iartamonov/matrix-docker-ansible-deploy
1
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2026-04-02 04:44:50 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: iartamonov:master
Branches Tags
iartamonov:master iartamonov:create-pull-request/i18n iartamonov:migration-validation-system iartamonov:copilot/update-exim-relay-docs iartamonov:renovate/matrixdotorg-sygnal-0.x iartamonov:synapse-user-register-wait-for iartamonov:remove-zulip-bridge iartamonov:stabilize-mas iartamonov:element-call-stack iartamonov:element-call-integration iartamonov:synapse-cache-tuning iartamonov:HarHarLinks/hookshot-encryption
..
compare: iartamonov:migration-validation-system
Branches Tags
iartamonov:master iartamonov:create-pull-request/i18n iartamonov:migration-validation-system iartamonov:copilot/update-exim-relay-docs iartamonov:renovate/matrixdotorg-sygnal-0.x iartamonov:synapse-user-register-wait-for iartamonov:remove-zulip-bridge iartamonov:stabilize-mas iartamonov:element-call-stack iartamonov:element-call-integration iartamonov:synapse-cache-tuning iartamonov:HarHarLinks/hookshot-encryption

2 Commits
master ... migration-

Author SHA1 Message Date
Slavi Pantaleev
08e2b5d618 Add pre-commit check for migration version sync between defaults and examples/vars.yml 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 09:07:21 +02:00
Slavi Pantaleev
9f52db133b Add migration validation system to catch breaking changes early 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 09:07:21 +02:00
20 changed files with 76 additions and 469 deletions
Expand all files Collapse all files

2
.pre-commit-config.yaml
View File

@@ -24,7 +24,7 @@ repos:
hooks:
- id: reuse
- repo: https://github.com/ansible/ansible-lint
rev: v26.4.0
rev: v26.3.0
hooks:
- id: ansible-lint
files: '^roles/custom/'

2
docs/configuring-playbook-matrix-authentication-service.md
View File

@@ -398,8 +398,6 @@ To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2
just run-tags matrix-authentication-service-mas-cli-syn2mas
```
After `syn2mas` completes, Synapse will intentionally remain stopped to avoid new registrations or other authentication changes from being accepted before the migration is completed. Continue with the next steps in this guide before re-running the installation.
Having performed a `syn2mas` migration once, trying to do it again will report errors (e.g. "Error: The MAS database is not empty: rows found in at least `users`. Please drop and recreate the database, then try again.").
## Verify that Matrix Authentication Service is installed correctly

4
group_vars/matrix_servers
View File

@@ -4909,8 +4909,6 @@ matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_
matrix_synapse_experimental_features_msc4140_enabled: "{{ matrix_rtc_enabled }}"
matrix_synapse_experimental_features_msc4143_enabled: "{{ matrix_rtc_enabled }}"
matrix_synapse_experimental_features_msc4222_enabled: "{{ matrix_rtc_enabled }}"
# Disable password authentication when delegating authentication to Matrix Authentication Service.
@@ -5786,8 +5784,6 @@ matrix_continuwuity_container_labels_public_federation_api_traefik_tls: "{{ matr
matrix_continuwuity_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
matrix_continuwuity_config_rtc_foci_livekit_url: "{{ matrix_livekit_jwt_service_public_url if matrix_livekit_jwt_service_enabled else '' }}"
matrix_continuwuity_config_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_continuwuity_config_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_continuwuity_config_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"

4
i18n/requirements.txt
View File

@@ -14,9 +14,9 @@ mdit-py-plugins==0.5.0
mdurl==0.1.2
myst-parser==5.0.0
packaging==26.0
Pygments==2.20.0
Pygments==2.19.2
PyYAML==6.0.3
requests==2.33.1
requests==2.32.5
setuptools==82.0.1
snowballstemmer==3.0.1
Sphinx==9.1.0

18
requirements.yml
View File

@@ -27,10 +27,10 @@
version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
name: docker_sdk_for_python
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
version: v2.6.1-5
version: v2.6.1-3
name: etherpad
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
version: v4.99.1-r0-2-0
version: v4.99.1-r0-0-1
name: exim_relay
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
version: v11.6.5-9
@@ -39,16 +39,16 @@
version: v0.5.1-2
name: hydrogen
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v10888-0
version: v10741-2
name: jitsi
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
version: v1.10.1-0
version: v1.9.12-1
name: livekit_server
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
version: v2.21.0-0
version: v2.19.2-1
name: ntfy
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4
version: 8630e4f1749bcb659c412820f754473f09055052
name: playbook_help
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
@@ -57,7 +57,7 @@
version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
name: playbook_state_preserver
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
version: v18.3-4
version: v18.3-1
name: postgres
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
version: v18-2
@@ -75,7 +75,7 @@
version: v0.19.1-3
name: prometheus_postgres_exporter
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
version: v1.13.1-0
version: v1.6.0-2
name: sable
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
version: v1.5.0-0
@@ -87,7 +87,7 @@
version: v1.1.0-1
name: timesync
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
version: v3.6.12-0
version: v3.6.11-2
name: traefik
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
version: v2.10.0-5

2
roles/custom/matrix-alertmanager-receiver/defaults/main.yml
View File

@@ -11,7 +11,7 @@
matrix_alertmanager_receiver_enabled: true
# renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
matrix_alertmanager_receiver_version: 2026.4.1
matrix_alertmanager_receiver_version: 2026.3.18
matrix_alertmanager_receiver_scheme: https

2
roles/custom/matrix-authentication-service/defaults/main.yml
View File

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
matrix_authentication_service_version: 1.14.0
matrix_authentication_service_version: 1.13.0
matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

14
roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml
View File

@@ -110,17 +110,11 @@
ansible.builtin.debug:
var: matrix_authentication_service_mas_cli_syn2mas_command_result
- name: Inject syn2mas post-migration note
- name: Ensure Synapse is started (if it previously was)
when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_cli_syn2mas_command_result.changed"
ansible.builtin.set_fact:
devture_playbook_runtime_messages_list: |
{{
devture_playbook_runtime_messages_list | default([])
+
[
"Synapse was intentionally not restarted after `syn2mas`. Continue with the next steps in the Matrix Authentication Service migration guide before re-running the installation."
]
}}
ansible.builtin.service:
name: matrix-synapse
state: started
- name: Ensure Matrix Authentication Service is started (if it previously was)
when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed"

2
roles/custom/matrix-bot-baibot/defaults/main.yml
View File

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
# renovate: datasource=docker depName=ghcr.io/etkecc/baibot
matrix_bot_baibot_version: v1.17.0
matrix_bot_baibot_version: v1.16.0
matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

2
roles/custom/matrix-cactus-comments-client/defaults/main.yml
View File

@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
matrix_cactus_comments_client_public_path_file_permissions: "0644"
# renovate: datasource=docker depName=joseluisq/static-web-server
matrix_cactus_comments_client_version: 2.42.0
matrix_cactus_comments_client_version: 2.41.0
matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"

2
roles/custom/matrix-client-element/defaults/main.yml
View File

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
# renovate: datasource=docker depName=ghcr.io/element-hq/element-web
matrix_client_element_version: v1.12.13
matrix_client_element_version: v1.12.12
matrix_client_element_container_image: "{{ matrix_client_element_container_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
matrix_client_element_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_container_image_registry_prefix_upstream }}"

2
roles/custom/matrix-client-fluffychat/defaults/main.yml
View File

@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
# renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
matrix_client_fluffychat_version: v2.5.1
matrix_client_fluffychat_version: v2.4.1
matrix_client_fluffychat_container_image: "{{ matrix_client_fluffychat_container_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
matrix_client_fluffychat_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_container_image_registry_prefix_upstream }}"
matrix_client_fluffychat_container_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_container_image_registry_prefix_upstream_default }}"

57
roles/custom/matrix-continuwuity/defaults/main.yml
View File

@@ -165,8 +165,8 @@ matrix_continuwuity_config_registration_token: ''
# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix.
matrix_continuwuity_config_new_user_displayname_suffix: ""
# Controls the `allow_announcements_check` setting.
matrix_continuwuity_config_allow_announcements_check: true
# Controls the `allow_check_for_updates` setting.
matrix_continuwuity_config_allow_check_for_updates: false
# Controls the `emergency_password` setting.
matrix_continuwuity_config_emergency_password: ''
@@ -188,29 +188,6 @@ matrix_continuwuity_config_turn_password: ''
# Controls whether the self-check feature should validate SSL certificates.
matrix_continuwuity_self_check_validate_certificates: true
# If set, registration will require Google ReCAPTCHA verification.
matrix_continuwuity_config_recaptcha_site_key: ''
matrix_continuwuity_config_recaptcha_private_site_key: ''
# Controls whether encrypted rooms and events are allowed.
matrix_continuwuity_config_allow_encryption: true
# Controls whether standard users can create new rooms.
# Appservices and admins are always allowed to create new rooms.
matrix_continuwuity_config_allow_room_creation: true
# List/vector of room IDs or room aliases that continuwuity will make
# newly registered users join. The rooms specified must be rooms that you
# have joined at least once on the server, and must be public.
#
# example: ["#continuwuity:continuwuity.org",
# "!main-1:continuwuity.org"]
#
matrix_continuwuity_config_auto_join_rooms: []
# Forces users to always forget rooms they have left (MSC4267).
matrix_continuwuity_config_forget_forced_upon_leave: false
# Controls server (de)federation settings.
matrix_continuwuity_config_allow_federation: true
matrix_continuwuity_config_allowed_remote_server_names: []
@@ -219,39 +196,9 @@ matrix_continuwuity_config_forbidden_remote_room_directory_server_names: []
matrix_continuwuity_config_prevent_media_downloads_from: []
matrix_continuwuity_config_ignore_messages_from_server_names: []
# Allow outgoing presence updates/requests.
#
# Note that outgoing presence is very heavy on the CPU and network, and
# will typically cause extreme strain and slowdowns for no real benefit.
# There are only a few clients that even implement presence, so you
# probably don't want to enable this.
matrix_continuwuity_config_allow_outgoing_presence: false
# Controls MatrixRTC foci served via `/_matrix/client/v1/rtc/transports`
# and `/_matrix/client/unstable/org.matrix.msc4143/rtc/transports` (MSC4143)
matrix_continuwuity_config_rtc_foci: "{{ matrix_continuwuity_config_rtc_foci_auto + matrix_continuwuity_config_rtc_foci_custom }}"
matrix_continuwuity_config_rtc_foci_auto: |-
{{
(
[{'type': 'livekit', 'livekit_service_url': matrix_continuwuity_config_rtc_foci_livekit_url}] if matrix_continuwuity_config_rtc_foci_livekit_url != '' else []
)
}}
matrix_continuwuity_config_rtc_foci_custom: []
# Controls MatrixRTC Livekit URL auto-added to `matrix_continuwuity_config_rtc_foci`.
#
# This is set automatically if you are using the playbook MatrixRTC stack.
matrix_continuwuity_config_rtc_foci_livekit_url: ''
# Controls the `url_preview_domain_contains_allowlist` setting.
matrix_continuwuity_config_url_preview_domain_contains_allowlist: []
# Controls the `url_preview_domain_explicit_allowlist` setting.
matrix_continuwuity_config_url_preview_domain_explicit_allowlist: []
# Controls the `url_preview_check_root_domain` setting.
matrix_continuwuity_config_url_preview_check_root_domain: false
# Additional environment variables to pass to the container.
#
# Environment variables take priority over settings in the configuration file.

1
roles/custom/matrix-continuwuity/tasks/validate_config.yml
View File

@@ -22,7 +22,6 @@
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_continuwuity_allowed_remote_server_names', 'new': 'matrix_continuwuity_config_allowed_remote_server_names'}
- {'old': 'matrix_continuwuity_config_allow_check_for_updates', 'new': 'matrix_continuwuity_config_allow_announcements_check'}
- {'old': 'matrix_continuwuity_forbidden_remote_room_directory_server_names', 'new': 'matrix_continuwuity_config_forbidden_remote_room_directory_server_names'}
- {'old': 'matrix_continuwuity_forbidden_remote_server_names', 'new': 'matrix_continuwuity_config_forbidden_remote_server_names'}
- {'old': 'matrix_continuwuity_ignore_messages_from_server_names', 'new': 'matrix_continuwuity_config_ignore_messages_from_server_names'}

407
roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2
View File

@@ -21,8 +21,8 @@ SPDX-License-Identifier: AGPL-3.0-or-later
# Also see the `[global.well_known]` config section at the very bottom.
#
# Examples of delegation:
# - https://continuwuity.org/.well-known/matrix/server
# - https://continuwuity.org/.well-known/matrix/client
# - https://puppygock.gay/.well-known/matrix/server
# - https://puppygock.gay/.well-known/matrix/client
#
# YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
# WIPE.
@@ -112,7 +112,7 @@ new_user_displayname_suffix = {{ matrix_continuwuity_config_new_user_displayname
# `https://continuwuity.org/.well-known/continuwuity/announcements` for any new
# announcements or major updates. This is not an update check endpoint.
#
allow_announcements_check = {{ matrix_continuwuity_config_allow_announcements_check | to_json }}
allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates | to_json }}
# Set this to any float value to multiply continuwuity's in-memory LRU
# caches with such as "auth_chain_cache_capacity".
@@ -283,25 +283,6 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
#
#max_fetch_prev_events = 192
# How many incoming federation transactions the server is willing to be
# processing at any given time before it becomes overloaded and starts
# rejecting further transactions until some slots become available.
#
# Setting this value too low or too high may result in unstable
# federation, and setting it too high may cause runaway resource usage.
#
#max_concurrent_inbound_transactions = 150
# Maximum age (in seconds) for cached federation transaction responses.
# Entries older than this will be removed during cleanup.
#
#transaction_id_cache_max_age_secs = 7200 (2 hours)
# Maximum number of cached federation transaction responses.
# When the cache exceeds this limit, older entries will be removed.
#
#transaction_id_cache_max_entries = 8192
# Default/base connection timeout (seconds). This is used only by URL
# previews and update/news endpoint checks.
#
@@ -339,38 +320,11 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
#
#well_known_timeout = 10
# Federation client connection timeout (seconds). You should not set this
# to high values, as dead homeservers can significantly slow down
# federation, specifically key retrieval, which will take roughly the
# amount of time you configure here given that a homeserver doesn't
# respond. This will cause most clients to time out /keys/query, causing
# E2EE and device verification to fail.
#
#federation_conn_timeout = 10
# Federation client request timeout (seconds). You most definitely want
# this to be high to account for extremely large room joins, slow
# homeservers, your own resources etc.
#
# Joins have 6x the timeout.
#
#federation_timeout = 60
# MSC4284 Policy server request timeout (seconds). Generally policy
# servers should respond near instantly, however may slow down under
# load. If a policy server doesn't respond in a short amount of time, the
# room it is configured in may become unusable if this limit is set too
# high. 10 seconds is a good default, however dropping this to 3-5 seconds
# can be acceptable.
#
# Please be aware that policy requests are *NOT* currently re-tried, so if
# a spam check request fails, the event will be assumed to be not spam,
# which in some cases may result in spam being sent to or received from
# the room that would typically be prevented.
#
# About policy servers: https://matrix.org/blog/2025/04/introducing-policy-servers/
#
#policy_server_request_timeout = 10
#federation_timeout = 300
# Federation client idle connection pool timeout (seconds).
#
@@ -403,15 +357,7 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
#
#appservice_idle_timeout = 300
# Notification gateway pusher request connection timeout (seconds).
#
#pusher_conn_timeout = 15
# Notification gateway pusher total request timeout (seconds).
#
#pusher_timeout = 60
# Notification gateway pusher idle connection pool timeout (seconds).
# Notification gateway pusher idle connection pool timeout.
#
#pusher_idle_timeout = 15
@@ -456,11 +402,6 @@ allow_registration = {{ matrix_continuwuity_config_allow_registration | to_json
# invites, or create/join or otherwise modify rooms.
# They are effectively read-only.
#
# If you want to use this to screen people who register on your server,
# you should add a room to `auto_join_rooms` that is public, and contains
# information that new users can read (since they won't be able to DM
# anyone, or send a message, and may be confused).
#
suspend_on_register = {{ matrix_continuwuity_config_suspend_on_register | to_json }}
# Enabling this setting opens registration to anyone without restrictions.
@@ -490,29 +431,9 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
#
#registration_token_file =
# The public site key for reCaptcha. If this is provided, reCaptcha
# becomes required during registration. If both captcha *and*
# registration token are enabled, both will be required during
# registration.
#
# IMPORTANT: "Verify the origin of reCAPTCHA solutions" **MUST** BE
# DISABLED IF YOU WANT THE CAPTCHA TO WORK IN 3RD PARTY CLIENTS, OR
# CLIENTS HOSTED ON DOMAINS OTHER THAN YOUR OWN!
#
# Registration must be enabled (`allow_registration` must be true) for
# this to have any effect.
#
recaptcha_site_key = {{ matrix_continuwuity_config_recaptcha_site_key | to_json }}
# The private site key for reCaptcha.
# If this is omitted, captcha registration will not work,
# even if `recaptcha_site_key` is set.
#
recaptcha_private_site_key = {{ matrix_continuwuity_config_recaptcha_private_site_key | to_json }}
# Controls whether encrypted rooms and events are allowed.
#
allow_encryption = {{ matrix_continuwuity_config_allow_encryption | to_json }}
#allow_encryption = true
# Controls whether federation is allowed or not. It is not recommended to
# disable this after the fact due to potential federation breakage.
@@ -530,7 +451,7 @@ allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }}
# Always calls /forget on behalf of the user if leaving a room. This is a
# part of MSC4267 "Automatically forgetting rooms on leave"
#
forget_forced_upon_leave = {{ matrix_continuwuity_config_forget_forced_upon_leave | to_json }}
#forget_forced_upon_leave = false
# Set this to true to require authentication on the normally
# unauthenticated profile retrieval endpoints (GET)
@@ -548,6 +469,12 @@ forget_forced_upon_leave = {{ matrix_continuwuity_config_forget_forced_upon_leav
#
#allow_public_room_directory_over_federation = false
# Set this to true to allow your server's public room directory to be
# queried without client authentication (access token) through the Client
# APIs. Set this to false to protect against /publicRooms spiders.
#
#allow_public_room_directory_without_auth = false
# Allow guests/unauthenticated users to access TURN credentials.
#
# This is the equivalent of Synapse's `turn_allow_guests` config option.
@@ -589,7 +516,7 @@ forget_forced_upon_leave = {{ matrix_continuwuity_config_forget_forced_upon_leav
# Allow standard users to create rooms. Appservices and admins are always
# allowed to create rooms
#
allow_room_creation = {{ matrix_continuwuity_config_allow_room_creation | to_json }}
#allow_room_creation = true
# Set to false to disable users from joining or creating room versions
# that aren't officially supported by continuwuity.
@@ -602,32 +529,18 @@ allow_room_creation = {{ matrix_continuwuity_config_allow_room_creation | to_jso
#allow_unstable_room_versions = true
# Default room version continuwuity will create rooms with.
# Note that this has to be a string since the room version is a string
# rather than an integer. Forgetting the quotes will make the server fail
# to start!
#
# Per spec, room version "11" is the default.
# Per spec, room version 11 is the default.
#
#default_room_version = "11"
#default_room_version = 11
# Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
# Jaeger exporter. Traces will be sent via OTLP to a collector (such as
# Jaeger) that supports the OpenTelemetry Protocol.
# This item is undocumented. Please contribute documentation for it.
#
# Configure your OTLP endpoint using the OTEL_EXPORTER_OTLP_ENDPOINT
# environment variable (defaults to http://localhost:4318).
#
#allow_otlp = false
#allow_jaeger = false
# Filter for OTLP tracing spans. This controls which spans are exported
# to the OTLP collector.
# This item is undocumented. Please contribute documentation for it.
#
#otlp_filter = "info"
# Protocol to use for OTLP tracing export. Options are "http" or "grpc".
# The HTTP protocol uses port 4318 by default, while gRPC uses port 4317.
#
#otlp_protocol = "http"
#jaeger_filter = "info"
# If the 'perf_measurements' compile-time feature is enabled, enables
# collecting folded stack trace profile of tracing spans using
@@ -753,21 +666,6 @@ log = {{ matrix_continuwuity_config_log | to_json }}
#
#log_thread_ids = false
# Enable journald logging on Unix platforms
#
# When enabled, log output will be sent to the systemd journal
# This is only supported on Unix platforms
#
#log_to_journald = false
# The syslog identifier to use with journald logging
#
# Only used when journald logging is enabled
#
# Defaults to the binary name
#
#journald_identifier =
# OpenID token expiration/TTL in seconds.
#
# These are the OpenID tokens that are primarily used for Matrix account
@@ -849,7 +747,7 @@ turn_secret = {{ matrix_continuwuity_config_turn_secret | to_json }}
# example: ["#continuwuity:continuwuity.org",
# "!main-1:continuwuity.org"]
#
auto_join_rooms = {{ matrix_continuwuity_config_auto_join_rooms | to_json }}
#auto_join_rooms = []
# Config option to automatically deactivate the account of any user who
# attempts to join a:
@@ -1062,6 +960,14 @@ auto_join_rooms = {{ matrix_continuwuity_config_auto_join_rooms | to_json }}
#
#rocksdb_repair = false
# This item is undocumented. Please contribute documentation for it.
#
#rocksdb_read_only = false
# This item is undocumented. Please contribute documentation for it.
#
#rocksdb_secondary = false
# Enables idle CPU priority for compaction thread. This is not enabled by
# default to prevent compaction from falling too far behind on busy
# systems.
@@ -1120,34 +1026,27 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
# Allow local (your server only) presence updates/requests.
#
# Local presence must be enabled for outgoing presence to function.
#
# Note that local presence is not as heavy on the CPU as federated
# presence, but will still become more expensive the more local users you
# have.
# Note that presence on continuwuity is very fast unlike Synapse's. If
# using outgoing presence, this MUST be enabled.
#
#allow_local_presence = true
# Allow incoming federated presence updates.
# Allow incoming federated presence updates/requests.
#
# This option enables processing inbound presence updates from other
# servers. Without it, remote users will appear as if they are always
# offline to your local users. This does not affect typing indicators or
# read receipts.
# This option receives presence updates from other servers, but does not
# send any unless `allow_outgoing_presence` is true. Note that presence on
# continuwuity is very fast unlike Synapse's.
#
#allow_incoming_presence = true
# Allow outgoing presence updates/requests.
#
# This option sends presence updates to other servers, and requires that
# `allow_local_presence` is also enabled.
# This option sends presence updates to other servers, but does not
# receive any unless `allow_incoming_presence` is true. Note that presence
# on continuwuity is very fast unlike Synapse's. If using outgoing
# presence, you MUST enable `allow_local_presence` as well.
#
# Note that outgoing presence is very heavy on the CPU and network, and
# will typically cause extreme strain and slowdowns for no real benefit.
# There are only a few clients that even implement presence, so you
# probably don't want to enable this.
#
allow_outgoing_presence = {{ matrix_continuwuity_config_allow_outgoing_presence | to_json }}
#allow_outgoing_presence = true
# How many seconds without presence updates before you become idle.
# Defaults to 5 minutes.
@@ -1168,38 +1067,16 @@ allow_outgoing_presence = {{ matrix_continuwuity_config_allow_outgoing_presence
#
#presence_timeout_remote_users = true
# Allow local read receipts.
#
# Disabling this will effectively also disable outgoing federated read
# receipts.
#
#allow_local_read_receipts = true
# Allow receiving incoming read receipts from remote servers.
#
#allow_incoming_read_receipts = true
# Allow sending read receipts to remote servers.
#
# Note that sending read receipts to remote servers in large rooms with
# lots of other homeservers may cause additional strain on the CPU and
# network.
#
#allow_outgoing_read_receipts = true
# Allow local typing updates.
#
# Disabling this will effectively also disable outgoing federated typing
# updates.
#
#allow_local_typing = true
# Allow outgoing typing updates to federation.
#
# Note that sending typing indicators to remote servers in large rooms
# with lots of other homeservers may cause additional strain on the CPU
# and network.
#
#allow_outgoing_typing = true
# Allow incoming typing updates from federation.
@@ -1333,7 +1210,7 @@ allow_outgoing_presence = {{ matrix_continuwuity_config_allow_outgoing_presence
# sender user's server name, inbound federation X-Matrix origin, and
# outbound federation handler.
#
# You can set this to [".*"] to block all servers by default, and then
# You can set this to ["*"] to block all servers by default, and then
# use `allowed_remote_server_names` to allow only specific servers.
#
# example: ["badserver\\.tld$", "badphrase", "19dollarfortnitecards"]
@@ -1442,7 +1319,7 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_config_url_previe
# attack surface to your server, you are expected to be aware of the risks
# by doing so.
#
url_preview_domain_explicit_allowlist = {{ matrix_continuwuity_config_url_preview_domain_explicit_allowlist | to_json }}
#url_preview_domain_explicit_allowlist = []
# Vector list of explicit domains not allowed to send requests to for URL
# previews.
@@ -1471,11 +1348,6 @@ url_preview_domain_explicit_allowlist = {{ matrix_continuwuity_config_url_previe
#
#url_preview_max_spider_size = 256000
# Total request timeout for URL previews (seconds). This includes
# connection, request, and response body reading time.
#
#url_preview_timeout = 120
# Option to decide whether you would like to run the domain allowlist
# checks (contains and explicit) on the root domain or not. Does not apply
# to URL contains allowlist. Defaults to false.
@@ -1487,16 +1359,7 @@ url_preview_domain_explicit_allowlist = {{ matrix_continuwuity_config_url_previe
# allowlist is still too broad for you but you still want to allow all the
# subdomains under a root domain.
#
url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_root_domain | to_json }}
# User agent that is used specifically when fetching url previews.
#
#url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"
