iartamonov/matrix-docker-ansible-deploy
1
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2026-04-08 15:24:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: iartamonov:remove-zulip-bridge
Branches Tags
iartamonov:master iartamonov:renovate/ghcr.io-element-hq-element-web-1.x iartamonov:renovate/etherpad-2.x iartamonov:create-pull-request/i18n iartamonov:migration-validation-system iartamonov:copilot/update-exim-relay-docs iartamonov:renovate/matrixdotorg-sygnal-0.x iartamonov:synapse-user-register-wait-for iartamonov:remove-zulip-bridge iartamonov:stabilize-mas iartamonov:element-call-stack iartamonov:element-call-integration iartamonov:synapse-cache-tuning iartamonov:HarHarLinks/hookshot-encryption
..
compare: iartamonov:014380eecd9aac7cd575aa69a4a6af3f894009c3
Branches Tags
iartamonov:renovate/ghcr.io-element-hq-element-web-1.x iartamonov:renovate/etherpad-2.x iartamonov:master iartamonov:create-pull-request/i18n iartamonov:migration-validation-system iartamonov:copilot/update-exim-relay-docs iartamonov:renovate/matrixdotorg-sygnal-0.x iartamonov:synapse-user-register-wait-for iartamonov:remove-zulip-bridge iartamonov:stabilize-mas iartamonov:element-call-stack iartamonov:element-call-integration iartamonov:synapse-cache-tuning iartamonov:HarHarLinks/hookshot-encryption

31 Commits
remove-zul ... 014380eecd

Author SHA1 Message Date
Slavi Pantaleev
014380eecd Upgrade Traefik (v3.6.8-1 -> v3.6.8-2) 2026-02-12 01:04:06 +02:00
Slavi Pantaleev
a77a8753d9 Derive Synapse post-start delay from Traefik's providersThrottleDuration 
After Synapse's systemd health check passes, Traefik still needs
providers.providersThrottleDuration to register routes. Derive the
post-start delay from this setting (+1s for healthcheck polling gap)
instead of using a hardcoded value. Defaults to 0 when no Traefik
reverse proxy is used.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 00:54:46 +02:00
Slavi Pantaleev
9569633164 Upgrade Traefik (v3.6.8-0 -> v3.6.8-1) 2026-02-12 00:48:13 +02:00
Slavi Pantaleev
9d9e9e9177 Use docker inspect for Synapse systemd health check and lower health interval 
Switch the systemd ExecStartPost health check from docker exec + curl
to polling docker inspect for container health status. This piggybacks
on the container image's built-in HEALTHCHECK instead of duplicating it.

Also add a configurable container health interval (5s for Traefik setups,
15s otherwise) to speed up startup readiness detection without affecting
non-Traefik deployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 00:13:02 +02:00
Slavi Pantaleev
bcddeda5df Make traefik-certs-dumper require the Traefik service to avoid race condition 
When both services restart simultaneously (e.g. in all-at-once mode),
Traefik may momentarily truncate or reinitialize acme.json, causing
the certs dumper to read an empty file and panic. By adding
Requires/After on the Traefik service, the certs dumper only starts
after Traefik is fully ready and acme.json is stable.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 00:11:28 +02:00
Slavi Pantaleev
59e70b8ca9 Add systemd-healthcheck to Synapse systemd service in an effort to increase reliability (of Synapse-dependant services) 
Previously, we had a 10-second magical delay.

Now we first do a healthcheck to figure out when it really is up.
Then, we do the same 10-second magical delay to account for the time it
may take for a reverse-proxy (like Traefik) to pick up Synapse's routes.
 2026-02-11 23:32:33 +02:00
Slavi Pantaleev
f8815c0bb9 Upgrade systemd_service_manager (v2.0.0-0 -> v2.0.0-1) 2026-02-11 23:31:13 +02:00
Slavi Pantaleev
2fad873b42 Make addon systemd services depend on the homeserver systemd service as well, not just on Traefik 
Addons typically access the homeserver via Traefik, but requests
ultimately lead to the homeserver and it'd better be up or Traefik would
serve a "404 Not Found" error.

This is an attempt (one of many pieces) to make services more reliable,
especially when `devture_systemd_service_manager_service_restart_mode: all-at-once` is used
(which is the default).
 2026-02-11 23:27:09 +02:00
Slavi Pantaleev
294cd109fd Upgrade Traefik (v3.6.7-1 -> v3.6.8-0) 2026-02-11 23:26:13 +02:00
Slavi Pantaleev
9d6c8eabcb Fix swapped Requires=/Wants= directives in Draupnir and Mjolnir systemd service templates 
Commit 593b3157b ("Fix systemd service Wants for mjolnir and draupnir")
accidentally swapped the variable loops: `systemd_wanted_services_list`
ended up generating `Requires=`/`After=` directives and
`systemd_required_services_list` ended up generating `Wants=` directives —
the opposite of what the variable names mean and how every other
bot/bridge service template in the playbook works.

This caused these bots to only `Wants=` (not `Requires=`/`After=`) their
dependencies like matrix-traefik.service, so systemd didn't guarantee
ordering. During all-at-once restarts, the bots would start before traefik
was ready, fail with DNS resolution errors, and crash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-11 18:54:41 +02:00
Slavi Pantaleev
dd26f8a12a Add systemd dependencies to s3-storage-provider-migrate service 
The migrate service now declares Requires/After on matrix-synapse.service,
ensuring Synapse (and its transitive dependencies like Postgres and Docker)
are running before the migration triggers.
 2026-02-11 16:50:29 +02:00
Suguru Hirahara
7b7b6feb5b Relocate coturn to MASH project (#4906) 
* Fetch ansible-role-coturn from MASH project

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix_coturn" with "coturn"

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "custom/matrix-coturn" with "galaxy/coturn"

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `coturn_identifier`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `coturn_base_path` to matrix_servers for the playbook

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `coturn_uid` and `coturn_gid`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set empty value to `coturn_turn_external_ip_address_auto_detection_echoip_service_url` on main.yml

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `coturn_docker_image_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `coturn_container_image_registry_prefix` to matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix-coturn" with "coturn" on matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix-coturn" with "coturn"

Keep "matrix-coturn" on documentation as-is, since it is specified so with `coturn_identifier`.

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove roles/custom/matrix-coturn

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update CHANGELOG.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

---------

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
 2026-02-11 15:06:27 +02:00
Suguru Hirahara
fa7b784c5b Remove conduwuit (#4913) 2026-02-11 15:03:56 +02:00
renovate[bot]
15ba65f235 chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.2.11 2026-02-11 11:07:09 +02:00
Aine
4ec41c0b42 Merge pull request #4909 from spantaleev/renovate/ghcr.io-element-hq-element-web-1.x 
chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.10
 2026-02-10 18:11:36 +00:00
renovate[bot]
0a08126324 chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.10 2026-02-10 17:49:29 +00:00
renovate[bot]
482ef0fdf5 chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.147.0 2026-02-10 16:51:46 +02:00
renovate[bot]
ca356c52e2 chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.11.0 2026-02-10 16:51:09 +02:00
Slavi Pantaleev
ecf9befc32 Adapt to the all-at-once restart mode default in systemd_service_manager v2.0.0-0 
- `install-service` no longer forces `one-by-one` restart mode

- the coturn priority condition is flipped: only `one-by-one` mode
  needs the delayed priority (1500); all other modes (including
  the new `all-at-once` default) use the normal priority (900)

Ref:

- d42cd92045
- f3e658cca3/docs/restart-mode-comparison.md
- 36445fb419
- 750cb7e29e
 2026-02-10 16:41:41 +02:00
Slavi Pantaleev
750cb7e29e Upgrade systemd_service_manager (v1.1.0-0 -> v2.0.0-0) 2026-02-10 16:21:57 +02:00
Suguru Hirahara
815b9baec6 Update notes about self-hosting services with the MASH playbook 
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-10 22:31:11 +09:00
Suguru Hirahara
1dcd4636ff Add a note about self-hosting echoip with the MASH playbook 
Reuse 3653f9f89b/docs/configuring-playbook-ssl-certificates.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-10 22:28:08 +09:00
renovate[bot]
7f04231904 chore(deps): update ghcr.io/etkecc/baibot docker tag to v1.14.1 2026-02-10 15:18:02 +02:00
renovate[bot]
b0828528df chore(deps): update dependency ntfy to v2.17.0-0 2026-02-10 11:53:33 +02:00
Suguru Hirahara
96029bf916 Replace "EchoIP" with "echoip" 
cf. https://github.com/mpolden/echoip

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-10 17:41:52 +09:00
Slavi Pantaleev
ace086056f Upgrade Postgres (v18.1-4 -> v18.1-5) 2026-02-09 21:24:48 +02:00
Slavi Pantaleev
0e8ef8ef10 Add retry logic for Synapse user registration on Connection refused 
When DB credentials change (derived from matrix_synapse_macaroon_secret_key),
a running Synapse container may fail to connect to its database and stop
serving requests. This causes register_new_matrix_user to fail with
"Connection refused" when the matrix-user-creator role tries to register users.

This extends the retry logic from 44b43a51b (which handled HMAC failures)
to also handle Connection refused errors: restart Synapse (picking up the
new config with updated credentials), wait for it to start, and retry.

Caused by c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-09 17:36:59 +02:00
Slavi Pantaleev
2c2738a48f Remove passlib dependency by making matrix-media-repo datastore IDs user-provided 
These IDs were incorrectly auto-derived from matrix_homeserver_generic_secret_key,
which is meant for secrets that are OK to change. Datastore IDs are static
identifiers that must never change after first use.

The playbook now requires users to explicitly set matrix_media_repo_datastore_file_id
(and matrix_media_repo_datastore_s3_id when S3 is enabled) in vars.yml, with
validation that fails early if they are missing.

This was the last usage of passlib, which is now removed from prerequisites.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-09 16:56:51 +02:00
Suguru Hirahara
09914bf338 Set ddclient_uid and ddclient_gid 
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-09 19:49:59 +09:00
Slavi Pantaleev
44b43a51b9 Add retry logic for Synapse user registration on HMAC failure 
When the registration_shared_secret changes (derived from
matrix_synapse_macaroon_secret_key), a running Synapse container still
has the old secret in its config. This causes register_new_matrix_user
to fail with "HMAC incorrect" when the matrix-user-creator role tries
to register users.

This mirrors the approach from 2a581cce (which added similar retry
logic for the Matrix Authentication Service on database auth failure):
if the initial registration attempt fails with an HMAC error, restart
Synapse (picking up the new config with the updated secret), wait for
it to start, and retry.

Caused by c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-09 06:29:14 +02:00
Aine
5f8235f44a remove Zulip bridge 2026-02-08 20:34:56 +02:00
65 changed files with 400 additions and 3256 deletions
Expand all files Collapse all files

