', 'new': 'matrix_static_files_self_check_validate_certificates'} + - {'old': 'matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects', 'new': 'matrix_static_files_self_check_well_known_matrix_client_follow_redirects'} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: