iartamonov/matrix-docker-ansible-deploy
1
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2026-04-08 15:24:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: iartamonov:e60ef27bb8e1152dcad06f07cf489bfc17859a9a
Branches Tags
iartamonov:master iartamonov:renovate/ghcr.io-element-hq-element-web-1.x iartamonov:renovate/etherpad-2.x iartamonov:create-pull-request/i18n iartamonov:migration-validation-system iartamonov:copilot/update-exim-relay-docs iartamonov:renovate/matrixdotorg-sygnal-0.x iartamonov:synapse-user-register-wait-for iartamonov:remove-zulip-bridge iartamonov:stabilize-mas iartamonov:element-call-stack iartamonov:element-call-integration iartamonov:synapse-cache-tuning iartamonov:HarHarLinks/hookshot-encryption
...
compare: iartamonov:synapse-user-register-wait-for
Branches Tags
iartamonov:renovate/ghcr.io-element-hq-element-web-1.x iartamonov:renovate/etherpad-2.x iartamonov:master iartamonov:create-pull-request/i18n iartamonov:migration-validation-system iartamonov:copilot/update-exim-relay-docs iartamonov:renovate/matrixdotorg-sygnal-0.x iartamonov:synapse-user-register-wait-for iartamonov:remove-zulip-bridge iartamonov:stabilize-mas iartamonov:element-call-stack iartamonov:element-call-integration iartamonov:synapse-cache-tuning iartamonov:HarHarLinks/hookshot-encryption

112 Commits
e60ef27bb8 ... synapse-us

Author SHA1 Message Date
Aine
b18c1efd65 Synapse register user: wait for synapse to be available 2026-02-10 22:14:05 +00:00
Aine
4ec41c0b42 Merge pull request #4909 from spantaleev/renovate/ghcr.io-element-hq-element-web-1.x 
chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.10
 2026-02-10 18:11:36 +00:00
renovate[bot]
0a08126324 chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.10 2026-02-10 17:49:29 +00:00
renovate[bot]
482ef0fdf5 chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.147.0 2026-02-10 16:51:46 +02:00
renovate[bot]
ca356c52e2 chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.11.0 2026-02-10 16:51:09 +02:00
Slavi Pantaleev
ecf9befc32 Adapt to the all-at-once restart mode default in systemd_service_manager v2.0.0-0 
- `install-service` no longer forces `one-by-one` restart mode

- the coturn priority condition is flipped: only `one-by-one` mode
  needs the delayed priority (1500); all other modes (including
  the new `all-at-once` default) use the normal priority (900)

Ref:

- d42cd92045
- f3e658cca3/docs/restart-mode-comparison.md
- 36445fb419
- 750cb7e29e
 2026-02-10 16:41:41 +02:00
Slavi Pantaleev
750cb7e29e Upgrade systemd_service_manager (v1.1.0-0 -> v2.0.0-0) 2026-02-10 16:21:57 +02:00
Suguru Hirahara
815b9baec6 Update notes about self-hosting services with the MASH playbook 
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-10 22:31:11 +09:00
Suguru Hirahara
1dcd4636ff Add a note about self-hosting echoip with the MASH playbook 
Reuse 3653f9f89b/docs/configuring-playbook-ssl-certificates.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-10 22:28:08 +09:00
renovate[bot]
7f04231904 chore(deps): update ghcr.io/etkecc/baibot docker tag to v1.14.1 2026-02-10 15:18:02 +02:00
renovate[bot]
b0828528df chore(deps): update dependency ntfy to v2.17.0-0 2026-02-10 11:53:33 +02:00
Suguru Hirahara
96029bf916 Replace "EchoIP" with "echoip" 
cf. https://github.com/mpolden/echoip

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-10 17:41:52 +09:00
Slavi Pantaleev
ace086056f Upgrade Postgres (v18.1-4 -> v18.1-5) 2026-02-09 21:24:48 +02:00
Slavi Pantaleev
0e8ef8ef10 Add retry logic for Synapse user registration on Connection refused 
When DB credentials change (derived from matrix_synapse_macaroon_secret_key),
a running Synapse container may fail to connect to its database and stop
serving requests. This causes register_new_matrix_user to fail with
"Connection refused" when the matrix-user-creator role tries to register users.

This extends the retry logic from 44b43a51b (which handled HMAC failures)
to also handle Connection refused errors: restart Synapse (picking up the
new config with updated credentials), wait for it to start, and retry.

Caused by c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-09 17:36:59 +02:00
Slavi Pantaleev
2c2738a48f Remove passlib dependency by making matrix-media-repo datastore IDs user-provided 
These IDs were incorrectly auto-derived from matrix_homeserver_generic_secret_key,
which is meant for secrets that are OK to change. Datastore IDs are static
identifiers that must never change after first use.

The playbook now requires users to explicitly set matrix_media_repo_datastore_file_id
(and matrix_media_repo_datastore_s3_id when S3 is enabled) in vars.yml, with
validation that fails early if they are missing.

This was the last usage of passlib, which is now removed from prerequisites.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-09 16:56:51 +02:00
Suguru Hirahara
09914bf338 Set ddclient_uid and ddclient_gid 
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-09 19:49:59 +09:00
Slavi Pantaleev
44b43a51b9 Add retry logic for Synapse user registration on HMAC failure 
When the registration_shared_secret changes (derived from
matrix_synapse_macaroon_secret_key), a running Synapse container still
has the old secret in its config. This causes register_new_matrix_user
to fail with "HMAC incorrect" when the matrix-user-creator role tries
to register users.

This mirrors the approach from 2a581cce (which added similar retry
logic for the Matrix Authentication Service on database auth failure):
if the initial registration attempt fails with an HMAC error, restart
Synapse (picking up the new config with the updated secret), wait for
it to start, and retry.

Caused by c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-09 06:29:14 +02:00
Aine
5f8235f44a remove Zulip bridge 2026-02-08 20:34:56 +02:00
renovate[bot]
eb393b4eb8 chore(deps): update dependency setuptools to v82 2026-02-08 19:46:32 +02:00
Slavi Pantaleev
92c204394a Upgrade Postgres (v18.1-3 -> v18.1-4) 2026-02-08 18:46:36 +02:00
Slavi Pantaleev
a1015b6df2 Change salt for Whatsapp token secrets to make pre-commit happy 2026-02-08 18:43:10 +02:00
Slavi Pantaleev
2a581cce62 Add retry logic for MAS user registration on database auth failure 
When the Postgres role updates database passwords (e.g., due to a
change in the secret derivation method), the Matrix Authentication
Service container may still be running with old configuration that
references the previous password. This causes mas-cli to fail with
"password authentication failed" when the matrix-user-creator role
tries to register users.

Rather than adding config-change detection or eager restarts to the
MAS role, this adds targeted retry logic: if the initial registration
attempt fails with a database authentication error, restart the MAS
service (which picks up the new config with the updated password),
wait for it to start, and retry. The restart usually only triggers
once per run since subsequent user registrations succeed after the restart.

Related to c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-08 18:32:20 +02:00
Slavi Pantaleev
c21a80d232 Switch to fast single-round hashing for derived secrets 
Replace password_hash('sha512', rounds=655555) with hash('sha512')
for all 114 secret derivations in group_vars/matrix_servers.

The old method (655k rounds of SHA-512) was designed for protecting
low-entropy human passwords in /etc/shadow. For deriving secrets
from a high-entropy secret key, a single hash round is equally
secure - the security comes from the key's entropy, not the
computational cost. SHA-512 remains preimage-resistant regardless
of rounds.

This yields a major performance improvement: evaluating
postgres_managed_databases (which references multiple derived
database passwords) dropped from ~10.7s to ~0.6s on a fast mini
PC. The Postgres role evaluates this variable multiple times, and
other roles reference derived passwords too, so the cumulative
savings across a full playbook run are substantial.

All derived service passwords (database passwords, appservice
tokens, etc.) will change on the next run. The main/superuser
database password is not affected (it's hardcoded in inventory
variables). All services receive their new passwords in the same
run, so this should be seamless.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-08 18:15:02 +02:00
Suguru Hirahara
baa740fcda Relocate ddclient role to MASH organization (#4902) 
* Fetch ansible-role-ddclient from MASH project

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `matrix_dynamic_dns` with `ddclient`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `matrix-dynamic-dns` to `ddclient_identifier`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove `ddclient_container_network` in favor of the role's configuration

On the role the value of `ddclient_container_network` is set to `ddclient_identifier`, which is set to `matrix-dynamic-dns` on the playbook.

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `matrix-dynamic-dns` with `ddclient` on matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `ddclient_docker_image_*` with `ddclient_container_image_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update `ddclient_container_image_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `ddclient_base_path` to matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `ddclient_web_*` to matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove `matrix-dynamic-dns` directory

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update configuring-playbook-dynamic-dns.md

Reuse 75e264f538/docs/services/ddclient.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Fix a typo

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

---------

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-08 16:34:35 +02:00
Suguru Hirahara
66d66f67f8 Remove obsolete X-Frame-Options 
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-08 21:54:38 +09:00
renovate[bot]
c1a8ca6397 chore(deps): update dependency systemd_service_manager to v1.1.0-0 2026-02-08 09:38:49 +02:00
Suguru Hirahara
4310fb83c1 Remove ma1sd (#4898) 
* Remove ma1sd

Reuse 6d1ec58a82/docs/configuring-playbook-bridge-mautrix-instagram.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update configuring-playbook-ma1sd.pot

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update changelog entry date for ma1sd removal

---------

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
 2026-02-08 09:35:51 +02:00
Suguru Hirahara
9320ef49fe Relocate Cinny role to MASH organization (#4900) 
* Use `ansible-role-cinny`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `matrix-client-cinny` and `matrix_client_cinny` with `cinny`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `matrix-client-cinny` to `cinny_identifier`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `cinny_container_image_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove `cinny_container_image_registry_prefix_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `cinny_data_path` with `cinny_base_path`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `cinny_hostname` to `matrix_servers`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Add `cinny_uid` and `cinny_gid`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove `matrix-client-cinny` in favor of ansible-role-cinny

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update CHANGELOG.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

---------

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-07 11:01:04 +02:00
Slavi Pantaleev
cf6c5208e8 Fix cli-non-interactive syntax in uninstallation docs (add -c flag) 
The cli-non-interactive script passes arguments directly to psql, which
interprets positional arguments as database names, not SQL commands.
Without the -c flag, commands like:

  /matrix/postgres/bin/cli-non-interactive 'DROP DATABASE foo;'

fail with: FATAL: database "DROP DATABASE foo;" does not exist

The correct syntax requires -c to pass a command:

  /matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE foo;'

This mistake was originally introduced in c399992542
when the matrix-bridge-mautrix-hangouts role was removed. That commit's
uninstallation docs were then used as a template and the error propagated
to subsequent removal documentation for other bridges and components.
 2026-02-07 10:52:56 +02:00
renovate[bot]
e6168d8e9c chore(deps): update dependency setuptools to v81 2026-02-07 09:45:29 +02:00
Slavi Pantaleev
6d1ec58a82 Fix prometheus_postgres_exporter_port variable rename 
The variable was renamed to prometheus_postgres_exporter_container_http_port in
2b37e604cb

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4897

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4894
 2026-02-06 01:25:34 +02:00
Aine
adf521f8cb add matrix_synapse_email_enable_notifs and matrix_synapse_email_notif_for_new_users 2026-02-05 19:09:51 +00:00
Suguru Hirahara
4cfe5f8f3f Update related to the year 
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-05 20:32:12 +02:00
Suguru Hirahara
72c8873d06 Remove matrix_homeserver_sliding_sync_url 
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-05 20:32:12 +02:00
Suguru Hirahara
90129f75aa Remove sliding sync proxy 
Reuse 2b7a0453eb

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-05 20:32:12 +02:00
Suguru Hirahara
c8920885f9 Replace valkey_container_http_port 
See: 36d4bd4548
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-05 11:12:27 +02:00
renovate[bot]
1f0e33e07a chore(deps): update dependency prometheus_postgres_exporter to v0.19.0-0 2026-02-05 06:36:55 +02:00
renovate[bot]
8f6ae1f734 chore(deps): update nginx docker tag to v1.29.5 2026-02-05 06:36:46 +02:00
renovate[bot]
2c0688334f chore(deps): update dependency jitsi to v10741 2026-02-04 21:02:05 +02:00
renovate[bot]
d548f7ba8c chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.2.4 2026-02-04 10:46:09 +02:00
Slavi Pantaleev
a7ddb189b5 Add missing license file for whoami_sync_worker_router.js.j2 2026-02-04 04:26:15 +02:00
Slavi Pantaleev
7d4536cf78 Upgrade baibot (v1.13.0 -> v1.14.0) and add built-in tools configuration support 2026-02-04 04:21:47 +02:00
Slavi Pantaleev
93f6264466 Add CHANGELOG entry for whoami-based sync worker routing 2026-02-04 04:06:59 +02:00
Slavi Pantaleev
45c855c853 Remove old map-based user identifier extraction for sync workers 
The whoami-based approach is now the only implementation for sync worker routing.
It works with all token types (native Synapse, MAS, etc.) and is automatically
enabled when sync workers exist.

The old map-based approach only worked with native Synapse tokens (syt_<b64>_...)
and would give poor results with MAS or other auth systems.
 2026-02-04 04:06:59 +02:00
Slavi Pantaleev
5cc69ca7eb Add whoami-based sync worker routing for user-level sticky sessions 
This adds a new routing mechanism for sync workers that resolves access tokens
to usernames via Synapse's whoami endpoint, enabling true user-level sticky
routing regardless of which device or token is used.

Previously, sticky routing relied on parsing the username from native Synapse
tokens (`syt_<base64 username>_...`), which only works with native Synapse auth
and provides device-level stickiness at best. This new approach works with any
auth system (native Synapse, MAS, etc.) because Synapse handles token validation
internally.

Implementation uses nginx's auth_request module with an njs script because:
- The whoami lookup requires an async HTTP subrequest (ngx.fetch)
- js_set handlers must return synchronously and don't support async operations
- auth_request allows the async lookup to complete, then captures the result
  via response headers into nginx variables

The njs script:
- Extracts access tokens from Authorization header or query parameter
- Calls Synapse's whoami endpoint to resolve token -> username
- Caches results in a shared memory zone to minimize latency
- Returns the username via a `X-User-Identifier` header

The username is then used by nginx's upstream hash directive for consistent
worker selection. This leverages nginx's built-in health checking and failover.
 2026-02-04 04:06:59 +02:00
Aine
81f815d19b fix uid/gid vars for Synapse Admin 2026-02-03 21:40:11 +00:00
renovate[bot]
c63a0f984b chore(deps): update dependency valkey to v9.0.2-0 2026-02-03 22:53:35 +02:00
Aine
6c4b9bb3d7 Merge pull request #4886 from spantaleev/synapse-admin-etke53 
Synapse Admin v0.11.1-etke53
 2026-02-03 20:40:34 +00:00
Slavi Pantaleev
76e13f8200 Add native Sliding Sync (MSC3575) endpoint to worker routing 
The /_matrix/client/unstable/org.matrix.simplified_msc3575/sync endpoint
can be handled by generic workers, but Synapse's workers.md documentation
doesn't mention it. The code confirms it's worker-compatible:

- SlidingSyncRestServlet is registered via sync.register_servlets:
  https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/rest/client/sync.py#L1128-L1131

- sync.register_servlets is NOT in the worker exclusion list:
  https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/rest/__init__.py#L180-L194

- GenericWorkerStore includes SlidingSyncStore:
  https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/app/generic_worker.py#L168

This adds the endpoint to both:
- matrix_synapse_workers_sync_worker_client_server_endpoints (for specialized sync workers with sticky routing)
- matrix_synapse_workers_generic_worker_endpoints (documenting generic worker capability)
 2026-02-02 15:59:00 +02:00
renovate[bot]
aeea016e3c chore(deps): update dependency babel to v2.18.0 2026-02-01 19:25:08 +02:00
Aine
5bbb1930cb Synapse Admin i18n menu 2026-01-31 23:55:47 +00:00
renovate[bot]
2f66b7df94 chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.1.31 2026-01-31 12:58:55 +02:00
Aine
f621eb8018 Synapse Admin v0.11.1-etke53 2026-01-30 22:39:12 +00:00
renovate[bot]
3f0ff4c510 chore(deps): update halfshot/matrix-hookshot docker tag to v7.3.2 2026-01-30 21:15:05 +02:00
Slavi Pantaleev
b9631aea1c Upgrade ntfy (v2.16.0-0 -> v2.16.0-1) 2026-01-30 21:14:11 +02:00
Thom Wiggers
b1ff71266b Update matrix-appservice-irc to 4.0.0 with authenticated media proxy support 
- Upgrade from 1.0.1 to 4.0.0
- Add ircService.mediaProxy configuration for authenticated Matrix media
- Add Traefik integration for media proxy endpoint
- Generate signing key for authenticated media

Closes #3512

Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
 2026-01-29 12:08:59 +02:00
renovate[bot]
72d522b9f1 chore(deps): update dependency backup_borg to v1.4.3-2.1.1-0 2026-01-29 05:26:29 +02:00
renovate[bot]
67e650b5f9 chore(deps): update coturn/coturn docker tag to v4.8.0 2026-01-27 22:46:31 +02:00
Slavi Pantaleev
18b11eea3b Try versioning=loose for the Coturn container image definition for Renovate 
Ref: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4880#issuecomment-3807433691
 2026-01-27 22:40:47 +02:00
Sid Manat
fd6f72382d Upgrade Coturn (4.6.2-r11 -> 4.8.0-r0) 2026-01-27 22:24:54 +02:00
Slavi Pantaleev
460d46999f Make Synapse's enable_local_media_storage configurable 
Ref:
- https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4882
- https://github.com/element-hq/synapse/pull/19204
- https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_local_media_storage

We default it to `true`, keeping up with upstream and the old behavior.

s3-storage-provider users may set `matrix_synapse_enable_local_media_storage` to `false`
to disable local file caching.
This likely comes at the expense of some performance.

For matrix-media-repo users, it likely doesn't matter what this is set to,
as for a matrix-media-repo setup, all media-related API endpoints are
captured and forwarded to matrix-media-repo (before reaching Synapse).
 2026-01-27 22:11:06 +02:00
renovate[bot]
93d110e61e chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.146.0 2026-01-27 22:10:25 +02:00
renovate[bot]
6629867235 chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.10.0 2026-01-27 21:18:40 +02:00
renovate[bot]
8a3c75b7bd chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.9 2026-01-27 16:55:38 +02:00
renovate[bot]
b6bf91c150 chore(deps): update dependency etherpad to v2.6.1-0 2026-01-27 12:53:38 +02:00
renovate[bot]
b0e70f419f chore(deps): update dependency setuptools to v80.10.2 2026-01-26 08:15:49 +02:00
renovate[bot]
692c34ad9b chore(deps): update halfshot/matrix-hookshot docker tag to v7.3.1 2026-01-24 20:07:34 +02:00
Slavi Pantaleev
97c2915034 Upgrade baibot (v1.12.0 -> v1.13.0) 2026-01-23 00:52:36 +02:00
renovate[bot]
292397234a chore(deps): update dependency packaging to v26 2026-01-22 07:52:37 +02:00
renovate[bot]
82d6f3de2c chore(deps): update dependency setuptools to v80.10.1 2026-01-21 15:49:57 +02:00
renovate[bot]
cc9234d3ba chore(deps): update ghcr.io/etkecc/fluffychat-web docker tag to v2.4.0 2026-01-21 15:49:48 +02:00
renovate[bot]
47322a8d52 chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.1.21 2026-01-21 08:35:31 +02:00
Slavi Pantaleev
911031e2cf Add support for Hookshot static connections (new in v7.3.0) 
This adds the matrix_hookshot_connections variable for configuring
static webhook connections via the config file.

See: https://github.com/matrix-org/matrix-hookshot/pull/1102
 2026-01-20 16:10:30 +02:00
renovate[bot]
e01a79865c chore(deps): update halfshot/matrix-hookshot docker tag to v7.3.0 2026-01-20 15:38:23 +02:00
renovate[bot]
ab97b94245 chore(deps): update dependency ntfy to v2.16.0-0 2026-01-20 11:56:58 +02:00
renovate[bot]
c8fc504470 chore(deps): update dock.mau.dev/mautrix/whatsapp docker tag to v0.2601.0 2026-01-16 22:28:12 +02:00
renovate[bot]
a6c447ade3 chore(deps): update dock.mau.dev/mautrix/gmessages docker tag to v0.2601.0 2026-01-16 22:26:58 +02:00
renovate[bot]
aa69069627 chore(deps): update dock.mau.dev/mautrix/signal docker tag to v0.2601.0 2026-01-16 22:26:48 +02:00
renovate[bot]
fa22053bf1 chore(deps): update ansible/ansible-lint action to v26.1.1 2026-01-16 14:32:56 +02:00
renovate[bot]
a3ef7109b6 chore(deps): update dependency docker to v8 2026-01-15 21:29:26 +02:00
renovate[bot]
7c8a28d590 chore(deps): update ghcr.io/element-hq/lk-jwt-service docker tag to v0.4.1 2026-01-15 20:30:02 +02:00
renovate[bot]
28af19a1a7 chore(deps): update dependency myst-parser to v5 2026-01-15 14:44:50 +02:00
renovate[bot]
ea4b467cd3 chore(deps): update dependency livekit_server to v1.9.11-0 2026-01-15 14:43:30 +02:00
Slavi Pantaleev
bd6202eb65 Upgrade Traefik (v3.6.6-0 -> v3.6.7-1) and remove all (now-unnecessary) encodedCharacters_* setting overrides 
All these `encodedCharacters_*` settings default to `true` in Traefik v3.6.7,
so we don't need to override their values.

Ref: https://doc.traefik.io/traefik/v3.6/migrate/v3/#v367

Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4835
 2026-01-15 14:40:38 +02:00
Aine
4d0cf32151 grafana: add /tmp tmpfs 2026-01-15 09:12:17 +00:00
renovate[bot]
1890f3a01a chore(deps): update dependency jitsi to v10710 2026-01-14 16:52:49 +02:00
Slavi Pantaleev
ac5dc5d44f Pull in some additional Synapse workers routing configuration 
Provoked by https://github.com/element-hq/synapse/pull/19281
which landed in Synapse v1.145.0, but we pull in a few other routes
that I noticed to be missing.
 2026-01-14 12:07:09 +02:00
renovate[bot]
a050107e0f chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.145.0 2026-01-14 12:06:41 +02:00
renovate[bot]
41108b57e3 chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026 2026-01-14 11:55:53 +02:00
renovate[bot]
78c7b61af8 chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.9.0 2026-01-13 19:47:45 +02:00
renovate[bot]
b5c5f34ca4 chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.8 2026-01-13 19:46:26 +02:00
Slavi Pantaleev
e1bf0aebd2 Upgrade LiveKit (v1.9.10-0 -> v1.9.10-1) 2026-01-12 10:10:14 +02:00
Slavi Pantaleev
8a02d791ea Add missing : to matrix_media_repo_redis_shards entry 
Ref: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4851#issuecomment-3732696383
 2026-01-10 15:10:09 +02:00
akdk7
dd54691137 Automatically integate matrix-media-repo with Valkey (if enabled) (#4851) 
* This push request is about handling Traefik ipallowlist to synapse-admin application.