67
CHANGELOG.md
View File

@@ -1,3 +1,48 @@
# 2026-02-11
## (BC Break) coturn role has been relocated and variable names need adjustments
The role for coturn has been relocated to the [mother-of-all-self-hosting](https://github.com/mother-of-all-self-hosting) organization.
Along with the relocation, the `matrix_coturn_` prefix on its variable names has been renamed to `coturn_`, so you need to adjust your `vars.yml` configuration.
As always, the playbook would let you know about this and point out any variables you may have missed.
## conduwuit has been removed from the playbook
[conduwuit](./docs/configuring-playbook-conduwuit.md) has been removed from the playbook, as it has been abandoned.
The playbook will let you know if you're using any `matrix_conduwuit_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the service manually](./docs/configuring-playbook-conduwuit.md#uninstalling-the-service-manually).
Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details.
# 2026-02-09
## (BC Break) matrix-media-repo datastore IDs are now required in `vars.yml`
**Affects**: users with [matrix-media-repo](docs/configuring-playbook-matrix-media-repo.md) enabled (`matrix_media_repo_enabled: true`)
The `matrix_media_repo_datastore_file_id` and `matrix_media_repo_datastore_s3_id` variables are no longer auto-configured with values. They must now be explicitly defined in your `vars.yml` file. The playbook will fail with a helpful error if they are not set (when needed).
These were never meant to be auto-configured. They were derived from `matrix_homeserver_generic_secret_key`, which is intended for secrets that are OK to change subsequently (and Ansible would assist in propagating these changes). matrix-media-repo datastore IDs are not secrets — they are static identifiers linking media to storage backends, and **must not change** after first use.
**For existing installations**, retrieve your current values from the server:
```sh
grep 'id:' /matrix/media-repo/config/media-repo.yaml
```
Then add to your `vars.yml`:
```yaml
matrix_media_repo_datastore_file_id: "YOUR_FILE_DATASTORE_ID_HERE"
# Only if you use S3 storage:
# matrix_media_repo_datastore_s3_id: "YOUR_S3_DATASTORE_ID_HERE"
```
**Why do this?**: This change allows us to **remove the [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library** from the [prerequisites](docs/prerequisites.md), as it was the last component that depended on it.
# 2026-02-08
## Zulip bridge has been removed from the playbook
@@ -287,7 +332,7 @@ In light of this new information, you have 2 options:
- Consider closing the STUN/UDP port with the following configuration:
```yaml
matrix_coturn_container_stun_plain_host_bind_port_udp: ""
coturn_container_stun_plain_host_bind_port_udp: ""
```
- Consider keeping `3478/udp` blocked in your external firewall (if you have one)
@@ -348,11 +393,11 @@ The playbook now **only exposes the Coturn STUN port (`3478`) over TCP by defaul
If you'd like the Coturn STUN port to be exposed over UDP like before, you can revert to the previous behavior by using the following configuration in your `vars.yml` file:
```yaml
matrix_coturn_container_stun_plain_host_bind_port_udp: "3478"
coturn_container_stun_plain_host_bind_port_udp: "3478"
```
> [!WARNING]
> People running Coturn directly on the `host` network (using `matrix_coturn_container_network: host`) will still have the STUN port exposed over UDP, as port exposure is done directly via Coturn and not via Docker. In such cases, the playbook cannot prevent `3478/udp` port exposure and you'd need to do it in another way (separate firewall rule, etc).
> People running Coturn directly on the `host` network (using `coturn_container_network: host`) will still have the STUN port exposed over UDP, as port exposure is done directly via Coturn and not via Docker. In such cases, the playbook cannot prevent `3478/udp` port exposure and you'd need to do it in another way (separate firewall rule, etc).
# 2025-02-17
@@ -1695,12 +1740,12 @@ Other roles which aren't strictly related to Matrix are likely to follow this fa
## coturn can now use host-networking
Large coturn deployments (with a huge range of ports specified via `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow coturn service startup and shutdown.
Large coturn deployments (with a huge range of ports specified via `coturn_turn_udp_min_port` and `coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow coturn service startup and shutdown.
Such deployments don't need to run coturn within a private container network anymore. coturn can now run with host-networking by using configuration like this:
```yaml
matrix_coturn_container_network: host
coturn_container_network: host
```
With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time coturn starts and stops. This, however, means that **you will need to ensure these ports are open** in your firewall yourself.
@@ -1709,11 +1754,11 @@ Thanks to us [tightening coturn security](#backward-compatibility-tightening-cot
## (Backward Compatibility) Tightening coturn security can lead to connectivity issues
**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it.
**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default coturn blocklists. They may need to override `coturn_denied_peer_ips` and remove some IP ranges from it.
Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/), we've decided to make use of coturn's `denied-peer-ip` functionality to prevent relaying network traffic to certain private IP subnets. This ensures that your coturn server won't accidentally try to forward traffic to certain services running on your local networks. We run coturn in a container and in a private container network by default, which should prevent such access anyway, but having additional block layers in place is better.
If you access your Matrix server from a local network and need coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it.
If you access your Matrix server from a local network and need coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it.
We've also added `no-multicast-peers` to the default coturn configuration, but we don't expect this to cause trouble for most people.
@@ -2499,8 +2544,8 @@ To improve security, we've [removed TLSv1 and TLSv1.1 support](https://github.co
If you need to support old clients, you can re-enable both (or whichever one you need) with the following configuration:
```yaml
matrix_coturn_tls_v1_enabled: true
matrix_coturn_tls_v1_1_enabled: true
coturn_tls_v1_enabled: true
coturn_tls_v1_1_enabled: true
```
@@ -3779,7 +3824,7 @@ Because people like using the playbook's components independently (outside of th
With the new changes, **all roles are now only dependent on the minimal `matrix-base` role**. They are no longer dependent among themselves.
In addition, the following components can now be completely disabled (for those who want/need to):
- `matrix-coturn` by using `matrix_coturn_enabled: false`
- `matrix-coturn` by using `coturn_enabled: false`
- `matrix-mailer` by using `matrix_mailer_enabled: false`
- `matrix-postgres` by using `matrix_postgres_enabled: false`
@@ -3999,7 +4044,7 @@ The following playbook variables were renamed:
- from `matrix_docker_image_mautrix_telegram` to `matrix_mautrix_telegram_docker_image`
- from `matrix_docker_image_mautrix_whatsapp` to `matrix_mautrix_whatsapp_docker_image`
- from `matrix_docker_image_mailer` to `matrix_mailer_docker_image`
- from `matrix_docker_image_coturn` to `matrix_coturn_docker_image`
- from `matrix_docker_image_coturn` to `coturn_container_image`
- from `matrix_docker_image_goofys` to `matrix_s3_goofys_docker_image`
- from `matrix_docker_image_riot` to `matrix_riot_web_docker_image`
- from `matrix_docker_image_nginx` to `matrix_nginx_proxy_docker_image`

3
README.md
View File

@@ -52,8 +52,7 @@ The homeserver is the backbone of your Matrix system. Choose one from the follow
| ---- | -------- | ----------- | ------------- |
| [Synapse](https://github.com/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) |
| [Conduit](https://conduit.rs) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) |
| [conduwuit](https://conduwuit.puppyirl.gay/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit is a fork of Conduit. | [Link](docs/configuring-playbook-conduwuit.md) |
| [continuwuity](https://continuwuity.org) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. | [Link](docs/configuring-playbook-continuwuity.md) |
| [continuwuity](https://continuwuity.org) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. | [Link](docs/configuring-playbook-continuwuity.md) |
| [Dendrite](https://github.com/element-hq/dendrite) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) |
### Clients

2
docs/configuring-playbook-conduit.md
View File

@@ -13,8 +13,6 @@ See the project's [documentation](https://docs.conduit.rs/) to learn what it doe
By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
💡 **Note**: The playbook also supports installing a (currently) faster-moving Conduit fork called [conduwuit](./configuring-playbook-conduwuit.md).
> [!WARNING]
> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Conduit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.
> - **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding

115
docs/configuring-playbook-conduwuit.md
View File

@@ -1,106 +1,45 @@
<!--
SPDX-FileCopyrightText: 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2019 Eduardo Beltrame
SPDX-FileCopyrightText: 2019-2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Tulir Asokan
SPDX-FileCopyrightText: 2021, 2024 MDAD project contributors
SPDX-FileCopyrightText: 2022 Dennis Ciba
SPDX-FileCopyrightText: 2022 Vladimir Panteleev
SPDX-FileCopyrightText: 2023 Justin Croonenberghs
SPDX-FileCopyrightText: 2023 Kuba Orlik
SPDX-FileCopyrightText: 2023 Pierre 'McFly' Marty
SPDX-FileCopyrightText: 2023 Samuel Meenzen
SPDX-FileCopyrightText: 2024 Fabio Bonelli
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
# Configuring conduwuit (optional)
# Configuring conduwuit (optional, removed)
The playbook can install and configure the [conduwuit](https://conduwuit.puppyirl.gay/) Matrix server for you.
🪦 The playbook used to be able to install and configure the [conduwuit](https://conduwuit.puppyirl.gay/) Matrix server, but no longer includes this component, as it's been abandoned and unmaintained.
See the project's [documentation](https://conduwuit.puppyirl.gay/) to learn what it does and why it might be useful to you.
## Uninstalling the service manually
By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
If you still have conduwuit installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually.
💡 **Note**: conduwuit is a fork of [Conduit](./configuring-playbook-conduit.md), which the playbook also supports. See [Differences from upstream Conduit](https://conduwuit.puppyirl.gay/differences.html).
To uninstall the service, run the command below on the server:
> [!WARNING]
> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> conduwuit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.
> - **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding
> - **the Conduwuit project appears to have been abandoned**. You may wish to install [Conduit](./configuring-playbook-conduit.md), or one of the Conduwuit successors (like [Continuwuity](configuring-playbook-continuwuity.md))
## Adjusting the playbook configuration
To use conduwuit, you **generally** need to adjust the `matrix_homeserver_implementation: synapse` configuration on your `inventory/host_vars/matrix.example.com/vars.yml` file as below:
```yaml
matrix_homeserver_implementation: conduwuit
# Registering users can only happen via the API,
# so it makes sense to enable it, at least initially.
matrix_conduwuit_config_allow_registration: true
# Generate a strong registration token to protect the registration endpoint from abuse.
# You can create one with a command like `pwgen -s 64 1`.
matrix_conduwuit_config_registration_token: ''
```sh
systemctl disable --now matrix-conduwuit.service
```
### Extending the configuration
## Migrating to Continuwuity
There are some additional things you may wish to configure about the server.
Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details.
Take a look at:
## Removing data manually
- `roles/custom/matrix-conduwuit/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2` for the server's default configuration
If you are not going to migrate to [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:
There are various Ansible variables that control settings in the `conduwuit.toml` file.
If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://conduwuit.puppyirl.gay/configuration.html#environment-variables) using `matrix_conduwuit_environment_variables_extension`. For example:
```yaml
matrix_conduwuit_environment_variables_extension: |
CONDUWUIT_MAX_REQUEST_SIZE=50000000
CONDUWUIT_REQUEST_TIMEOUT=60
```sh
rm -rf /matrix/conduwuit
```
## Creating the first user account
Unlike other homeserver implementations (like Synapse and Dendrite), conduwuit does not support creating users via the command line or via the playbook.
If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token.
This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users.
The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**.
## Configuring bridges / appservices
For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver.
For conduwuit, you will have to manually register appservices using the [`!admin appservices register` command](https://conduwuit.puppyirl.gay/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account.
The server's bot account has a Matrix ID of `@conduit:example.com` (not `@conduwuit:example.com`!) due to conduwuit's historical legacy.
Your first user account would already have been invited to an admin room with this bot.
Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`.
Then, send its content to the existing admin room:
!admin appservices register
```
as_token: <token>
de.sorunome.msc2409.push_ephemeral: true
receive_ephemeral: true
hs_token: <token>
id: signal
namespaces:
aliases:
- exclusive: true
regex: ^#signal_.+:example\.org$
users:
- exclusive: true
regex: ^@signal_.+:example\.org$
- exclusive: true
regex: ^@signalbot:example\.org$
rate_limited: false
sender_localpart: _bot_signalbot
url: http://matrix-mautrix-signal:29328
```
## Troubleshooting
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-conduwuit`.
>[!WARNING]
> Once you removing the path, there is no going back. Your data on the homeserver (including chat history, rooms, etc.) will be deleted and not be possible to restore them. Please be certain.

2
docs/configuring-playbook-continuwuity.md
View File

@@ -13,7 +13,7 @@ See the project's [documentation](https://continuwuity.org) to learn what it doe
By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook also supports.
💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook has supported.
> [!WARNING]
> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Continuwuity). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.

18
docs/configuring-playbook-matrix-media-repo.md
View File

@@ -24,8 +24,21 @@ To enable matrix-media-repo, add the following configuration to your `inventory/
```yaml
matrix_media_repo_enabled: true
# Any unique alphanumeric string. Cannot be changed after first use.
# For new installations, generate one with: pwgen -s 64 1
# For existing installations, see below.
matrix_media_repo_datastore_file_id: "CHANGE_ME_TO_A_UNIQUE_VALUE"
```
**For existing installations**: retrieve the current datastore ID from the server's config file before proceeding:
```sh
grep 'id:' /matrix/media-repo/config/media-repo.yaml
```
Then use that value for `matrix_media_repo_datastore_file_id`. This is not a secret — it is a plain identifier used by matrix-media-repo to link media files to their storage backend.
By default, the media-repo will use the local filesystem for data storage. You can alternatively use a `s3` cloud backend as well. Access token caching is also enabled by default since the logout endpoints are proxied through the media repo.
### Enable metrics
@@ -109,6 +122,11 @@ matrix_media_repo_admins: []
matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "local_media", "archives"]
matrix_media_repo_datastore_s3_for_kinds: []
# Required when S3 storage is enabled (matrix_media_repo_datastore_s3_for_kinds is non-empty).
# Any unique alphanumeric string. Cannot be changed after first use.
# For new installations, generate one with: pwgen -s 64 1
# matrix_media_repo_datastore_s3_id: ""
# The s3 uploader needs a temporary location to buffer files to reduce memory usage on
# small file uploads. If the file size is unknown, the file is written to this location
# before being uploaded to s3 (then the file is deleted). If you aren't concerned about

2
docs/configuring-playbook-ssl-certificates.md
View File

@@ -17,7 +17,7 @@ By default, the playbook retrieves and automatically renews free SSL certificate
- This guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
- Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiration notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the MASH playbook. If you are wondering how to use the MASH playbook for your Matrix server, refer [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md).
The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
## Use staging Let's Encrypt certificates

36
docs/configuring-playbook-turn.md
View File

@@ -1,9 +1,12 @@
<!--
SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2018-2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Aaron Raimist
SPDX-FileCopyrightText: 2020 Christian Wolf
SPDX-FileCopyrightText: 2020 MDAD project contributors
SPDX-FileCopyrightText: 2020 Marcel Partap
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2020-2024 MDAD project contributors
SPDX-FileCopyrightText: 2022 Alejo Diaz
SPDX-FileCopyrightText: 2022 Julian Foad
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
@@ -23,16 +26,19 @@ In the `hosts` file we explicitly ask for your server's external IP address when
If you'd rather use a local IP for `ansible_host`, add the following configuration to your `vars.yml` file. Make sure to replace `YOUR_PUBLIC_IP` with the pubic IP used by the server.
```yaml
matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
```
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [EchoIP](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
>[!NOTE]
> You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
If your server has multiple external IP addresses, the coturn role offers a different variable for specifying them:
```yaml
# Note: matrix_coturn_turn_external_ip_addresses is different than matrix_coturn_turn_external_ip_address
matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']
# Note: coturn_turn_external_ip_addresses is different than coturn_turn_external_ip_address
coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']
```
### Change the authentication mechanism (optional)
@@ -42,7 +48,7 @@ The playbook uses the [`auth-secret` authentication method](https://github.com/c
To do so, add the following configuration to your `vars.yml` file:
```yaml
matrix_coturn_authentication_method: lt-cred-mech
coturn_authentication_method: lt-cred-mech
```
Regardless of the selected authentication method, the playbook generates secrets automatically and passes them to the homeserver and coturn.
@@ -56,7 +62,7 @@ By default, Coturn uses the same hostname as your Matrix homeserver (the value o
If you'd like to use a custom subdomain for Coturn (e.g., `turn.example.com` or `t.matrix.example.com`), add the following configuration to your `vars.yml` file:
```yaml
matrix_coturn_hostname: turn.example.com
coturn_hostname: turn.example.com
```
The playbook will automatically:
@@ -72,7 +78,7 @@ If you'd like to use another TURN server (be it coturn or some other one), add t
```yaml
# Disable integrated coturn server
matrix_coturn_enabled: false
coturn_enabled: false
# Point Synapse to your other coturn server
matrix_synapse_turn_uris:
@@ -93,15 +99,15 @@ You can put multiple host/port combinations if you'd like to.
### Edit the reloading schedule (optional)
By default the service is reloaded on 6:30 a.m. every day based on the `matrix_coturn_reload_schedule` variable so that new SSL certificates can kick in. It is defined in the format of systemd timer calendar.
By default the service is reloaded on 6:30 a.m. every day based on the `coturn_reload_schedule` variable so that new SSL certificates can kick in. It is defined in the format of systemd timer calendar.
To edit the schedule, add the following configuration to your `vars.yml` file (adapt to your needs):
```yaml
matrix_coturn_reload_schedule: "*-*-* 06:30:00"
coturn_reload_schedule: "*-*-* 06:30:00"
```
**Note**: the actual job may run with a delay. See `matrix_coturn_reload_schedule_randomized_delay_sec` for its default value.
**Note**: the actual job may run with a delay. See `coturn_reload_schedule_randomized_delay_sec` for its default value.
### Extending the configuration
@@ -109,14 +115,14 @@ There are some additional things you may wish to configure about the TURN server
Take a look at:
- `roles/custom/matrix-coturn/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/galaxy/coturn/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
## Disabling coturn
If, for some reason, you'd like for the playbook to not install coturn (or to uninstall it if it was previously installed), add the following configuration to your `vars.yml` file:
```yaml
matrix_coturn_enabled: false
coturn_enabled: false
```
In that case, Synapse would not point to any coturn servers and audio/video call functionality may fail.

4
docs/configuring-playbook.md
View File

@@ -51,8 +51,6 @@ For a more custom setup, see the [Other configuration options](#other-configurat
- [Configuring Conduit](configuring-playbook-conduit.md), if you've switched to the [Conduit](https://conduit.rs) homeserver implementation
- [Configuring conduwuit](configuring-playbook-conduwuit.md), if you've switched to the [conduwuit](https://conduwuit.puppyirl.gay/) homeserver implementation
- [Configuring continuwuity](configuring-playbook-continuwuity.md), if you've switched to the [continuwuity](https://continuwuity.org) homeserver implementation
- [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation
@@ -261,6 +259,8 @@ Various services that don't fit any other categories.
**Note**: since a deprecated or unmaintained service will not be updated, its bug or vulnerability will be unlikely to get patched. It is recommended to migrate from the service to an alternative if any, and make sure to do your own research before you decide to keep it running nonetheless.
- [Configuring conduwuit](configuring-playbook-conduwuit.md) (removed; this component has been abandoned and unmaintained)
- [Setting up the Sliding Sync proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like old Element X versions, before it got switched to Simplified Sliding Sync)
- [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (deprecated; the bridge's author suggests taking a look at [matrix-hookshot](https://github.com/matrix-org/matrix-hookshot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bridge-hookshot.md))

2
docs/container-images.md
View File

@@ -27,7 +27,6 @@ We try to stick to official images (provided by their respective projects) as mu
| ------- | --------------- | -------- | ----------- |
| [Synapse](configuring-playbook-synapse.md) | [element-hq/synapse](https://ghcr.io/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network |
| [Conduit](configuring-playbook-conduit.md) | [matrixconduit/matrix-conduit](https://hub.docker.com/r/matrixconduit/matrix-conduit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements |
| [conduwuit](configuring-playbook-conduwuit.md) | [girlbossceo/conduwuit](https://ghcr.io/girlbossceo/conduwuit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit is a fork of Conduit. |
| [continuwuity](configuring-playbook-continuwuity.md) | [continuwuation/continuwuity](https://forgejo.ellis.link/continuwuation/continuwuity) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. |
| [Dendrite](configuring-playbook-dendrite.md) | [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. |
@@ -172,6 +171,7 @@ The list of the deprecated or unmaintained services is available [here](configur
| Service | Container image | Default? | Description |
| ------- | --------------- | -------- | ----------- |
| [conduwuit](configuring-playbook-conduwuit.md) | [girlbossceo/conduwuit](https://ghcr.io/girlbossceo/conduwuit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit was a fork of Conduit. |
| [Dimension](configuring-playbook-dimension.md) | [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) | ❌ | Open source integration manager for Matrix clients |
| [Email2Matrix](configuring-playbook-email2matrix.md) | [devture/email2matrix](https://hub.docker.com/r/devture/email2matrix/) | ❌ | Bridge for relaying emails to Matrix rooms |
| [Go-NEB](configuring-playbook-bot-go-neb.md) | [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) | ❌ | Multi functional bot written in Go |

2
docs/faq.md
View File

@@ -313,7 +313,7 @@ exim_relay_enabled: false
# You can also disable this to save more RAM,
# at the expense of audio/video calls being unreliable.
matrix_coturn_enabled: false
coturn_enabled: false
# This makes Synapse not keep track of who is online/offline.
#

14
docs/howto-srv-server-delegation.md
View File

@@ -26,7 +26,7 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra
**Note**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels:
- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [conduwuit](./configuring-playbook-conduwuit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))
- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))
- if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached
Also, all instructions below are from an older version of the playbook and may not work anymore.
@@ -104,10 +104,10 @@ This should not happen again afterwards as Traefik will renew certificates well
```yaml
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
coturn_systemd_required_services_list: ['docker.service']
# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
@@ -121,7 +121,7 @@ matrix_coturn_container_additional_volumes: |
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else []
)
}}
```
@@ -165,10 +165,10 @@ traefik_environment_variables: |
LEGO_DISABLE_CNAME_SUPPORT=true
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
coturn_systemd_required_services_list: ['docker.service']
# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
@@ -182,7 +182,7 @@ matrix_coturn_container_additional_volumes: |
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else []
)
}}
```

2
docs/prerequisites.md
View File

@@ -23,8 +23,6 @@ We will be using `example.com` as the domain in the following instruction. Pleas
- [Ansible](http://ansible.com/) program. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
- [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library. See [this official documentation](https://passlib.readthedocs.io/en/stable/install.html#installation-instructions) for an instruction to install it. On most distros, you need to install some `python-passlib` or `py3-passlib` package, etc.
- [`git`](https://git-scm.com/) as the recommended way to download the playbook. `git` may also be required on the server if you will be [self-building](self-building.md) components.
- [`just`](https://github.com/casey/just) for running `just roles`, `just update`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually. Take a look at this documentation for more information: [Running `just` commands](just.md).

2
docs/self-building.md
View File

@@ -31,7 +31,7 @@ Possibly outdated list of roles where self-building the Docker image is currentl
- `matrix-client-hydrogen`
- `cinny`
- `matrix-registration`
- `matrix-coturn`
- `coturn`
- `matrix-corporal`
- `matrix-dimension`
- `exim-relay`

2
examples/hosts
View File

@@ -1,5 +1,5 @@
# We explicitly ask for your server's external IP address, because the same value is used for configuring coturn.
# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
# If you'd rather use a local IP here, make sure to set up `coturn_turn_external_ip_address`.
#
# To connect using a non-root user (and elevate to root with sudo later),
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username ansible_become=true ansible_become_user=root`.

8
examples/vars.yml
View File

@@ -61,10 +61,10 @@ postgres_connection_password: ''
# 2. Uncomment and adjust the line below to specify an IP address manually
#
# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API.
# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the coturn role
# (see `roles/custom/matrix-coturn/defaults/main.yml`).
# Default values for this are specified in `coturn_turn_external_ip_address_auto_detection_*` variables in the coturn role
# (see `roles/galaxy/coturn/defaults/main.yml`).
#
# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses.
# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
# Example: `coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
#
# matrix_coturn_turn_external_ip_address: ''
# coturn_turn_external_ip_address: ''

201
group_vars/matrix_servers
View File

@@ -212,7 +212,20 @@ matrix_homeserver_app_service_config_files_auto: |
matrix_addons_homeserver_container_network: "{{ matrix_playbook_reverse_proxy_container_network if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_container_network }}"
matrix_addons_homeserver_client_api_url: "{{ ('http://' + matrix_playbook_reverse_proxy_hostname + ':' + matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port | string) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_container_url }}"
matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.service'] if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' else []) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_systemd_services_list }}"
matrix_addons_homeserver_systemd_services_list: |
{{
(
matrix_homeserver_systemd_services_list
+
(
[traefik_identifier + '.service']
if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik'
else []
)
)
if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled
else matrix_homeserver_systemd_services_list
}}
########################################################################
# #
@@ -238,12 +251,14 @@ matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.ser
# (see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled`)
# - core services (the homeserver) get a level of ~1000
# - services that the homeserver depends on (database, Redis, ntfy, coturn, etc.) get a lower level — between 500 and 1000
# - coturn gets a higher level if `devture_systemd_service_manager_service_restart_mode == 'one-by-one'` to intentionally delay it, because:
# - coturn gets a higher priority level (= starts later) if `devture_systemd_service_manager_service_restart_mode == 'one-by-one'` to intentionally delay it, because:
# - starting services one by one means that the service manager role waits for each service to fully start before proceeding to the next one
# - if coturn has a lower priority than the homeserver, it would be started before it
# - since coturn is started before the homeserver, there's no container label telling Traefik to get a `matrix.example.com` certificate
# - thus, coturn would spin and wait for a certificate until it fails. We'd get a playbook failure due to it, but service manager will proceed to start all other services anyway.
# - only later, when the homeserver actually starts, would that certificate be fetched and dumped
# - this is not a problem with `all-at-once` (default) or `priority-batched` (services start concurrently),
# or with `clean-stop-start` (everything stops first, then starts in priority order — coturn at 900 is fine)
# - reverse-proxying services get level 3000
# - Matrix utility services (bridges, bots) get a level of 2000/2200, so that:
# - they can start before the reverse-proxy
@@ -352,13 +367,13 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else [])
+
([{'name': 'matrix-coturn.service', 'priority': (900 if devture_systemd_service_manager_service_restart_mode == 'clean-stop-start' else 1500), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
([{'name': (coturn_identifier + '.service'), 'priority': (1500 if devture_systemd_service_manager_service_restart_mode == 'one-by-one' else 900), 'groups': ['matrix', 'coturn']}] if coturn_enabled else [])
+
([{'name': 'matrix-matrixto.service', 'priority': 4000, 'groups': ['matrix', 'matrixto']}] if matrix_matrixto_enabled else [])
+
([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else [])
+
([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else [])
([{'name': (coturn_identifier + '-reload.timer'), 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (coturn_enabled and coturn_tls_enabled) else [])
+
([{'name': 'matrix-dimension.service', 'priority': 4000, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else [])
+
@@ -517,7 +532,6 @@ matrix_homeserver_container_client_api_endpoint: |-
'synapse': ('matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled | default(false) else ('matrix-synapse:'+ matrix_synapse_container_client_api_port | default('8008') | string)),
'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string),
'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
}[matrix_homeserver_implementation]
}}
@@ -528,7 +542,6 @@ matrix_homeserver_container_federation_api_endpoint: |-
'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else ('matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port | default('8008') | string)),
'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string),
'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
}[matrix_homeserver_implementation]
}}
@@ -3091,31 +3104,42 @@ matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ traefik_certReso
######################################################################
#
# matrix-coturn
# coturn
#
######################################################################
matrix_coturn_enabled: true
coturn_enabled: true
matrix_coturn_hostname: "{{ matrix_server_fqn_matrix }}"
coturn_identifier: matrix-coturn
matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_coturn_docker_image_registry_prefix_upstream_default }}"
coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
coturn_uid: "{{ matrix_user_uid }}"
coturn_gid: "{{ matrix_user_gid }}"
coturn_hostname: "{{ matrix_server_fqn_matrix }}"
coturn_container_image_registry_prefix: "{{ 'localhost/' if coturn_container_image_self_build else coturn_container_image_registry_prefix_upstream }}"
coturn_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else coturn_container_image_registry_prefix_upstream_default }}"
coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
# We make the assumption that `ansible_host` points to an external IP address, which may not always be the case.
# Users are free to set `matrix_coturn_turn_external_ip_address` to an empty string
# to allow auto-detection (via an EchoIP service) to happen at runtime.
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
# Users are free to set `coturn_turn_external_ip_address` to an empty string
# to allow auto-detection (via an echoip service) to happen at runtime.
coturn_turn_external_ip_address: "{{ ansible_host }}"
matrix_coturn_turn_static_auth_secret: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.sas') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'auth-secret' else '' }}"
# By default, we use the official public instance.
coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json
matrix_coturn_lt_cred_mech_username: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.user') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_lt_cred_mech_password: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.pass') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
coturn_turn_static_auth_secret: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.sas') | hash('sha512') | to_uuid) if coturn_authentication_method == 'auth-secret' else '' }}"
matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}"
coturn_lt_cred_mech_username: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.user') | hash('sha512') | to_uuid) if coturn_authentication_method == 'lt-cred-mech' else '' }}"
coturn_lt_cred_mech_password: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.pass') | hash('sha512') | to_uuid) if coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_tls_cert_path: |-
coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}"
coturn_tls_cert_path: |-
{{
{
'playbook-managed-traefik': ('/certificate.crt' if traefik_certs_dumper_enabled else ''),
@@ -3124,7 +3148,7 @@ matrix_coturn_tls_cert_path: |-
}[matrix_playbook_reverse_proxy_type]
}}
matrix_coturn_tls_key_path: |-
coturn_tls_key_path: |-
{{
{
'playbook-managed-traefik': ('/privatekey.key' if traefik_certs_dumper_enabled else ''),
@@ -3133,32 +3157,32 @@ matrix_coturn_tls_key_path: |-
}[matrix_playbook_reverse_proxy_type]
}}
matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
{
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_coturn_hostname + '/certificate.crt'),
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + coturn_hostname + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_coturn_hostname + '/privatekey.key'),
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + coturn_hostname + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if (matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled and (matrix_coturn_tls_cert_path and matrix_coturn_tls_key_path)) else []
] if (matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled and (coturn_tls_cert_path and coturn_tls_key_path)) else []
)
}}
matrix_coturn_systemd_required_services_list_auto: |
coturn_systemd_required_services_list_auto: |
{{
([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
([traefik_certs_dumper_identifier + '-wait-for-domain@' + coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else [])
}}
######################################################################
#
# /matrix-coturn
# /coturn
#
######################################################################
@@ -3299,6 +3323,9 @@ ddclient_identifier: matrix-dynamic-dns
ddclient_base_path: "{{ matrix_base_data_path }}/dynamic-dns"
ddclient_uid: "{{ matrix_user_uid }}"
ddclient_gid: "{{ matrix_user_gid }}"
ddclient_container_image_registry_prefix: "{{ 'localhost/' if ddclient_container_image_self_build else ddclient_container_image_registry_prefix_upstream }}"
ddclient_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else ddclient_docker_image_registry_prefix_upstream_default }}"
@@ -3377,7 +3404,7 @@ jitsi_web_stun_servers: |
'stun:' + matrix_server_fqn_matrix + ':5349',
'stun:' + matrix_server_fqn_matrix + ':3478',
]
if matrix_coturn_enabled
if coturn_enabled
else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443']
}}
@@ -3386,11 +3413,11 @@ jitsi_web_framing_enabled: true
# Jitsi (Prosody) only seems to support authenticating with coturn using `auth-secret`, not `lt-cred-mech`.
# See: https://prosody.im/doc/coturn
jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port_tcp.split(':')[-1] if matrix_coturn_enabled else '' }}"
jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port_tcp.split(':')[-1] if matrix_coturn_enabled else '' }}"
jitsi_turn_credentials: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if coturn_enabled else '' }}"
jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if coturn_enabled else '' }}"
jitsi_turn_port: "{{ coturn_container_stun_plain_host_bind_port_tcp.split(':')[-1] if coturn_enabled else '' }}"
jitsi_turns_port: "{{ coturn_container_stun_tls_host_bind_port_tcp.split(':')[-1] if coturn_enabled else '' }}"
# If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences,
# unless explicitly disabled by setting `jitsi_etherpad_enabled` to false.
@@ -4371,10 +4398,10 @@ matrix_synapse_email_smtp_port: 8025
matrix_synapse_email_smtp_require_transport_security: false
matrix_synapse_email_notif_from: "Matrix <{{ exim_relay_sender_address }}>"
matrix_synapse_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_synapse_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_synapse_turn_shared_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_synapse_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
@@ -4391,7 +4418,7 @@ matrix_synapse_systemd_required_services_list_auto: |
matrix_synapse_systemd_wanted_services_list_auto: |
{{
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
([coturn_identifier ~ '.service'] if coturn_enabled else [])
+
([exim_relay_identifier ~ '.service'] if exim_relay_enabled else [])
}}
@@ -4438,6 +4465,12 @@ matrix_synapse_password_config_enabled: "{{ not matrix_synapse_matrix_authentica
matrix_synapse_register_user_script_matrix_authentication_service_path: "{{ matrix_authentication_service_bin_path }}/register-user"
# After Synapse's systemd health check passes, the reverse proxy still needs time to
# discover the container and register its routes. We derive this delay from Traefik's
# providers.providersThrottleDuration setting (+1s grace for our healthcheck polling interval),
# so it stays in sync automatically.
matrix_synapse_systemd_service_post_start_delay_seconds: "{{ (traefik_config_providers_providersThrottleDuration_seconds | int + 1) if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] else 0 }}"
######################################################################
#
# /matrix-synapse
@@ -5090,7 +5123,6 @@ grafana_default_home_dashboard_path: |-
'synapse': ('/etc/grafana/dashboards/synapse.json' if matrix_synapse_metrics_enabled and matrix_synapse_metrics_enabled else ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else '')),
'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
'conduwuit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
'continuwuity': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
}[matrix_homeserver_implementation]
}}
@@ -5151,7 +5183,6 @@ matrix_registration_shared_secret: |-
'synapse': matrix_synapse_registration_shared_secret | default (''),
'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''),
'conduit': '',
'conduwuit': '',
'continuwuity': '',
}[matrix_homeserver_implementation]
}}
@@ -5228,10 +5259,10 @@ matrix_dendrite_database_hostname: "{{ postgres_connection_hostname if postgres_
matrix_dendrite_database_password: "{{ (matrix_homeserver_generic_secret_key + ':dendrite.db') | hash('sha512') | to_uuid }}"
matrix_dendrite_client_api_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_dendrite_client_api_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_dendrite_client_api_turn_shared_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_dendrite_client_api_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_disable_tls_validation: "{{ not matrix_playbook_ssl_enabled }}"
@@ -5248,7 +5279,7 @@ matrix_dendrite_systemd_required_services_list_auto: |
matrix_dendrite_systemd_wanted_services_list_auto: |
{{
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
([coturn_identifier ~ '.service'] if coturn_enabled else [])
}}
matrix_dendrite_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
@@ -5299,10 +5330,10 @@ matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_fe
matrix_conduit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
matrix_conduit_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_conduit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduit_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_conduit_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduit_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
######################################################################
#
@@ -5311,58 +5342,6 @@ matrix_conduit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix
######################################################################
######################################################################
#
# matrix-conduwuit
#
######################################################################
matrix_conduwuit_enabled: "{{ matrix_homeserver_implementation == 'conduwuit' }}"
matrix_conduwuit_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_conduwuit_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
matrix_conduwuit_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_conduwuit_docker_image_registry_prefix_upstream_default }}"
matrix_conduwuit_container_network: "{{ matrix_homeserver_container_network }}"
matrix_conduwuit_container_additional_networks_auto: |
{{
(
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_conduwuit_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
) | unique
}}
matrix_conduwuit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and not matrix_synapse_workers_enabled }}"
matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
matrix_conduwuit_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
matrix_conduwuit_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
matrix_conduwuit_container_labels_public_client_root_redirection_enabled: "{{ matrix_conduwuit_container_labels_public_client_root_redirection_url != '' }}"
matrix_conduwuit_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
matrix_conduwuit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
matrix_conduwuit_config_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_conduwuit_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduwuit_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduwuit_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduwuit_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
######################################################################
#
# /matrix-conduwuit
#
######################################################################
######################################################################
#
# matrix-continuwuity
@@ -5401,10 +5380,10 @@ matrix_continuwuity_container_labels_public_federation_api_traefik_tls: "{{ matr
matrix_continuwuity_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
matrix_continuwuity_config_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_continuwuity_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_continuwuity_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_continuwuity_config_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_continuwuity_config_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
@@ -5663,7 +5642,7 @@ traefik_systemd_required_services_list: |
traefik_additional_domains_to_obtain_certificates_for_auto: |
{{
([matrix_coturn_hostname] if (matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_coturn_hostname != matrix_server_fqn_matrix) else [])
([coturn_hostname] if (coturn_enabled and coturn_tls_enabled and coturn_hostname != matrix_server_fqn_matrix) else [])
}}
########################################################################
@@ -5690,6 +5669,16 @@ traefik_certs_dumper_gid: "{{ matrix_user_gid }}"
traefik_certs_dumper_ssl_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
# We make the certs dumper require the Traefik service (not just docker.service),
# because when both restart simultaneously (e.g. in all-at-once mode), Traefik may
# momentarily truncate or reinitialize acme.json, causing the certs dumper to read
# an empty file and panic. By requiring Traefik, the certs dumper only starts after
# Traefik is fully ready and acme.json is stable.
traefik_certs_dumper_systemd_required_services_list_auto: |
{{
([traefik_identifier + '.service'] if traefik_enabled else [])
}}
traefik_certs_dumper_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else traefik_certs_dumper_container_image_registry_prefix_upstream_default }}"
########################################################################

3
justfile
View File

@@ -50,8 +50,7 @@ install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,star
install-service service *extra_args:
{{ just_executable() }} --justfile "{{ justfile() }}" run \
--tags=install-{{ service }},start-group \
--extra-vars=group={{ service }} \
--extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }}
--extra-vars=group={{ service }} {{ extra_args }}
# Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments
setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args)

12
requirements.yml
View File

@@ -12,6 +12,10 @@
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
version: v0.4.2-1
name: container_socket_proxy
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-coturn.git
version: v4.8.0-1
name: coturn
activation_prefix: coturn_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
version: v4.0.0-0
name: ddclient
@@ -38,7 +42,7 @@
version: v1.9.11-0
name: livekit_server
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
version: v2.16.0-1
version: v2.17.0-0
name: ntfy
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
version: 8630e4f1749bcb659c412820f754473f09055052
@@ -50,7 +54,7 @@
version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
name: playbook_state_preserver
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
version: v18.1-4
version: v18.1-5
name: postgres
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
version: v18-0
@@ -68,13 +72,13 @@
version: v1.4.1-0
name: systemd_docker_base
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
version: v1.1.0-0
version: v2.0.0-1
name: systemd_service_manager
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.1.0-1
name: timesync
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
version: v3.6.7-1
version: v3.6.8-2
name: traefik
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
version: v2.10.0-4

2
roles/custom/matrix-alertmanager-receiver/defaults/main.yml
View File

@@ -11,7 +11,7 @@
matrix_alertmanager_receiver_enabled: true
# renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
matrix_alertmanager_receiver_version: 2026.2.4
matrix_alertmanager_receiver_version: 2026.2.11
matrix_alertmanager_receiver_scheme: https

2
roles/custom/matrix-authentication-service/defaults/main.yml
View File

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
matrix_authentication_service_version: 1.10.0
matrix_authentication_service_version: 1.11.0
matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

2
roles/custom/matrix-base/defaults/main.yml
View File

@@ -84,7 +84,7 @@ matrix_monitoring_container_network: matrix-monitoring
matrix_homeserver_enabled: true
# This will contain the homeserver implementation that is in use.
# Valid values: synapse, dendrite, conduit, conduwuit, continuwuity
# Valid values: synapse, dendrite, conduit, continuwuity
#
# By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
#

2
roles/custom/matrix-base/tasks/validate_config.yml
View File

@@ -13,7 +13,7 @@
- name: Fail if invalid homeserver implementation
ansible.builtin.fail:
msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`"
when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'conduwuit', 'continuwuity']"
when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'continuwuity']"
- name: (Deprecation) Catch and report renamed settings
ansible.builtin.fail:

2
roles/custom/matrix-bot-baibot/defaults/main.yml
View File

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
# renovate: datasource=docker depName=ghcr.io/etkecc/baibot
matrix_bot_baibot_version: v1.14.0
matrix_bot_baibot_version: v1.14.1
matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

4
roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2
View File

@@ -1,11 +1,11 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Draupnir bot
{% for service in matrix_bot_draupnir_systemd_wanted_services_list %}
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
{% for service in matrix_bot_draupnir_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no

4
roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2
View File

@@ -1,11 +1,11 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Mjolnir bot
{% for service in matrix_bot_mjolnir_systemd_wanted_services_list %}
{% for service in matrix_bot_mjolnir_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_bot_mjolnir_systemd_required_services_list %}
{% for service in matrix_bot_mjolnir_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no

2
roles/custom/matrix-client-element/defaults/main.yml
View File

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
# renovate: datasource=docker depName=ghcr.io/element-hq/element-web
matrix_client_element_version: v1.12.9
matrix_client_element_version: v1.12.10
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

194
roles/custom/matrix-conduwuit/defaults/main.yml
View File

@@ -1,194 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# conduwuit is a very cool, featureful fork of conduit (https://gitlab.com/famedly/conduit).
# Project source code URL: https://github.com/girlbossceo/conduwuit
# See: https://conduwuit.puppyirl.gay/
matrix_conduwuit_enabled: true
matrix_conduwuit_hostname: ''
matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_registry_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}"
matrix_conduwuit_docker_image_tag: v0.4.6-8f7ade4c22533a3177bfd8f175e178573ba6c1d4
matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}"
matrix_conduwuit_docker_image_registry_prefix: "{{ matrix_conduwuit_docker_image_registry_prefix_upstream }}"
matrix_conduwuit_docker_image_registry_prefix_upstream: "{{ matrix_conduwuit_docker_image_registry_prefix_upstream_default }}"
matrix_conduwuit_docker_image_registry_prefix_upstream_default: ghcr.io/
matrix_conduwuit_base_path: "{{ matrix_base_data_path }}/conduwuit"
matrix_conduwuit_config_path: "{{ matrix_conduwuit_base_path }}/config"
matrix_conduwuit_data_path: "{{ matrix_conduwuit_base_path }}/data"
matrix_conduwuit_config_port_number: 6167
matrix_conduwuit_tmp_directory_size_mb: 500
# List of systemd services that matrix-conduwuit.service depends on
matrix_conduwuit_systemd_required_services_list: "{{ matrix_conduwuit_systemd_required_services_list_default + matrix_conduwuit_systemd_required_services_list_auto + matrix_conduwuit_systemd_required_services_list_custom }}"
matrix_conduwuit_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_conduwuit_systemd_required_services_list_auto: []
matrix_conduwuit_systemd_required_services_list_custom: []
# List of systemd services that matrix-conduwuit.service wants
matrix_conduwuit_systemd_wanted_services_list: []
# Controls how long to sleep for after starting the matrix-synapse container.
#
# Delaying, so that the homeserver can manage to fully start and various services
# that depend on it (`matrix_conduwuit_systemd_required_services_list` and `matrix_conduwuit_systemd_wanted_services_list`)
# may only start after the homeserver is up and running.
#
# This can be set to 0 to remove the delay.
matrix_conduwuit_systemd_service_post_start_delay_seconds: 3
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_conduwuit_container_network: ""
# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to another reverse proxy, which runs in a different container network.
matrix_conduwuit_container_additional_networks: "{{ matrix_conduwuit_container_additional_networks_auto + matrix_conduwuit_container_additional_networks_custom }}"
matrix_conduwuit_container_additional_networks_auto: []
matrix_conduwuit_container_additional_networks_custom: []
# matrix_conduwuit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_conduwuit_container_labels_additional_labels`.
matrix_conduwuit_container_labels_traefik_enabled: true
matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_conduwuit_container_network }}"
matrix_conduwuit_container_labels_traefik_entrypoints: web-secure
matrix_conduwuit_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.
matrix_conduwuit_container_labels_public_client_root_enabled: true
matrix_conduwuit_container_labels_public_client_root_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
matrix_conduwuit_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"
matrix_conduwuit_container_labels_public_client_root_traefik_priority: 0
matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
matrix_conduwuit_container_labels_public_client_root_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints != 'web' }}"
matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
matrix_conduwuit_container_labels_public_client_root_redirection_enabled: false
matrix_conduwuit_container_labels_public_client_root_redirection_url: ""
# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
matrix_conduwuit_container_labels_public_client_api_enabled: true
matrix_conduwuit_container_labels_public_client_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix: /_matrix
matrix_conduwuit_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}`)"
matrix_conduwuit_container_labels_public_client_api_traefik_priority: 0
matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
matrix_conduwuit_container_labels_public_client_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
# This is similar to `matrix_conduwuit_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
matrix_conduwuit_container_labels_internal_client_api_enabled: false
matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}"
matrix_conduwuit_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix }}`)"
matrix_conduwuit_container_labels_internal_client_api_traefik_priority: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}"
matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: ""
# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_config_allow_federation }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix: /_matrix
matrix_conduwuit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix }}`)"
matrix_conduwuit_container_labels_public_federation_api_traefik_priority: 0
matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: ''
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
matrix_conduwuit_container_labels_public_federation_api_traefik_tls: true
matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the `/_conduwuit` path prefix on a public Traefik entrypoint.
matrix_conduwuit_container_labels_public_conduwuit_api_enabled: true
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix: /_conduwuit
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix }}`)"
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority: 0
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints != 'web' }}"
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_conduwuit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_conduwuit_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_conduwuit_container_labels_additional_labels: ''
# Extra arguments for the Docker container
matrix_conduwuit_container_extra_arguments: []
# Specifies which template files to use when configuring conduwuit.
# If you'd like to have your own different configuration, feel free to copy and paste
# the original files into your inventory (e.g. in `inventory/host_vars/matrix.example.com/`)
# and then change the specific host's `vars.yml` file like this:
# matrix_conduwuit_template_conduwuit_config: "{{ playbook_dir }}/inventory/host_vars/matrix.example.com/conduwuit.toml.j2"
matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit.toml.j2"
# Max size for uploads, in bytes
matrix_conduwuit_config_server_name: "{{ matrix_domain }}"
# Max size for uploads, in bytes
matrix_conduwuit_config_max_request_size: 20_000_000
# Enables registration. If set to false, no users can register on this server.
matrix_conduwuit_config_allow_registration: false
# Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting.
# This is only used when `matrix_conduwuit_config_allow_registration` is set to true and no registration token is configured.
matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false
# Controls the `registration_token` setting.
# When registration is enabled (`matrix_conduwuit_config_allow_registration`) you:
# - either need to set a token to protect registration from abuse
# - or you need to enable the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting
# (see `matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`),
# to allow registration without any form of 2nd-step.
matrix_conduwuit_config_registration_token: ''
# Controls the `new_user_displayname_suffix` setting.
# This is the suffix that will be added to the displayname of new users.
# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix.
matrix_conduwuit_config_new_user_displayname_suffix: ""
# Controls the `allow_check_for_updates` setting.
matrix_conduwuit_config_allow_check_for_updates: false
# Controls the `emergency_password` setting.
matrix_conduwuit_config_emergency_password: ''
# Controls the `allow_federation` setting.
matrix_conduwuit_config_allow_federation: true
matrix_conduwuit_trusted_servers:
- "matrix.org"
matrix_conduwuit_config_log: "info,state_res=warn,rocket=off,_=off,sled=off"
# TURN integration.
# See: https://conduwuit.puppyirl.gay/turn.html
matrix_conduwuit_config_turn_uris: []
matrix_conduwuit_config_turn_secret: ''
matrix_conduwuit_config_turn_username: ''
matrix_conduwuit_config_turn_password: ''
# Controls whether the self-check feature should validate SSL certificates.
matrix_conduwuit_self_check_validate_certificates: true
# Additional environment variables to pass to the container.
#
# Environment variables take priority over settings in the configuration file.
#
# Example:
# matrix_conduwuit_environment_variables_extension: |
# CONDUWUIT_MAX_REQUEST_SIZE=50000000
# CONDUWUIT_REQUEST_TIMEOUT=60
matrix_conduwuit_environment_variables_extension: ''

64
roles/custom/matrix-conduwuit/tasks/install.yml
View File

@@ -1,64 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure conduwuit config path exists
ansible.builtin.file:
path: "{{ matrix_conduwuit_config_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit data path exists
ansible.builtin.file:
path: "{{ matrix_conduwuit_data_path }}"
state: directory
mode: 0770
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit configuration installed
ansible.builtin.template:
src: "{{ matrix_conduwuit_template_conduwuit_config }}"
dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
mode: 0640
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- labels
- env
- name: Ensure conduwuit container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_conduwuit_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure conduwuit container image is pulled
community.docker.docker_image:
name: "{{ matrix_conduwuit_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure matrix-conduwuit.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
mode: 0644

34
roles/custom/matrix-conduwuit/tasks/main.yml
View File

@@ -1,34 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-conduwuit
- install-all
- install-conduwuit
block:
- when: matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
- tags:
- setup-all
- setup-conduwuit
block:
- when: not matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
- tags:
- self-check
block:
- when: matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
- when: matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"

28
roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml
View File

@@ -1,28 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check Matrix Client API
ansible.builtin.uri:
url: "{{ matrix_conduwuit_client_api_url_endpoint_public }}"
follow_redirects: none
validate_certs: "{{ matrix_conduwuit_self_check_validate_certificates }}"
register: result_matrix_conduwuit_client_api
ignore_errors: true
check_mode: false
when: matrix_conduwuit_enabled | bool
delegate_to: 127.0.0.1
become: false
- name: Fail if Matrix Client API not working
ansible.builtin.fail:
msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`). Is conduwuit running? Is port 443 open in your firewall? Full error: {{ result_matrix_conduwuit_client_api }}"
when: "matrix_conduwuit_enabled | bool and (result_matrix_conduwuit_client_api.failed or 'json' not in result_matrix_conduwuit_client_api)"
- name: Report working Matrix Client API
ansible.builtin.debug:
msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`) is working"
when: matrix_conduwuit_enabled | bool

32
roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml
View File

@@ -1,32 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check Matrix Federation API
ansible.builtin.uri:
url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
follow_redirects: none
validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
register: result_matrix_synapse_federation_api
ignore_errors: true
check_mode: false
when: matrix_synapse_enabled | bool
delegate_to: 127.0.0.1
become: false
- name: Fail if Matrix Federation API not working
ansible.builtin.fail:
msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)"
- name: Fail if Matrix Federation API unexpectedly enabled
ansible.builtin.fail:
msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled."
when: "matrix_synapse_enabled | bool and not matrix_synapse_federation_enabled | bool and not result_matrix_synapse_federation_api.failed"
- name: Report working Matrix Federation API
ansible.builtin.debug:
msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"
when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool"

63
roles/custom/matrix-conduwuit/tasks/setup_install.yml
View File

@@ -1,63 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure conduwuit config path exists
ansible.builtin.file:
path: "{{ matrix_conduwuit_config_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit data path exists
ansible.builtin.file:
path: "{{ matrix_conduwuit_data_path }}"
state: directory
mode: 0770
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit configuration installed
ansible.builtin.template:
src: "{{ matrix_conduwuit_template_conduwuit_config }}"
dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
mode: 0640
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- labels
- name: Ensure conduwuit container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_conduwuit_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure conduwuit container image is pulled
community.docker.docker_image:
name: "{{ matrix_conduwuit_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure matrix-conduwuit.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
mode: 0644