# Determines whether audio and video files will be downloaded for URL
# previews.
#
#url_preview_allow_audio_video = false
#url_preview_check_root_domain = false
# List of forbidden room aliases and room IDs as strings of regex
# patterns.
@@ -1550,25 +1413,12 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
#
#block_non_admin_invites = false
# Enable or disable making requests to MSC4284 Policy Servers.
# It is recommended you keep this enabled unless you experience frequent
# connectivity issues, such as in a restricted networking environment.
#
#enable_msc4284_policy_servers = true
# Enable running locally generated events through configured MSC4284
# policy servers. You may wish to disable this if your server is
# single-user for a slight speed benefit in some rooms, but otherwise
# should leave it enabled.
#
#policy_server_check_own_events = true
# Allow admins to enter commands in rooms other than "#admins" (admin
# room) by prefixing your message with "\!admin" or "\\!admin" followed up
# a normal continuwuity admin command. The reply will be publicly visible
# to the room, originating from the sender.
#
# example: \\!admin debug ping continuwuity.org
# example: \\!admin debug ping puppygock.gay
#
#admin_escape_commands = true
@@ -1586,8 +1436,7 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
# For example: `./continuwuity --execute "server admin-notice continuwuity
# has started up at $(date)"`
#
# example: admin_execute = ["debug ping continuwuity.org", "debug echo
# hi"]`
# example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
#
#admin_execute = []
@@ -1620,18 +1469,6 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
#
#admin_room_tag = "m.server_notice"
# A list of Matrix IDs that are qualified as server admins.
#
# Any Matrix IDs within this list are regarded as an admin
# regardless of whether they are in the admin room or not
#
#admins_list = []
# Defines whether those within the admin room are added to the
# admins_list.
#
#admins_from_room = true
# Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
# This is NOT enabled by default.
#
@@ -1783,11 +1620,6 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
#
#config_reload_signal = true
# Allow search engines and crawlers to index Continuwuity's built-in
# webpages served under the `/_continuwuity/` prefix.
#
#allow_web_indexing = false
[global.tls]
# Path to a valid TLS certificate file.
@@ -1866,152 +1698,3 @@ url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_
# is 33.55MB. Setting it to 0 disables blurhashing.
#
#blurhash_max_raw_size = 33554432
[global.matrix_rtc]
# A list of MatrixRTC foci (transports) which will be served via the
# MSC4143 RTC transports endpoint at
# `/_matrix/client/v1/rtc/transports`. If you're setting up livekit,
# you'd want something like:
# ```toml
# [global.matrix_rtc]
# foci = [
# { type = "livekit", livekit_service_url = "https://livekit.example.com" },
# ]
# ```
#
# To disable, set this to an empty list (`[]`).
#
foci = [
{% for focus in matrix_continuwuity_config_rtc_foci %}
{ {% for key, value in focus.items() %}{{ key }} = {{ value | to_json }}{% if not loop.last %}, {% endif %}{% endfor %} }{% if not loop.last %}, {% endif %}
{% endfor %}
]
[global.ldap]
# Whether to enable LDAP login.
#
# example: "true"
#
#enable = false
# Whether to force LDAP authentication or authorize classical password
# login.
#
# example: "true"
#
#ldap_only = false
# URI of the LDAP server.
#
# example: "ldap://ldap.example.com:389"
#
#uri = ""
# Root of the searches.
#
# example: "ou=users,dc=example,dc=org"
#
#base_dn = ""
# Bind DN if anonymous search is not enabled.
#
# You can use the variable `{username}` that will be replaced by the
# entered username. In such case, the password used to bind will be the
# one provided for the login and not the one given by
# `bind_password_file`. Beware: automatically granting admin rights will
# not work if you use this direct bind instead of a LDAP search.
#
# example: "cn=ldap-reader,dc=example,dc=org" or
# "cn={username},ou=users,dc=example,dc=org"
#
#bind_dn = ""
# Path to a file on the system that contains the password for the
# `bind_dn`.
#
# The server must be able to access the file, and it must not be empty.
#
#bind_password_file = ""
# Search filter to limit user searches.
#
# You can use the variable `{username}` that will be replaced by the
# entered username for more complex filters.
#
# example: "(&(objectClass=person)(memberOf=matrix))"
#
#filter = "(objectClass=*)"
# Attribute to use to uniquely identify the user.
#
# example: "uid" or "cn"
#
#uid_attribute = "uid"
# Attribute containing the display name of the user.
#
# example: "givenName" or "sn"
#
#name_attribute = "givenName"
# Root of the searches for admin users.
#
# Defaults to `base_dn` if empty.
#
# example: "ou=admins,dc=example,dc=org"
#
#admin_base_dn = ""
