iartamonov/matrix-docker-ansible-deploy
1
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2026-04-13 17:25:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: iartamonov:synapse-user-register-wait-for
Branches Tags
iartamonov:master iartamonov:create-pull-request/i18n iartamonov:migration-validation-system iartamonov:copilot/update-exim-relay-docs iartamonov:renovate/matrixdotorg-sygnal-0.x iartamonov:synapse-user-register-wait-for iartamonov:remove-zulip-bridge iartamonov:stabilize-mas iartamonov:element-call-stack iartamonov:element-call-integration iartamonov:synapse-cache-tuning iartamonov:HarHarLinks/hookshot-encryption
..
compare: iartamonov:409c7393a04126341dc4beb7b14590313fcf5e9e
Branches Tags
iartamonov:master iartamonov:create-pull-request/i18n iartamonov:migration-validation-system iartamonov:copilot/update-exim-relay-docs iartamonov:renovate/matrixdotorg-sygnal-0.x iartamonov:synapse-user-register-wait-for iartamonov:remove-zulip-bridge iartamonov:stabilize-mas iartamonov:element-call-stack iartamonov:element-call-integration iartamonov:synapse-cache-tuning iartamonov:HarHarLinks/hookshot-encryption

20 Commits
synapse-us ... 409c7393a0

Author SHA1 Message Date
renovate[bot]
409c7393a0 chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.147.1 2026-02-12 20:12:35 +02:00
Suguru Hirahara
a4c40979d2 Remove Dimension (#4916) 
* Remove roles/custom/matrix-dimension

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove mentions to Dimension

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update configuring-playbook-dimension.md

Reuse 0f5015a33c/docs/configuring-playbook-bridge-mx-puppet-twitter.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update validate_config.yml

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update CHANGELOG.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

---------

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
 2026-02-12 20:05:51 +02:00
Suguru Hirahara
0f5015a33c Merge pull request #4915 from luixxiul/hydrogen 
Relocate Hydrogen to MASH organization
 2026-02-12 15:00:21 +02:00
Slavi Pantaleev
47bf99af7a Merge pull request #4914 from krejcar25/fix/matrix_synapse_wait_seconds_type 
Fix regression introduced in a77a875
 2026-02-12 12:31:03 +02:00
Slavi Pantaleev
0b5ef18d1c Upgrade systemd_service_manager (v2.0.0-1 -> v2.0.0-2) 2026-02-12 09:41:19 +02:00
Amélie-Laura Lilith Krejčí
81b90a7089 Fix regression introduced in a77a875 
matrix_synapse_systemd_service_post_start_delay_seconds is assigned a string value, and setup fails while creating the service file. It is impossible to compare str and int.
 2026-02-12 02:26:44 +01:00
Slavi Pantaleev
014380eecd Upgrade Traefik (v3.6.8-1 -> v3.6.8-2) 2026-02-12 01:04:06 +02:00
Slavi Pantaleev
a77a8753d9 Derive Synapse post-start delay from Traefik's providersThrottleDuration 
After Synapse's systemd health check passes, Traefik still needs
providers.providersThrottleDuration to register routes. Derive the
post-start delay from this setting (+1s for healthcheck polling gap)
instead of using a hardcoded value. Defaults to 0 when no Traefik
reverse proxy is used.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 00:54:46 +02:00
Slavi Pantaleev
9569633164 Upgrade Traefik (v3.6.8-0 -> v3.6.8-1) 2026-02-12 00:48:13 +02:00
Slavi Pantaleev
9d9e9e9177 Use docker inspect for Synapse systemd health check and lower health interval 
Switch the systemd ExecStartPost health check from docker exec + curl
to polling docker inspect for container health status. This piggybacks
on the container image's built-in HEALTHCHECK instead of duplicating it.