23
roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml
View File

@@ -1,23 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-conduwuit service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
register: matrix_conduwuit_service_stat
- when: matrix_conduwuit_service_stat.stat.exists | bool
block:
- name: Ensure matrix-conduwuit is stopped
ansible.builtin.systemd:
name: matrix-conduwuit
state: stopped
daemon_reload: true
- name: Ensure matrix-conduwuit.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
state: absent

23
roles/custom/matrix-conduwuit/tasks/uninstall.yml
View File

@@ -1,23 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-conduwuit service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
register: matrix_conduwuit_service_stat
- when: matrix_conduwuit_service_stat.stat.exists | bool
block:
- name: Ensure matrix-conduwuit is stopped
ansible.builtin.systemd:
name: matrix-conduwuit
state: stopped
daemon_reload: true
- name: Ensure matrix-conduwuit.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
state: absent

15
roles/custom/matrix-conduwuit/tasks/validate_config.yml
View File

@@ -1,15 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if required conduwuit settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_conduwuit_hostname', when: true}
- {'name': 'matrix_conduwuit_container_network', when: true}
- {'name': 'matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_conduwuit_container_labels_internal_client_api_enabled }}"}

1546
roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2
View File

File diff suppressed because it is too large Load Diff

1
roles/custom/matrix-conduwuit/templates/env.j2
View File

@@ -1 +0,0 @@
{{ matrix_conduwuit_environment_variables_extension }}

3
roles/custom/matrix-conduwuit/templates/env.j2.license
View File

@@ -1,3 +0,0 @@
SPDX-FileCopyrightText: 2025 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later

173
roles/custom/matrix-conduwuit/templates/labels.j2
View File

@@ -1,173 +0,0 @@
{#
SPDX-FileCopyrightText: 2025 MDAD project contributors
SPDX-FileCopyrightText: 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_conduwuit_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_conduwuit_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_conduwuit_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_config_port_number }}
{% if matrix_conduwuit_container_labels_public_client_root_enabled %}
############################################################
# #
# Public Root path (/) #
# #
############################################################
{% set client_root_middlewares = [] %}
{% if matrix_conduwuit_container_labels_public_client_root_redirection_enabled %}
{% set client_root_middlewares = client_root_middlewares + ['matrix-conduwuit-client-root-redirect'] %}
traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.regex=(.*)
traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.replacement={{ matrix_conduwuit_container_labels_public_client_root_redirection_url }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-client-root.rule={{ matrix_conduwuit_container_labels_public_client_root_traefik_rule }}
traefik.http.routers.matrix-conduwuit-public-client-root.middlewares={{ client_root_middlewares | join(',') }}
{% if matrix_conduwuit_container_labels_public_client_root_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-public-client-root.priority={{ matrix_conduwuit_container_labels_public_client_root_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-client-root.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-public-client-root.entrypoints={{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints }}
traefik.http.routers.matrix-conduwuit-public-client-root.tls={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls | to_json }}
{% if matrix_conduwuit_container_labels_public_client_root_traefik_tls %}
traefik.http.routers.matrix-conduwuit-public-client-root.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Public Root path (/) #
# #
############################################################
{% endif %}
{% if matrix_conduwuit_container_labels_public_client_api_enabled %}
############################################################
# #
# Public Client-API (/_matrix) #
# #
############################################################
traefik.http.routers.matrix-conduwuit-public-client-api.rule={{ matrix_conduwuit_container_labels_public_client_api_traefik_rule }}
{% if matrix_conduwuit_container_labels_public_client_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-public-client-api.priority={{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-client-api.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-public-client-api.entrypoints={{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints }}
traefik.http.routers.matrix-conduwuit-public-client-api.tls={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls | to_json }}
{% if matrix_conduwuit_container_labels_public_client_api_traefik_tls %}
traefik.http.routers.matrix-conduwuit-public-client-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Public Client-API (/_matrix) #
# #
############################################################
{% endif %}
{% if matrix_conduwuit_container_labels_internal_client_api_enabled %}
############################################################
# #
# Internal Client-API (/_matrix) #
# #
############################################################
traefik.http.routers.matrix-conduwuit-internal-client-api.rule={{ matrix_conduwuit_container_labels_internal_client_api_traefik_rule }}
{% if matrix_conduwuit_container_labels_internal_client_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-internal-client-api.priority={{ matrix_conduwuit_container_labels_internal_client_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-internal-client-api.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-internal-client-api.entrypoints={{ matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints }}
############################################################
# #
# /Internal Client-API (/_matrix) #
# #
############################################################
{% endif %}
{% if matrix_conduwuit_container_labels_public_federation_api_enabled %}
############################################################
# #
# Public Federation-API (/_matrix) #
# #
############################################################
traefik.http.routers.matrix-conduwuit-public-federation-api.rule={{ matrix_conduwuit_container_labels_public_federation_api_traefik_rule }}
{% if matrix_conduwuit_container_labels_public_federation_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-public-federation-api.priority={{ matrix_conduwuit_container_labels_public_federation_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-federation-api.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-public-federation-api.entrypoints={{ matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints }}
traefik.http.routers.matrix-conduwuit-public-federation-api.tls={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls | to_json }}
{% if matrix_conduwuit_container_labels_public_federation_api_traefik_tls %}
traefik.http.routers.matrix-conduwuit-public-federation-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Public Federation-API (/_matrix) #
# #
############################################################
{% endif %}
{% if matrix_conduwuit_container_labels_public_conduwuit_api_enabled %}
############################################################
# #
# Public conduwuit-API (/_conduwuit) #
# #
############################################################
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.rule={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule }}
{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.priority={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.entrypoints={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints }}
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls | to_json }}
{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls %}
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Public conduwuit-API (/_conduwuit) #
# #
############################################################
{% endif %}
{% endif %}
{{ matrix_conduwuit_container_labels_additional_labels }}

51
roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2
View File

@@ -1,51 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=conduwuit Matrix homeserver
{% for service in matrix_conduwuit_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-conduwuit \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduwuit_tmp_directory_size_mb }}m \
--network={{ matrix_conduwuit_container_network }} \
--env CONDUWUIT_CONFIG=/etc/conduwuit/conduwuit.toml \
--label-file={{ matrix_conduwuit_base_path }}/labels \
--mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/conduwuit \
--mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/conduwuit,ro \
{% for arg in matrix_conduwuit_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_conduwuit_docker_image }}
{% for network in matrix_conduwuit_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduwuit
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduwuit
{% if matrix_conduwuit_systemd_service_post_start_delay_seconds != 0 %}
ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_conduwuit_systemd_service_post_start_delay_seconds }}
{% endif %}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true'
ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduwuit /bin/sh -c 'kill -HUP 1'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-conduwuit
[Install]
WantedBy=multi-user.target

4
roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2.license
View File

@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2025 MDAD project contributors
SPDX-FileCopyrightText: 2025 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later

9
roles/custom/matrix-conduwuit/vars/main.yml
View File

@@ -1,9 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
matrix_conduwuit_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}/_matrix/client/versions"
matrix_conduwuit_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

4
roles/custom/matrix-continuwuity/tasks/migrate_from_conduwuit.yml
View File

@@ -13,7 +13,7 @@
- name: Check existence of conduwuit directory
ansible.builtin.stat:
path: "{{ matrix_base_data_path }}/conduwuit"
register: matrix_conduwuit_directory_stat
register: matrix_removed_conduwuit_directory_stat
- name: Check existence of continuwuity directory
ansible.builtin.stat:
@@ -21,7 +21,7 @@
register: matrix_continuwuity_directory_stat
- when: >
matrix_conduwuit_directory_stat.stat.exists | bool and
matrix_removed_conduwuit_directory_stat.stat.exists | bool and
matrix_continuwuity_directory_stat.stat.exists | bool
block:
- name: Ensure matrix-continuwuity.service systemd service is stopped

237
roles/custom/matrix-coturn/defaults/main.yml
View File

@@ -1,237 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Stuart Mumford
# SPDX-FileCopyrightText: 2019 Sylvia van Os
# SPDX-FileCopyrightText: 2020 - 2021 Dan Arnfield
# SPDX-FileCopyrightText: 2020 Horvath Gergely
# SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Hefty Zauk
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Project source code URL: https://github.com/coturn/coturn
matrix_coturn_enabled: true
matrix_coturn_hostname: ""
matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
# renovate: datasource=docker depName=coturn/coturn versioning=loose
matrix_coturn_version: 4.8.0
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"
matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"
matrix_coturn_docker_image_registry_prefix_upstream_default: docker.io/
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
# The Docker network that coturn would be put into.
#
# Because coturn relays traffic to unvalidated IP addresses,
# using a dedicated network, isolated from other Docker (and local) services is preferable.
#
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
#
# Setting `matrix_coturn_container_network` to 'host' will run the container with host networking,
# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
# Running with host networking can be dangerous, as it potentially exposes your local network and its services to coturn peers.
# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
# which hopefully prevents access to such private network ranges.
# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
matrix_coturn_container_network: "matrix-coturn"
matrix_coturn_container_additional_networks: "{{ matrix_coturn_container_additional_networks_auto + matrix_coturn_container_additional_networks_custom }}"
matrix_coturn_container_additional_networks_auto: []
matrix_coturn_container_additional_networks_custom: []
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
# List of systemd services that matrix-coturn.service depends on
matrix_coturn_systemd_required_services_list: "{{ matrix_coturn_systemd_required_services_list_default + matrix_coturn_systemd_required_services_list_auto + matrix_coturn_systemd_required_services_list_custom }}"
matrix_coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_coturn_systemd_required_services_list_auto: []
matrix_coturn_systemd_required_services_list_custom: []
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically at runtime. You can provide a different default value,
# if you wish to mount your own files into the container.
# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
# See the `--mount` documentation for the `docker run` command.
matrix_coturn_container_additional_volumes: []
# A list of extra arguments to pass to the container
matrix_coturn_container_extra_arguments: []
# Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
#
# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.
# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.
matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
matrix_coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
#
# This is enabled by default, unlike `matrix_coturn_container_stun_plain_host_bind_port_udp`,
# because the risk of DDoS amplification attacks is lower for TLS
# due to the handshake requiring two-way authentication and being generally more expensive.
matrix_coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on.
#
# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
#
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_container_network != 'host' else 'none' }}"
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
# Controls the `realm` configuration option
matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}"
# Controls which authentication method to enable.
#
# lt-cred-mech likely provides better compatibility,
# as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191
# but those claims are unverified.
#
# For now, we still default to `auth-secret` like we've always done.
#
# Known values: auth-secret, lt-cred-mech
matrix_coturn_authentication_method: auth-secret
# A shared secret used for authentication when `matrix_coturn_authentication_method` is `auth-secret`.
# You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`.
matrix_coturn_turn_static_auth_secret: ""
# A username used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_username: ""
# A password used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_password: ""
# The external IP address of the machine where coturn is.
# If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
# See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
matrix_coturn_turn_external_ip_address: ""
matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"
# Controls whether external IP address auto-detection should be attempted.
# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified.
# See matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url
matrix_coturn_turn_external_ip_address_auto_detection_enabled: "{{ matrix_coturn_turn_external_ip_addresses | length == 0 and matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"
# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address.
# By default, we use the official public instance.
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json
# Controls whether SSL certificates will be validated when contacting the EchoIP service (matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url)
matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}"
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}"
matrix_coturn_allowed_peer_ips: []
# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
# This is especially important when coturn does not run within a container network (e.g. `matrix_coturn_container_network: host`).
#
# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
#
# If you're running coturn for local network peers, you may wish to override these rules.
matrix_coturn_denied_peer_ips:
- 0.0.0.0-0.255.255.255
- 10.0.0.0-10.255.255.255
- 100.64.0.0-100.127.255.255
- 127.0.0.0-127.255.255.255
- 169.254.0.0-169.254.255.255
- 172.16.0.0-172.31.255.255
- 192.0.0.0-192.0.0.255
- 192.0.2.0-192.0.2.255
- 192.88.99.0-192.88.99.255
- 192.168.0.0-192.168.255.255
- 198.18.0.0-198.19.255.255
- 198.51.100.0-198.51.100.255
- 203.0.113.0-203.0.113.255
- 240.0.0.0-255.255.255.255
- ::1
- 64:ff9b::-64:ff9b::ffff:ffff
- ::ffff:0.0.0.0-::ffff:255.255.255.255
- 100::-100::ffff:ffff:ffff:ffff
- 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
- 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
matrix_coturn_user_quota: null
matrix_coturn_total_quota: null
# Controls whether `no-tcp-relay` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422
matrix_coturn_no_tcp_relay_enabled: true
# Controls whether `no-multicast-peers` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632
matrix_coturn_no_multicast_peers_enabled: true
# Controls whether `no-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781
matrix_coturn_no_rfc5780_enabled: true
# Controls whether `no-stun-backward-compatibility` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789
matrix_coturn_no_stun_backward_compatibility_enabled: true
# Controls whether `response-origin-only-with-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796
matrix_coturn_response_origin_only_with_rfc5780_enabled: true
# Additional configuration to be passed to turnserver.conf
# Example:
# matrix_coturn_additional_configuration: |
# simple-log
# aux-server=1.2.3.4
# relay-ip=4.3.2.1
matrix_coturn_additional_configuration: ""
# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
matrix_coturn_tls_enabled: false
matrix_coturn_tls_cert_path: ~
matrix_coturn_tls_key_path: ~
matrix_coturn_tls_v1_enabled: false
matrix_coturn_tls_v1_1_enabled: false
# systemd calendar configuration for the reload job
# the actual job may run with a delay (see matrix_coturn_reload_schedule_randomized_delay_sec)
matrix_coturn_reload_schedule: "*-*-* 06:30:00"
# the delay with which the systemd timer may run in relation to the `matrix_coturn_reload_schedule` schedule
matrix_coturn_reload_schedule_randomized_delay_sec: 1h