It's my first push request. If I forgot something please let me know. :-)

* Changed position of variable and naming for better expandebility of traefik options

* Remove useless `noqa var-naming` comment and too many blank lines at the end of the file

* If redis ist enabled for matrix media repo it failes to connect to valkey due to inproper configuration.

* Updated solution for fixing MMR redis connection

* Clean up

* Update valkey_container_network condition

---------

Co-authored-by: AkDk7 <joerg@pannbacker.email>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
 2026-01-10 15:07:12 +02:00
renovate[bot]
a3a2c568d0 chore(deps): update dependency prometheus_node_exporter to v1.9.1-13 2026-01-09 15:12:53 +02:00
renovate[bot]
0bc84a7129 chore(deps): update dependency prometheus_postgres_exporter to v0.18.1-2 2026-01-09 15:12:45 +02:00
Aine
afe5b06771 Synapse Admin v0.11.1-etke52 2026-01-09 08:43:28 +00:00
renovate[bot]
e4d0d42f04 chore(deps): update dependency traefik_certs_dumper to v2.10.0-4 2026-01-09 08:50:29 +02:00
dependabot[bot]
91711669c6 Bump ansible/ansible-lint from 25.12.2 to 26.1.0 
Bumps [ansible/ansible-lint](https://github.com/ansible/ansible-lint) from 25.12.2 to 26.1.0.
- [Release notes](https://github.com/ansible/ansible-lint/releases)
- [Commits](https://github.com/ansible/ansible-lint/compare/v25.12.2...v26.1.0)

---
updated-dependencies:
- dependency-name: ansible/ansible-lint
  dependency-version: 26.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-01-08 18:43:23 +02:00
renovate[bot]
5fe789cd96 chore(deps): update dependency etherpad to v2.6.0-1 2026-01-08 18:43:00 +02:00
renovate[bot]
e4abe50daf chore(deps): update dependency grafana to v11.6.5-5 2026-01-08 18:42:38 +02:00
renovate[bot]
e70d0d7673 chore(deps): update dependency auxiliary to v1.0.0-6 2026-01-08 15:12:39 +02:00
renovate[bot]
ae88c51dd7 chore(deps): update dependency container_socket_proxy to v0.4.2-1 2026-01-08 15:12:21 +02:00
renovate[bot]
9d7c224021 chore(deps): update dependency prometheus to v3.9.1-0 2026-01-08 12:07:41 +02:00
renovate[bot]
65213ff497 chore(deps): update ghcr.io/jasonlaguidice/matrix-steam-bridge docker tag to v1.1.0 2026-01-08 06:56:55 +02:00
renovate[bot]
13727bc0a2 chore(deps): update dependency urllib3 to v2.6.3 2026-01-07 21:23:23 +02:00
renovate[bot]
ed87ef7e50 chore(deps): update dependency prometheus to v3.9.0-0 2026-01-07 11:09:11 +02:00
Aine
858a4ab555 Synapse Admin v0.11.1-etke51 2026-01-06 09:47:01 +00:00
Slavi Pantaleev
5f3f57197e Revert "Remove outdated warning about Postmoogle not working well with Matrix Authentication Service" 
This reverts commit 81b371e690.

Ref: 81b371e690 (commitcomment-173871096)
 2026-01-06 09:28:28 +02:00
renovate[bot]
4f00bb4789 chore(deps): update dependency certifi to v2026 2026-01-04 08:58:47 +02:00
renovate[bot]
5e558aab55 chore(deps): update dependency livekit_server to v1.9.10-0 2026-01-01 16:34:15 +02:00
renovate[bot]
e09d10419c chore(deps): update dependency sphinx to v9.1.0 2025-12-31 19:29:23 +02:00
128 changed files with 1446 additions and 3989 deletions
Expand all files Collapse all files

2
.github/workflows/matrix.yml vendored
View File

@@ -26,7 +26,7 @@ jobs:
uses: actions/checkout@v6
- name: Run ansible-lint
uses: ansible/ansible-lint@v25.12.2
uses: ansible/ansible-lint@v26.1.1
with:
args: "roles/custom"
setup_python: "true"

121
CHANGELOG.md
View File

@@ -1,3 +1,124 @@
# 2026-02-09
## (BC Break) matrix-media-repo datastore IDs are now required in `vars.yml`
**Affects**: users with [matrix-media-repo](docs/configuring-playbook-matrix-media-repo.md) enabled (`matrix_media_repo_enabled: true`)
The `matrix_media_repo_datastore_file_id` and `matrix_media_repo_datastore_s3_id` variables are no longer auto-configured with values. They must now be explicitly defined in your `vars.yml` file. The playbook will fail with a helpful error if they are not set (when needed).
These were never meant to be auto-configured. They were derived from `matrix_homeserver_generic_secret_key`, which is intended for secrets that are OK to change subsequently (and Ansible would assist in propagating these changes). matrix-media-repo datastore IDs are not secrets — they are static identifiers linking media to storage backends, and **must not change** after first use.
**For existing installations**, retrieve your current values from the server:
```sh
grep 'id:' /matrix/media-repo/config/media-repo.yaml
```
Then add to your `vars.yml`:
```yaml
matrix_media_repo_datastore_file_id: "YOUR_FILE_DATASTORE_ID_HERE"
# Only if you use S3 storage:
# matrix_media_repo_datastore_s3_id: "YOUR_S3_DATASTORE_ID_HERE"
```
**Why do this?**: This change allows us to **remove the [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library** from the [prerequisites](docs/prerequisites.md), as it was the last component that depended on it.
# 2026-02-08
## Zulip bridge has been removed from the playbook
Zulip bridge has been removed from the playbook, as it doesn't work, and the maintainer seems to have abandoned it. See [this issue](https://github.com/GearKite/MatrixZulipBridge/issues/23) for more context.
## Switched to faster secret derivation for service passwords
We've switched the method used for deriving service passwords (database passwords, appservice tokens, etc.) from the `matrix_homeserver_generic_secret_key` variable.
The old method used `password_hash('sha512', rounds=655555)` (655,555 rounds of SHA-512 hashing), which was designed for protecting low-entropy human passwords against brute-force attacks. For deriving secrets from an already high-entropy secret key, this many rounds provide no additional security - the secret key's entropy is what protects the derived passwords, not the computational cost of hashing.
The new method uses a single-round `hash('sha512')` with a unique salt per service. This is equally secure for this use case (SHA-512 remains preimage-resistant; brute-forcing a high-entropy key is infeasible regardless of rounds), while being dramatically faster.
On a fast mini PC, evaluating `postgres_managed_databases` (which references multiple database passwords) dropped from **~10.7 seconds to ~0.6 seconds**. The Postgres role evaluates this variable multiple times during a run, so the cumulative savings are significant. All other roles that reference derived passwords also benefit.
**What this means for users**: all derived service passwords (database passwords, appservice tokens, etc.) will change on the next playbook run. The main/superuser database password (`postgres_connection_password`) is not affected, as it is hardcoded in inventory variables rather than derived via hashing. All services will receive their new passwords as part of the same run, so this should be a seamless, non-user-impacting change.
## (BC Break) Dynamic DNS role has been relocated and variable names need adjustments
The role for Dynamic DNS has been relocated to the [mother-of-all-self-hosting](https://github.com/mother-of-all-self-hosting) organization.
Along with the relocation, the `matrix_dynamic_dns_` prefix on its variable names has been renamed to `ddclient_`, so you need to adjust your `vars.yml` configuration.
As always, the playbook would let you know about this and point out any variables you may have missed.
## ma1sd has been removed from the playbook
[ma1sd](./docs/configuring-playbook-ma1sd.md) has been removed from the playbook, as it has been unmaintained for a long time.
The playbook will let you know if you're using any `matrix_ma1sd_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the component manually](./docs/configuring-playbook-ma1sd.md#uninstalling-the-component-manually).
Please note that some of the functions can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./docs/configuring-playbook-ldap-auth.md) instead.
# 2026-02-07
## (BC Break) Cinny role has been relocated and variable names need adjustments
The role for Cinny has been relocated to the [mother-of-all-self-hosting](https://github.com/mother-of-all-self-hosting) organization.
Along with the relocation, the `matrix_client_cinny_` prefix was dropped from its variable names, so you need to adjust your `vars.yml` configuration.
You need to do the following replacement:
- `matrix_client_cinny_` -> `cinny_`
As always, the playbook would let you know about this and point out any variables you may have missed.
## The Sliding Sync proxy has been removed from the playbook
The [Sliding Sync proxy](./docs/configuring-playbook-sliding-sync-proxy.md) has been removed from the playbook, as it's been replaced with a different method (called Simplified Sliding Sync) integrated to newer homeservers by default (**Conduit** homeserver from version `0.6.0` or **Synapse** from version `1.114`).
The playbook will let you know if you're using any `matrix_sliding_sync_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the proxy manually](./docs/configuring-playbook-sliding-sync-proxy.md#uninstalling-the-proxy-manually).
# 2026-02-04
## baibot now supports OpenAI's built-in tools (Web Search and Code Interpreter)
**TLDR**: if you're using the [OpenAI provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#openai) with [baibot](docs/configuring-playbook-bot-baibot.md), you can now enable [built-in tools](https://github.com/etkecc/baibot/blob/61d18b2/docs/features.md#%EF%B8%8F-built-in-tools-openai-only) (`web_search` and `code_interpreter`) to extend the model's capabilities.
These tools are **disabled by default** and can be enabled via Ansible variables for static agent configurations:
```yaml
matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: true
matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: true
```
Users who define agents dynamically at runtime will need to [update their agents](https://github.com/etkecc/baibot/blob/61d18b2/docs/agents.md#updating-agents) to enable these tools. See the [baibot v1.14.0 changelog](https://github.com/etkecc/baibot/blob/61d18b2/CHANGELOG.md) for details.
## Whoami-based sync worker routing for improved sticky sessions for Synapse
Deployments using [Synapse workers](./docs/configuring-playbook-synapse.md#load-balancing-with-workers) now benefit from improved sync worker routing via a new whoami-based mechanism (making use of the [whoami Matrix Client-Server API](https://spec.matrix.org/v1.17/client-server-api/#get_matrixclientv3accountwhoami)).
Previously, sticky routing for sync workers relied on parsing usernames from access tokens, which only worked with native Synapse tokens (`syt_<base64 username>_...`). This approach failed for [Matrix Authentication Service](docs/configuring-playbook-matrix-authentication-service.md) (MAS) deployments, where tokens are opaque and don't contain username information. This resulted in device-level stickiness (same token → same worker) rather than user-level stickiness (same user → same worker regardless of device), leading to suboptimal cache utilization on sync workers.
The new implementation calls Synapse's `/whoami` endpoint to resolve access tokens to usernames, enabling proper user-level sticky routing regardless of the authentication system in use (native Synapse auth, MAS, etc.). Results are cached to minimize overhead.
This change:
- **Automatically enables** when sync workers are configured (no action required)
- **Works universally** with any authentication system
- **Replaces the old implementation** entirely to keep the codebase simple
- **Adds minimal overhead** (one cached internal subrequest per sync request) for non-MAS deployments
For debugging, you can enable verbose logging and/or response headers showing routing decisions:
```yaml
# Logs cache hits/misses and routing decisions to the container's stderr
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled: true
# Adds X-Sync-Worker-Router-User-Identifier and X-Sync-Worker-Router-Upstream headers to sync responses
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled: true
```
# 2025-12-09
## Traefik Cert Dumper upgrade

3
README.md
View File

@@ -79,7 +79,6 @@ Services that run on the server to make the various parts of your installation w
| [Traefik](https://doc.traefik.io/traefik/) | ✅ | Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. [Using your own webserver](docs/configuring-playbook-own-webserver.md) is also possible. | [Link](docs/configuring-playbook-traefik.md) |
| [Let's Encrypt](https://letsencrypt.org/) | ✅ | Free SSL certificate, which secures the connection to all components | [Link](docs/configuring-playbook-ssl-certificates.md) |
| [Exim](https://www.exim.org/) | ✅ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) |
| [ma1sd](https://github.com/ma1uta/ma1sd) | ❌ | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md)
| [ddclient](https://github.com/linuxserver/docker-ddclient) | ❌ | Dynamic DNS | [Link](docs/configuring-playbook-dynamic-dns.md) |
| [LiveKit Server](https://github.com/livekit/livekit) | ❌ | WebRTC server for audio/video calls | [Link](docs/configuring-playbook-livekit-server.md) |
| [Livekit JWT Service](https://github.com/livekit/livekit-jwt-service) | ❌ | JWT service for integrating [Element Call](./configuring-playbook-element-call.md) with [LiveKit Server](./configuring-playbook-livekit-server.md) | [Link](docs/configuring-playbook-livekit-jwt-service.md) |
@@ -134,7 +133,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
| [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) | ❌ | Bridge to SMS | [Link](docs/configuring-playbook-bridge-matrix-bridge-sms.md) |
| [matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) | [Link](docs/configuring-playbook-bridge-steam.md) |
| [matrix-wechat](https://github.com/duo/matrix-wechat) | ❌ | Bridge to [WeChat](https://www.wechat.com/) | [Link](docs/configuring-playbook-bridge-wechat.md) |
| [MatrixZulipBridge](https://github.com/GearKite/MatrixZulipBridge) | ❌ | Puppeting appservice bridge for [Zulip](https://zulip.com/) | [Link](docs/configuring-playbook-bridge-zulip.md) |
| [Heisenbridge](https://github.com/hifi/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-heisenbridge.md) |
| [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) |
| [mx-puppet-steam](https://codeberg.org/icewind/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) |
@@ -175,7 +173,6 @@ Various services that don't fit any other categories.
| Name | Default? | Description | Documentation |
| ---- | -------- | ----------- | ------------- |
| [sliding-sync](https://github.com/matrix-org/sliding-sync)| ❌ | (Superseded by Simplified Sliding Sync integrated into Synapse > `1.114` and Conduit > `0.6.0`) Sliding Sync support for clients which require it (e.g. old Element X versions before Simplified Sliding Sync was developed) | [Link](docs/configuring-playbook-sliding-sync-proxy.md) |
| [synapse_auto_accept_invite](https://github.com/matrix-org/synapse-auto-accept-invite) | ❌ | Synapse module to automatically accept invites | [Link](docs/configuring-playbook-synapse-auto-accept-invite.md) |
| [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) | ❌ | Cli tool that automatically compresses `state_groups` database table in background | [Link](docs/configuring-playbook-synapse-auto-compressor.md) |
| [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | ❌ | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) |

6
docs/configuring-playbook-bot-baibot.md
View File

@@ -243,6 +243,12 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: "YOUR_
# If you'd like to use another text-generation agent, uncomment and adjust:
# matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-4.1
# Uncomment below to enable OpenAI's built-in tools.
# These tools are disabled by default. Enabling them may incur additional costs.
# See: https://github.com/etkecc/baibot/blob/61d18b2/docs/features.md#%EF%B8%8F-built-in-tools-openai-only
# matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: true
# matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: true
```
Because this is a [statically](https://github.com/etkecc/baibot/blob/main/docs/configuration/README.md#static-configuration)-defined agent, it will be given a `static/` ID prefix and will be named `static/openai`.

2
docs/configuring-playbook-bridge-go-skype-bridge.md
View File

@@ -22,5 +22,5 @@ systemctl disable --now matrix-go-skype-bridge.service
rm -rf /matrix/go-skype-bridge
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_go_skype_bridge;'
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_go_skype_bridge;'
```

2
docs/configuring-playbook-bridge-mautrix-facebook.md
View File

@@ -28,5 +28,5 @@ systemctl disable --now matrix-mautrix-facebook.service
rm -rf /matrix/mautrix-facebook
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mautrix_facebook;'
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_mautrix_facebook;'
```

2
docs/configuring-playbook-bridge-mautrix-hangouts.md
View File

@@ -23,5 +23,5 @@ systemctl disable --now matrix-mautrix-hangouts.service
rm -rf /matrix/mautrix-hangouts
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mautrix_hangouts;'
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_mautrix_hangouts;'
```

2
docs/configuring-playbook-bridge-mautrix-instagram.md
View File

@@ -29,5 +29,5 @@ systemctl disable --now matrix-mautrix-instagram.service
rm -rf /matrix/mautrix-instagram
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mautrix_instagram;'
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_mautrix_instagram;'
```

2
docs/configuring-playbook-bridge-mx-puppet-discord.md
View File

@@ -27,5 +27,5 @@ systemctl disable --now matrix-mx-puppet-discord.service
rm -rf /matrix/mx-puppet-discord
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mx_puppet_discord;'
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_mx_puppet_discord;'
```

2
docs/configuring-playbook-bridge-mx-puppet-instagram.md
View File

@@ -26,5 +26,5 @@ systemctl disable --now matrix-mx-puppet-instagram.service
rm -rf /matrix/mx-puppet-instagram
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mx_puppet_instagram;'
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_mx_puppet_instagram;'
```

2
docs/configuring-playbook-bridge-mx-puppet-slack.md
View File

@@ -29,5 +29,5 @@ systemctl disable --now matrix-mx-puppet-slack.service
rm -rf /matrix/mx-puppet-slack
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mx_puppet_slack;'
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_mx_puppet_slack;'
```

2
docs/configuring-playbook-bridge-mx-puppet-twitter.md
View File

@@ -25,5 +25,5 @@ systemctl disable --now matrix-mx-puppet-twitter.service
rm -rf /matrix/mx-puppet-twitter
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mx_puppet_twitter;'
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_mx_puppet_twitter;'
```

83
docs/configuring-playbook-bridge-zulip.md
View File

@@ -1,83 +0,0 @@
<!--
SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2021 Toni Spets
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
# Setting up a Zulip bridge (optional)
The playbook can install and configure [MatrixZulipBridge](https://github.com/GearKite/MatrixZulipBridge) for you.
See the project's [documentation](https://github.com/GearKite/MatrixZulipBridge/blob/main/README.md) to learn what it does and why it might be useful to you.
## Adjusting DNS records (optional)
By default, this playbook installs the Zulip bridge on the `matrix.` subdomain, at the `/zulip` path (https://matrix.example.com/zulip). This makes it easy to install it, because it **doesn't require additional DNS records to be set up**. If that's okay, you can skip this section.
If you wish to adjust it, see the section [below](#adjusting-the-zulip-bridge-url-optional) for details about DNS configuration.
## Adjusting the playbook configuration
To enable the Zulip bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_zulip_bridge_enabled: true
# Uncomment to add one or more admins to this bridge:
#
# matrix_zulip_bridge_owner:
# - '@yourAdminAccount:{{ matrix_domain }}'
#
# … unless you've made yourself an admin of all bots/bridges like this:
#
# matrix_admin: '@yourAdminAccount:{{ matrix_domain }}'
```
### Adjusting the Zulip bridge URL (optional)
By tweaking the `matrix_zulip_bridge_hostname` and `matrix_zulip_bridge_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one.
Example additional configuration for your `vars.yml` file:
```yaml
# Change the default hostname and path prefix
matrix_zulip_bridge_hostname: zulip.example.com
matrix_zulip_bridge_path_prefix: /
```
If you've changed the default hostname, you may need to create a CNAME record for the Zulip bridge domain (`zulip.example.com`), which targets `matrix.example.com`.
When setting, replace `example.com` with your own.
### Extending the configuration
There are some additional things you may wish to configure about the bridge.
Take a look at:
- `roles/custom/matrix-bridge-zulip/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
## Installing
After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:
<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
```sh
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
## Usage
To use the bridge, you need to start a chat with `@zulipbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain). If the bridge ignores you and a DM is not accepted then the owner setting may be wrong.
If you encounter issues or feel lost you can join the project room at [#matrixzulipbridge:shema.lv](https://matrix.to/#/#matrixzulipbridge:shema.lv) for help.
## Troubleshooting
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-bridge-zulip`.

14
docs/configuring-playbook-client-cinny.md
View File

@@ -27,26 +27,26 @@ When setting, replace `example.com` with your own.
To enable Cinny, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_client_cinny_enabled: true
cinny_enabled: true
```
### Adjusting the Cinny URL (optional)
By tweaking the `matrix_client_cinny_hostname` variable, you can easily make the service available at a **different hostname** than the default one.
By tweaking the `cinny_hostname` variable, you can easily make the service available at a **different hostname** than the default one.
Example additional configuration for your `vars.yml` file:
```yaml
# Switch to a different domain (`app.example.com`) than the default one (`cinny.example.com`)
matrix_client_cinny_hostname: "app.{{ matrix_domain }}"
cinny_hostname: "app.{{ matrix_domain }}"
# Expose under the /cinny subpath
# matrix_client_cinny_path_prefix: /cinny
# cinny_path_prefix: /cinny
```
After changing the domain, **you may need to adjust your DNS** records to point the Cinny domain to the Matrix server.
**Note**: while there is a `matrix_client_cinny_path_prefix` variable for changing the path where Cinny is served, overriding it is [not possible](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3701), because Cinny requires an application rebuild (with a tweaked build config) to be functional under a custom path. You'd need to serve Cinny at a dedicated subdomain.
**Note**: while there is a `cinny_path_prefix` variable for changing the path where Cinny is served, overriding it is [not possible](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3701), because Cinny requires an application rebuild (with a tweaked build config) to be functional under a custom path. You'd need to serve Cinny at a dedicated subdomain.
### Extending the configuration
@@ -54,8 +54,8 @@ There are some additional things you may wish to configure about the component.
Take a look at:
- `roles/custom/matrix-client-cinny/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/custom/matrix-client-cinny/templates/config.json.j2` for the component's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_client_cinny_configuration_extension_json` variable
- `roles/galaxy/cinny/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/galaxy/cinny/templates/config.json.j2` for the component's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `cinny_configuration_extension_json` variable
## Installing