Also add a configurable container health interval (5s for Traefik setups,
15s otherwise) to speed up startup readiness detection without affecting
non-Traefik deployments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 00:13:02 +02:00
Slavi Pantaleev
bcddeda5df Make traefik-certs-dumper require the Traefik service to avoid race condition 
When both services restart simultaneously (e.g. in all-at-once mode),
Traefik may momentarily truncate or reinitialize acme.json, causing
the certs dumper to read an empty file and panic. By adding
Requires/After on the Traefik service, the certs dumper only starts
after Traefik is fully ready and acme.json is stable.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 00:11:28 +02:00
Slavi Pantaleev
59e70b8ca9 Add systemd-healthcheck to Synapse systemd service in an effort to increase reliability (of Synapse-dependant services) 
Previously, we had a 10-second magical delay.

Now we first do a healthcheck to figure out when it really is up.
Then, we do the same 10-second magical delay to account for the time it
may take for a reverse-proxy (like Traefik) to pick up Synapse's routes.
 2026-02-11 23:32:33 +02:00
Slavi Pantaleev
f8815c0bb9 Upgrade systemd_service_manager (v2.0.0-0 -> v2.0.0-1) 2026-02-11 23:31:13 +02:00
Slavi Pantaleev
2fad873b42 Make addon systemd services depend on the homeserver systemd service as well, not just on Traefik 
Addons typically access the homeserver via Traefik, but requests
ultimately lead to the homeserver and it'd better be up or Traefik would
serve a "404 Not Found" error.

This is an attempt (one of many pieces) to make services more reliable,
especially when `devture_systemd_service_manager_service_restart_mode: all-at-once` is used
(which is the default).
 2026-02-11 23:27:09 +02:00
Slavi Pantaleev
294cd109fd Upgrade Traefik (v3.6.7-1 -> v3.6.8-0) 2026-02-11 23:26:13 +02:00
Slavi Pantaleev
9d6c8eabcb Fix swapped Requires=/Wants= directives in Draupnir and Mjolnir systemd service templates 
Commit 593b3157b ("Fix systemd service Wants for mjolnir and draupnir")
accidentally swapped the variable loops: `systemd_wanted_services_list`
ended up generating `Requires=`/`After=` directives and
`systemd_required_services_list` ended up generating `Wants=` directives —
the opposite of what the variable names mean and how every other
bot/bridge service template in the playbook works.

This caused these bots to only `Wants=` (not `Requires=`/`After=`) their
dependencies like matrix-traefik.service, so systemd didn't guarantee
ordering. During all-at-once restarts, the bots would start before traefik
was ready, fail with DNS resolution errors, and crash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-11 18:54:41 +02:00
Slavi Pantaleev
dd26f8a12a Add systemd dependencies to s3-storage-provider-migrate service 
The migrate service now declares Requires/After on matrix-synapse.service,
ensuring Synapse (and its transitive dependencies like Postgres and Docker)
are running before the migration triggers.
 2026-02-11 16:50:29 +02:00
Suguru Hirahara
7b7b6feb5b Relocate coturn to MASH project (#4906) 
* Fetch ansible-role-coturn from MASH project

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix_coturn" with "coturn"

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "custom/matrix-coturn" with "galaxy/coturn"

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `coturn_identifier`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `coturn_base_path` to matrix_servers for the playbook

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `coturn_uid` and `coturn_gid`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set empty value to `coturn_turn_external_ip_address_auto_detection_echoip_service_url` on main.yml

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `coturn_docker_image_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `coturn_container_image_registry_prefix` to matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix-coturn" with "coturn" on matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace "matrix-coturn" with "coturn"

Keep "matrix-coturn" on documentation as-is, since it is specified so with `coturn_identifier`.

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove roles/custom/matrix-coturn

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update CHANGELOG.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

---------

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
 2026-02-11 15:06:27 +02:00
Suguru Hirahara
fa7b784c5b Remove conduwuit (#4913) 2026-02-11 15:03:56 +02:00
renovate[bot]
15ba65f235 chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.2.11 2026-02-11 11:07:09 +02:00
86 changed files with 417 additions and 4887 deletions
Expand all files Collapse all files