26
roles/custom/matrix-coturn/tasks/main.yml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-coturn
- install-all
- install-coturn
block:
- when: matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-coturn
block:
- when: not matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

146
roles/custom/matrix-coturn/tasks/setup_install.yml
View File

@@ -1,146 +0,0 @@
# SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 - 2020 MDAD project contributors
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2020 Béla Becker
# SPDX-FileCopyrightText: 2020 Chris van Dijk
# SPDX-FileCopyrightText: 2020 Horvath Gergely
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- when: matrix_coturn_turn_external_ip_address_auto_detection_enabled | bool
block:
- name: Fail if enabled, but EchoIP service URL unset
when: matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url == ''
ansible.builtin.fail:
msg: "To use the external IP address auto-detection feature, you need to set matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url"
# Note:
# `ansible.builtin.uri` does not provide a way to configure whether IPv4 or IPv6 is used.
# Luckily, the default instance we use does not define AAAA records for now, so it's always IPv4.
- name: Fetch IP address information from EchoIP service
ansible.builtin.uri:
url: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}"
headers:
Content-Type: application/json
follow_redirects: none
validate_certs: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}"
register: result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response
ignore_errors: true
check_mode: false
retries: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}"
delay: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}"
until: not result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed
- name: Fail if EchoIP service failed
when: "(result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response)"
ansible.builtin.fail:
msg: "Failed contacting EchoIP service API at `{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url`). Full error: {{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response }}"
- ansible.builtin.set_fact:
matrix_coturn_turn_external_ip_address: "{{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}"
- name: Ensure Matrix coturn path exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
when: "item.when | bool"
- name: Ensure coturn image is pulled
community.docker.docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
when: "not matrix_coturn_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: "matrix_coturn_container_image_self_build | bool"
block:
- name: Ensure coturn repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_coturn_container_image_self_build_repo }}"
dest: "{{ matrix_coturn_docker_src_files_path }}"
version: "{{ matrix_coturn_container_image_self_build_repo_version }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_coturn_git_pull_results
- name: Ensure coturn Docker image is built
community.docker.docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: build
force_source: "{{ matrix_coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_git_pull_results.changed }}"
build:
dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}"
path: "{{ matrix_coturn_docker_src_files_path }}"
pull: true
- name: Ensure coturn configuration path exists
ansible.builtin.file:
path: "{{ matrix_coturn_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure turnserver.conf installed
ansible.builtin.template:
src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure coturn network is created in Docker
when: matrix_coturn_container_network not in ['', 'host']
community.docker.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_coturn_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-coturn.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
mode: 0644
# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure reloading systemd units installed, if necessary
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
mode: 0644
when: "matrix_coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
# A similar task exists in `setup_uninstall.yml`
- name: Ensure reloading systemd units uninstalled, if unnecessary
ansible.builtin.file:
path: "{{ item }}"
state: absent
when: "not matrix_coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer

43
roles/custom/matrix-coturn/tasks/setup_uninstall.yml
View File

@@ -1,43 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-coturn service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
register: matrix_coturn_service_stat
when: "not matrix_coturn_enabled | bool"
- when: matrix_coturn_service_stat.stat.exists | bool
block:
- name: Ensure matrix-coturn is stopped
ansible.builtin.service:
name: matrix-coturn
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-coturn-reload.timer is stopped
ansible.builtin.service:
name: matrix-coturn
state: stopped
enabled: false
daemon_reload: true
failed_when: false
- name: Ensure systemd units don't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
state: absent
with_items:
- matrix-coturn.service
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
- name: Ensure Matrix coturn paths don't exist
ansible.builtin.file:
path: "{{ matrix_coturn_base_path }}"
state: absent

35
roles/custom/matrix-coturn/tasks/validate_config.yml
View File

@@ -1,35 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: (Deprecation) Catch and report renamed coturn settings
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_coturn_docker_network', 'new': 'matrix_coturn_container_network'}
- {'old': 'matrix_coturn_container_stun_plain_host_bind_port', 'new': 'superseded by matrix_coturn_container_stun_plain_host_bind_port_tcp and matrix_coturn_container_stun_plain_host_bind_port_udp'}
- {'old': 'matrix_coturn_container_stun_tls_host_bind_port', 'new': 'superseded by matrix_coturn_container_stun_tls_host_bind_port_tcp and matrix_coturn_container_stun_tls_host_bind_port_udp'}
- {'old': 'matrix_coturn_container_image_name_prefix', 'new': 'matrix_coturn_docker_image_registry_prefix'}
- name: Fail if matrix_coturn_authentication_method is invalid
ansible.builtin.fail:
msg: >-
Invalid authentication method specified in `matrix_coturn_authentication_method`
when: "matrix_coturn_authentication_method not in ['auth-secret', 'lt-cred-mech']"
- name: Fail if required coturn settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_coturn_hostname', when: true}
- {'name': 'matrix_coturn_turn_static_auth_secret', when: "{{ matrix_coturn_authentication_method == 'auth-secret' }}"}
- {'name': 'matrix_coturn_lt_cred_mech_username', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
- {'name': 'matrix_coturn_lt_cred_mech_password', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}

12
roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
View File

@@ -1,12 +0,0 @@
{#
SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
[Unit]
Description=Reloads matrix-coturn so that new SSL certificates can kick in
[Service]
Type=oneshot
ExecStart={{ devture_systemd_docker_base_host_command_systemctl }} reload matrix-coturn.service

18
roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
View File

@@ -1,18 +0,0 @@
{#
SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
SPDX-FileCopyrightText: 2021 Hardy Erlinger
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
#}
[Unit]
Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in
[Timer]
Unit=matrix-coturn-reload.service
OnCalendar={{ matrix_coturn_reload_schedule }}
RandomizedDelaySec={{ matrix_coturn_reload_schedule_randomized_delay_sec }}
[Install]
WantedBy=timers.target

70
roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
View File

@@ -1,70 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix coturn server
{% for service in matrix_coturn_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-coturn \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--entrypoint=turnserver \
--read-only \
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
--network={{ matrix_coturn_container_network }} \
{% if matrix_coturn_container_stun_plain_host_bind_port_tcp != '' %}
-p {{ matrix_coturn_container_stun_plain_host_bind_port_tcp }}:3478 \
{% endif %}
{% if matrix_coturn_container_stun_plain_host_bind_port_udp != '' %}
-p {{ matrix_coturn_container_stun_plain_host_bind_port_udp }}:3478/udp \
{% endif %}
{% if matrix_coturn_container_stun_tls_host_bind_port_tcp != '' %}
-p {{ matrix_coturn_container_stun_tls_host_bind_port_tcp }}:5349 \
{% endif %}
{% if matrix_coturn_container_stun_tls_host_bind_port_udp != '' %}
-p {{ matrix_coturn_container_stun_tls_host_bind_port_udp }}:5349/udp \
{% endif %}
{% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
-p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
{% endif %}
--mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \
{% for volume in matrix_coturn_container_additional_volumes %}
--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
{% endfor %}
{% for arg in matrix_coturn_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_coturn_docker_image }} \
-c /turnserver.conf
{% for network in matrix_coturn_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-coturn
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-coturn
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
# This only reloads certificates (not other configuration).
# See: https://github.com/coturn/coturn/pull/236
ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-coturn kill -USR2 1
Restart=always
RestartSec=30
SyslogIdentifier=matrix-coturn
[Install]
WantedBy=multi-user.target

8
roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license
View File

@@ -1,8 +0,0 @@
SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
SPDX-FileCopyrightText: 2019 Sylvia van Os
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-FileCopyrightText: 2021 Dan Arnfield
SPDX-FileCopyrightText: 2024 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later

78
roles/custom/matrix-coturn/templates/turnserver.conf.j2
View File

@@ -1,78 +0,0 @@
#jinja2: lstrip_blocks: True
{% if matrix_coturn_authentication_method == 'auth-secret' %}
use-auth-secret
static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
userdb=/var/tmp/turnserver.db
{% endif %}
{% if matrix_coturn_authentication_method == 'lt-cred-mech' %}
lt-cred-mech
user={{ matrix_coturn_lt_cred_mech_username }}:{{ matrix_coturn_lt_cred_mech_password }}
{% endif %}
realm={{ matrix_coturn_realm }}
min-port={{ matrix_coturn_turn_udp_min_port }}
max-port={{ matrix_coturn_turn_udp_max_port }}
{% for ip in matrix_coturn_turn_external_ip_addresses %}
external-ip={{ ip }}
{% endfor %}
log-file=stdout
pidfile=/var/tmp/turnserver.pid
no-cli
{% if matrix_coturn_tls_enabled %}
cert={{ matrix_coturn_tls_cert_path }}
pkey={{ matrix_coturn_tls_key_path }}
{% if not matrix_coturn_tls_v1_enabled %}
no-tlsv1
{% endif %}
{% if not matrix_coturn_tls_v1_1_enabled %}
no-tlsv1_1
{% endif %}
{% else %}
no-tls
no-dtls
{% endif %}
prod
{% if matrix_coturn_no_tcp_relay_enabled %}
no-tcp-relay
{% endif %}
{% if matrix_coturn_no_rfc5780_enabled %}
no-rfc5780
{% endif %}
{% if matrix_coturn_no_stun_backward_compatibility_enabled %}
no-stun-backward-compatibility
{% endif %}
{% if matrix_coturn_response_origin_only_with_rfc5780_enabled %}
response-origin-only-with-rfc5780
{% endif %}
{% if matrix_coturn_user_quota != None %}
user-quota={{ matrix_coturn_user_quota }}
{% endif %}
{% if matrix_coturn_total_quota != None %}
total-quota={{ matrix_coturn_total_quota }}
{% endif %}
{% if matrix_coturn_no_multicast_peers_enabled %}
no-multicast-peers
{% endif %}
{% for ip_range in matrix_coturn_denied_peer_ips %}
denied-peer-ip={{ ip_range }}
{% endfor %}
{% for ip_range in matrix_coturn_allowed_peer_ips %}
allowed-peer-ip={{ ip_range }}
{% endfor %}
{{ matrix_coturn_additional_configuration }}

6
roles/custom/matrix-coturn/templates/turnserver.conf.j2.license
View File

@@ -1,6 +0,0 @@
SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
SPDX-FileCopyrightText: 2019 Stuart Mumford
SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
SPDX-License-Identifier: AGPL-3.0-or-later

21
roles/custom/matrix-coturn/vars/main.yml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
matrix_coturn_turn_uris: |-
{{
([
'turns:' + matrix_coturn_hostname + '?transport=udp',
'turns:' + matrix_coturn_hostname + '?transport=tcp',
] if matrix_coturn_tls_enabled else [])
+
([
'turn:' + matrix_coturn_hostname + '?transport=udp',
] if (matrix_coturn_container_stun_plain_host_bind_port_udp != '' or matrix_coturn_container_network == 'host') else [])
+
([
'turn:' + matrix_coturn_hostname + '?transport=tcp',
] if (matrix_coturn_container_stun_plain_host_bind_port_tcp != '' or matrix_coturn_container_network == 'host') else [])
}}