39
docs/configuring-playbook-dynamic-dns.md
View File

@@ -1,7 +1,20 @@
<!--
SPDX-FileCopyrightText: 2020 Aaron Raimist
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-FileCopyrightText: 2020 Dominik Zajac
SPDX-FileCopyrightText: 2020 Mickaël Cornière
SPDX-FileCopyrightText: 2020 Scott Crossen
SPDX-FileCopyrightText: 2020 Slavi Pantaleev
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2020-2024 MDAD project contributors
SPDX-FileCopyrightText: 2020-2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2022 François Darveau
SPDX-FileCopyrightText: 2022 Julian Foad
SPDX-FileCopyrightText: 2022 Warren Bailey
SPDX-FileCopyrightText: 2023 Antonis Christofides
SPDX-FileCopyrightText: 2023 Felix Stupp
SPDX-FileCopyrightText: 2023 Julian-Samuel Gebühr
SPDX-FileCopyrightText: 2023 Pierre 'McFly' Marty
SPDX-FileCopyrightText: 2024 Tiz
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
@@ -12,6 +25,10 @@ The playbook can configure Dynamic DNS with [ddclient](https://github.com/ddc
Most cloud providers / ISPs will charge you extra for a static IP address. If you're not hosting a highly reliable homeserver you can workaround this via dynamic DNS.
For details about configuring the [Ansible role for ddclient](https://github.com/mother-of-all-self-hosting/ansible-role-ddclient), you can check them via:
- 🌐 [the role's documentation](https://github.com/mother-of-all-self-hosting/ansible-role-ddclient/blob/main/docs/configuring-ddclient.md) online
- 📁 `roles/galaxy/ddclient/docs/configuring-ddclient.md` locally, if you have [fetched the Ansible roles](../installing.md)
## Prerequisite
You'll need to authenticate with your DNS provider somehow, in most cases this is simply a username and password but can differ from provider to provider. Please consult with your providers documentation and the upstream [ddclient documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in) to determine what you'll need to provide to authenticate.
@@ -21,17 +38,23 @@ You'll need to authenticate with your DNS provider somehow, in most cases this i
To enable dynamic DNS, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_dynamic_dns_enabled: true
ddclient_enabled: true
matrix_dynamic_dns_domain_configurations:
ddclient_domain_configurations:
- provider: example.net
protocol: dyndn2
protocol: dyndns2
username: YOUR_USERNAME_HERE
password: YOUR_PASSWORD_HERE
domain: "{{ matrix_domain }}"
```
Keep in mind that certain providers may require a different configuration of the `matrix_dynamic_dns_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in).
Keep in mind that certain providers may require a different configuration of the `ddclient_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in).
### Configuring the endpoint to obtain IP address (optional)
The playbook sets the default endpoint for obtaining the IP address to `https://cloudflare.com/cdn-cgi/trace`. You can replace it by specifying yours to `ddclient_web` and `ddclient_web_skip` if necessary.
Refer to [this section](https://github.com/mother-of-all-self-hosting/ansible-role-ddclient/blob/main/docs/configuring-ddclient.md#setting-the-endpoint-to-obtain-ip-address-optional) for more information.
### Extending the configuration
@@ -39,7 +62,7 @@ There are some additional things you may wish to configure about the component.
Take a look at:
- `roles/custom/matrix-dynamic-dns/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/galaxy/ddclient/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
## Installing
@@ -63,4 +86,4 @@ Additional resources:
## Troubleshooting
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-dynamic-dns`. However, due to an [upstream issue](https://github.com/linuxserver/docker-ddclient/issues/54#issuecomment-1153143132) the logging output is not always complete. For advanced debugging purposes running the `ddclient` tool outside of the container is useful via the following: `ddclient -file ./ddclient.conf -daemon=0 -debug -verbose -noquiet`.
See [this section](https://github.com/mother-of-all-self-hosting/ansible-role-ddclient/blob/main/docs/configuring-ddclient.md#troubleshooting) on the role's documentation for details.

2
docs/configuring-playbook-federation.md
View File

@@ -44,7 +44,7 @@ matrix_homeserver_federation_enabled: false
With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.
**Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) and [ma1sd](configuring-playbook-ma1sd.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use:
**Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use:
```yaml
matrix_homeserver_federation_enabled: false

185
docs/configuring-playbook-ma1sd.md
View File

@@ -1,176 +1,37 @@
<!--
SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 - 2020 MDAD project contributors
SPDX-FileCopyrightText: 2018-2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Eduardo Beltrame
SPDX-FileCopyrightText: 2019 Noah Fleischmann
SPDX-FileCopyrightText: 2020 Justin Croonenberghs
SPDX-FileCopyrightText: 2019-2022, 2024 MDAD project contributors
SPDX-FileCopyrightText: 2020 Hugues Morisset
SPDX-FileCopyrightText: 2020 Marcel Partap
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2020 Tulir Asokan
SPDX-FileCopyrightText: 2020, 2023 Justin Croonenberghs
SPDX-FileCopyrightText: 2022 Dennis Ciba
SPDX-FileCopyrightText: 2022 Vladimir Panteleev
SPDX-FileCopyrightText: 2023 Kuba Orlik
SPDX-FileCopyrightText: 2023 Pierre 'McFly' Marty
SPDX-FileCopyrightText: 2023 Samuel Meenzen
SPDX-FileCopyrightText: 2024 Fabio Bonelli
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
# Setting up ma1sd Identity Server (optional)
# Setting up ma1sd Identity Server (optional, removed)
> [!WARNING]
> Since ma1sd has been unmaintained for years (the latest commit and release being from 2021) and the future of identity server's role in the Matrix specification is uncertain, **we recommend not bothering with installing it unless it's the only way you can do what you need to do**.
>
> Please note that certain things can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./configuring-playbook-ldap-auth.md) instead.
🪦 The playbook used to be able to install and configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server, but no longer includes this component, as it has been unmaintained for a long time.
The playbook can configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. It is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.
Please note that some of the functions can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./configuring-playbook-ldap-auth.md) instead.
ma1sd is used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features). It is private by default, potentially at the expense of user discoverability.
## Uninstalling the component manually
See the project's [documentation](https://github.com/ma1uta/ma1sd/blob/master/README.md) to learn what it does and why it might be useful to you.
If you still have the ma1sd Identity Server installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:
## Prerequisites
### Open Matrix Federation port
Enabling the ma1sd service will automatically reconfigure your Synapse homeserver to expose the `openid` API endpoints on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. If you enable the component, make sure that the port is accessible.
## Adjusting DNS records
To make the ma1sd Identity Server enable its federation features, set up a SRV record that looks like this:
- Name: `_matrix-identity._tcp` (use this text as-is)
- Content: `10 0 443 matrix.example.com` (replace `example.com` with your own)
See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record.
When setting up a SRV record, if you are asked for a service and protocol instead of a hostname split the host value from the table where the period is. For example use service as `_matrix-identity` and protocol as `_tcp`.
**Note**: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.
## Adjusting the playbook configuration
To enable ma1sd, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_ma1sd_enabled: true
```
### Matrix.org lookup forwarding
To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).
Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding.
To enable matrix.org forwarding, add the following configuration to your `vars.yml` file:
```yaml
matrix_ma1sd_matrixorg_forwarding_enabled: true
```
### Extending the configuration
There are some additional things you may wish to configure about the component.
Take a look at:
- `roles/custom/matrix-ma1sd/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_ma1sd_configuration_extension_yaml` variable
You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options.
#### Customizing email templates
If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables (in the `roles/custom/matrix-ma1sd/defaults/main.yml` file.
#### ma1sd-controlled Registration
To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables:
- `matrix_synapse_enable_registration` — to enable user-initiated registration in Synapse
- `matrix_synapse_enable_registration_captcha` — to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring-captcha.md) documentation.
- `matrix_synapse_registrations_require_3pid` — a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering
- variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) — to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality
- `matrix_ma1sd_configuration_extension_yaml` — to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.
**Note**: For this to work, either the homeserver needs to [federate](configuring-playbook-federation.md) or the `openid` APIs need to exposed on the federation port. When federation is disabled and ma1sd is enabled, we automatically expose the `openid` APIs (only!) on the federation port. Make sure the federation port (usually `https://matrix.example.com:8448`) is whitelisted in your firewall (even if you don't actually use/need federation).
#### Authentication
[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver.
To enable authentication against an LDAP server, add the following configuration to your `vars.yml` file:
```yaml
matrix_synapse_ext_password_provider_rest_auth_enabled: true
# matrix-ma1sd is the hostname of the ma1sd Docker container
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
matrix_ma1sd_configuration_extension_yaml: |
ldap:
enabled: true
connection:
host: ldapHostnameOrIp
tls: false
port: 389
baseDNs: ['OU=Users,DC=example,DC=org']
bindDn: CN=My ma1sd User,OU=Users,DC=example,DC=org
bindPassword: TheUserPassword
```
#### Example: SMS verification
If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:
```yaml
matrix_ma1sd_configuration_extension_yaml: |
threepid:
medium:
msisdn:
connectors:
twilio:
account_sid: '<secret-SID>'
auth_token: '<secret-token>'
number: '+<msisdn-number>'
```
#### Example: Open Registration for every Domain
If you want to open registration for any domain, you have to setup the allowed domains with ma1sd's `blacklist` and `whitelist`. The default behavior when neither the `blacklist`, nor the `whitelist` match, is to allow registration. Beware: you can't block toplevel domains (aka `.xy`) because the internal architecture of ma1sd doesn't allow that.
```yaml
matrix_ma1sd_configuration_extension_yaml: |
register:
policy:
allowed: true
threepid:
email:
domain:
blacklist: ~
whitelist: ~
```
## Installing
After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:
<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
```sh
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
## Troubleshooting
If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md).
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-ma1sd`.
### Increase logging verbosity
If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:
```yaml
# See: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
matrix_ma1sd_verbose_logging: true
systemctl disable --now matrix-ma1sd.service
rm -rf /matrix/ma1sd
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_ma1sd;'
```

4
docs/configuring-playbook-matrix-authentication-service.md
View File

@@ -57,6 +57,10 @@ This section details what you can expect when switching to the Matrix Authentica
- [Reminder bot](configuring-playbook-bot-matrix-reminder-bot.md) seems to be losing some of its state on each restart and may reschedule old reminders once again
- [Postmoogle](./configuring-playbook-bridge-postmoogle.md) works the first time around, but it consistently fails after restarting:
> cannot initialize matrix bot error="olm account is marked as shared, keys seem to have disappeared from the server"
-**Encrypted appservices** do not work yet (related to [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) and [PR 17705 for Synapse](https://github.com/element-hq/synapse/pull/17705)), so all bridges/bots that rely on encryption will fail to start (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3658) for Hookshot). You can use these bridges/bots only if you **keep end-to-bridge encryption disabled** (which is the default setting).
- ⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) is **possible**, but requires **some playbook-assisted manual work**. Migration is **reversible with no or minor issues if done quickly enough**, but as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.

18
docs/configuring-playbook-matrix-media-repo.md
View File

@@ -24,8 +24,21 @@ To enable matrix-media-repo, add the following configuration to your `inventory/
```yaml
matrix_media_repo_enabled: true
# Any unique alphanumeric string. Cannot be changed after first use.
# For new installations, generate one with: pwgen -s 64 1
# For existing installations, see below.
matrix_media_repo_datastore_file_id: "CHANGE_ME_TO_A_UNIQUE_VALUE"
```
**For existing installations**: retrieve the current datastore ID from the server's config file before proceeding:
```sh
grep 'id:' /matrix/media-repo/config/media-repo.yaml
```
Then use that value for `matrix_media_repo_datastore_file_id`. This is not a secret — it is a plain identifier used by matrix-media-repo to link media files to their storage backend.
By default, the media-repo will use the local filesystem for data storage. You can alternatively use a `s3` cloud backend as well. Access token caching is also enabled by default since the logout endpoints are proxied through the media repo.
### Enable metrics
@@ -109,6 +122,11 @@ matrix_media_repo_admins: []
matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "local_media", "archives"]
matrix_media_repo_datastore_s3_for_kinds: []
# Required when S3 storage is enabled (matrix_media_repo_datastore_s3_for_kinds is non-empty).
# Any unique alphanumeric string. Cannot be changed after first use.
# For new installations, generate one with: pwgen -s 64 1
# matrix_media_repo_datastore_s3_id: ""
# The s3 uploader needs a temporary location to buffer files to reduce memory usage on
# small file uploads. If the file size is unknown, the file is written to this location
# before being uploaded to s3 (then the file is deleted). If you aren't concerned about

9
docs/configuring-playbook-rest-auth.md
View File

@@ -18,7 +18,7 @@ Add the following configuration to your `inventory/host_vars/matrix.example.com/
```yaml
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
matrix_synapse_ext_password_provider_rest_auth_endpoint: SET_YOUR_ENDPOINT_HERE
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
@@ -47,9 +47,4 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
## Usage
### Use ma1sd Identity Server for the backend (not recommended)
This module does not provide direct integration with any backend. For the backend you can use [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server, which can be configured with the playbook.
> [!WARNING]
> We recommend not bothering with installing ma1sd as it has been unmaintained for years. If you wish to install it anyway, consult the [ma1sd Identity Server configuration](configuring-playbook-ma1sd.md).
This module does not provide direct integration with any backend. Please prepare one by yourself for it.

95
docs/configuring-playbook-sliding-sync-proxy.md
View File

@@ -1,95 +1,32 @@
<!--
SPDX-FileCopyrightText: 2023 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Eduardo Beltrame
SPDX-FileCopyrightText: 2019-2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Tulir Asokan
SPDX-FileCopyrightText: 2021, 2024 MDAD project contributors
SPDX-FileCopyrightText: 2022 Dennis Ciba
SPDX-FileCopyrightText: 2022 Vladimir Panteleev
SPDX-FileCopyrightText: 2023 Justin Croonenberghs
SPDX-FileCopyrightText: 2023 Kuba Orlik
SPDX-FileCopyrightText: 2023 Pierre 'McFly' Marty
SPDX-FileCopyrightText: 2023 Samuel Meenzen
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2024 Fabio Bonelli
SPDX-FileCopyrightText: 2024 MDAD project contributors
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
# Setting up the Sliding Sync proxy (optional)
# Setting up the Sliding Sync proxy (optional, removed)
**Note**: The sliding-sync proxy is **not required** anymore as it's been replaced with a different method (called Simplified Sliding Sync) which is integrated into newer homeservers by default (**Conduit** homeserver from version `0.6.0` or **Synapse** from version `1.114`). This component and documentation remain here for historical purposes, but **installing this old sliding-sync proxy is generally not recommended anymore**.
🪦 The playbook used to be able to install and configure the [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy, but no longer includes this component, as it's been replaced with a different method (called Simplified Sliding Sync) integrated to newer homeservers by default (**Conduit** homeserver from version `0.6.0` or **Synapse** from version `1.114`).
The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you.
## Uninstalling the proxy manually
Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running Element X clients ([Element X iOS](https://github.com/element-hq/element-x-ios) and [Element X Android](https://github.com/element-hq/element-x-android)). See the project's [documentation](https://github.com/matrix-org/sliding-sync) to learn more.
If you still have the Sliding Sync proxy installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:
## Adjusting DNS records (optional)
By default, this playbook installs the Sliding Sync proxy on the `matrix.` subdomain, at the `/sliding-sync` path (https://matrix.example.com/sliding-sync). This makes it easy to install it, because it **doesn't require additional DNS records to be set up**. If that's okay, you can skip this section.
If you wish to adjust it, see the section [below](#adjusting-the-sliding-sync-proxy-url-optional) for details about DNS configuration.
## Adjusting the playbook configuration
To enable Sliding Sync proxy, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_sliding_sync_enabled: true
```
### Adjusting the Sliding Sync proxy URL (optional)
By tweaking the `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one.
Example additional configuration for your `vars.yml` file:
```yaml
# Change the default hostname and path prefix
matrix_sliding_sync_hostname: ss.example.com
matrix_sliding_sync_path_prefix: /
```
If you've changed the default hostname, you may need to create a CNAME record for the Sliding Sync proxy domain (`ss.example.com`), which targets `matrix.example.com`.
When setting, replace `example.com` with your own.
### Extending the configuration
There are some additional things you may wish to configure about the component.
Take a look at:
- `roles/custom/matrix-sliding-sync/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
## Installing
After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:
<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
```sh
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
systemctl disable --now matrix-sliding-sync.service
rm -rf /matrix/sliding-sync
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_sliding_sync;'
```
The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
### External databases
Please note that, if your setup utilizes an external database, you must also establish configuration for the sliding sync proxy. Alter the defaults below to suit your configuration:
```yaml
matrix_sliding_sync_database_username: 'matrix_sliding_sync'
matrix_sliding_sync_database_password: ''
matrix_sliding_sync_database_hostname: ''
matrix_sliding_sync_database_port: 5432
matrix_sliding_sync_database_name: 'matrix_sliding_sync'
```
## Usage
You **don't need to do anything special** to make use of the Sliding Sync proxy. Simply open your client which supports Sliding Sync (like Element X) and log in.
When the Sliding Sync proxy is [installed](#installing), your `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc3575.proxy` section and `url` property are added there and made to point to your Sliding Sync proxy's base URL (e.g. `https://matrix.example.com/sliding-sync`).
This allows clients which support Sliding Sync to detect the Sliding Sync proxy's URL and make use of it.
## Troubleshooting
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-sliding-sync`.

2
docs/configuring-playbook-ssl-certificates.md
View File

@@ -17,7 +17,7 @@ By default, the playbook retrieves and automatically renews free SSL certificate
- This guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
- Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiration notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the MASH playbook. If you are wondering how to use the MASH playbook for your Matrix server, refer [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md).
The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
## Use staging Let's Encrypt certificates