60
CHANGELOG.md
View File

@@ -1,3 +1,41 @@
# 2026-02-12
## Dimension integration manager has been removed from the playbook
The [Dimension integration manager](./docs/configuring-playbook-dimension.md) has been removed from the playbook, as it has been unmaintained.
The playbook will let you know if you're using any `matrix_dimension_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the component manually](./docs/configuring-playbook-dimension.md#uninstalling-the-component-manually).
## (BC Break) Hydrogen role has been relocated and variable names need adjustments
The role for Hydrogen has been relocated to the [mother-of-all-self-hosting](https://github.com/mother-of-all-self-hosting) organization.
Along with the relocation, the `matrix_client_hydrogen_` prefix was dropped from its variable names, so you need to adjust your `vars.yml` configuration.
You need to do the following replacement:
- `matrix_client_hydrogen_` -> `hydrogen_`
As always, the playbook would let you know about this and point out any variables you may have missed.
# 2026-02-11
## (BC Break) coturn role has been relocated and variable names need adjustments
The role for coturn has been relocated to the [mother-of-all-self-hosting](https://github.com/mother-of-all-self-hosting) organization.
Along with the relocation, the `matrix_coturn_` prefix on its variable names has been renamed to `coturn_`, so you need to adjust your `vars.yml` configuration.
As always, the playbook would let you know about this and point out any variables you may have missed.
## conduwuit has been removed from the playbook
[conduwuit](./docs/configuring-playbook-conduwuit.md) has been removed from the playbook, as it has been abandoned.
The playbook will let you know if you're using any `matrix_conduwuit_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the service manually](./docs/configuring-playbook-conduwuit.md#uninstalling-the-service-manually).
Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details.
# 2026-02-09
## (BC Break) matrix-media-repo datastore IDs are now required in `vars.yml`
@@ -314,7 +352,7 @@ In light of this new information, you have 2 options:
- Consider closing the STUN/UDP port with the following configuration:
```yaml
matrix_coturn_container_stun_plain_host_bind_port_udp: ""
coturn_container_stun_plain_host_bind_port_udp: ""
```
- Consider keeping `3478/udp` blocked in your external firewall (if you have one)
@@ -375,11 +413,11 @@ The playbook now **only exposes the Coturn STUN port (`3478`) over TCP by defaul
If you'd like the Coturn STUN port to be exposed over UDP like before, you can revert to the previous behavior by using the following configuration in your `vars.yml` file:
```yaml
matrix_coturn_container_stun_plain_host_bind_port_udp: "3478"
coturn_container_stun_plain_host_bind_port_udp: "3478"
```
> [!WARNING]
> People running Coturn directly on the `host` network (using `matrix_coturn_container_network: host`) will still have the STUN port exposed over UDP, as port exposure is done directly via Coturn and not via Docker. In such cases, the playbook cannot prevent `3478/udp` port exposure and you'd need to do it in another way (separate firewall rule, etc).
> People running Coturn directly on the `host` network (using `coturn_container_network: host`) will still have the STUN port exposed over UDP, as port exposure is done directly via Coturn and not via Docker. In such cases, the playbook cannot prevent `3478/udp` port exposure and you'd need to do it in another way (separate firewall rule, etc).
# 2025-02-17
@@ -1722,12 +1760,12 @@ Other roles which aren't strictly related to Matrix are likely to follow this fa
## coturn can now use host-networking
Large coturn deployments (with a huge range of ports specified via `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow coturn service startup and shutdown.
Large coturn deployments (with a huge range of ports specified via `coturn_turn_udp_min_port` and `coturn_turn_udp_max_port`) experience a huge slowdown with how Docker publishes all these ports (setting up firewall forwarding rules), which leads to a very slow coturn service startup and shutdown.
Such deployments don't need to run coturn within a private container network anymore. coturn can now run with host-networking by using configuration like this:
```yaml
matrix_coturn_container_network: host
coturn_container_network: host
```
With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time coturn starts and stops. This, however, means that **you will need to ensure these ports are open** in your firewall yourself.
@@ -1736,11 +1774,11 @@ Thanks to us [tightening coturn security](#backward-compatibility-tightening-cot
## (Backward Compatibility) Tightening coturn security can lead to connectivity issues
**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default coturn blocklists. They may need to override `matrix_coturn_denied_peer_ips` and remove some IP ranges from it.
**TLDR**: users who run and access their Matrix server on a private network (likely a small minority of users) may experience connectivity issues with our new default coturn blocklists. They may need to override `coturn_denied_peer_ips` and remove some IP ranges from it.
Inspired by [this security article](https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/), we've decided to make use of coturn's `denied-peer-ip` functionality to prevent relaying network traffic to certain private IP subnets. This ensures that your coturn server won't accidentally try to forward traffic to certain services running on your local networks. We run coturn in a container and in a private container network by default, which should prevent such access anyway, but having additional block layers in place is better.
If you access your Matrix server from a local network and need coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `matrix_coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it.
If you access your Matrix server from a local network and need coturn to relay to private IP addresses, you may observe that relaying is now blocked due to our new default `denied-peer-ip` lists (specified in `coturn_denied_peer_ips`). If you experience such connectivity problems, consider overriding this setting in your `vars.yml` file and removing certain networks from it.
We've also added `no-multicast-peers` to the default coturn configuration, but we don't expect this to cause trouble for most people.
@@ -2526,8 +2564,8 @@ To improve security, we've [removed TLSv1 and TLSv1.1 support](https://github.co
If you need to support old clients, you can re-enable both (or whichever one you need) with the following configuration:
```yaml
matrix_coturn_tls_v1_enabled: true
matrix_coturn_tls_v1_1_enabled: true
coturn_tls_v1_enabled: true
coturn_tls_v1_1_enabled: true
```
@@ -3806,7 +3844,7 @@ Because people like using the playbook's components independently (outside of th
With the new changes, **all roles are now only dependent on the minimal `matrix-base` role**. They are no longer dependent among themselves.
In addition, the following components can now be completely disabled (for those who want/need to):
- `matrix-coturn` by using `matrix_coturn_enabled: false`
- `matrix-coturn` by using `coturn_enabled: false`
- `matrix-mailer` by using `matrix_mailer_enabled: false`
- `matrix-postgres` by using `matrix_postgres_enabled: false`
@@ -4026,7 +4064,7 @@ The following playbook variables were renamed:
- from `matrix_docker_image_mautrix_telegram` to `matrix_mautrix_telegram_docker_image`
- from `matrix_docker_image_mautrix_whatsapp` to `matrix_mautrix_whatsapp_docker_image`
- from `matrix_docker_image_mailer` to `matrix_mailer_docker_image`
- from `matrix_docker_image_coturn` to `matrix_coturn_docker_image`
- from `matrix_docker_image_coturn` to `coturn_container_image`
- from `matrix_docker_image_goofys` to `matrix_s3_goofys_docker_image`
- from `matrix_docker_image_riot` to `matrix_riot_web_docker_image`
- from `matrix_docker_image_nginx` to `matrix_nginx_proxy_docker_image`