# The LDAP search filter to find administrative users for continuwuity.
#
# If left blank, administrative state must be configured manually for each
# user.
#
# You can use the variable `{username}` that will be replaced by the
# entered username for more complex filters.
#
# example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
#
#admin_filter = ""
#[global.antispam]
#[global.antispam.meowlnir]
# The base URL on which to contact Meowlnir (before /_meowlnir/antispam).
#
# Example: "http://127.0.0.1:29339"
#
#base_url =
# The authentication secret defined in antispam->secret. Required for
# continuwuity to talk to Meowlnir.
#
#secret =
# The management room for which to send requests
#
#management_room =
# If enabled run all federated join attempts (both federated and local)
# through the Meowlnir anti-spam checks.
#
# By default, only join attempts for rooms with the `fi.mau.spam_checker`
# restricted join rule are checked.
#
#check_all_joins = false
#[global.antispam.draupnir]
# The base URL on which to contact Draupnir (before /api/).
#
# Example: "http://127.0.0.1:29339"
#
#base_url =
# The authentication secret defined in
# web->synapseHTTPAntispam->authorization
#
#secret =

2
roles/custom/matrix-livekit-jwt-service/defaults/main.yml
View File

@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
matrix_livekit_jwt_service_container_additional_networks_custom: []
# renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
matrix_livekit_jwt_service_version: 0.4.2
matrix_livekit_jwt_service_version: 0.4.1
matrix_livekit_jwt_service_container_image_self_build: false
matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"

2
roles/custom/matrix-static-files/defaults/main.yml
View File

@@ -13,7 +13,7 @@ matrix_static_files_enabled: true
matrix_static_files_identifier: matrix-static-files
# renovate: datasource=docker depName=joseluisq/static-web-server
matrix_static_files_version: 2.42.0
matrix_static_files_version: 2.41.0
matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}"
matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"

11
roles/custom/matrix-synapse/defaults/main.yml
View File

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
matrix_synapse_github_org_and_repo: element-hq/synapse
# renovate: datasource=docker depName=ghcr.io/element-hq/synapse
matrix_synapse_version: v1.150.0
matrix_synapse_version: v1.149.1
matrix_synapse_username: ''
matrix_synapse_uid: ''
@@ -1430,13 +1430,6 @@ matrix_synapse_experimental_features_msc4140_enabled: false
# See `matrix_synapse_experimental_features_msc4140_enabled`.
matrix_synapse_max_event_delay_duration: 24h
# Controls whether to enable the MSC4143 experimental feature (RTC transports).
#
# This is used by MatrixRTC clients to discover the unstable RTC transports API.
#
# See https://github.com/matrix-org/matrix-spec-proposals/pull/4143
matrix_synapse_experimental_features_msc4143_enabled: false
# Controls whether to enable the MSC4222 experimental feature (adding `state_after` to sync v2).
#
# Allow clients to opt-in to a change of the sync v2 API that allows them to correctly track the state of the room.
@@ -1835,7 +1828,7 @@ matrix_synapse_register_user_script_matrix_authentication_service_path: ""
matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}"
# renovate: datasource=docker depName=nginx
matrix_synapse_reverse_proxy_companion_version: 1.29.7-alpine
matrix_synapse_reverse_proxy_companion_version: 1.29.6-alpine
matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

2
roles/custom/matrix-synapse/tasks/validate_config.yml
View File

@@ -210,7 +210,7 @@
- name: Fail if OpenID Connect is enabled for Synapse when auth is delegated to Matrix Authentication Service
ansible.builtin.fail:
msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable OpenID Connect (`matrix_synapse_oidc_enabled: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_oidc_enabled and not matrix_authentication_service_migration_in_progress
when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_oidc_enabled
- name: Fail if CAS config is enabled for Synapse when auth is delegated to Matrix Authentication Service
ansible.builtin.fail:

5
roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
View File

@@ -2987,7 +2987,7 @@ background_updates:
#default_batch_size: 50
{% if matrix_synapse_matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress %}
{% if matrix_synapse_matrix_authentication_service_enabled %}
matrix_authentication_service:
enabled: true
endpoint: {{ matrix_synapse_matrix_authentication_service_endpoint | to_json }}
@@ -3010,9 +3010,6 @@ experimental_features:
{% if matrix_synapse_experimental_features_msc4140_enabled %}
msc4140_enabled: true
{% endif %}
{% if matrix_synapse_experimental_features_msc4143_enabled %}
msc4143_enabled: true
{% endif %}
{% if matrix_synapse_experimental_features_msc4222_enabled %}
msc4222_enabled: true
{% endif %}