14
docs/configuring-playbook-turn.md
View File

@@ -1,9 +1,12 @@
<!--
SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2018-2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Aaron Raimist
SPDX-FileCopyrightText: 2020 Christian Wolf
SPDX-FileCopyrightText: 2020 MDAD project contributors
SPDX-FileCopyrightText: 2020 Marcel Partap
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2020-2024 MDAD project contributors
SPDX-FileCopyrightText: 2022 Alejo Diaz
SPDX-FileCopyrightText: 2022 Julian Foad
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
@@ -26,7 +29,10 @@ If you'd rather use a local IP for `ansible_host`, add the following configurati
matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
```
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [EchoIP](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
>[!NOTE]
> You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
If your server has multiple external IP addresses, the coturn role offers a different variable for specifying them:

6
docs/configuring-playbook.md
View File

@@ -70,8 +70,6 @@ For a more custom setup, see the [Other configuration options](#other-configurat
- [Adjusting email-sending settings](configuring-playbook-email.md)
- [Setting up ma1sd Identity Server](configuring-playbook-ma1sd.md)
- [Setting up Dynamic DNS](configuring-playbook-dynamic-dns.md)
- Server connectivity:
@@ -188,8 +186,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
- [Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)
- [Setting up Zulip bridging](configuring-playbook-bridge-zulip.md)
### Bots
Bots provide various additional functionality to your installation.
@@ -277,6 +273,8 @@ Various services that don't fit any other categories.
- [Setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md) (removed; Skype has been discontinued since May 2025)
- [Setting up ma1sd Identity Server](configuring-playbook-ma1sd.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook.)
- [Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) (unmaintained; the bridge's author suggests taking a look at [baibot](https://github.com/etkecc/baibot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bot-baibot.md))
- [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-messenger](configuring-playbook-bridge-mautrix-meta-messenger.md))

5
docs/container-images.md
View File

@@ -53,7 +53,6 @@ Services that run on the server to make the various parts of your installation w
| [Traefik](configuring-playbook-traefik.md) | [Traefik](https://hub.docker.com/_/traefik/) | ✅ | Web server, listening on ports 80, 443 and 8448 — standing in front of all the other services. [Using your own webserver](configuring-playbook-own-webserver.md) is also possible. |
| [Let's Encrypt](configuring-playbook-ssl-certificates.md) | [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) | ✅ | [Certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) |
| [Exim](configuring-playbook-email.md) | [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) | ✅ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) |
| [ma1sd](configuring-playbook-ma1sd.md) | [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) | ❌ | Matrix Identity Server |
| [ddclient](configuring-playbook-dynamic-dns.md) | [linuxserver/ddclient](https://hub.docker.com/r/linuxserver/ddclient) | ❌ | Update dynamic DNS entries for accounts on Dynamic DNS Network Service Provider |
| [LiveKit Server](configuring-playbook-livekit-server.md) | [livekit/livekit-server](https://hub.docker.com/r/livekit/livekit-server/) | ❌ | WebRTC server for audio/video calls |
| [Livekit JWT Service](configuring-playbook-livekit-jwt-service.md) | [element-hq/lk-jwt-service](https://ghcr.io/element-hq/lk-jwt-service) | ❌ | JWT service for integrating [Element Call](./configuring-playbook-element-call.md) with [LiveKit Server](./configuring-playbook-livekit-server.md) |
@@ -107,7 +106,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
| [matrix-hookshot](configuring-playbook-bridge-hookshot.md) | [halfshot/matrix-hookshot](https://hub.docker.com/r/halfshot/matrix-hookshot) | ❌ | Bridge for generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular |
| [matrix-sms-bridge](configuring-playbook-bridge-matrix-bridge-sms.md) | [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) | ❌ | Bridge to SMS |
| [matrix-wechat](configuring-playbook-bridge-wechat.md) | [lxduo/matrix-wechat](https://hub.docker.com/r/lxduo/matrix-wechat) | ❌ | Bridge to [WeChat](https://www.wechat.com/) |
| [MatrixZulipBridge](configuring-playbook-bridge-zulip.md) | [GearKite/MatrixZulipBridge](https://ghcr.io/gearkite/matrixzulipbridge) | ❌ | Puppeting appservice bridge for [Zulip](https://zulip.com/) |
| [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) | [hif1/heisenbridge](https://hub.docker.com/r/hif1/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) |
| [mx-puppet-groupme](configuring-playbook-bridge-mx-puppet-groupme.md) | [xangelix/mx-puppet-groupme](https://hub.docker.com/r/xangelix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) |
| [matrix-steam-bridge](configuring-playbook-bridge-steam.md) | [jasonlaguidice/matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge/pkgs/container/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) |
@@ -153,7 +151,6 @@ Various services that don't fit any other categories.
| Service | Container image | Default? | Description |
| ------- | --------------- | -------- | ----------- |
| [sliding-sync](configuring-playbook-sliding-sync-proxy.md) | [matrix-org/sliding-sync](https://ghcr.io/matrix-org/sliding-sync) | ❌ | Sliding Sync support for clients which require it (like old Element X versions, before it got switched to Simplified Sliding Sync) |
| [synapse_auto_accept_invite](configuring-playbook-synapse-auto-accept-invite.md) | (N/A) | ❌ | Synapse module to automatically accept invites |
| [synapse_auto_compressor](configuring-playbook-synapse-auto-compressor.md) | [mb-saces/rust-synapse-tools](https://gitlab.com/mb-saces/rust-synapse-tools/container_registry) | ❌ | Cli tool that automatically compresses Synapse's `state_groups` database table in background |
| [Matrix Corporal](configuring-playbook-matrix-corporal.md) (advanced) | [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) | ❌ | Reconciliator and gateway for a managed Matrix server |
@@ -178,6 +175,7 @@ The list of the deprecated or unmaintained services is available [here](configur
| [Dimension](configuring-playbook-dimension.md) | [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) | ❌ | Open source integration manager for Matrix clients |
| [Email2Matrix](configuring-playbook-email2matrix.md) | [devture/email2matrix](https://hub.docker.com/r/devture/email2matrix/) | ❌ | Bridge for relaying emails to Matrix rooms |
| [Go-NEB](configuring-playbook-bot-go-neb.md) | [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) | ❌ | Multi functional bot written in Go |
| [ma1sd](configuring-playbook-ma1sd.md) | [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) | ❌ | Matrix Identity Server |
| [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md) | [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) | ❌ | Bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) |
| [matrix-chatgpt-bot](configuring-playbook-bot-chatgpt.md) | [matrixgpt/matrix-chatgpt-bot](https://ghcr.io/matrixgpt/matrix-chatgpt-bot) | ❌ | Accessing ChatGPT via your favourite Matrix client |
| [mautrix-facebook](configuring-playbook-bridge-mautrix-facebook.md) | [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) | ❌ | Bridge to [Facebook](https://facebook.com/) |
@@ -186,3 +184,4 @@ The list of the deprecated or unmaintained services is available [here](configur
| [mx-puppet-instagram](configuring-playbook-bridge-mx-puppet-instagram.md) | [sorunome/mx-puppet-instagram](https://hub.docker.com/r/sorunome/mx-puppet-instagram) | ❌ | Bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) |
| [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) | [mx-puppet/slack/mx-puppet-slack](https://gitlab.com/mx-puppet/slack/mx-puppet-slack/container_registry) | ❌ | Bridge to [Slack](https://slack.com) |
| [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) | [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) | ❌ | Bridge for Twitter-DMs ([Twitter](https://twitter.com/)) |
| [sliding-sync](configuring-playbook-sliding-sync-proxy.md) | [matrix-org/sliding-sync](https://ghcr.io/matrix-org/sliding-sync) | ❌ | Sliding Sync support for clients which require it (like old Element X versions, before it got switched to Simplified Sliding Sync) |

2
docs/prerequisites.md
View File

@@ -23,8 +23,6 @@ We will be using `example.com` as the domain in the following instruction. Pleas
- [Ansible](http://ansible.com/) program. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
- [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library. See [this official documentation](https://passlib.readthedocs.io/en/stable/install.html#installation-instructions) for an instruction to install it. On most distros, you need to install some `python-passlib` or `py3-passlib` package, etc.
- [`git`](https://git-scm.com/) as the recommended way to download the playbook. `git` may also be required on the server if you will be [self-building](self-building.md) components.
- [`just`](https://github.com/casey/just) for running `just roles`, `just update`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually. Take a look at this documentation for more information: [Running `just` commands](just.md).

3
docs/self-building.md
View File

@@ -29,12 +29,11 @@ Possibly outdated list of roles where self-building the Docker image is currentl
- `matrix-synapse-admin`
- `matrix-client-element`
- `matrix-client-hydrogen`
- `matrix-client-cinny`
- `cinny`
- `matrix-registration`
- `matrix-coturn`
- `matrix-corporal`
- `matrix-dimension`
- `matrix-ma1sd`
- `exim-relay`
- `matrix-bridge-hookshot`
- `matrix-bridge-appservice-irc`

595
group_vars/matrix_servers
View File

File diff suppressed because it is too large Load Diff

14
i18n/requirements.txt
View File

@@ -1,6 +1,6 @@
alabaster==1.0.0
babel==2.17.0
certifi==2025.11.12
babel==2.18.0
certifi==2026.1.4
charset-normalizer==3.4.4
click==8.3.1
docutils==0.22.4
@@ -12,14 +12,14 @@ markdown-it-py==4.0.0
MarkupSafe==3.0.3
mdit-py-plugins==0.5.0
mdurl==0.1.2
myst-parser==4.0.1
packaging==25.0
myst-parser==5.0.0
packaging==26.0
Pygments==2.19.2
PyYAML==6.0.3
requests==2.32.5
setuptools==80.9.0
setuptools==82.0.0
snowballstemmer==3.0.1
Sphinx==9.0.4
Sphinx==9.1.0
sphinx-intl==2.3.2
sphinx-markdown-builder==0.6.9
sphinxcontrib-applehelp==2.0.0
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
sphinxcontrib-serializinghtml==2.0.0
tabulate==0.9.0
uc-micro-py==1.0.3
urllib3==2.6.2
urllib3==2.6.3

2
i18n/translation-templates/docs/configuring-playbook-dynamic-dns.pot
View File

@@ -45,7 +45,7 @@ msgid "To enable dynamic DNS, add the following configuration to your `inventory
msgstr ""
#: ../../../docs/configuring-playbook-dynamic-dns.md:34
msgid "Keep in mind that certain providers may require a different configuration of the `matrix_dynamic_dns_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in)."
msgid "Keep in mind that certain providers may require a different configuration of the `ddclient_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in)."
msgstr ""
#: ../../../docs/configuring-playbook-dynamic-dns.md:36

206
i18n/translation-templates/docs/configuring-playbook-ma1sd.pot
View File

@@ -1,5 +1,5 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) 2018-2025, Slavi Pantaleev, Aine Etke, MDAD community members
# Copyright (C) 2018-2026, Slavi Pantaleev, Aine Etke, MDAD community members
# This file is distributed under the same license as the matrix-docker-ansible-deploy package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: matrix-docker-ansible-deploy \n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2025-11-06 23:09+0900\n"
"POT-Creation-Date: 2026-02-06 16:30+0900\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,214 +16,22 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#: ../../../docs/configuring-playbook-ma1sd.md:12
msgid "Setting up ma1sd Identity Server (optional)"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:14
msgid "[!WARNING] Since ma1sd has been unmaintained for years (the latest commit and release being from 2021) and the future of identity server's role in the Matrix specification is uncertain, **we recommend not bothering with installing it unless it's the only way you can do what you need to do**."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:17
msgid "Please note that certain things can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./configuring-playbook-ldap-auth.md) instead."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:19
msgid "The playbook can configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. It is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:21
msgid "ma1sd is used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features). It is private by default, potentially at the expense of user discoverability."
msgid "Setting up ma1sd Identity Server (optional, removed)"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:23
msgid "See the project's [documentation](https://github.com/ma1uta/ma1sd/blob/master/README.md) to learn what it does and why it might be useful to you."
msgid "🪦 The playbook used to be able to install and configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server, but no longer includes this component, as it has been unmaintained for a long time."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:25
msgid "Prerequisites"
msgid "Please note that some of the functions can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./configuring-playbook-ldap-auth.md) instead."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:27
msgid "Open Matrix Federation port"
msgid "Uninstalling the component manually"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:29
msgid "Enabling the ma1sd service will automatically reconfigure your Synapse homeserver to expose the `openid` API endpoints on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. If you enable the component, make sure that the port is accessible."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:31
msgid "Adjusting DNS records"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:33
msgid "To make the ma1sd Identity Server enable its federation features, set up a SRV record that looks like this:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:35
msgid "Name: `_matrix-identity._tcp` (use this text as-is)"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:36
msgid "Content: `10 0 443 matrix.example.com` (replace `example.com` with your own)"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:38
msgid "See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:40
msgid "When setting up a SRV record, if you are asked for a service and protocol instead of a hostname split the host value from the table where the period is. For example use service as `_matrix-identity` and protocol as `_tcp`."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:42
msgid "**Note**: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:44
msgid "Adjusting the playbook configuration"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:46
msgid "To enable ma1sd, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:52
msgid "Matrix.org lookup forwarding"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:54
msgid "To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information)."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:56
msgid "Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:58
msgid "To enable matrix.org forwarding, add the following configuration to your `vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:64
msgid "Extending the configuration"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:66
msgid "There are some additional things you may wish to configure about the component."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:68
msgid "Take a look at:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:70
msgid "`roles/custom/matrix-ma1sd/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_ma1sd_configuration_extension_yaml` variable"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:72
msgid "You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:74
msgid "Customizing email templates"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:76
msgid "If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables (in the `roles/custom/matrix-ma1sd/defaults/main.yml` file."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:78
msgid "ma1sd-controlled Registration"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:80
msgid "To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:82
msgid "`matrix_synapse_enable_registration` — to enable user-initiated registration in Synapse"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:84
msgid "`matrix_synapse_enable_registration_captcha` — to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring-captcha.md) documentation."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:86
msgid "`matrix_synapse_registrations_require_3pid` — a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:88
msgid "variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) — to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:90
msgid "`matrix_ma1sd_configuration_extension_yaml` — to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:92
msgid "**Note**: For this to work, either the homeserver needs to [federate](configuring-playbook-federation.md) or the `openid` APIs need to exposed on the federation port. When federation is disabled and ma1sd is enabled, we automatically expose the `openid` APIs (only!) on the federation port. Make sure the federation port (usually `https://matrix.example.com:8448`) is whitelisted in your firewall (even if you don't actually use/need federation)."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:94
msgid "Authentication"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:96
msgid "[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:98
msgid "To enable authentication against an LDAP server, add the following configuration to your `vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:118
msgid "Example: SMS verification"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:120
msgid "If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:134
msgid "Example: Open Registration for every Domain"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:136
msgid "If you want to open registration for any domain, you have to setup the allowed domains with ma1sd's `blacklist` and `whitelist`. The default behavior when neither the `blacklist`, nor the `whitelist` match, is to allow registration. Beware: you can't block toplevel domains (aka `.xy`) because the internal architecture of ma1sd doesn't allow that."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:150
msgid "Installing"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:152
msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:159
msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:161
msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:163
msgid "Troubleshooting"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:165
msgid "If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md)."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:167
msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-ma1sd`."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:169
msgid "Increase logging verbosity"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:171
msgid "If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
msgid "If you still have the ma1sd Identity Server installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:"
msgstr ""

3
justfile
View File

@@ -50,8 +50,7 @@ install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,star
install-service service *extra_args:
{{ just_executable() }} --justfile "{{ justfile() }}" run \
--tags=install-{{ service }},start-group \
--extra-vars=group={{ service }} \
--extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }}
--extra-vars=group={{ service }} {{ extra_args }}
# Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments
setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args)

41
requirements.yml
View File

@@ -1,37 +1,44 @@
---
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
version: v1.0.0-5
version: v1.0.0-6
name: auxiliary
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
version: v1.4.3-2.0.13-0
version: v1.4.3-2.1.1-0
name: backup_borg
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
version: v4.10.2-1
name: cinny
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
version: v0.4.2-0
version: v0.4.2-1
name: container_socket_proxy
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
version: v4.0.0-0
name: ddclient
activation_prefix: ddclient_
- src: git+https://github.com/geerlingguy/ansible-role-docker
version: 7.9.0
version: 8.0.0
name: docker
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
name: docker_sdk_for_python
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
version: v2.6.0-0
version: v2.6.1-0
name: etherpad
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
version: v4.98.1-r0-2-2
name: exim_relay
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
version: v11.6.5-4
version: v11.6.5-6
name: grafana
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v10655-0
version: v10741-0
name: jitsi
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
version: v1.9.9-0
version: v1.9.11-0
name: livekit_server
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
version: v2.15.0-0
version: v2.17.0-0
name: ntfy
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
version: 8630e4f1749bcb659c412820f754473f09055052
@@ -43,35 +50,35 @@
version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
name: playbook_state_preserver
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
version: v18.1-3
version: v18.1-5
name: postgres
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
version: v18-0
name: postgres_backup
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
version: v3.8.1-0
version: v3.9.1-0
name: prometheus
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
version: v1.9.1-12
version: v1.9.1-13
name: prometheus_node_exporter
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
version: v0.18.1-1
version: v0.19.0-0
name: prometheus_postgres_exporter
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
version: v1.4.1-0
name: systemd_docker_base
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
version: v1.0.0-4
version: v2.0.0-0
name: systemd_service_manager
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.1.0-1
name: timesync
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
version: v3.6.6-0
version: v3.6.7-1
name: traefik
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
version: v2.10.0-3
version: v2.10.0-4
name: traefik_certs_dumper
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
version: v9.0.1-0
version: v9.0.2-0
name: valkey

2
roles/custom/matrix-alertmanager-receiver/defaults/main.yml
View File

@@ -11,7 +11,7 @@
matrix_alertmanager_receiver_enabled: true
# renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
matrix_alertmanager_receiver_version: 2025.12.24
matrix_alertmanager_receiver_version: 2026.2.4
matrix_alertmanager_receiver_scheme: https

2
roles/custom/matrix-authentication-service/defaults/main.yml
View File

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
matrix_authentication_service_version: 1.8.0
matrix_authentication_service_version: 1.11.0
matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

55
roles/custom/matrix-base/defaults/main.yml
View File

@@ -109,7 +109,7 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}"
# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"
# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default).
# This is where you access the Cinny web client from (if enabled via cinny_enabled; disabled by default).
matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}"
# This is where you access the SchildiChat Web from (if enabled via matrix_client_schildichat_enabled; disabled by default).
@@ -234,12 +234,6 @@ matrix_homeserver_container_federation_url: "http://{{ matrix_homeserver_contain
# This likely gets overridden elsewhere.
matrix_homeserver_container_federation_api_endpoint: ""
# Specifies the public url of the Sync v3 (sliding-sync) API.
# This will be used to set the `org.matrix.msc3575.proxy` property in `/.well-known/matrix/client`.
# Once the API is stabilized, this will no longer be required.
# See MSC3575: https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md
matrix_homeserver_sliding_sync_url: ""
matrix_identity_server_url: ~
matrix_integration_manager_rest_url: ~
@@ -321,13 +315,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}"
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
# Ref:
# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
# - https://doc.traefik.io/traefik/migrate/v3/#v364
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa: var-naming[pattern]
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa: var-naming[pattern]
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" # noqa var-naming
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}" # noqa var-naming
@@ -337,19 +324,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default:
{{
{}
| combine(
(
{
'http': {
'encodedCharacters': {
'allowEncodedSlash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
'allowEncodedHash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
}
}
}
)
)
| combine(
(
(
@@ -394,7 +368,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition:
# This entrypoint provides local addons (e.g. bridges, bots, etc.) with the ability to easily & quickly communicate with the homeserver and/or related software.
# Such services can reach the homeserver over the public internet (e.g. https://matrix.example.com), but this is slow due to networking and SSL-termination.
# Talking directly to the homeserver (e.g. `http://matrix-synapse:8008`) is another option, but does not allow other homeserver-related software
# (e.g. identity servers like ma1sd, media repository servers like matrix-media-repo, firewalls like matrix-corporal)
# (e.g. media repository servers like matrix-media-repo, firewalls like matrix-corporal)
# to register itself for certain homeserver routes.
#
# For example: when matrix-media-repo is enabled, it wishes to handle `/_matrix/media` both publicly and internally.
@@ -412,30 +386,7 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-inter
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
# Ref:
# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
# - https://doc.traefik.io/traefik/migrate/v3/#v364
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa: var-naming[pattern]
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa: var-naming[pattern]
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: |
{{
{}
| combine(
(
{
'http': {
'encodedCharacters': {
'allowEncodedSlash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
'allowEncodedHash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
}
}
}
)
)
}}
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: {}
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}

5
roles/custom/matrix-base/tasks/validate_config.yml
View File

@@ -36,6 +36,11 @@
- {'old': 'matrix_container_global_registry_prefix', 'new': '<no global variable anymore; you need to override the `_registry_prefix` variable in each component separately>'}
- {'old': 'matrix_user_username', 'new': 'matrix_user_name'}
- {'old': 'matrix_user_groupname', 'new': 'matrix_group_name'}
- {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': '<removed>'}
- {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': '<removed>'}
- {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': '<removed>'}
- {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': '<removed>'}
# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
- name: Fail if matrix_homeserver_generic_secret_key is undefined

7
roles/custom/matrix-bot-baibot/defaults/main.yml
View File

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
# renovate: datasource=docker depName=ghcr.io/etkecc/baibot
matrix_bot_baibot_version: v1.12.0
matrix_bot_baibot_version: v1.14.1
matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -395,6 +395,11 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation
matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_response_tokens: ~
matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_completion_tokens: 128000
matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_context_tokens: 400000
# Built-in tools configuration (OpenAI only).
# These tools extend the model's capabilities but are disabled by default following upstream defaults.
# See: https://github.com/etkecc/baibot/blob/main/docs/features.md#%EF%B8%8F-built-in-tools-openai-only
matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: false
matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: false
matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_enabled: true
matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_model_id: whisper-1

3
roles/custom/matrix-bot-baibot/templates/provider/openai-config.yml.j2
View File

@@ -15,6 +15,9 @@ text_generation:
max_completion_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_completion_tokens | int | to_json }}
{% endif %}
max_context_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_context_tokens | int | to_json }}
tools:
web_search: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search | to_json }}
code_interpreter: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter | to_json }}
{% endif %}
{% if matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_enabled %}

5
roles/custom/matrix-bot-go-neb/defaults/main.yml
View File

@@ -76,7 +76,6 @@ matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto: |
{{
{}
| combine ({'X-XSS-Protection': matrix_bot_go_neb_http_header_xss_protection} if matrix_bot_go_neb_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_bot_go_neb_http_header_frame_options} if matrix_bot_go_neb_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_bot_go_neb_http_header_content_type_options} if matrix_bot_go_neb_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_bot_go_neb_http_header_content_security_policy} if matrix_bot_go_neb_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {})