3
README.md
View File

@@ -52,8 +52,7 @@ The homeserver is the backbone of your Matrix system. Choose one from the follow
| ---- | -------- | ----------- | ------------- |
| [Synapse](https://github.com/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) |
| [Conduit](https://conduit.rs) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) |
| [conduwuit](https://conduwuit.puppyirl.gay/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit is a fork of Conduit. | [Link](docs/configuring-playbook-conduwuit.md) |
| [continuwuity](https://continuwuity.org) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. | [Link](docs/configuring-playbook-continuwuity.md) |
| [continuwuity](https://continuwuity.org) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. | [Link](docs/configuring-playbook-continuwuity.md) |
| [Dendrite](https://github.com/element-hq/dendrite) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) |
### Clients

12
docs/configuring-playbook-client-hydrogen.md
View File

@@ -24,22 +24,22 @@ When setting, replace `example.com` with your own.
To enable Hydrogen, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_client_hydrogen_enabled: true
hydrogen_enabled: true
```
### Adjusting the Hydrogen URL (optional)
By tweaking the `matrix_client_hydrogen_hostname` and `matrix_client_hydrogen_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one.
By tweaking the `hydrogen_hostname` and `hydrogen_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one.
Example additional configuration for your `vars.yml` file:
```yaml
# Switch to the domain used for Matrix services (`matrix.example.com`),
# so we won't need to add additional DNS records for Hydrogen.
matrix_client_hydrogen_hostname: "{{ matrix_server_fqn_matrix }}"
hydrogen_hostname: "{{ matrix_server_fqn_matrix }}"
# Expose under the /hydrogen subpath
matrix_client_hydrogen_path_prefix: /hydrogen
hydrogen_path_prefix: /hydrogen
```
After changing the domain, **you may need to adjust your DNS** records to point the Hydrogen domain to the Matrix server.
@@ -52,8 +52,8 @@ There are some additional things you may wish to configure about the client.
Take a look at:
- `roles/custom/matrix-client-hydrogen/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/custom/matrix-client-hydrogen/templates/config.json.j2` for the client's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_client_hydrogen_configuration_extension_json` variable
- `roles/galaxy/hydrogen/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/galaxy/hydrogen/templates/config.json.j2` for the client's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `hydrogen_configuration_extension_json` variable
## Installing

2
docs/configuring-playbook-conduit.md
View File

@@ -13,8 +13,6 @@ See the project's [documentation](https://docs.conduit.rs/) to learn what it doe
By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
💡 **Note**: The playbook also supports installing a (currently) faster-moving Conduit fork called [conduwuit](./configuring-playbook-conduwuit.md).
> [!WARNING]
> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Conduit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.
> - **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding

115
docs/configuring-playbook-conduwuit.md
View File

@@ -1,106 +1,45 @@
<!--
SPDX-FileCopyrightText: 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2019 Eduardo Beltrame
SPDX-FileCopyrightText: 2019-2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Tulir Asokan
SPDX-FileCopyrightText: 2021, 2024 MDAD project contributors
SPDX-FileCopyrightText: 2022 Dennis Ciba
SPDX-FileCopyrightText: 2022 Vladimir Panteleev
SPDX-FileCopyrightText: 2023 Justin Croonenberghs
SPDX-FileCopyrightText: 2023 Kuba Orlik
SPDX-FileCopyrightText: 2023 Pierre 'McFly' Marty
SPDX-FileCopyrightText: 2023 Samuel Meenzen
SPDX-FileCopyrightText: 2024 Fabio Bonelli
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
# Configuring conduwuit (optional)
# Configuring conduwuit (optional, removed)
The playbook can install and configure the [conduwuit](https://conduwuit.puppyirl.gay/) Matrix server for you.
🪦 The playbook used to be able to install and configure the [conduwuit](https://conduwuit.puppyirl.gay/) Matrix server, but no longer includes this component, as it's been abandoned and unmaintained.
See the project's [documentation](https://conduwuit.puppyirl.gay/) to learn what it does and why it might be useful to you.
## Uninstalling the service manually
By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
If you still have conduwuit installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually.
💡 **Note**: conduwuit is a fork of [Conduit](./configuring-playbook-conduit.md), which the playbook also supports. See [Differences from upstream Conduit](https://conduwuit.puppyirl.gay/differences.html).
To uninstall the service, run the command below on the server:
> [!WARNING]
> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> conduwuit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.
> - **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding
> - **the Conduwuit project appears to have been abandoned**. You may wish to install [Conduit](./configuring-playbook-conduit.md), or one of the Conduwuit successors (like [Continuwuity](configuring-playbook-continuwuity.md))