10
roles/custom/matrix-media-repo/defaults/main.yml
View File

@@ -414,8 +414,9 @@ matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere"
# thumbnails and other misc data is also stored in these places. The media repo, when looking
# for a datastore to use, will always use the smallest datastore first.
# ID for the file datastore (cannot change). Alphanumeric recommended.
matrix_media_repo_datastore_file_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'filestore.db', rounds=655555) | to_uuid }}"
# ID for the file datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
matrix_media_repo_datastore_file_id: ""
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote
@@ -434,8 +435,9 @@ matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "loca
# Path to datastore, relative to matrix-media-repo directory root
matrix_media_repo_datastore_opts_path: "/data/media"
# ID for the s3 datastore (cannot change). Alphanumeric recommended.
matrix_media_repo_datastore_s3_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 's3store.db', rounds=655555) | to_uuid }}"
# ID for the S3 datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
matrix_media_repo_datastore_s3_id: ""
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote

2
roles/custom/matrix-media-repo/tasks/validate_config.yml
View File

@@ -15,6 +15,8 @@
- {'name': 'matrix_media_repo_database_hostname', when: true}
- {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"}
- {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"}
- {'name': 'matrix_media_repo_datastore_file_id', when: "{{ (matrix_media_repo_datastore_file_for_kinds | length) > 0 }}"}
- {'name': 'matrix_media_repo_datastore_s3_id', when: "{{ (matrix_media_repo_datastore_s3_for_kinds | length) > 0 }}"}
- name: (Deprecation) Catch and report renamed matrix-media-repo settings
ansible.builtin.fail:

65
roles/custom/matrix-synapse/defaults/main.yml
View File

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
matrix_synapse_github_org_and_repo: element-hq/synapse
# renovate: datasource=docker depName=ghcr.io/element-hq/synapse
matrix_synapse_version: v1.146.0
matrix_synapse_version: v1.147.0
matrix_synapse_username: ''
matrix_synapse_uid: ''
@@ -322,6 +322,22 @@ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: ''
# another.label="here"
matrix_synapse_container_labels_additional_labels: ''
# Specifies how often the container health check will run.
#
# The Synapse container image ships with a default HEALTHCHECK (curl to /health)
# with an interval of 15s, timeout of 5s, and start period of 5s.
#
# For Traefik-based setups, it's important that the interval is short,
# because the interval value also specifies the "initial wait time".
# This is a Docker (moby) bug: https://github.com/moby/moby/issues/33410
# Without a successful healthcheck, Traefik will not register the service for reverse-proxying.
# A shorter interval also lets our systemd ExecStartPost health check
# (see matrix_synapse_systemd_healthcheck_enabled) detect readiness faster at startup.
#
# For non-Traefik setups, we use the default healthcheck interval (15s) to decrease overhead.
matrix_synapse_container_health_interval_seconds: "{{ 5 if matrix_synapse_container_labels_traefik_enabled else 15 }}"
matrix_synapse_container_health_interval: "{{ matrix_synapse_container_health_interval_seconds }}s"
# A list of extra arguments to pass to the container
# Also see `matrix_synapse_container_arguments`
matrix_synapse_container_extra_arguments: []
@@ -358,14 +374,37 @@ matrix_synapse_goofys_systemd_required_services_list_default: "{{ [devture_syste
matrix_synapse_goofys_systemd_required_services_list_auto: []
matrix_synapse_goofys_systemd_required_services_list_custom: []
# Controls how long to sleep for after starting the matrix-synapse container.
#
# Delaying, so that the homeserver can manage to fully start and various services
# that depend on it (`matrix_synapse_systemd_required_services_list` and `matrix_synapse_systemd_wanted_services_list`)
# may only start after the homeserver is up and running.
#
# This can be set to 0 to remove the delay.
matrix_synapse_systemd_service_post_start_delay_seconds: 10
# Controls the post-start health check in the systemd service.
# When enabled, ExecStartPost polls Docker's container health status via `docker inspect`,
# keeping the service in "activating (start-post)" state until Synapse is ready.
# Services with After=matrix-synapse.service will properly wait.
# This relies on the container image's built-in HEALTHCHECK (curl to /health),
# with the interval controlled by matrix_synapse_container_health_interval.
matrix_synapse_systemd_healthcheck_enabled: true
matrix_synapse_systemd_healthcheck_max_retries: 60
matrix_synapse_systemd_healthcheck_interval_seconds: 1
# The command used for the health check in ExecStartPost.
# Polls `docker inspect` for the container's health status until it reports "healthy".
matrix_synapse_systemd_healthcheck_command: >-
{{ devture_systemd_docker_base_host_command_sh }} -c
'for i in $(seq 1 {{ matrix_synapse_systemd_healthcheck_max_retries }}); do
echo "[Attempt $i/{{ matrix_synapse_systemd_healthcheck_max_retries }}] Synapse systemd health check: checking container health status..";
status=$( {{ devture_systemd_docker_base_host_command_docker }} inspect --format={{ '"{{' }}.State.Health.Status{{ '}}"' }} matrix-synapse 2>/dev/null);
if [ "$status" = "healthy" ]; then echo "[Attempt $i/{{ matrix_synapse_systemd_healthcheck_max_retries }}] Synapse systemd health check: passed" && exit 0; fi;
echo "[Attempt $i/{{ matrix_synapse_systemd_healthcheck_max_retries }}] Synapse systemd health check: not ready yet (status: $status), retrying in {{ matrix_synapse_systemd_healthcheck_interval_seconds }}s..";
sleep {{ matrix_synapse_systemd_healthcheck_interval_seconds }};
done; echo "[Attempt $i/{{ matrix_synapse_systemd_healthcheck_max_retries }}] Synapse systemd health check: failed after {{ matrix_synapse_systemd_healthcheck_max_retries }} attempts"; exit 1'
# Controls how long to sleep for after the systemd health check passes.
# Even after Synapse is healthy, the reverse proxy (e.g. Traefik) needs time to discover
# the container and register its routes. Traefik waits `providers.providersThrottleDuration`
# (see https://doc.traefik.io/traefik/v3.3/providers/overview/#providersprovidersthrottleduration)
# before applying new configuration from Docker events.
# Without this delay, services depending on Synapse may encounter 404 errors
# when connecting through the reverse proxy.
# This value is meant to be wired to the Traefik throttle duration by the playbook's group vars.
matrix_synapse_systemd_service_post_start_delay_seconds: 0
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.13/site-packages"
@@ -1503,6 +1542,14 @@ matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0
# This is a systemd timer OnCalendar definition. Learn more here: https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule: '*-*-* 05:00:00'
# List of systemd services that matrix-synapse-s3-storage-provider-migrate.service requires.
# We only depend on matrix-synapse.service here, because its own dependencies (Postgres, Docker, etc.)
# are transitively resolved by systemd.
matrix_synapse_ext_synapse_s3_storage_provider_migrate_systemd_required_services_list: ['matrix-synapse.service']
# List of systemd services that matrix-synapse-s3-storage-provider-migrate.service wants
matrix_synapse_ext_synapse_s3_storage_provider_migrate_systemd_wanted_services_list: []
# Synapse module to automatically accept room invites.
#
# Since Synapse v1.109.0 (https://github.com/element-hq/synapse/pull/17147),

9
roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2
View File

@@ -1,5 +1,14 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Migrates locally-stored Synapse media store files to S3
{% for service in matrix_synapse_ext_synapse_s3_storage_provider_migrate_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_synapse_ext_synapse_s3_storage_provider_migrate_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=oneshot

7
roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
View File

@@ -33,6 +33,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--network={{ matrix_synapse_container_network }} \
--health-interval={{ matrix_synapse_container_health_interval }} \
{% if matrix_synapse_container_client_api_host_bind_port %}
-p {{ matrix_synapse_container_client_api_host_bind_port }}:{{ matrix_synapse_container_client_api_port }} \
{% endif %}
@@ -69,8 +70,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network conne
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse
{% if matrix_synapse_systemd_healthcheck_enabled %}
ExecStartPost={{ matrix_synapse_systemd_healthcheck_command }}
{% endif %}
{% if matrix_synapse_systemd_service_post_start_delay_seconds > 0 %}
ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_synapse_systemd_service_post_start_delay_seconds }}
ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_synapse_systemd_service_post_start_delay_seconds }}
{% endif %}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-synapse 2>/dev/null || true'

10
roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_conduwuit.yml
View File

@@ -1,10 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure conduwuit user registered - {{ user.username | quote }}
ansible.builtin.debug:
msg: "Not registering user. To register conduwuit users, message the conduwuit bot"

36
roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml
View File

@@ -4,9 +4,9 @@
---
- name: Ensure Synapse user registered - {{ user.username | quote }}
ansible.builtin.command:
cmd: |-
- name: Build Synapse user registration command - {{ user.username | quote }}
ansible.builtin.set_fact:
matrix_synapse_register_user_command: |-
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse
register_new_matrix_user
-u {{ user.username | quote }}
@@ -21,6 +21,34 @@
{% endif %}
{% endif %}
http://localhost:{{ matrix_synapse_container_client_api_port }}
- name: Ensure Synapse user registered - {{ user.username | quote }}
ansible.builtin.command:
cmd: "{{ matrix_synapse_register_user_command }}"
register: matrix_synapse_register_user_result
changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
failed_when: >-
matrix_synapse_register_user_result.rc != 0
and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
and 'HMAC incorrect' not in matrix_synapse_register_user_result.stdout
and 'Connection refused' not in matrix_synapse_register_user_result.stderr | default('')
- when: >-
'HMAC incorrect' in matrix_synapse_register_user_result.stdout | default('')
or 'Connection refused' in matrix_synapse_register_user_result.stderr | default('')
block:
- name: Restart Synapse due to registration failure (likely a registration_shared_secret or DB credentials change)
ansible.builtin.service:
name: "matrix-synapse.service"
state: restarted
- name: Wait for Synapse to start after restart
ansible.builtin.pause:
seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
- name: Retry Synapse user registration - {{ user.username | quote }}
ansible.builtin.command:
cmd: "{{ matrix_synapse_register_user_command }}"
register: matrix_synapse_register_user_result
changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout

30
roles/custom/matrix_playbook_migration/tasks/validate_config.yml
View File

@@ -80,6 +80,11 @@
- {'old': 'cinny_docker_image_registry_prefix_upstream', 'new': 'cinny_container_image_registry_prefix_upstream'}
- {'old': 'cinny_docker_image_registry_prefix_upstream_default', 'new': 'cinny_container_image_registry_prefix_upstream_default'}
- {'old': 'coturn_docker_image', 'new': 'coturn_container_image'}
- {'old': 'coturn_docker_image_registry_prefix', 'new': 'coturn_container_image_registry_prefix'}
- {'old': 'coturn_docker_image_registry_prefix_upstream', 'new': 'coturn_container_image_registry_prefix_upstream'}
- {'old': 'coturn_docker_image_registry_prefix_upstream_default', 'new': 'coturn_container_image_registry_prefix_upstream_default'}
- {'old': 'ddclient_docker_image', 'new': 'ddclient_container_image'}
- {'old': 'ddclient_docker_image_registry_prefix', 'new': 'ddclient_container_image_registry_prefix'}
- {'old': 'ddclient_docker_image_registry_prefix_upstream', 'new': 'ddclient_container_image_registry_prefix_upstream'}
@@ -595,6 +600,31 @@
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-coturn variables
ansible.builtin.fail:
msg: |-
The matrix-coturn role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-coturn).
The new role is pretty much the same, but uses differently named variables.
Please rename all `matrix_coturn_`-prefixed variables (`matrix_coturn_*` -> `coturn_*`) on your configuration file (vars.yml).
After renaming them, please do not forget to fetch the Ansible role. See docs/maintenance-upgrading-services.md for details about how to do so.
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_coturn_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_coturn_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-conduwuit variables
ansible.builtin.fail:
msg: |-
matrix-conduwuit was completely removed from the playbook in February 2026.
Please remove all `matrix_conduwuit*` variables from your configuration file (vars.yml).
You may wish to migrate to Continuwuity, a drop-in replacement for conduwuit. See `docs/configuring-playbook-continuwuity.md` for more information.
The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_conduwuit.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_conduwuit.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-dynamic-dns variables
ansible.builtin.fail:
msg: |-

3
setup.yml
View File

@@ -97,7 +97,6 @@
- custom/matrix-synapse-reverse-proxy-companion
- custom/matrix-dendrite
- custom/matrix-conduit
- custom/matrix-conduwuit
- custom/matrix-continuwuity
- custom/matrix-synapse-admin
- custom/matrix-synapse-usage-exporter
@@ -121,7 +120,7 @@
- custom/matrix-sygnal
- galaxy/ntfy
- custom/matrix-static-files
- custom/matrix-coturn
- galaxy/coturn
- custom/matrix-media-repo
- custom/matrix-pantalaimon