@@ -113,10 +112,6 @@ matrix_bot_go_neb_systemd_wanted_services_list: []
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_bot_go_neb_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_bot_go_neb_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_bot_go_neb_http_header_content_type_options: nosniff

189
roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
View File

@@ -8,7 +8,7 @@
# SPDX-FileCopyrightText: 2019 Lyubomir Popov
# SPDX-FileCopyrightText: 2019 Sylvia van Os
# SPDX-FileCopyrightText: 2020 John Goerzen
# SPDX-FileCopyrightText: 2021 - 2023 Thom Wiggers
# SPDX-FileCopyrightText: 2021 - 2026 Thom Wiggers
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2021 Joseph Walton-Rivers
# SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -33,7 +33,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
# matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
# It's a bare version number now. We try to somewhat retain compatibility below.
# renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc
matrix_appservice_irc_version: 1.0.1
matrix_appservice_irc_version: 4.0.0
matrix_appservice_irc_docker_image: "{{ matrix_appservice_irc_docker_image_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
matrix_appservice_irc_docker_image_registry_prefix: "{{ 'localhost/' if matrix_appservice_irc_container_image_self_build else matrix_appservice_irc_docker_image_registry_prefix_upstream }}"
matrix_appservice_irc_docker_image_registry_prefix_upstream: "{{ matrix_appservice_irc_docker_image_registry_prefix_upstream_default }}"
@@ -46,8 +46,15 @@ matrix_appservice_irc_config_path: "{{ matrix_appservice_irc_base_path }}/config
matrix_appservice_irc_data_path: "{{ matrix_appservice_irc_base_path }}/data"
matrix_appservice_irc_homeserver_url: ""
matrix_appservice_irc_homeserver_media_url: '{{ matrix_homeserver_url }}'
matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}'
# ircService.mediaProxy configuration for serving publicly accessible URLs to authenticated Matrix media
matrix_appservice_irc_ircService_mediaProxy_bindPort: 11111 # noqa var-naming
matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: https # noqa var-naming
matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname: '{{ matrix_server_fqn_matrix }}' # noqa var-naming
matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix: '/irc/' # noqa var-naming
matrix_appservice_irc_ircService_mediaProxy_publicUrl: "{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme }}://{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}" # noqa var-naming
matrix_appservice_irc_homeserver_enablePresence: true # noqa var-naming
matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999'
@@ -89,20 +96,25 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # It is also used in the Third Party Lookup API as the instance `desc`
# # property, where each server is an instance.
# name: "ExampleNet"
# # Additional addresses to connect to, used for load balancing between IRCDs.
# additionalAddresses: [ "irc2.example.com" ]
# # Typically additionalAddresses would be in addition to the address key given above,
# # but some configurations wish to exclusively use additional addresses while reserving
# # the top key for identification purposes. Set this to true to exclusively use the
# # additionalAddresses array when connecting to servers.
# onlyAdditionalAddresses: false
# #
# # [DEPRECATED] Use `name`, above, instead.
# # A human-readable description string
# # description: "Example.com IRC network"
#
# # An ID for uniquely identifying this server amongst other servers being bridged.
# # networkId: "example"
# # URL to an icon used as the network icon whenever this network appear in
# # a network list. (Like in the Riot room directory, for instance.)
# # icon: https://example.com/images/hash.png
#
# # MXC URL to an icon used as the network icon whenever this network appear in
# # a network list. (Like in the Element room directory, for instance.)
# # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf
#
# # The port to connect to. Optional.
# port: 6697
# # Whether to use SSL or not. Default: false.
@@ -115,19 +127,26 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # Whether to allow expired certs when connecting to the IRC server.
# # Usually this should be off. Default: false.
# allowExpiredCerts: false
# # A specific CA to trust instead of the default CAs. Optional.
# #ca: |
# # -----BEGIN CERTIFICATE-----
# # …
# # -----END CERTIFICATE-----
#
# # Set additional TLS options for the connections to the IRC server.
# #tlsOptions:
# # A specific CA to trust instead of the default CAs. Optional.
# #ca: |
# # -----BEGIN CERTIFICATE-----
# # ...
# # -----END CERTIFICATE-----
# # Server name for the SNI (Server Name Indication) TLS extension. If the address you
# # are using does not report the correct certificate name, you can override it here.
# # servername: real.server.name
# # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback
#
# #
# # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
# # password: 'pa$$w0rd'
# #
# # Whether or not to send connection/error notices to real Matrix users. Default: true.
# sendConnectionMessages: true
#
# quitDebounce:
# # Whether parts due to net-splits are debounced for delayMs, to allow
# # time for the netsplit to resolve itself. A netsplit is detected as being
@@ -147,13 +166,13 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# delayMinMs: 3600000 # 1h
# # Default: 7200000, = 2h
# delayMaxMs: 7200000 # 2h
#
# # A map for conversion of IRC user modes to Matrix power levels. This enables bridging
# # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has
# # been given multiple modes, the one that maps to the highest power level will be used.
# modePowerMap:
# o: 50
# v: 1
# botConfig:
# # Enable the presence of the bot in IRC channels. The bot serves as the entity
# # which maps from IRC -> Matrix. You can disable the bot entirely which
@@ -176,6 +195,8 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# enabled: true
# # The nickname to give the AS bot.
# nick: "MatrixBot"
# # The username to give to the AS bot. Defaults to "matrixbot"
# username: "matrixbot"
# # The password to give to NickServ or IRC Server for this nick. Optional.
# # password: "helloworld"
# #
@@ -184,7 +205,7 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # real Matrix users in them, even if there is a mapping for the channel.
# # Default: true
# joinChannelsIfNoUsers: true
#
# # Configuration for PMs / private 1:1 communications between users.
# privateMessages:
# # Enable the ability for PMs to be sent to/from IRC/Matrix.
@@ -193,12 +214,12 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # Prevent Matrix users from sending PMs to the following IRC nicks.
# # Optional. Default: [].
# # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED
#
# # Should created Matrix PM rooms be federated? If false, only users on the
# # HS attached to this AS will be able to interact with this room.
# # Optional. Default: true.
# federate: true
#
# # Configuration for mappings not explicitly listed in the 'mappings'
# # section.
# dynamicChannels:
@@ -212,27 +233,34 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # Should the AS publish the new Matrix room to the public room list so
# # anyone can see it? Default: true.
# published: true
# # Publish the rooms to the homeserver directory, as oppose to the appservice
# # room directory. Only used if `published` is on.
# # Default: false
# useHomeserverDirectory: true
# # What should the join_rule be for the new Matrix room? If 'public',
# # anyone can join the room. If 'invite', only users with an invite can
# # join the room. Note that if an IRC channel has +k or +i set on it,
# # join_rules will be set to 'invite' until these modes are removed.
# # Default: "public".
# joinRule: public
# # This will set the m.room.related_groups state event in newly created rooms
# # with the given groupId. This means flares will show up on IRC users in those rooms.
# # This should be set to the same thing as namespaces.users.group_id in irc_registration.
# # This does not alter existing rooms.
# # Leaving this option empty will not set the event.
# groupId: +myircnetwork:localhost
# # Should created Matrix rooms be federated? If false, only users on the
# # HS attached to this AS will be able to interact with this room.
# # Default: true.
# federate: true
# # Force this room version when creating IRC channels. Beware if the homeserver doesn't
# # support the room version then the request will fail. By default, no version is requested.
# # roomVersion: "1"
# # The room alias template to apply when creating new aliases. This only
# # applies if createAlias is 'true'. The following variables are exposed:
# # $SERVER => The IRC server address (e.g. "irc.example.com")
# # $CHANNEL => The IRC channel (e.g. "#python")
# # This MUST have $CHANNEL somewhere in it.
# #
# # In certain circumstances you might want to bridge your whole IRC network as a
# # homeserver (e.g. #matrix:libera.chat). For these use cases, you can set the
# # template to just be $CHANNEL. Doing so will preclude you from supporting
# # other prefix characters though.
# #
# # Default: '#irc_$SERVER_$CHANNEL'
# aliasTemplate: "#irc_$CHANNEL"
# # A list of user IDs which the AS bot will send invites to in response
@@ -244,7 +272,11 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # Prevent the given list of channels from being mapped under any
# # circumstances.
# # exclude: ["#foo", "#bar"]
#
# # excludedUsers:
# # - regex: "@.*:evilcorp.com"
# # kickReason: "We don't like Evilcorp"
#
# # Configuration for controlling how Matrix and IRC membership lists are
# # synced.
# membershipLists:
@@ -253,12 +285,12 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # synced. This must be enabled for anything else in this section to take
# # effect. Default: false.
# enabled: false
#
# # Syncing membership lists at startup can result in hundreds of members to
# # process all at once. This timer drip feeds membership entries at the
# # specified rate. Default: 10000. (10s)
# floodDelayMs: 10000
#
# global:
# ircToMatrix:
# # Get a snapshot of all real IRC users on a channel (via NAMES) and
@@ -267,7 +299,14 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # Make virtual Matrix clients join and leave rooms as their real IRC
# # counterparts join/part channels. Default: false.
# incremental: false
# # Should the bridge check if all Matrix users are connected to IRC and
# # joined to the channel before relaying messages into the room.
# #
# # This is considered a safety net to avoid any leakages by the bridge to
# # unconnected users, but given it ignores all IRC messages while users
# # are still connecting it may be overkill.
# requireMatrixJoined: false
#
# matrixToIrc:
# # Get a snapshot of all real Matrix users in the room and join all of
# # them to the mapped IRC channel on startup. Default: false.
@@ -276,21 +315,32 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # counterparts join/leave rooms. Make sure your 'maxClients' value is
# # high enough! Default: false.
# incremental: false
#
# # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
# rooms:
# - room: "!qporfwt:localhost"
# matrixToIrc:
# initial: false
# incremental: false
#
# # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
# channels:
# - channel: "#foo"
# ircToMatrix:
# initial: false
# incremental: false
# requireMatrixJoined: false
#
# # Should the bridge ignore users which are not considered active on the bridge
# # during startup
# ignoreIdleUsersOnStartup:
# enabled: true
# # How many hours can a user be considered idle for before they are considered
# # ignoreable
# idleForHours: 720
# # A regex which will exclude matching MXIDs from this check.
# exclude: "foobar"
#
# mappings:
# # 1:many mappings from IRC channels to room IDs on this IRC server.
# # The Matrix room must already exist. Your Matrix client should expose
@@ -300,27 +350,27 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # Channel key/password to use. Optional. If provided, Matrix users do
# # not need to know the channel key in order to join the channel.
# # key: "secret"
#
# # Configuration for virtual Matrix users. The following variables are
# # exposed:
# # $NICK => The IRC nick
# # $SERVER => The IRC server address (e.g. "irc.example.com")
# matrixClients:
# # The user ID template to use when creating virtual Matrix users. This
# # MUST have $NICK somewhere in it.
# # MUST start with an @ and have $NICK somewhere in it.
# # Optional. Default: "@$SERVER_$NICK".
# # Example: "@irc.example.com_Alice:example.com"
# userTemplate: "@irc_$NICK"
# # The display name to use for created Matrix clients. This should have
# # $NICK somewhere in it if it is specified. Can also use $SERVER to
# # insert the IRC domain.
# # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
# displayName: "$NICK (IRC)"
# # Optional. Default: "$NICK". Example: "Alice"
# displayName: "$NICK"
# # Number of tries a client can attempt to join a room before the request
# # is discarded. You can also use -1 to never retry or 0 to never give up.
# # Optional. Default: -1
# joinAttempts: -1
#
# # Configuration for virtual IRC users. The following variables are exposed:
# # $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
# # $USERID => The user ID
@@ -349,9 +399,20 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # connected user. If not specified, all users will connect from the same
# # (default) address. This may require additional OS-specific work to allow
# # for the node process to bind to multiple different source addresses
# # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
# # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1
# # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library
# # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
# # prefix: "2001:0db8:85a3::" # modify appropriately
#
# # Optional. Define blocks of IPv6 addresses for different homeservers
# # which can be used to restrict users of those homeservers to a given
# # IP. These blocks should be considered immutable once set, as changing
# # the startFrom value will NOT adjust existing IP addresses.
# # Changing the startFrom value to a lower value may conflict with existing clients.
# # Multiple homeservers may NOT share blocks.
# blocks:
# - homeserver: another-server.org
# startFrom: '10:0000'
# #
# # The maximum amount of time in seconds that the client can exist
# # without sending another message before being disconnected. Use 0 to
@@ -388,12 +449,36 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming
# # through the bridge e.g. caller ID as there is no way to /ACCEPT.
# # Default: "" (no user modes)
# # userModes: "R"
# # The format of the realname defined for users, either mxid or reverse-mxid
# realnameFormat: "mxid"
# # The minimum time to wait between connection attempts if we were disconnected
# # due to throttling.
# # pingTimeoutMs: 600000
# # The rate at which to send pings to the IRCd if the client is being quiet for a while.
# # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears
# # that sometimes they don't get around to it and end up ping timing us out.
# # pingRateMs: 60000
# # Choose which conditions the IRC bridge should kick Matrix users for. Decisions to this from
# # defaults should be taken with care as it may dishonestly represent Matrix users on the IRC
# # network, and cause your bridge to be banned.
# kickOn:
# # Kick a Matrix user from a bridged room if they fail to join the IRC channel.
# channelJoinFailure: true
# # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC.
# ircConnectionFailure: true
# # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network.
# userQuit: true
# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container).
# Controls whether the matrix-appservice-irc container exposes its HTTP port (tcp/9999 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
matrix_appservice_irc_container_http_host_bind_port: ''
# Controls whether the matrix-appservice-irc container exposes its media proxy HTTP port.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:11111"), or empty string to not expose.
matrix_appservice_irc_container_media_proxy_host_bind_port: ''
matrix_appservice_irc_container_network: ""
matrix_appservice_irc_container_additional_networks: "{{ matrix_appservice_irc_container_additional_networks_auto + matrix_appservice_irc_container_additional_networks_custom }}"
@@ -403,6 +488,26 @@ matrix_appservice_irc_container_additional_networks_custom: []
# A list of extra arguments to pass to the container
matrix_appservice_irc_container_extra_arguments: []
# matrix_appservice_irc_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# To inject your own other container labels, see `matrix_appservice_irc_container_labels_additional_labels`.
matrix_appservice_irc_container_labels_traefik_enabled: true
matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_appservice_irc_container_network }}"
matrix_appservice_irc_container_labels_traefik_entrypoints: web-secure
matrix_appservice_irc_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether Traefik labels for the media proxy will be applied
matrix_appservice_irc_container_labels_media_proxy_enabled: true
# Derived from publicUrl_pathPrefix, stripping any trailing slash (unless it's just "/")
matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix: "{{ '/' if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix == '/' else matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix.rstrip('/') }}"
matrix_appservice_irc_container_labels_media_proxy_traefik_rule: "Host(`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}`) && PathPrefix(`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`)"
matrix_appservice_irc_container_labels_media_proxy_traefik_priority: 2000
matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints: "{{ matrix_appservice_irc_container_labels_traefik_entrypoints }}"
matrix_appservice_irc_container_labels_media_proxy_traefik_tls: "{{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints != 'web' }}"
matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver: "{{ matrix_appservice_irc_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix-appservice-irc container additional labels
matrix_appservice_irc_container_labels_additional_labels: ''
# List of systemd services that matrix-appservice-irc.service depends on.
matrix_appservice_irc_systemd_required_services_list: "{{ matrix_appservice_irc_systemd_required_services_list_default + matrix_appservice_irc_systemd_required_services_list_auto + matrix_appservice_irc_systemd_required_services_list_custom }}"
matrix_appservice_irc_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"

46
roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml
View File

@@ -1,5 +1,6 @@
# SPDX-FileCopyrightText: 2019 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 - 2026 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2020 Chris van Dijk
# SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -121,6 +122,14 @@
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure Matrix Appservice IRC labels file installed
ansible.builtin.template:
src: "{{ role_path }}/templates/labels.j2"
dest: "{{ matrix_appservice_irc_base_path }}/labels"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Generate Appservice IRC passkey if it doesn't exist
ansible.builtin.shell:
cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
@@ -128,6 +137,41 @@
become: true
become_user: "{{ matrix_user_name }}"
- name: Check if an authenticated media signing key exists
ansible.builtin.stat:
path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
register: matrix_appservice_irc_stat_auth_media_key
- when: not matrix_appservice_irc_stat_auth_media_key.stat.exists
block:
- name: Generate IRC appservice signing key for authenticated media
community.docker.docker_container:
name: "create-auth-media-jwk-key"
image: "{{ matrix_appservice_irc_docker_image }}"
cleanup: true
network_mode: none
entrypoint: "/usr/local/bin/node"
command: >
-e "const webcrypto = require('node:crypto');
async function main() {
const key = await webcrypto.subtle.generateKey({
name: 'HMAC',
hash: 'SHA-512',
}, true, ['sign', 'verify']);
console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4));
}
main().then(() => process.exit(0)).catch(err => { throw err });"
detach: false
register: matrix_appservice_irc_jwk_result
- name: Write auth media signing key to file
ansible.builtin.copy:
content: "{{ matrix_appservice_irc_jwk_result.container.Output }}"
dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
mode: "0644"
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
# In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
# Fix it.
- name: (Migration) Ensure Appservice IRC passkey permissions are okay

24
roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml
View File

@@ -44,3 +44,27 @@
- {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_irc_container_http_host_bind_port>'}
- {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'}
- {'old': 'matrix_appservice_irc_docker_image_name_prefix', 'new': 'matrix_appservice_irc_docker_image_registry_prefix'}
- {'old': 'matrix_appservice_irc_homeserver_media_url', 'new': '<removed; media proxying now uses matrix_appservice_irc_ircService_mediaProxy_publicUrl>'}
- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not start with a slash
ansible.builtin.fail:
msg: >-
matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must start with a slash (e.g. `/` or `/irc/`).
when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[0] != '/'"
- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not end with a slash
ansible.builtin.fail:
msg: >-
matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must end with a slash (e.g. `/` or `/irc/`).
when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[-1] != '/'"
- when: matrix_appservice_irc_container_labels_traefik_enabled | bool
block:
# We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
# Knowing that the path_prefix does not end with a slash ensures we know how to set these routes up
# without having to do "does it end with a slash" checks elsewhere.
- name: Fail if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix ends with a slash
ansible.builtin.fail:
msg: >-
matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix (`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/irc`).
when: "matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' and matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix[-1] == '/'"

83
roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2
View File

@@ -1,14 +1,13 @@
#jinja2: lstrip_blocks: True
#
# Based on https://github.com/matrix-org/matrix-appservice-irc/blob/8daebec7779a2480180cbc4c293838de649aab36/config.sample.yaml
#
# Configuration specific to AS registration. Unless other marked, all fields
# are *REQUIRED*.
# Unless otherwise specified, these keys CANNOT be hot-reloaded.
homeserver:
# The URL to the home server for client-server API calls, also used to form the
# media URLs as displayed in bridged IRC channels:
url: {{ matrix_appservice_irc_homeserver_url }}
#
# The URL of the homeserver hosting media files. This is only used to transform
# mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
# default, this is the homeserver URL, specified above.
#
media_url: {{ matrix_appservice_irc_homeserver_media_url }}
# The URL to the home server for client-server API calls
url: "{{ matrix_appservice_irc_homeserver_url }}"
# Drop Matrix messages which are older than this number of seconds, according to
# the event's origin_server_ts.
@@ -20,18 +19,29 @@ homeserver:
# clock times and hence produce different origin_server_ts values, which may be old
# enough to cause *all* events from the homeserver to be dropped.
# Default: 0 (don't ever drop)
# This key CAN be hot-reloaded.
# dropMatrixMessagesAfterSecs: 300 # 5 minutes
# The 'domain' part for user IDs on this home server. Usually (but not always)
# is the "domain name" part of the HS URL.
domain: {{ matrix_appservice_irc_homeserver_domain }}
domain: "{{ matrix_appservice_irc_homeserver_domain }}"
# Should presence be enabled for Matrix clients on this bridge. If disabled on the
# homeserver then it should also be disabled here to avoid excess traffic.
# Default: true
enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}
# Which port should the appservice bind to. Can be overridden by the one provided in the
# command line! Optional.
# bindPort: 8090
# Use this option to force the appservice to listen on another hostname for transactions.
# This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional.
# bindHostname: 0.0.0.0
# Configuration specific to the IRC service
ircService:
# WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
# send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
# the database.
@@ -50,11 +60,18 @@ ircService:
# Cache this many Matrix events in memory to be used for m.relates_to messages (usually replies).
eventCacheSize: 4096
# All server keys can be hot-reloaded, however existing IRC connections
# will not have changes applied to them.
servers: {{ matrix_appservice_irc_ircService_servers|to_json }}
# present relevant UI to the user. MSC2346
bridgeInfoState:
enabled: false
initial: false
# Configuration for an ident server. If you are running a public bridge it is
# advised you setup an ident server so IRC mods can ban specific Matrix users
# rather than the application service itself.
# This key CANNOT be hot-reloaded
ident:
# True to listen for Ident requests and respond with the
# Matrix user's user_id (converted to ASCII, respecting RFC 1413).
@@ -71,6 +88,10 @@ ircService:
# Default: 0.0.0.0
address: "::"
# Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set.
# List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings
# encodingFallback: "ISO-8859-15"
# Configuration for logging. Optional. Default: console debug level logging
# only.
logging:
@@ -87,33 +108,42 @@ ircService:
# to rotations.
maxFiles: 5
# Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
# $ npm install prom-client@6.3.0
# Metrics will then be available via GET /metrics on the bridge listening port (-p).
# This key CANNOT be hot-reloaded
metrics:
# Whether to actually enable the metric endpoint. Default: false
enabled: true
# Which port to listen on (omit to listen on the bindPort)
#port: 7001
# Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set
host: 127.0.0.1
# When determining activeness of remote and matrix users, cut off at this number of hours.
userActivityThresholdHours: 72 # 3 days
# When collecting remote user active times, which "buckets" should be used. Defaults are given below.
# The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
remoteUserAgeBuckets:
- "1h"
- "1d"
- "1w"
# Configuration for the provisioning API.
#
# GET /_matrix/provision/link
# GET /_matrix/provision/unlink
# GET /_matrix/provision/listlinks
#
# This key CANNOT be hot-reloaded
provisioning:
# True to enable the provisioning HTTP endpoint. Default: false.
enabled: false
# The number of seconds to wait before giving up on getting a response from
# an IRC channel operator. If the channel operator does not respond within the
# allotted time period, the provisioning request will fail.
# Default: 300 seconds (5 mins)
requestTimeoutSeconds: 300
# Whether to enable hosting the setup widget page. Default: false.
widget: false
# Config for the media proxy, required to serve publicly accessible URLs to authenticated Matrix media
mediaProxy:
# To generate a .jwk file:
# $ node src/generate-signing-key.js > signingkey.jwk
signingKeyPath: "/data/auth-media.jwk"
# How long should the generated URLs be valid for
ttlSeconds: 604800
# The port for the media proxy to listen on
bindPort: {{ matrix_appservice_irc_ircService_mediaProxy_bindPort | to_json }}
# The publicly accessible URL to the media proxy
publicUrl: {{ matrix_appservice_irc_ircService_mediaProxy_publicUrl | to_json }}
# Options here are generally only applicable to large-scale bridges and may have
# consequences greater than other options in this configuration file.
@@ -122,13 +152,18 @@ advanced:
# however for large bridges it is important to rate limit the bridge to avoid
# accidentally overloading the homeserver. Defaults to 1000, which should be
# enough for the vast majority of use cases.
# This key CAN be hot-reloaded
maxHttpSockets: 1000
# Max size of an appservice transaction payload, in bytes. Defaults to 10Mb
# This key CANNOT be hot-reloaded.
maxTxnSize: 10000000
# Use an external database to store bridge state.
# This key CANNOT be hot-reloaded.
database:
# database engine (must be 'postgres' or 'nedb'). Default: nedb
engine: {{ matrix_appservice_irc_database_engine|to_json }}
# Either a PostgreSQL connection string, or a path to the NeDB storage directory.
# For postgres, it must start with postgres://
# For NeDB, it must start with nedb://. The path is relative to the project directory.
connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }}
connectionString: {{ matrix_appservice_irc_database_connectionString | to_json }}

63
roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 Normal file
View File

@@ -0,0 +1,63 @@
{#
SPDX-FileCopyrightText: 2025 Jade Ellis
SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
SPDX-FileCopyrightText: 2026 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_appservice_irc_container_labels_traefik_enabled and matrix_appservice_irc_container_labels_media_proxy_enabled %}
traefik.enable=true
{% if matrix_appservice_irc_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_appservice_irc_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-appservice-irc-media-proxy.loadbalancer.server.port={{ matrix_appservice_irc_ircService_mediaProxy_bindPort }}
############################################################
# #
# IRC Bridge Media Proxy #
# #
############################################################
{% set middlewares = [] %}
traefik.http.routers.matrix-appservice-irc-media-proxy.rule={{ matrix_appservice_irc_container_labels_media_proxy_traefik_rule }}
{% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.regex=({{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix | quote }})$
traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.replacement=${1}/
{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-slashless-redirect'] %}
{% endif %}
{% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-appservice-irc-media-proxy-strip-prefix.stripprefix.prefixes={{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-strip-prefix'] %}
{% endif %}
{% if matrix_appservice_irc_container_labels_media_proxy_traefik_priority | int > 0 %}
traefik.http.routers.matrix-appservice-irc-media-proxy.priority={{ matrix_appservice_irc_container_labels_media_proxy_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-appservice-irc-media-proxy.service=matrix-appservice-irc-media-proxy
traefik.http.routers.matrix-appservice-irc-media-proxy.entrypoints={{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints }}
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-appservice-irc-media-proxy.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-appservice-irc-media-proxy.tls={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls | to_json }}
{% if matrix_appservice_irc_container_labels_media_proxy_traefik_tls %}
traefik.http.routers.matrix-appservice-irc-media-proxy.tls.certResolver={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /IRC Bridge Media Proxy #
# #
############################################################
{% endif %}
{{ matrix_appservice_irc_container_labels_additional_labels }}

4
roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
View File

@@ -26,8 +26,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
{% if matrix_appservice_irc_container_http_host_bind_port %}
-p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \
{% endif %}
{% if matrix_appservice_irc_container_media_proxy_host_bind_port %}
-p {{ matrix_appservice_irc_container_media_proxy_host_bind_port }}:{{ matrix_appservice_irc_ircService_mediaProxy_bindPort }} \
{% endif %}
--mount type=bind,src={{ matrix_appservice_irc_config_path }},dst=/config \
--mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data \
--label-file={{ matrix_appservice_irc_base_path }}/labels \
{% for arg in matrix_appservice_irc_container_extra_arguments %}
{{ arg }} \
{% endfor %}

14
roles/custom/matrix-bridge-hookshot/defaults/main.yml
View File

@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: []
matrix_hookshot_container_additional_networks_custom: []
# renovate: datasource=docker depName=halfshot/matrix-hookshot
matrix_hookshot_version: 7.2.0
matrix_hookshot_version: 7.3.2
matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}"
@@ -242,6 +242,18 @@ matrix_hookshot_widgets_branding_widgetTitle: "Hookshot Configuration" # noqa
# level: admin
matrix_hookshot_permissions: []
# Static connections that can be configured by an administrator, as documented here:
# https://matrix-org.github.io/matrix-hookshot/latest/usage/static_connections.html
# Currently only generic webhooks are supported.
# Example:
# matrix_hookshot_connections:
# - connectionType: uk.half-shot.matrix-hookshot.generic.hook
# stateKey: my-unique-webhook-id
# roomId: "!room-id"
# state:
# name: My Static Webhook
matrix_hookshot_connections: []
matrix_hookshot_bot_displayname: Hookshot Bot
matrix_hookshot_bot_avatar: 'mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d'

1
roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2
View File

@@ -137,6 +137,7 @@ widgets:
{% if matrix_hookshot_permissions %}
permissions: {{ matrix_hookshot_permissions | to_json }}
{% endif %}
connections: {{ matrix_hookshot_connections | to_json }}
listeners:
# (Optional) HTTP Listener configuration.
# Bind resource endpoints to ports and addresses.

2
roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
View File

@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
# renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
matrix_mautrix_gmessages_version: v0.2511.0
matrix_mautrix_gmessages_version: v0.2601.0
# See: https://mau.dev/mautrix/gmessages/container_registry
matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"

2
roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
View File

@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
# renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
matrix_mautrix_signal_version: v0.2512.0
matrix_mautrix_signal_version: v0.2601.0
# See: https://mau.dev/mautrix/signal/container_registry
matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"

2
roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
View File

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
# renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
matrix_mautrix_whatsapp_version: v0.2512.0
matrix_mautrix_whatsapp_version: v0.2601.0
# See: https://mau.dev/mautrix/whatsapp/container_registry
matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"

2
roles/custom/matrix-bridge-steam/defaults/main.yml
View File

@@ -13,7 +13,7 @@ matrix_steam_bridge_container_image_self_build_repo: "https://github.com/jasonla
matrix_steam_bridge_container_image_self_build_repo_version: "{{ 'main' if matrix_steam_bridge_version == 'latest' else matrix_steam_bridge_version }}"
# renovate: datasource=docker depName=ghcr.io/jasonlaguidice/matrix-steam-bridge
matrix_steam_bridge_version: 1.0.8
matrix_steam_bridge_version: 1.1.0
matrix_steam_bridge_docker_image: "{{ matrix_steam_bridge_docker_image_registry_prefix }}jasonlaguidice/matrix-steam-bridge:{{ matrix_steam_bridge_version }}"
matrix_steam_bridge_docker_image_registry_prefix: "{{ 'localhost/' if matrix_steam_bridge_container_image_self_build else matrix_steam_bridge_docker_image_registry_prefix_upstream }}"
matrix_steam_bridge_docker_image_registry_prefix_upstream: "{{ matrix_steam_bridge_docker_image_registry_prefix_upstream_default }}"

122
roles/custom/matrix-bridge-zulip/defaults/main.yml
View File

@@ -1,122 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Toni Spets
# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# MatrixZulipBridge is a puppeting appservice bridge for Zulip
# Project source code URL: https://github.com/GearKite/MatrixZulipBridge
matrix_zulip_bridge_enabled: true
matrix_zulip_bridge_scheme: https
matrix_zulip_bridge_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_zulip_bridge_path_prefix: "/zulip"
# renovate: datasource=docker depName=ghcr.io/gearkite/matrixzulipbridge
matrix_zulip_bridge_version: v0.4.1
matrix_zulip_bridge_docker_image: "{{ matrix_zulip_bridge_docker_image_registry_prefix }}gearkite/matrixzulipbridge:{{ matrix_zulip_bridge_version }}"
matrix_zulip_bridge_docker_image_registry_prefix: "{{ matrix_zulip_bridge_docker_image_registry_prefix_upstream }}"
matrix_zulip_bridge_docker_image_registry_prefix_upstream: "{{ matrix_zulip_bridge_docker_image_registry_prefix_upstream_default }}"
matrix_zulip_bridge_docker_image_registry_prefix_upstream_default: ghcr.io/
matrix_zulip_bridge_docker_image_force_pull: "{{ matrix_zulip_bridge_docker_image.endswith(':latest') }}"
matrix_zulip_bridge_base_path: "{{ matrix_base_data_path }}/zulip"
matrix_zulip_bridge_container_network: ""
# The port number in the container
matrix_zulip_bridge_container_http_port: 9898
matrix_zulip_bridge_container_additional_networks: "{{ matrix_zulip_bridge_container_additional_networks_auto + matrix_zulip_bridge_container_additional_networks_custom }}"
matrix_zulip_bridge_container_additional_networks_auto: []
matrix_zulip_bridge_container_additional_networks_custom: []
# Controls how long to wait for the container to stop gracefully before killing it.
# We use a small value here, because this container does not seem to handle the SIGTERM signal.
matrix_zulip_bridge_container_stop_grace_time_seconds: 1
# matrix_zulip_bridge_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_zulip_bridge_container_labels_additional_labels`.
matrix_zulip_bridge_container_labels_traefik_enabled: true
matrix_zulip_bridge_container_labels_traefik_docker_network: "{{ matrix_zulip_bridge_container_network }}"
matrix_zulip_bridge_container_labels_traefik_hostname: "{{ matrix_zulip_bridge_hostname }}"
matrix_zulip_bridge_container_labels_traefik_path_prefix: "{{ matrix_zulip_bridge_path_prefix }}"
matrix_zulip_bridge_container_labels_traefik_entrypoints: web-secure
matrix_zulip_bridge_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls if the media router is enabled
matrix_zulip_bridge_container_labels_traefik_media_enabled: true
matrix_zulip_bridge_container_labels_traefik_media_hostname: "{{ matrix_zulip_bridge_container_labels_traefik_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/zulip`).
matrix_zulip_bridge_container_labels_traefik_media_path_prefix: "{{ '' if matrix_zulip_bridge_container_labels_traefik_path_prefix == '/' else (matrix_zulip_bridge_container_labels_traefik_path_prefix) }}/_bridge_zulip/media"
matrix_zulip_bridge_container_labels_traefik_media_rule: "Host(`{{ matrix_zulip_bridge_container_labels_traefik_media_hostname }}`){% if matrix_zulip_bridge_container_labels_traefik_media_path_prefix != '/' %} && PathPrefix(`{{ matrix_zulip_bridge_container_labels_traefik_media_path_prefix }}`){% endif %}"
matrix_zulip_bridge_container_labels_traefik_media_priority: 0
matrix_zulip_bridge_container_labels_traefik_media_entrypoints: "{{ matrix_zulip_bridge_container_labels_traefik_entrypoints }}"
matrix_zulip_bridge_container_labels_traefik_media_tls: "{{ matrix_zulip_bridge_container_labels_traefik_media_entrypoints != 'web' }}"
matrix_zulip_bridge_container_labels_traefik_media_tls_certResolver: "{{ matrix_zulip_bridge_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_zulip_bridge_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_zulip_bridge_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_zulip_bridge_container_labels_additional_labels: ''
# A list of extra arguments to pass to the container
matrix_zulip_bridge_container_extra_arguments: []
# List of systemd services that service depends on.
matrix_zulip_bridge_systemd_required_services_list: "{{ matrix_zulip_bridge_systemd_required_services_list_default + matrix_zulip_bridge_systemd_required_services_list_auto + matrix_zulip_bridge_systemd_required_services_list_custom }}"
matrix_zulip_bridge_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_zulip_bridge_systemd_required_services_list_auto: []
matrix_zulip_bridge_systemd_required_services_list_custom: []
# List of systemd services that service wants
matrix_zulip_bridge_systemd_wanted_services_list: []
matrix_zulip_bridge_homeserver_url: ""
matrix_zulip_bridge_appservice_token: ''
matrix_zulip_bridge_homeserver_token: ''
matrix_zulip_bridge_config_media_url: "{{ matrix_zulip_bridge_scheme }}://{{ matrix_zulip_bridge_hostname }}"
# This matches the hardcoded `DEFAULT_MEDIA_PATH` in MatrixZulipBridge, but uses `matrix_zulip_bridge_path_prefix` as the path prefix.
# See: https://github.com/GearKite/MatrixZulipBridge/blob/2ba51f3da2ad8bd33460c953ef91a9cfc585a2d4/matrixzulipbridge/__main__.py#L87
matrix_zulip_bridge_config_media_path: "{{ matrix_zulip_bridge_container_labels_traefik_media_path_prefix }}/v3/download/{netloc}{path}{filename}"
matrix_zulip_bridge_config_media_key: "{{ matrix_zulip_bridge_homeserver_token }}"
matrix_zulip_bridge_config_displayname: "Zulip bridge bot"
matrix_zulip_bridge_registration_yaml_bridge_zulip:
media_url: "{{ matrix_zulip_bridge_config_media_url }}"
media_path: "{{ matrix_zulip_bridge_config_media_path }}"
media_key: "{{ matrix_zulip_bridge_config_media_key }}"
displayname: "{{ matrix_zulip_bridge_config_displayname }}"
# Default registration file consumed by both the homeserver and MatrixZulipBridge.
# Besides registration information, it contains configuration (see the Zulip bridge key).
matrix_zulip_bridge_registration_yaml:
id: zulip
url: http://matrix-zulip-bridge:{{ matrix_zulip_bridge_container_http_port }}
as_token: "{{ matrix_zulip_bridge_appservice_token }}"
hs_token: "{{ matrix_zulip_bridge_homeserver_token }}"
rate_limited: false
sender_localpart: zulipbot
namespaces:
users:
- regex: '@zulip_.*'
exclusive: true
aliases: []
rooms: []
zulipbridge: "{{ matrix_zulip_bridge_registration_yaml_bridge_zulip }}"
matrix_zulip_bridge_registration: "{{ matrix_zulip_bridge_registration_yaml | from_yaml }}"

29
roles/custom/matrix-bridge-zulip/tasks/main.yml
View File

@@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2021 Toni Spets
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Perform the Zulip bridge installation tasks
when: matrix_zulip_bridge_enabled | bool
tags:
- setup-all
- setup-bridge-zulip
- install-all
- install-bridge-zulip
block:
- name: Validate the Zulip bridge configuration
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- name: Install the Zulip bridge
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- name: Perform the Zulip bridge uninstallation tasks
when: not matrix_zulip_bridge_enabled | bool
tags:
- setup-all
- setup-bridge-zulip
block:
- name: Uninstall the Zulip bridge
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

62
roles/custom/matrix-bridge-zulip/tasks/setup_install.yml
View File

@@ -1,62 +0,0 @@
# SPDX-FileCopyrightText: 2021 Toni Spets
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Jim Myhrberg
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure the Zulip bridge image is pulled
community.docker.docker_image:
name: "{{ matrix_zulip_bridge_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_zulip_bridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_zulip_bridge_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure the Zulip bridge paths exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0750"
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- "{{ matrix_zulip_bridge_base_path }}"
- name: Ensure the Zulip bridge registration.yaml installed if provided
ansible.builtin.copy:
content: "{{ matrix_zulip_bridge_registration | to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_zulip_bridge_base_path }}/registration.yaml"
mode: "0644"
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure the Zulip bridge support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_zulip_bridge_base_path }}/{{ item }}"
mode: "0640"
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- labels
- name: Ensure the Zulip bridge container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_zulip_bridge_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-zulip-bridge.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-zulip-bridge.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
mode: "0644"

26
roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2021 Michael Sasser
# SPDX-FileCopyrightText: 2021 Toni Spets
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-bridge-zulip service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
register: matrix_zulip_bridge_service_stat
- when: matrix_zulip_bridge_service_stat.stat.exists | bool
block:
- name: Ensure matrix-bridge-zulip is stopped
ansible.builtin.service:
name: matrix-zulip-bridge
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-zulip-bridge.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
state: absent

14
roles/custom/matrix-bridge-zulip/tasks/validate_config.yml
View File

@@ -1,14 +0,0 @@
# SPDX-FileCopyrightText: 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2024 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if required the Zulip bridge settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {"name": "matrix_zulip_bridge_container_network", when: true}
- {"name": "matrix_zulip_bridge_homeserver_url", when: true}

58
roles/custom/matrix-bridge-zulip/templates/labels.j2
View File

@@ -1,58 +0,0 @@
{#
SPDX-FileCopyrightText: 2024 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_zulip_bridge_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_zulip_bridge_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_zulip_bridge_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-zulip-bridge.loadbalancer.server.port={{ matrix_zulip_bridge_container_http_port }}
{% set middlewares = [] %}
{% if matrix_zulip_bridge_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bridge-zulip-strip-prefix.stripprefix.prefixes={{ matrix_zulip_bridge_container_labels_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-bridge-zulip-strip-prefix'] %}
{% endif %}
{% if matrix_zulip_bridge_container_labels_traefik_media_enabled %}
##########################################################################
# #
# Media #
# #
##########################################################################
traefik.http.routers.matrix-bridge-zulip-media.rule={{ matrix_zulip_bridge_container_labels_traefik_media_rule }}
{% if matrix_zulip_bridge_container_labels_traefik_media_priority | int > 0 %}
traefik.http.routers.matrix-bridge-zulip-media.priority={{ matrix_zulip_bridge_container_labels_traefik_media_priority }}
{% endif %}
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-bridge-zulip-media.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-bridge-zulip-media.service=matrix-bridge-zulip
traefik.http.routers.matrix-bridge-zulip-media.entrypoints={{ matrix_zulip_bridge_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-bridge-zulip-media.tls={{ matrix_zulip_bridge_container_labels_traefik_media_tls | to_json }}
{% if matrix_zulip_bridge_container_labels_traefik_media_entrypoints %}
traefik.http.routers.matrix-bridge-zulip-media.tls.certResolver={{ matrix_zulip_bridge_container_labels_traefik_media_tls_certResolver }}
{% endif %}
##########################################################################
# #
# /Media #
# #
##########################################################################
{% endif %}
{% endif %}
{{ matrix_zulip_bridge_container_labels_additional_labels }}

60
roles/custom/matrix-bridge-zulip/templates/systemd/matrix-zulip-bridge.service.j2
View File

@@ -1,60 +0,0 @@
{#
SPDX-FileCopyrightText: 2021 Toni Spets
SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
#}
[Unit]
Description=a puppeting appservice bridge for Zulip
{% for service in matrix_zulip_bridge_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_zulip_bridge_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ matrix_zulip_bridge_container_stop_grace_time_seconds }} matrix-bridge-zulip
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bridge-zulip
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-bridge-zulip \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network={{ matrix_zulip_bridge_container_network }} \
--mount type=bind,src={{ matrix_zulip_bridge_base_path }},dst=/config \
--label-file={{ matrix_zulip_bridge_base_path }}/labels \
{% for arg in matrix_zulip_bridge_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_zulip_bridge_docker_image }} \
{% if matrix_zulip_bridge_owner %}
-o {{ matrix_zulip_bridge_owner }} \
{% endif %}
--config /config/registration.yaml \
--listen-address 0.0.0.0 \
--listen-port {{ matrix_zulip_bridge_container_http_port }} \
{{ matrix_zulip_bridge_homeserver_url }}
{% for network in matrix_zulip_bridge_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bridge-zulip
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bridge-zulip
ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ matrix_zulip_bridge_container_stop_grace_time_seconds }} matrix-bridge-zulip
ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bridge-zulip
Restart=always
RestartSec=30
SyslogIdentifier=matrix-bridge-zulip
[Install]
WantedBy=multi-user.target

209
roles/custom/matrix-client-cinny/defaults/main.yml
View File

@@ -1,209 +0,0 @@
# SPDX-FileCopyrightText: 2022 - 2024 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 László Várady
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2024 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Project source code URL: https://github.com/ajbura/cinny
matrix_client_cinny_enabled: true
matrix_client_cinny_container_image_self_build: false
matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
# renovate: datasource=docker depName=ajbura/cinny
matrix_client_cinny_version: v4.10.2
matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_registry_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
matrix_client_cinny_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_client_cinny_docker_image_registry_prefix_upstream }}"
matrix_client_cinny_docker_image_registry_prefix_upstream: "{{ matrix_client_cinny_docker_image_registry_prefix_upstream_default }}"
matrix_client_cinny_docker_image_registry_prefix_upstream_default: docker.io/
matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"
matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny"
matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src"
# The base container network
matrix_client_cinny_container_network: ''
# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to a reverse proxy, which runs in a different container network.
matrix_client_cinny_container_additional_networks: []
# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
matrix_client_cinny_container_http_host_bind_port: ''
# matrix_client_cinny_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_client_cinny_container_labels_additional_labels`.
matrix_client_cinny_container_labels_traefik_enabled: true
matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_client_cinny_container_network }}"
matrix_client_cinny_container_labels_traefik_hostname: "{{ matrix_client_cinny_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/cinny`).
matrix_client_cinny_container_labels_traefik_path_prefix: "{{ matrix_client_cinny_path_prefix }}"
matrix_client_cinny_container_labels_traefik_rule: "Host(`{{ matrix_client_cinny_container_labels_traefik_hostname }}`){% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_cinny_container_labels_traefik_path_prefix }}`){% endif %}"
matrix_client_cinny_container_labels_traefik_priority: 0
matrix_client_cinny_container_labels_traefik_entrypoints: web-secure
matrix_client_cinny_container_labels_traefik_tls: "{{ matrix_client_cinny_container_labels_traefik_entrypoints != 'web' }}"
matrix_client_cinny_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether a compression middleware will be injected into the middlewares list.
# This compression middleware is supposed to be defined elsewhere (using labels or a File provider, etc.) and is merely referenced by this router.
matrix_client_cinny_container_labels_traefik_compression_middleware_enabled: false
matrix_client_cinny_container_labels_traefik_compression_middleware_name: ""
# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `matrix_client_cinny_container_labels_traefik_additional_response_headers_custom`
matrix_client_cinny_container_labels_traefik_additional_response_headers: "{{ matrix_client_cinny_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_cinny_container_labels_traefik_additional_response_headers_custom) }}"
matrix_client_cinny_container_labels_traefik_additional_response_headers_auto: |
{{
{}
| combine ({'X-XSS-Protection': matrix_client_cinny_http_header_xss_protection} if matrix_client_cinny_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_cinny_http_header_frame_options} if matrix_client_cinny_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_cinny_http_header_content_type_options} if matrix_client_cinny_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_cinny_http_header_content_security_policy} if matrix_client_cinny_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_cinny_http_header_content_permission_policy} if matrix_client_cinny_http_header_content_permission_policy else {})
| combine ({'Strict-Transport-Security': matrix_client_cinny_http_header_strict_transport_security} if matrix_client_cinny_http_header_strict_transport_security and matrix_client_cinny_container_labels_traefik_tls else {})
}}
matrix_client_cinny_container_labels_traefik_additional_response_headers_custom: {}
# matrix_client_cinny_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_client_cinny_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_client_cinny_container_labels_additional_labels: ''
# A list of extra arguments to pass to the container
matrix_client_cinny_container_extra_arguments: []
# List of systemd services that matrix-client-cinny.service depends on
matrix_client_cinny_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_cinny_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_cinny_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_cinny_http_header_content_type_options: nosniff
# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
matrix_client_cinny_http_header_content_security_policy: frame-ancestors 'self'
# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
matrix_client_cinny_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_cinny_floc_optout_enabled else '' }}"
# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
matrix_client_cinny_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_cinny_hsts_preload_enabled else '' }}"
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `matrix_client_cinny_content_permission_policy`
matrix_client_cinny_floc_optout_enabled: true
# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `matrix_client_cinny_http_header_strict_transport_security`
matrix_client_cinny_hsts_preload_enabled: false
matrix_client_cinny_scheme: https
# The hostname at which Cinny is served.
# Only works with with Traefik reverse-proxying.
matrix_client_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
# The path at which Cinny is exposed.
# This value must either be `/` or not end with a slash (e.g. `/cinny`).
matrix_client_cinny_path_prefix: /
# Controls whether the self-check feature should validate SSL certificates.
matrix_client_cinny_self_check_validate_certificates: true
# Default homeserver URL to use in the `config.json` file.
# See `matrix_client_cinny_config_homeserverList`.
matrix_client_cinny_default_hs_url: ""
# Controls whether the Cinny access log is enabled
matrix_client_cinny_access_log_enabled: true
# Controls the `defaultHomeserver` value in the `config.json` file.
matrix_client_cinny_config_defaultHomeserver: 0 # noqa var-naming
# Controls the `homeserverList` value in the `config.json` file.
matrix_client_cinny_config_homeserverList: "{{ [matrix_client_cinny_default_hs_url] }}" # noqa var-naming
# Controls the `allowCustomHomeservers` value in the `config.json` file.
matrix_client_cinny_config_allowCustomHomeservers: true # noqa var-naming
# Controls the `featuredCommunities.spaces` value in the `config.json` file.
matrix_client_cinny_config_featuredCommunities_spaces: [] # noqa var-naming
# Controls the `featuredCommunities.rooms` value in the `config.json` file.
matrix_client_cinny_config_featuredCommunities_rooms: [] # noqa var-naming
# Controls the `featuredCommunities.servers` value in the `config.json` file.
matrix_client_cinny_config_featuredCommunities_servers: ["matrix.org"] # noqa var-naming
# Controls the `featuredCommunities.openAsDefault` value in the `config.json` file.
matrix_client_cinny_config_featuredCommunities_openAsDefault: false # noqa var-naming
# Default Cinny configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_client_cinny_configuration_extension_json`)
# or completely replace this variable with your own template.
#
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_client_cinny_configuration_default: "{{ lookup('template', 'templates/config.json.j2', convert_data=False) | from_json }}"
# Your custom JSON configuration for Cinny should go to `matrix_client_cinny_configuration_extension_json`.
# This configuration extends the default starting configuration (`matrix_client_cinny_configuration_default`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_client_cinny_configuration_default`.
matrix_client_cinny_configuration_extension_json: '{}'
matrix_client_cinny_configuration_extension: "{{ matrix_client_cinny_configuration_extension_json | from_json if matrix_client_cinny_configuration_extension_json | from_json is mapping else {} }}"
# Holds the final Cinny configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_client_cinny_configuration_default`.
matrix_client_cinny_configuration: "{{ matrix_client_cinny_configuration_default | combine(matrix_client_cinny_configuration_extension, recursive=True) }}"

32
roles/custom/matrix-client-cinny/tasks/main.yml
View File

@@ -1,32 +0,0 @@
# SPDX-FileCopyrightText: 2022 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-client-cinny
- install-all
- install-client-cinny
block:
- when: matrix_client_cinny_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_client_cinny_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-client-cinny
block:
- when: not matrix_client_cinny_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
- tags:
- self-check
block:
- when: matrix_client_cinny_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"

30
roles/custom/matrix-client-cinny/tasks/self_check.yml
View File

@@ -1,30 +0,0 @@
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- ansible.builtin.set_fact:
matrix_client_cinny_url_endpoint_public: "{{ matrix_client_cinny_scheme }}://{{ matrix_client_cinny_hostname }}{{ matrix_client_cinny_path_prefix }}/config.json"
- name: Check Cinny
ansible.builtin.uri:
url: "{{ matrix_client_cinny_url_endpoint_public }}"
follow_redirects: none
validate_certs: "{{ matrix_client_cinny_self_check_validate_certificates }}"
register: matrix_client_cinny_self_check_result
check_mode: false
ignore_errors: true
delegate_to: 127.0.0.1
become: false
- name: Fail if Cinny not working
ansible.builtin.fail:
msg: "Failed checking Cinny is up at `{{ matrix_client_cinny_hostname }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}"
when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result"
- name: Report working Cinny
ansible.builtin.debug:
msg: "Cinny at `{{ matrix_client_cinny_hostname }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)"

87
roles/custom/matrix-client-cinny/tasks/setup_install.yml
View File

@@ -1,87 +0,0 @@
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure Cinny paths exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_client_cinny_data_path }}", when: true}
- {path: "{{ matrix_client_cinny_docker_src_files_path }}", when: "{{ matrix_client_cinny_container_image_self_build }}"}
when: "item.when | bool"
- name: Ensure Cinny Docker image is pulled
community.docker.docker_image:
name: "{{ matrix_client_cinny_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_client_cinny_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_cinny_docker_image_force_pull }}"
when: "not matrix_client_cinny_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure Cinny repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_client_cinny_container_image_self_build_repo }}"
dest: "{{ matrix_client_cinny_docker_src_files_path }}"
version: "{{ matrix_client_cinny_docker_image.split(':')[1] }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_client_cinny_git_pull_results