## Adjusting the playbook configuration
To use conduwuit, you **generally** need to adjust the `matrix_homeserver_implementation: synapse` configuration on your `inventory/host_vars/matrix.example.com/vars.yml` file as below:
```yaml
matrix_homeserver_implementation: conduwuit
# Registering users can only happen via the API,
# so it makes sense to enable it, at least initially.
matrix_conduwuit_config_allow_registration: true
# Generate a strong registration token to protect the registration endpoint from abuse.
# You can create one with a command like `pwgen -s 64 1`.
matrix_conduwuit_config_registration_token: ''
```sh
systemctl disable --now matrix-conduwuit.service
```
### Extending the configuration
## Migrating to Continuwuity
There are some additional things you may wish to configure about the server.
Since [Continuwuity](configuring-playbook-continuwuity.md) is a drop-in replacement for conduwuit, migration is possible. Please refer to [this section](./configuring-playbook-continuwuity.md#migrating-from-conduwuit) for details.
Take a look at:
## Removing data manually
- `roles/custom/matrix-conduwuit/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2` for the server's default configuration
If you are not going to migrate to [Continuwuity](configuring-playbook-continuwuity.md), you can remove data by running the command on the server:
There are various Ansible variables that control settings in the `conduwuit.toml` file.
If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://conduwuit.puppyirl.gay/configuration.html#environment-variables) using `matrix_conduwuit_environment_variables_extension`. For example:
```yaml
matrix_conduwuit_environment_variables_extension: |
CONDUWUIT_MAX_REQUEST_SIZE=50000000
CONDUWUIT_REQUEST_TIMEOUT=60
```sh
rm -rf /matrix/conduwuit
```
## Creating the first user account
Unlike other homeserver implementations (like Synapse and Dendrite), conduwuit does not support creating users via the command line or via the playbook.
If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token.
This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users.
The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**.
## Configuring bridges / appservices
For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver.
For conduwuit, you will have to manually register appservices using the [`!admin appservices register` command](https://conduwuit.puppyirl.gay/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account.
The server's bot account has a Matrix ID of `@conduit:example.com` (not `@conduwuit:example.com`!) due to conduwuit's historical legacy.
Your first user account would already have been invited to an admin room with this bot.
Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`.
Then, send its content to the existing admin room:
!admin appservices register
```
as_token: <token>
de.sorunome.msc2409.push_ephemeral: true
receive_ephemeral: true
hs_token: <token>
id: signal
namespaces:
aliases:
- exclusive: true
regex: ^#signal_.+:example\.org$
users:
- exclusive: true
regex: ^@signal_.+:example\.org$
- exclusive: true
regex: ^@signalbot:example\.org$
rate_limited: false
sender_localpart: _bot_signalbot
url: http://matrix-mautrix-signal:29328
```
## Troubleshooting
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-conduwuit`.
>[!WARNING]
> Once you removing the path, there is no going back. Your data on the homeserver (including chat history, rooms, etc.) will be deleted and not be possible to restore them. Please be certain.

2
docs/configuring-playbook-continuwuity.md
View File

@@ -13,7 +13,7 @@ See the project's [documentation](https://continuwuity.org) to learn what it doe
By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook also supports.
💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook has supported.
> [!WARNING]
> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Continuwuity). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.

141
docs/configuring-playbook-dimension.md
View File

@@ -1,144 +1,33 @@
<!--
SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 - 2025 MDAD project contributors
SPDX-FileCopyrightText: 2019 Edgars Voroboks
SPDX-FileCopyrightText: 2019 Eduardo Beltrame
SPDX-FileCopyrightText: 2019-2025 MDAD project contributors
SPDX-FileCopyrightText: 2019-2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-FileCopyrightText: 2020 Tulir Asokan
SPDX-FileCopyrightText: 2020 jens quade
SPDX-FileCopyrightText: 2022 Dennis Ciba
SPDX-FileCopyrightText: 2022 Kim Brose
SPDX-FileCopyrightText: 2022 Travis Ralston
SPDX-FileCopyrightText: 2022 Vladimir Panteleev
SPDX-FileCopyrightText: 2022 Yan Minagawa
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
# Setting up Dimension integration manager (optional, unmaintained)
# Setting up Dimension integration manager (optional, removed)
**Notes**:
- Dimension is **[officially unmaintained](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2806#issuecomment-1673559299)**. We recommend not bothering with installing it.
- This playbook now supports running Dimension in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_homeserver_federation_enabled`.
🪦 The playbook used to be able to install and configure [Dimension](https://dimension.t2bot.io) integration manager, but no longer includes this component, as it has been unmaintained.
The playbook can install and configure the [Dimension](https://dimension.t2bot.io) integration manager for you.
## Uninstalling the component manually
See the project's [documentation](https://github.com/turt2live/matrix-dimension/blob/master/README.md) to learn what it does and why it might be useful to you.
## Prerequisites
### Open Matrix Federation port
Enabling the Dimension service will automatically reconfigure your Synapse homeserver to expose the `openid` API endpoints on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. If you enable the component, make sure that the port is accessible.
### Install Matrix services
Dimension can only be installed after Matrix services are installed and running. If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) and come back here later.
### Register a dedicated Matrix user (optional, recommended)
We recommend that you create a dedicated Matrix user for Dimension (`dimension` is a good username).
Generate a strong password for the user. You can create one with a command like `pwgen -s 64 1`.
You can use the playbook to [register a new user](registering-users.md):
If you still have the Dimension integration manager installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:
```sh
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=dimension password=PASSWORD_FOR_THE_USER admin=no' --tags=register-user
systemctl disable --now matrix-dimension.service
rm -rf /matrix/dimension
/matrix/postgres/bin/cli-non-interactive -c 'DROP DATABASE matrix_dimension;'
```
### Obtain an access token
Dimension requires an access token to be able to connect to your homeserver. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
> [!WARNING]
> Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.
## Adjusting DNS records
By default, this playbook installs Dimension on the `dimension.` subdomain (`dimension.example.com`) and requires you to create a CNAME record for `dimension`, which targets `matrix.example.com`.
When setting, replace `example.com` with your own.
## Adjusting the playbook configuration
To enable Dimension, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `ACCESS_TOKEN_HERE` with the one created [above](#obtain-an-access-token).
```yaml
matrix_dimension_enabled: true
matrix_dimension_access_token: "ACCESS_TOKEN_HERE"
```
### Define admin users
To define admin users who can modify the integrations this Dimension supports, add the following configuration to your `vars.yml` file:
```yaml
matrix_dimension_admins:
- "@alice:{{ matrix_domain }}"
- "@bob:{{ matrix_domain }}"
```
The admin interface is accessible within Element Web by accessing it in any room and clicking the cog wheel/settings icon in the top right. Currently, Dimension can be opened in Element Web by the "Add widgets, bridges, & bots" link in the room information.
### Adjusting the Dimension URL (optional)
By tweaking the `matrix_dimension_hostname` and `matrix_dimension_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one.
Example additional configuration for your `vars.yml` file:
```yaml
# Switch to the domain used for Matrix services (`matrix.example.com`),
# so we won't need to add additional DNS records for Dimension.
matrix_dimension_hostname: "{{ matrix_server_fqn_matrix }}"
# Expose under the /dimension subpath
# matrix_dimension_path_prefix: /dimension
```
After changing the domain, **you may need to adjust your DNS** records to point the Dimension domain to the Matrix server.
If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration.
**Note**: while there is a `matrix_dimension_path_prefix` variable for changing the path where Dimension is served, overriding it is not possible due to [this Dimension issue](https://github.com/turt2live/matrix-dimension/issues/510). You'd need to serve Dimension at a dedicated subdomain.
### Extending the configuration
There are some additional things you may wish to configure about the component.
Take a look at:
- `roles/custom/matrix-dimension/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/custom/matrix-dimension/templates/config.yaml.j2` for the component's default configuration. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_dimension_configuration_extension_yaml` variable
You can find all configuration options on [GitHub page of Dimension project](https://github.com/turt2live/matrix-dimension/blob/master/config/default.yaml).
## Installing
After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:
<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
```sh
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
**Notes**:
- The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
## Usage
After Dimension has been installed you may need to log out and log back in for it to pick up the new integration manager. Then you can access integrations in Element Web by opening a room, clicking the room info button (`i`) on the top right corner, and then clicking the "Add widgets, bridges, & bots" link.
### Set up a Jitsi widget
By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance.
To set up the widget, an admin user needs to configure the domain via the admin UI once Dimension is running. In Element Web, go to *Manage Integrations**Settings**Widgets**Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately.
There is unfortunately no way to configure the widget via the playbook. See [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details.
## Troubleshooting
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-dimension`.