when: "matrix_client_cinny_container_image_self_build | bool"
- name: Ensure Cinny configuration installed
ansible.builtin.copy:
content: "{{ matrix_client_cinny_configuration | to_nice_json }}"
dest: "{{ matrix_client_cinny_data_path }}/config.json"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure Cinny additional config files installed
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ matrix_client_cinny_data_path }}/{{ item.name }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
- {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
- name: Ensure Cinny Docker image is built
community.docker.docker_image:
name: "{{ matrix_client_cinny_docker_image }}"
source: build
force_source: "{{ matrix_client_cinny_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_client_cinny_docker_src_files_path }}"
pull: true
when: "matrix_client_cinny_container_image_self_build | bool"
- name: Ensure Cinny container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_client_cinny_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-client-cinny.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service"
mode: 0644

31
roles/custom/matrix-client-cinny/tasks/setup_uninstall.yml
View File

@@ -1,31 +0,0 @@
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2022 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-client-cinny.service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service"
register: matrix_client_cinny_service_stat
- when: matrix_client_cinny_service_stat.stat.exists | bool
block:
- name: Ensure matrix-client-cinny is stopped
ansible.builtin.service:
name: matrix-client-cinny
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-client-cinny.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-cinny.service"
state: absent
- name: Ensure Cinny paths doesn't exist
ansible.builtin.file:
path: "{{ matrix_client_cinny_data_path }}"
state: absent

51
roles/custom/matrix-client-cinny/tasks/validate_config.yml
View File

@@ -1,51 +0,0 @@
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 MDAD project contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if required Cinny settings not defined
ansible.builtin.fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) to use Cinny.
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_client_cinny_default_hs_url', when: true}
- {'name': 'matrix_client_cinny_container_network', when: true}
- {'name': 'matrix_client_cinny_container_labels_traefik_compression_middleware_name', when: "{{ matrix_client_cinny_container_labels_traefik_compression_middleware_enabled }}"}
- name: (Deprecation) Catch and report renamed Cinny variables
ansible.builtin.fail:
msg: >-
The variable `{{ item.old }}` is deprecated. Please use `{{ item.new }}` instead.
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_client_cinny_container_image_name_prefix', 'new': 'matrix_client_cinny_container_image_registry_prefix'}
- name: Fail if matrix_client_cinny_path_prefix is not /
ansible.builtin.fail:
msg: >-
`matrix_client_cinny_path_prefix` is set to `{{ matrix_client_cinny_path_prefix }}` in your configuration, but Cinny no longer supports hosting under a path prefix without an application rebuild.
Consider removing your `matrix_client_cinny_path_prefix` override and adjusting the Cinny hostname via `matrix_server_fqn_cinny` or `matrix_client_cinny_hostname`.
See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3701
when: "matrix_client_cinny_path_prefix != '/'"
- when: matrix_client_cinny_container_labels_traefik_enabled | bool
block:
- name: Fail if required matrix-client-cinny Traefik settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`).
when: "lookup('vars', item, default='') == ''"
with_items:
- matrix_client_cinny_container_labels_traefik_hostname
- matrix_client_cinny_container_labels_traefik_path_prefix
# We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
# Knowing that `matrix_client_cinny_container_labels_traefik_path_prefix` does not end with a slash
# ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
- name: Fail if matrix_client_cinny_container_labels_traefik_path_prefix ends with a slash
ansible.builtin.fail:
msg: >-
matrix_client_cinny_container_labels_traefik_path_prefix (`{{ matrix_client_cinny_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/cinny`).
when: "matrix_client_cinny_container_labels_traefik_path_prefix != '/' and matrix_client_cinny_container_labels_traefik_path_prefix[-1] == '/'"

11
roles/custom/matrix-client-cinny/templates/config.json.j2
View File

@@ -1,11 +0,0 @@
{
"defaultHomeserver": {{ matrix_client_cinny_config_defaultHomeserver | to_json }},
"homeserverList": {{ matrix_client_cinny_config_homeserverList | to_json }},
"allowCustomHomeservers": {{ matrix_client_cinny_config_allowCustomHomeservers | to_json }},
"featuredCommunities": {
"spaces": {{ matrix_client_cinny_config_featuredCommunities_spaces | to_json }},
"rooms": {{ matrix_client_cinny_config_featuredCommunities_rooms | to_json }},
"servers": {{ matrix_client_cinny_config_featuredCommunities_servers | to_json }},
"openAsDefault": {{ matrix_client_cinny_config_featuredCommunities_openAsDefault | to_json }}
}
}

4
roles/custom/matrix-client-cinny/templates/config.json.j2.license
View File

@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2022 MDAD project contributors
SPDX-FileCopyrightText: 2022 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later

56
roles/custom/matrix-client-cinny/templates/labels.j2
View File

@@ -1,56 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 - 2024 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_client_cinny_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_client_cinny_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_client_cinny_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-client-cinny.loadbalancer.server.port=8080
{% set middlewares = [] %}
{% if matrix_client_cinny_container_labels_traefik_compression_middleware_enabled %}
{% set middlewares = middlewares + [matrix_client_cinny_container_labels_traefik_compression_middleware_name] %}
{% endif %}
{% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.regex=({{ matrix_client_cinny_container_labels_traefik_path_prefix | quote }})$
traefik.http.middlewares.matrix-client-cinny-slashless-redirect.redirectregex.replacement=${1}/
{% set middlewares = middlewares + ['matrix-client-cinny-slashless-redirect'] %}
{% endif %}
{% if matrix_client_cinny_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-client-cinny-strip-prefix.stripprefix.prefixes={{ matrix_client_cinny_container_labels_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-client-cinny-strip-prefix'] %}
{% endif %}
{% if matrix_client_cinny_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
{% for name, value in matrix_client_cinny_container_labels_traefik_additional_response_headers.items() %}
traefik.http.middlewares.matrix-client-cinny-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
{% endfor %}
{% set middlewares = middlewares + ['matrix-client-cinny-add-headers'] %}
{% endif %}
traefik.http.routers.matrix-client-cinny.rule={{ matrix_client_cinny_container_labels_traefik_rule }}
{% if matrix_client_cinny_container_labels_traefik_priority | int > 0 %}
traefik.http.routers.matrix-client-cinny.priority={{ matrix_client_cinny_container_labels_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-client-cinny.service=matrix-client-cinny
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-client-cinny.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-client-cinny.entrypoints={{ matrix_client_cinny_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-client-cinny.tls={{ matrix_client_cinny_container_labels_traefik_tls | to_json }}
{% if matrix_client_cinny_container_labels_traefik_tls %}
traefik.http.routers.matrix-client-cinny.tls.certResolver={{ matrix_client_cinny_container_labels_traefik_tls_certResolver }}
{% endif %}
{% endif %}
{{ matrix_client_cinny_container_labels_additional_labels }}

75
roles/custom/matrix-client-cinny/templates/nginx.conf.j2
View File

@@ -1,75 +0,0 @@
#jinja2: lstrip_blocks: True
# This is a custom nginx configuration file that we use in the container (instead of the default one),
# because it allows us to run nginx with a non-root user.
#
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
#
# The following changes have been done compared to a default nginx configuration file:
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
# - the `user` directive was removed, as we don't want nginx to switch users
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
{% if matrix_client_cinny_access_log_enabled %}
access_log /var/log/nginx/access.log main;
{% else %}
access_log off;
{% endif %}
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server {
listen 8080;
server_name localhost;
root /usr/share/nginx/html;
location / {
# Inspired by: https://raw.githubusercontent.com/cinnyapp/cinny/dev/docker-nginx.conf
root /usr/share/nginx/html;
rewrite ^/config.json$ /config.json break;
rewrite ^/manifest.json$ /manifest.json break;
rewrite ^.*/olm.wasm$ /olm.wasm break;
rewrite ^/sw.js$ /sw.js break;
rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break;
rewrite ^/public/(.*)$ /public/$1 break;
rewrite ^/assets/(.*)$ /assets/$1 break;
rewrite ^(.+)$ /index.html break;
}
}
}

5
roles/custom/matrix-client-cinny/templates/nginx.conf.j2.license
View File

@@ -1,5 +0,0 @@
SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2022 MDAD project contributors
SPDX-FileCopyrightText: 2024 James Reilly
SPDX-License-Identifier: AGPL-3.0-or-later

50
roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2
View File

@@ -1,50 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Cinny Client
{% for service in matrix_client_cinny_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-client-cinny 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-cinny 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-client-cinny \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_client_cinny_container_network }} \
{% if matrix_client_cinny_container_http_host_bind_port %}
-p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \
{% endif %}
--label-file={{ matrix_client_cinny_data_path }}/labels \
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
--mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
--mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \
{% for arg in matrix_client_cinny_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_client_cinny_docker_image }}
{% for network in matrix_client_cinny_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-cinny
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-cinny
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-client-cinny 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-cinny 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-client-cinny
[Install]
WantedBy=multi-user.target

4
roles/custom/matrix-client-cinny/templates/systemd/matrix-client-cinny.service.j2.license
View File

@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2022 MDAD project contributors
SPDX-License-Identifier: AGPL-3.0-or-later

7
roles/custom/matrix-client-element/defaults/main.yml
View File

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
# renovate: datasource=docker depName=ghcr.io/element-hq/element-web
matrix_client_element_version: v1.12.7
matrix_client_element_version: v1.12.10
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"
@@ -87,7 +87,6 @@ matrix_client_element_container_labels_traefik_additional_response_headers_auto:
{{
{}
| combine ({'X-XSS-Protection': matrix_client_element_http_header_xss_protection} if matrix_client_element_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_element_http_header_frame_options} if matrix_client_element_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_element_http_header_content_type_options} if matrix_client_element_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_element_http_header_content_security_policy} if matrix_client_element_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_element_http_header_content_permission_policy} if matrix_client_element_http_header_content_permission_policy else {})
@@ -123,10 +122,6 @@ matrix_client_element_container_healthcheck_cmd: ""
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_element_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_element_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_element_http_header_content_type_options: nosniff

7
roles/custom/matrix-client-fluffychat/defaults/main.yml
View File

@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
# renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
matrix_client_fluffychat_version: v2.3.0
matrix_client_fluffychat_version: v2.4.0
matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"
@@ -66,7 +66,6 @@ matrix_client_fluffychat_container_labels_traefik_additional_response_headers_au
{{
{}
| combine ({'X-XSS-Protection': matrix_client_fluffychat_http_header_xss_protection} if matrix_client_fluffychat_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_fluffychat_http_header_frame_options} if matrix_client_fluffychat_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_fluffychat_http_header_content_type_options} if matrix_client_fluffychat_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_fluffychat_http_header_content_security_policy} if matrix_client_fluffychat_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_fluffychat_http_header_content_permission_policy} if matrix_client_fluffychat_http_header_content_permission_policy else {})
@@ -100,10 +99,6 @@ matrix_client_fluffychat_systemd_required_services_list_custom: []
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_fluffychat_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_fluffychat_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_fluffychat_http_header_content_type_options: nosniff

5
roles/custom/matrix-client-hydrogen/defaults/main.yml
View File

@@ -68,7 +68,6 @@ matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto
{{
{}
| combine ({'X-XSS-Protection': matrix_client_hydrogen_http_header_xss_protection} if matrix_client_hydrogen_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_hydrogen_http_header_frame_options} if matrix_client_hydrogen_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_hydrogen_http_header_content_type_options} if matrix_client_hydrogen_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_hydrogen_http_header_content_security_policy} if matrix_client_hydrogen_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_hydrogen_http_header_content_permission_policy} if matrix_client_hydrogen_http_header_content_permission_policy else {})
@@ -99,10 +98,6 @@ matrix_client_hydrogen_systemd_required_services_list: "{{ [devture_systemd_dock
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_hydrogen_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_hydrogen_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_hydrogen_http_header_content_type_options: nosniff

5
roles/custom/matrix-client-schildichat/defaults/main.yml
View File

@@ -64,7 +64,6 @@ matrix_client_schildichat_container_labels_traefik_additional_response_headers_a
{{
{}
| combine ({'X-XSS-Protection': matrix_client_schildichat_http_header_xss_protection} if matrix_client_schildichat_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_schildichat_http_header_frame_options} if matrix_client_schildichat_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_schildichat_http_header_content_type_options} if matrix_client_schildichat_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_schildichat_http_header_content_security_policy} if matrix_client_schildichat_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_schildichat_http_header_content_permission_policy} if matrix_client_schildichat_http_header_content_permission_policy else {})
@@ -95,10 +94,6 @@ matrix_client_schildichat_systemd_required_services_list: "{{ [devture_systemd_d
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_schildichat_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_schildichat_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_schildichat_http_header_content_type_options: nosniff

10
roles/custom/matrix-coturn/defaults/main.yml
View File

@@ -18,15 +18,15 @@
matrix_coturn_enabled: true
matrix_coturn_hostname: ''
matrix_coturn_hostname: ""
matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
# renovate: datasource=docker depName=coturn/coturn
matrix_coturn_version: 4.6.2-r11
# renovate: datasource=docker depName=coturn/coturn versioning=loose
matrix_coturn_version: 4.8.0
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"
matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"
@@ -139,7 +139,7 @@ matrix_coturn_lt_cred_mech_password: ""
# The external IP address of the machine where coturn is.
# If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
# See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
matrix_coturn_turn_external_ip_address: ''
matrix_coturn_turn_external_ip_address: ""
matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"
# Controls whether external IP address auto-detection should be attempted.
@@ -218,7 +218,7 @@ matrix_coturn_response_origin_only_with_rfc5780_enabled: true
# simple-log
# aux-server=1.2.3.4
# relay-ip=4.3.2.1
matrix_coturn_additional_configuration: ''
matrix_coturn_additional_configuration: ""
# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.

79
roles/custom/matrix-dynamic-dns/defaults/main.yml
View File

@@ -1,79 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Scott Crossen
# SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Project source code URL: https://github.com/linuxserver/docker-ddclient
# Whether dynamic dns is enabled
matrix_dynamic_dns_enabled: true
# The dynamic dns daemon interval
matrix_dynamic_dns_daemon_interval: '300'
# renovate: datasource=docker depName=linuxserver/ddclient versioning=semver
matrix_dynamic_dns_version: 4.0.0
# The docker container to use when in mode
matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_registry_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
matrix_dynamic_dns_docker_image_registry_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_dynamic_dns_docker_image_registry_prefix_upstream }}"
matrix_dynamic_dns_docker_image_registry_prefix_upstream: "{{ matrix_dynamic_dns_docker_image_registry_prefix_upstream_default }}"
matrix_dynamic_dns_docker_image_registry_prefix_upstream_default: docker.io/
# The image to force pull
matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}"
matrix_dynamic_dns_container_network: ''
matrix_dynamic_dns_container_additional_networks: "{{ matrix_dynamic_dns_container_additional_networks_auto + matrix_dynamic_dns_container_additional_networks_custom }}"
matrix_dynamic_dns_container_additional_networks_auto: []
matrix_dynamic_dns_container_additional_networks_custom: []
# List of extra arguments to pass to the container mode
matrix_dynamic_dns_container_extra_arguments: []
# List of wanted services when running in mode
matrix_dynamic_dns_systemd_wanted_services_list: []
# List of required services when running in mode
matrix_dynamic_dns_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
# Build the container from source when running in mode
matrix_dynamic_dns_container_image_self_build: false
matrix_dynamic_dns_container_image_self_build_repo: "https://github.com/linuxserver/docker-ddclient.git"
matrix_dynamic_dns_container_image_self_build_repo_branch: "{{ matrix_dynamic_dns_version }}"
# Config paths
matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns"
matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config"
matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src"
# Config options
matrix_dynamic_dns_use: "web"
# The endpoint to use to determine your external IP
matrix_dynamic_dns_web: "https://cloudflare.com/cdn-cgi/trace"
# The field to extract the IP from
# If your endpoint defined in `matrix_dynamic_dns_web` doesn't need this, just set it to ""
matrix_dynamic_dns_web_skip: "ip="
matrix_dynamic_dns_additional_configuration_blocks: []
# Holds the configurations (the domains to update DNS for, the providers they use, etc.)
#
# Example:
# matrix_dynamic_dns_domain_configurations:
# - provider: domains.google.com
# protocol: dyndn2
# username: XXXXXXXXXXXXXXXX
# password: XXXXXXXXXXXXXXXX
# domain: "{{ matrix_domain }}"
matrix_dynamic_dns_domain_configurations: []

26
roles/custom/matrix-dynamic-dns/tasks/main.yml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2020 Scott Crossen
# SPDX-FileCopyrightText: 2022 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-dynamic-dns
- install-all
- install-dynamic-dns
block:
- when: matrix_dynamic_dns_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_dynamic_dns_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-dynamic-dns
block:
- when: not matrix_dynamic_dns_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

79
roles/custom/matrix-dynamic-dns/tasks/setup_install.yml
View File

@@ -1,79 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Scott Crossen
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure Dynamic DNS image is pulled
community.docker.docker_image:
name: "{{ matrix_dynamic_dns_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_dynamic_dns_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_docker_image_force_pull }}"
when: matrix_dynamic_dns_enabled | bool and not matrix_dynamic_dns_container_image_self_build
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure Dynamic DNS paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0751
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_dynamic_dns_base_path }}", when: true}
- {path: "{{ matrix_dynamic_dns_config_path }}", when: true}
- {path: "{{ matrix_dynamic_dns_docker_src_files_path }}", when: "{{ matrix_dynamic_dns_container_image_self_build }}"}
when: matrix_dynamic_dns_enabled | bool and item.when | bool
- name: Ensure Dynamic DNS repository is present on self build
ansible.builtin.git:
repo: "{{ matrix_dynamic_dns_container_image_self_build_repo }}"
version: "{{ matrix_dynamic_dns_container_image_self_build_repo_branch }}"
dest: "{{ matrix_dynamic_dns_docker_src_files_path }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_dynamic_dns_git_pull_results
when: "matrix_dynamic_dns_enabled | bool and matrix_dynamic_dns_container_image_self_build | bool"
- name: Ensure Dynamic DNS Docker image is built
community.docker.docker_image:
name: "{{ matrix_dynamic_dns_docker_image }}"
source: build
force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_dynamic_dns_docker_src_files_path }}"
pull: true
when: "matrix_dynamic_dns_enabled | bool and matrix_dynamic_dns_container_image_self_build | bool"
- name: Ensure Dynamic DNS ddclient.conf installed
ansible.builtin.template:
src: "{{ role_path }}/templates/ddclient.conf.j2"
dest: "{{ matrix_dynamic_dns_config_path }}/ddclient.conf"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure matrix-dynamic-dns container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_dynamic_dns_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-dynamic-dns.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2"
dest: "/etc/systemd/system/matrix-dynamic-dns.service"
mode: 0644

26
roles/custom/matrix-dynamic-dns/tasks/setup_uninstall.yml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Scott Crossen
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-dynamic-dns service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service"
register: matrix_dynamic_dns_service_stat
- when: matrix_dynamic_dns_service_stat.stat.exists | bool
block:
- name: Ensure matrix-dynamic-dns is stopped
ansible.builtin.service:
name: matrix-dynamic-dns
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-dynamic-dns.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service"
state: absent

37
roles/custom/matrix-dynamic-dns/tasks/validate_config.yml
View File

@@ -1,37 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Scott Crossen
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if no matrix-dynamic-dns configurations specified
ansible.builtin.fail:
msg: >-
You need to define at least one configuration in `matrix_dynamic_dns_domain_configurations` for using matrix-dynamic-dns.
when: "matrix_dynamic_dns_domain_configurations | length == 0"
- name: Fail if required matrix-dynamic-dns settings not defined in configuration blocks
ansible.builtin.fail:
msg: >-
One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, protocol).
when: "'domain' not in configuration or 'protocol' not in configuration"
with_items: "{{ matrix_dynamic_dns_domain_configurations }}"
loop_control:
loop_var: configuration
- name: Fail if required matrix-dynamic-dns settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_dynamic_dns_container_network', when: true}
- name: (Deprecation) Catch and report renamed matrix-dynamic-dns variables
ansible.builtin.fail:
msg: >-
The variable `{{ item.old }}` is deprecated. Please use `{{ item.new }}` instead.
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_dynamic_dns_container_image_name_prefix', 'new': 'matrix_dynamic_dns_docker_image_registry_prefix'}

78
roles/custom/matrix-dynamic-dns/templates/ddclient.conf.j2
View File

@@ -1,78 +0,0 @@
{#
SPDX-FileCopyrightText: 2020 Scott Crossen
SPDX-FileCopyrightText: 2022 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
daemon={{ matrix_dynamic_dns_daemon_interval }}
syslog=no
pid=/var/run/ddclient/ddclient.pid
ssl=yes
use={{ matrix_dynamic_dns_use }}
web='{{ matrix_dynamic_dns_web }}'
{% if matrix_dynamic_dns_web_skip %}
web-skip='{{ matrix_dynamic_dns_web_skip }}'
{% endif %}
{% for matrix_dynamic_dns_additional_configuration in matrix_dynamic_dns_additional_configuration_blocks %}
{{ matrix_dynamic_dns_additional_configuration }}
{% endfor %}
{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %}
protocol={{ dynamic_dns_domain_configuration.protocol }}
{% if 'apikey' in dynamic_dns_domain_configuration %}
apikey={{ dynamic_dns_domain_configuration.apikey }}
{% endif %}
{% if 'secretapikey' in dynamic_dns_domain_configuration %}
secretapikey={{ dynamic_dns_domain_configuration.secretapikey }}
{% endif %}
{% if 'rootdomain' in dynamic_dns_domain_configuration %}
root-domain={{ dynamic_dns_domain_configuration.rootdomain }}
{% endif %}
{% if 'provider' in dynamic_dns_domain_configuration %}
server={{ dynamic_dns_domain_configuration.provider }}
{% endif %}
{% if 'username' in dynamic_dns_domain_configuration %}
login='{{ dynamic_dns_domain_configuration.username }}'
{% endif %}
{% if 'password' in dynamic_dns_domain_configuration %}
password='{{ dynamic_dns_domain_configuration.password }}'
{% endif %}
{% if 'static' in dynamic_dns_domain_configuration %}
static=yes
{% endif %}
{% if 'custom' in dynamic_dns_domain_configuration %}
custom=yes
{% endif %}
{% if 'zone' in dynamic_dns_domain_configuration %}
zone={{ dynamic_dns_domain_configuration.zone }}
{% endif %}
{% if 'ttl' in dynamic_dns_domain_configuration %}
ttl={{ dynamic_dns_domain_configuration.ttl }}
{% endif %}
{% if 'mx' in dynamic_dns_domain_configuration %}
mx={{ dynamic_dns_domain_configuration.mx }}
{% endif %}
{% if 'wildcard' in dynamic_dns_domain_configuration %}
wildcard=yes
{% endif %}
{% if 'script' in dynamic_dns_domain_configuration %}
script={{ dynamic_dns_domain_configuration.script }}
{% endif %}
{{ dynamic_dns_domain_configuration.domain }}
{% endfor %}

46
roles/custom/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2
View File

@@ -1,46 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Dynamic DNS
{% for service in matrix_dynamic_dns_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_dynamic_dns_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-dynamic-dns 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-dynamic-dns \
--log-driver=none \
--network={{ matrix_dynamic_dns_container_network }} \
-e PUID={{ matrix_user_uid }} \
-e PGID={{ matrix_user_gid }} \
--mount type=bind,src={{ matrix_dynamic_dns_config_path }},dst=/config \
{% for arg in matrix_dynamic_dns_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_dynamic_dns_docker_image }}
{% for network in matrix_dynamic_dns_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dynamic-dns
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dynamic-dns
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-dynamic-dns 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-dynamic-dns
[Install]
WantedBy=multi-user.target

4
roles/custom/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2.license
View File

@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Scott Crossen
SPDX-License-Identifier: AGPL-3.0-or-later

2
roles/custom/matrix-livekit-jwt-service/defaults/main.yml
View File

@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
matrix_livekit_jwt_service_container_additional_networks_custom: []
# renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
matrix_livekit_jwt_service_version: 0.4.0
matrix_livekit_jwt_service_version: 0.4.1
matrix_livekit_jwt_service_container_image_self_build: false
matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"

250
roles/custom/matrix-ma1sd/defaults/main.yml
View File

@@ -1,250 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2020 Matt Cengia
# SPDX-FileCopyrightText: 2021 Aaron Raimist
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2021 boris runakov
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# ma1sd is a Federated Matrix Identity Server
# Project source code URL: https://github.com/ma1uta/ma1sd
matrix_ma1sd_enabled: true
matrix_ma1sd_scheme: https
matrix_ma1sd_hostname: ''
matrix_ma1sd_container_image_self_build: false
matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
# renovate: datasource=docker depName=ma1uta/ma1sd
matrix_ma1sd_version: "2.5.0"
matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_registry_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}"
matrix_ma1sd_docker_image_registry_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_ma1sd_docker_image_registry_prefix_upstream }}"
matrix_ma1sd_docker_image_registry_prefix_upstream: "{{ matrix_ma1sd_docker_image_registry_prefix_upstream_default }}"
matrix_ma1sd_docker_image_registry_prefix_upstream_default: "docker.io/"
matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"
matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd"
# We need the docker src directory to be named ma1sd. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588
matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src/ma1sd"
matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config"
matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data"
matrix_ma1sd_container_port: 8090
# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/{{ matrix_ma1sd_container_port }} in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8090"), or empty string to not expose.
matrix_ma1sd_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
matrix_ma1sd_container_extra_arguments: []
# List of systemd services that matrix-ma1sd.service depends on
matrix_ma1sd_systemd_required_services_list: "{{ matrix_ma1sd_systemd_required_services_list_default + matrix_ma1sd_systemd_required_services_list_auto + matrix_ma1sd_systemd_required_services_list_custom }}"
matrix_ma1sd_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_ma1sd_systemd_required_services_list_auto: []
matrix_ma1sd_systemd_required_services_list_custom: []
# List of systemd services that matrix-ma1sd.service wants
matrix_ma1sd_systemd_wanted_services_list: "{{ matrix_ma1sd_systemd_wanted_services_list_default + matrix_ma1sd_systemd_wanted_services_list_auto + matrix_ma1sd_systemd_wanted_services_list_custom }}"
matrix_ma1sd_systemd_wanted_services_list_default: []
matrix_ma1sd_systemd_wanted_services_list_auto: []
matrix_ma1sd_systemd_wanted_services_list_custom: []
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_ma1sd_container_network: ""
# A list of additional container networks that matrix-ma1sd would be connected to.
# The playbook does not create these networks, so make sure they already exist.
#
# Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance)
matrix_ma1sd_container_additional_networks: "{{ matrix_ma1sd_container_additional_networks_auto + matrix_ma1sd_container_additional_networks_custom }}"
matrix_ma1sd_container_additional_networks_auto: []
matrix_ma1sd_container_additional_networks_custom: []
# matrix_ma1sd_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_ma1sd_container_labels_additional_labels`.
matrix_ma1sd_container_labels_traefik_enabled: true
matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_ma1sd_container_network }}"
matrix_ma1sd_container_labels_traefik_entrypoints: web-secure
matrix_ma1sd_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/identity endpoints
matrix_ma1sd_container_labels_matrix_identity_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
matrix_ma1sd_container_labels_matrix_identity_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_identity_path_prefix: "/_matrix/identity"
matrix_ma1sd_container_labels_matrix_identity_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_identity_hostname }}`) && PathPrefix(`{{ matrix_ma1sd_container_labels_matrix_identity_path_prefix }}`)"
matrix_ma1sd_container_labels_matrix_identity_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_identity_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/user_directory/search endpoint
matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp: "/_matrix/client/(?P<version>(r0|v3))/user_directory/search"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname }}`) && PathRegexp(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp }}`)"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/register/TYPE/requestToken endpoints
# This allows another service to control registrations involving 3PIDs.
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled: false
matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp: "/_matrix/client/(?P<version>(r0|v3))/register/(?P<type>(email|msisdn))/requestToken"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname }}`) && PathRegexp(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp }}`)"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_ma1sd_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_ma1sd_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_ma1sd_container_labels_additional_labels: ''
# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
# also forward lookups to the central matrix.org Identity server
# (at the cost of potentially leaking all your contacts information).
# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
matrix_ma1sd_matrixorg_forwarding_enabled: false
# Database-related configuration fields.
#
# To use SQLite, stick to these defaults.
#
# To use Postgres:
# - change the engine (`matrix_ma1sd_database_engine: 'postgres'`)
# - adjust your database credentials via the `matrix_ma1sd_database_*` variables
matrix_ma1sd_database_engine: 'sqlite'
matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db"
matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db"
matrix_ma1sd_database_username: 'matrix_ma1sd'
matrix_ma1sd_database_password: 'some-password'
matrix_ma1sd_database_hostname: ''
matrix_ma1sd_database_port: 5432
matrix_ma1sd_database_name: 'matrix_ma1sd'
matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}'
# ma1sd has several supported identity stores.
# One of them is storing identities directly in Synapse's database.
# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md
matrix_ma1sd_synapsesql_enabled: false
matrix_ma1sd_synapsesql_type: ""
matrix_ma1sd_synapsesql_connection: ""
# Setting up email-sending settings is required for using ma1sd.
matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}"
matrix_ma1sd_threepid_medium_email_connectors_smtp_host: ""
matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587
matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1
matrix_ma1sd_threepid_medium_email_connectors_smtp_login: ""
matrix_ma1sd_threepid_medium_email_connectors_smtp_password: ""
# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly.
# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd,
# so that ma1sd can rewrite the original URL to one that would reach the homeserver.
matrix_ma1sd_dns_overwrite_enabled: false
matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
matrix_ma1sd_dns_overwrite_homeserver_client_value: ""
# Override the default session templates
# To use this, fill in the template variables with the full desired template as a multi-line YAML variable
#
# More info:
# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session-views.md
matrix_ma1sd_view_session_custom_templates_enabled: false
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitSuccess.html
matrix_ma1sd_view_session_custom_onTokenSubmit_success_template: "" # noqa var-naming
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitFailure.html
matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template: "" # noqa var-naming
# Override the default email templates
# To use this, fill in the template variables with the full desired template as a multi-line YAML variable
#
# More info:
# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md
# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email
matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/invite-template.eml
matrix_ma1sd_threepid_medium_email_custom_invite_template: ""
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/validate-template.eml
matrix_ma1sd_threepid_medium_email_custom_session_validation_template: ""
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/unbind-notification.eml
matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: ""
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml
matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""
matrix_ma1sd_self_check_endpoint_url: "{{ matrix_ma1sd_scheme }}://{{ matrix_ma1sd_hostname }}/_matrix/identity/api/v1"
# Controls whether the self-check feature should validate SSL certificates.
matrix_ma1sd_self_check_validate_certificates: true
# Controls ma1sd logging verbosity for troubleshooting.
#
# See: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
matrix_ma1sd_verbose_logging: false
# Setting up support for API prefixes
matrix_ma1sd_v1_enabled: true
matrix_ma1sd_v2_enabled: true
# Fix for missing 3PIDS bug
matrix_ma1sd_hashing_enabled: true
# Default ma1sd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_ma1sd_configuration_yaml: "{{ lookup('template', 'templates/ma1sd.yaml.j2') }}"
matrix_ma1sd_configuration_extension_yaml: |
# Your custom YAML configuration for ma1sd goes here.
# This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_ma1sd_configuration_yaml`.
#
# Example configuration extension follows:
#
# ldap:
# enabled: true
# connection:
# host: ldapHostnameOrIp
# tls: false
# port: 389
# baseDNs: ['OU=Users,DC=example,DC=org']
# bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org
# bindPassword: TheUserPassword
matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml | from_yaml if matrix_ma1sd_configuration_extension_yaml | from_yaml is mapping else {} }}"
# Holds the final ma1sd configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`.
matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml | from_yaml | combine(matrix_ma1sd_configuration_extension, recursive=True) }}"

33
roles/custom/matrix-ma1sd/tasks/main.yml
View File

@@ -1,33 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-ma1sd
- install-all
- install-ma1sd
block:
- when: matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-ma1sd
block:
- when: not matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
- tags:
- self-check
- self-check-ma1sd
block:
- when: matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"

28
roles/custom/matrix-ma1sd/tasks/self_check.yml
View File

@@ -1,28 +0,0 @@
# SPDX-FileCopyrightText: 2020 MDAD project contributors
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check ma1sd Identity Service
ansible.builtin.uri:
url: "{{ matrix_ma1sd_self_check_endpoint_url }}"
follow_redirects: none
validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
check_mode: false
register: result_ma1sd
ignore_errors: true
delegate_to: 127.0.0.1
become: false
- name: Fail if ma1sd Identity Service not working
ansible.builtin.fail:
msg: "Failed checking ma1sd is up at `{{ matrix_ma1sd_hostname }}` (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
when: "result_ma1sd.failed or 'json' not in result_ma1sd"
- name: Report working ma1sd Identity Service
ansible.builtin.debug:
msg: "ma1sd at `{{ matrix_ma1sd_hostname }}` is working (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`)"

167
roles/custom/matrix-ma1sd/tasks/setup_install.yml
View File

@@ -1,167 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Chris van Dijk
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2020 Matt Cengia
# SPDX-FileCopyrightText: 2020 Stuart Mumford
# SPDX-FileCopyrightText: 2022 Jim Myhrberg
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure ma1sd paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_ma1sd_config_path }}", when: true}
- {path: "{{ matrix_ma1sd_data_path }}", when: true}
- {path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"}
when: "item.when | bool"
# These (SQLite -> Postgres) migration tasks are usually at the top,
# but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist.
- ansible.builtin.set_fact:
matrix_ma1sd_requires_restart: false
- when: "matrix_ma1sd_database_engine == 'postgres'"
block:
- name: Check if an SQLite database already exists
ansible.builtin.stat:
path: "{{ matrix_ma1sd_sqlite_database_path_local }}"
register: matrix_ma1sd_sqlite_database_path_local_stat_result
- when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists | bool"
block:
- ansible.builtin.include_role:
name: galaxy/postgres
tasks_from: migrate_db_to_postgres
vars:
postgres_db_migration_request:
src: "{{ matrix_ma1sd_sqlite_database_path_local }}"
dst: "{{ matrix_ma1sd_database_connection_string }}"
caller: "{{ role_path | basename }}"
engine_variable_name: 'matrix_ma1sd_database_engine'
engine_old: 'sqlite'
systemd_services_to_stop: ['matrix-ma1sd.service']
pgloader_options: ['--with "quote identifiers"']
- ansible.builtin.set_fact:
matrix_ma1sd_requires_restart: true
- name: Ensure ma1sd image is pulled
community.docker.docker_image:
name: "{{ matrix_ma1sd_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}"
when: "not matrix_ma1sd_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: "matrix_ma1sd_container_image_self_build | bool"
block:
- name: Ensure ma1sd repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_ma1sd_container_image_self_build_repo }}"
dest: "{{ matrix_ma1sd_docker_src_files_path }}"
version: "{{ matrix_ma1sd_container_image_self_build_branch }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_ma1sd_git_pull_results
- name: Ensure ma1sd container image is built
ansible.builtin.command:
cmd: |-
{{ devture_systemd_docker_base_host_command_docker }} buildx build
--tag={{ matrix_ma1sd_docker_image }}
--file={{ matrix_ma1sd_docker_src_files_path }}/Dockerfile
{{ matrix_ma1sd_docker_src_files_path }}
changed_when: true
- name: Ensure ma1sd config installed
ansible.builtin.copy:
content: "{{ matrix_ma1sd_configuration | to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure custom view templates are installed, if any
ansible.builtin.copy:
content: "{{ item.value }}"
dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_success_template }}", location: 'tokenSubmitSuccess.html'}
- {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template }}", location: 'tokenSubmitFailure.html'}
when: "matrix_ma1sd_view_session_custom_templates_enabled | bool and item.value"
- name: Ensure custom email templates are installed, if any
ansible.builtin.copy:
content: "{{ item.value }}"
dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value"
# Only cleaning up for people who define the respective templates
- name: (Cleanup) Ensure custom email templates are not in data/ anymore (we've put them in config/)
ansible.builtin.file:
path: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
state: absent
with_items:
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value"
- name: Ensure ma1sd support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_ma1sd_base_path }}/{{ item }}"
mode: 0640
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- labels
- name: Ensure ma1sd container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_ma1sd_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-ma1sd.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
mode: 0644
- name: Ensure matrix-ma1sd.service restarted, if necessary
ansible.builtin.service:
name: "matrix-ma1sd.service"
state: restarted
daemon_reload: true
when: "matrix_ma1sd_requires_restart | bool"

31
roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml
View File

@@ -1,31 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-ma1sd service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
register: matrix_ma1sd_service_stat
- when: matrix_ma1sd_service_stat.stat.exists | bool
block:
- name: Ensure matrix-ma1sd is stopped
ansible.builtin.service:
name: matrix-ma1sd
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-ma1sd.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
state: absent
- name: Ensure Matrix ma1sd paths don't exist
ansible.builtin.file:
path: "{{ matrix_ma1sd_base_path }}"
state: absent

86
roles/custom/matrix-ma1sd/tasks/validate_config.yml
View File

@@ -1,86 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2021 boris runakov
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: (Deprecation) Warn about ma1sd variables that are not used anymore
ansible.builtin.fail:
msg: >
The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
You'll need to adapt to the new way of extending ma1sd configuration.
See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples.
when: "lookup('ansible.builtin.varnames', ('^' + item + '$'), wantlist=True) | length > 0"
with_items:
- 'matrix_ma1sd_ldap_enabled'
- 'matrix_ma1sd_ldap_connection_host'
- 'matrix_ma1sd_ldap_connection_tls'
- 'matrix_ma1sd_ldap_connection_port'
- 'matrix_ma1sd_ldap_connection_baseDn'
- 'matrix_ma1sd_ldap_connection_baseDns'
- 'matrix_ma1sd_ldap_connection_bindDn'
- 'matrix_ma1sd_ldap_connection_bindPassword'
- 'matrix_ma1sd_ldap_filter'
- 'matrix_ma1sd_ldap_attribute_uid_type'
- 'matrix_ma1sd_ldap_attribute_uid_value'
- 'matrix_ma1sd_ldap_connection_bindPassword'
- 'matrix_ma1sd_ldap_attribute_name'
- 'matrix_ma1sd_ldap_attribute_threepid_email'
- 'matrix_ma1sd_ldap_attribute_threepid_msisdn'
- 'matrix_ma1sd_ldap_identity_filter'
- 'matrix_ma1sd_ldap_identity_medium'
- 'matrix_ma1sd_ldap_auth_filter'
- 'matrix_ma1sd_ldap_directory_filter'
- 'matrix_ma1sd_template_config'
- 'matrix_ma1sd_architecture'
- name: Ensure ma1sd configuration does not contain any dot-notation keys
ansible.builtin.fail:
msg: >
Since version 1.3.0, ma1sd will not accept property-style configuration keys.
You have defined a key (`{{ item.key }}`) which contains a dot.
Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130
when: "'.' in item.key"
with_dict: "{{ matrix_ma1sd_configuration }}"
- name: Fail if required ma1sd settings not defined
ansible.builtin.fail:
msg: >
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_ma1sd_hostname', when: true}
- {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true}
- {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true}
- {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"}
- {'name': 'matrix_ma1sd_container_network', when: true}
- {'name': 'matrix_ma1sd_container_labels_matrix_identity_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_identity_path_prefix', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp', when: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled }}"}
- name: (Deprecation) Catch and report renamed ma1sd variables
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_ma1sd_container_expose_port', 'new': '<superseded by matrix_ma1sd_container_http_host_bind_port>'}
- {'old': 'matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template', 'new': 'matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template'}
- {'old': 'matrix_ma1sd_default_port', 'new': 'matrix_ma1sd_container_port'}
- {'old': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path', 'new': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp'}
- {'old': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_path', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp'}
- {'old': 'matrix_ma1sd_docker_image_name_prefix', 'new': 'matrix_ma1sd_docker_image_registry_prefix'}
- name: (Deprecation) Catch and report mxisd variables
ansible.builtin.fail:
msg: >-
mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork.
The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names.
Please rename these variables (`matrix_mxisd_*` -> `matrix_ma1sd_*`) on your configuration file (vars.yml): {{ lookup('ansible.builtin.varnames', '^matrix_mxisd_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_mxisd_.+', wantlist=True) | length > 0"

124
roles/custom/matrix-ma1sd/templates/labels.j2
View File

@@ -1,124 +0,0 @@
{#
SPDX-FileCopyrightText: 2024 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_ma1sd_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_ma1sd_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_ma1sd_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-ma1sd.loadbalancer.server.port={{ matrix_ma1sd_container_port }}
{% if matrix_ma1sd_container_labels_matrix_identity_enabled %}
############################################################
# #
# Matrix Identity APIs (/_matrix/identity) #
# #
############################################################
traefik.http.routers.matrix-ma1sd-matrix-identity.rule={{ matrix_ma1sd_container_labels_matrix_identity_traefik_rule }}
{% if matrix_ma1sd_container_labels_matrix_identity_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-identity.priority={{ matrix_ma1sd_container_labels_matrix_identity_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-identity.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-identity.entrypoints={{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-identity.tls={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_identity_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-identity.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Matrix Identity APIs (/_matrix/identity) #
# #
############################################################
{% endif %}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
############################################################
# #
# Matrix Client user-directory search API endpoint #
# (/_matrix/client/VERSION/user_directory/search) #
# #
############################################################
# ma1sd only supports /_matrix/client/r0/user_directory/search
# while we potentially handle /_matrix/client/v3/user_directory/search as well,
# so we need to transparently reroute.
traefik.http.middlewares.matrix-ma1sd-matrix-client-user-directory-search-replacepath.replacepath.path=/_matrix/client/r0/user_directory/search
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.rule={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule }}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.middlewares=matrix-ma1sd-matrix-client-user-directory-search-replacepath
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.priority={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Matrix Client user-directory search API endpoint #
# (/_matrix/client/VERSION/user_directory/search) #
# #
############################################################
{% endif %}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
############################################################
# #
# Matrix Client 3pid registration API endpoint #
# (/_matrix/client/VERSION/register/TYPE/requestToken) #
# #
############################################################
# ma1sd only supports /_matrix/client/r0/register/TYPE/requestToken
# while we potentially handle /_matrix/client/v3/register/TYPE/requestToken as well,
# so we need to transparently reroute.
traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.regex=^/_matrix/client/([^/]+)/register/([^/]+)/requestToken
traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.replacement=/_matrix/client/r0/register/${2}/requestToken
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.rule={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule }}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.middlewares=matrix-ma1sd-matrix-client-3pid-registration-replacepathregex
{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.priority={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Matrix Client 3pid registration API endpoint #
# (/_matrix/client/VERSION/register/TYPE/requestToken) #
# #
############################################################
{% endif %}
{% endif %}
{{ matrix_ma1sd_container_labels_additional_labels }}

104
roles/custom/matrix-ma1sd/templates/ma1sd.yaml.j2
View File

@@ -1,104 +0,0 @@
#jinja2: lstrip_blocks: True
matrix:
domain: {{ matrix_domain }}
v1: {{ matrix_ma1sd_v1_enabled|to_json }}
v2: {{ matrix_ma1sd_v2_enabled|to_json }}
server:
name: {{ matrix_server_fqn_matrix }}
key:
path: /var/ma1sd/sign.key
storage:
{% if matrix_ma1sd_database_engine == 'sqlite' %}
backend: sqlite
provider:
sqlite:
database: {{ matrix_ma1sd_sqlite_database_path_in_container|to_json }}
{% elif matrix_ma1sd_database_engine == 'postgres' %}
backend: postgresql
provider:
postgresql:
database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}
username: {{ matrix_ma1sd_database_username|to_json }}
password: {{ matrix_ma1sd_database_password|to_json }}
{% endif %}
{% if matrix_ma1sd_dns_overwrite_enabled %}
dns:
overwrite:
homeserver:
client:
- name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }}
value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }}
{% endif %}
{% if matrix_ma1sd_matrixorg_forwarding_enabled %}
forward:
servers: ['matrix-org']
{% endif %}
threepid:
medium:
email:
identity:
from: {{ matrix_ma1sd_threepid_medium_email_identity_from }}
connectors:
smtp:
host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }}
port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }}
tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }}
login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }}
password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }}
{% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %}
generators:
template:
{% if matrix_ma1sd_threepid_medium_email_custom_invite_template %}
invite: '/etc/ma1sd/invite-template.eml'
{% endif %}
{% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %}
session:
{% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %}
validation: '/etc/ma1sd/validate-template.eml'
{% endif %}
{% if matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %}
unbind:
notification: '/etc/ma1sd/unbind-notification.eml'
{% endif %}
{% endif %}
{% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %}
generic:
matrixId: '/etc/ma1sd/mxid-template.eml'
{% endif %}
{% endif %}
{% if matrix_ma1sd_view_session_custom_templates_enabled %}
view:
session:
onTokenSubmit:
{% if matrix_ma1sd_view_session_custom_onTokenSubmit_success_template %}
success: '/etc/ma1sd/tokenSubmitSuccess.html'
{% endif %}
{% if matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template %}
failure: '/etc/ma1sd/tokenSubmitFailure.html'
{% endif %}
{% endif %}
{% if matrix_ma1sd_hashing_enabled %}
hashing:
enabled: true # enable or disable the hash lookup MSC2140 (default is false)
pepperLength: 20 # length of the pepper value (default is 20)
rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating
hashStorageType: sql # or `in_memory` where the hashes will be stored
algorithms:
- none # the same as v1 bulk lookup
- sha256 # hash the 3PID and pepper.
delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s)
requests: 10
{% endif %}
synapseSql:
enabled: {{ matrix_ma1sd_synapsesql_enabled|to_json }}
type: {{ matrix_ma1sd_synapsesql_type|to_json }}
connection: {{ matrix_ma1sd_synapsesql_connection|to_json }}

4
roles/custom/matrix-ma1sd/templates/ma1sd.yaml.j2.license
View File

@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2020 - 2022 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 MDAD project contributors
SPDX-License-Identifier: AGPL-3.0-or-later

57
roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
View File

@@ -1,57 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix ma1sd Identity server
{% for service in matrix_ma1sd_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_ma1sd_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-ma1sd 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ma1sd 2>/dev/null || true'
# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
# so /tmp needs to be mounted with an exec option.
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-ma1sd \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--tmpfs=/tmp:rw,exec,nosuid,size=10m \
--network={{ matrix_ma1sd_container_network }} \
{% if matrix_ma1sd_container_http_host_bind_port %}
-p {{ matrix_ma1sd_container_http_host_bind_port }}:{{ matrix_ma1sd_container_port }} \
{% endif %}
{% if matrix_ma1sd_verbose_logging %}
-e MA1SD_LOG_LEVEL=debug \
{% endif %}
--mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \
--mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \
--label-file={{ matrix_ma1sd_base_path }}/labels \
{% for arg in matrix_ma1sd_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_ma1sd_docker_image }}
{% for network in matrix_ma1sd_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-ma1sd
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-ma1sd
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-ma1sd 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ma1sd 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-ma1sd
[Install]
WantedBy=multi-user.target

7
roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2.license
View File

@@ -1,7 +0,0 @@
SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-FileCopyrightText: 2020 Marcel Partap
SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
SPDX-FileCopyrightText: 2021 boris runakov
SPDX-License-Identifier: AGPL-3.0-or-later

10
roles/custom/matrix-ma1sd/vars/main.yml
View File

@@ -1,10 +0,0 @@
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2022 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later.
matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml | from_yaml if matrix_ma1sd_configuration_extension_yaml | from_yaml else {} }}"

18
roles/custom/matrix-media-repo/defaults/main.yml
View File

@@ -414,8 +414,9 @@ matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere"
# thumbnails and other misc data is also stored in these places. The media repo, when looking
# for a datastore to use, will always use the smallest datastore first.
# ID for the file datastore (cannot change). Alphanumeric recommended.
matrix_media_repo_datastore_file_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'filestore.db', rounds=655555) | to_uuid }}"
# ID for the file datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
matrix_media_repo_datastore_file_id: ""
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote
@@ -434,8 +435,9 @@ matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "loca
# Path to datastore, relative to matrix-media-repo directory root
matrix_media_repo_datastore_opts_path: "/data/media"
# ID for the s3 datastore (cannot change). Alphanumeric recommended.
matrix_media_repo_datastore_s3_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 's3store.db', rounds=655555) | to_uuid }}"
# ID for the S3 datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
matrix_media_repo_datastore_s3_id: ""
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote
@@ -895,13 +897,7 @@ matrix_media_repo_redis_database_number: 0
# The Redis shards that should be used by the media repo in the ring. The names of the
# shards are for your reference and have no bearing on the connection, but must be unique.
matrix_media_repo_redis_shards:
- name: "server1"
addr: ":7000"
- name: "server2"
addr: ":7001"
- name: "server3"
addr: ":7002"
matrix_media_repo_redis_shards: []
# Optional sentry (https://sentry.io/) configuration for the media repo

2
roles/custom/matrix-media-repo/tasks/validate_config.yml
View File

@@ -15,6 +15,8 @@
- {'name': 'matrix_media_repo_database_hostname', when: true}
- {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"}
- {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"}
- {'name': 'matrix_media_repo_datastore_file_id', when: "{{ (matrix_media_repo_datastore_file_for_kinds | length) > 0 }}"}
- {'name': 'matrix_media_repo_datastore_s3_id', when: "{{ (matrix_media_repo_datastore_s3_for_kinds | length) > 0 }}"}
- name: (Deprecation) Catch and report renamed matrix-media-repo settings
ansible.builtin.fail:

Some files were not shown because too many files have changed in this diff Show More