2
docs/configuring-playbook-federation.md
View File

@@ -44,7 +44,7 @@ matrix_homeserver_federation_enabled: false
With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.
**Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use:
**Disabling federation does not necessarily disable the federation port** (`8448`). Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use:
```yaml
matrix_homeserver_federation_enabled: false

24
docs/configuring-playbook-turn.md
View File

@@ -26,10 +26,10 @@ In the `hosts` file we explicitly ask for your server's external IP address when
If you'd rather use a local IP for `ansible_host`, add the following configuration to your `vars.yml` file. Make sure to replace `YOUR_PUBLIC_IP` with the pubic IP used by the server.
```yaml
matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
```
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
>[!NOTE]
> You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
@@ -37,8 +37,8 @@ If you'd like to rely on external IP address auto-detection (not recommended unl
If your server has multiple external IP addresses, the coturn role offers a different variable for specifying them:
```yaml
# Note: matrix_coturn_turn_external_ip_addresses is different than matrix_coturn_turn_external_ip_address
matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']
# Note: coturn_turn_external_ip_addresses is different than coturn_turn_external_ip_address
coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']
```
### Change the authentication mechanism (optional)
@@ -48,7 +48,7 @@ The playbook uses the [`auth-secret` authentication method](https://github.com/c
To do so, add the following configuration to your `vars.yml` file:
```yaml
matrix_coturn_authentication_method: lt-cred-mech
coturn_authentication_method: lt-cred-mech
```
Regardless of the selected authentication method, the playbook generates secrets automatically and passes them to the homeserver and coturn.
@@ -62,7 +62,7 @@ By default, Coturn uses the same hostname as your Matrix homeserver (the value o
If you'd like to use a custom subdomain for Coturn (e.g., `turn.example.com` or `t.matrix.example.com`), add the following configuration to your `vars.yml` file:
```yaml
matrix_coturn_hostname: turn.example.com
coturn_hostname: turn.example.com
```
The playbook will automatically:
@@ -78,7 +78,7 @@ If you'd like to use another TURN server (be it coturn or some other one), add t
```yaml
# Disable integrated coturn server
matrix_coturn_enabled: false
coturn_enabled: false
# Point Synapse to your other coturn server
matrix_synapse_turn_uris:
@@ -99,15 +99,15 @@ You can put multiple host/port combinations if you'd like to.
### Edit the reloading schedule (optional)
By default the service is reloaded on 6:30 a.m. every day based on the `matrix_coturn_reload_schedule` variable so that new SSL certificates can kick in. It is defined in the format of systemd timer calendar.
By default the service is reloaded on 6:30 a.m. every day based on the `coturn_reload_schedule` variable so that new SSL certificates can kick in. It is defined in the format of systemd timer calendar.
To edit the schedule, add the following configuration to your `vars.yml` file (adapt to your needs):
```yaml
matrix_coturn_reload_schedule: "*-*-* 06:30:00"
coturn_reload_schedule: "*-*-* 06:30:00"
```
**Note**: the actual job may run with a delay. See `matrix_coturn_reload_schedule_randomized_delay_sec` for its default value.
**Note**: the actual job may run with a delay. See `coturn_reload_schedule_randomized_delay_sec` for its default value.
### Extending the configuration
@@ -115,14 +115,14 @@ There are some additional things you may wish to configure about the TURN server
Take a look at:
- `roles/custom/matrix-coturn/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/galaxy/coturn/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
## Disabling coturn
If, for some reason, you'd like for the playbook to not install coturn (or to uninstall it if it was previously installed), add the following configuration to your `vars.yml` file:
```yaml
matrix_coturn_enabled: false
coturn_enabled: false
```
In that case, Synapse would not point to any coturn servers and audio/video call functionality may fail.

4
docs/configuring-playbook.md
View File

@@ -51,8 +51,6 @@ For a more custom setup, see the [Other configuration options](#other-configurat
- [Configuring Conduit](configuring-playbook-conduit.md), if you've switched to the [Conduit](https://conduit.rs) homeserver implementation
- [Configuring conduwuit](configuring-playbook-conduwuit.md), if you've switched to the [conduwuit](https://conduwuit.puppyirl.gay/) homeserver implementation
- [Configuring continuwuity](configuring-playbook-continuwuity.md), if you've switched to the [continuwuity](https://continuwuity.org) homeserver implementation
- [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation
@@ -261,6 +259,8 @@ Various services that don't fit any other categories.
**Note**: since a deprecated or unmaintained service will not be updated, its bug or vulnerability will be unlikely to get patched. It is recommended to migrate from the service to an alternative if any, and make sure to do your own research before you decide to keep it running nonetheless.
- [Configuring conduwuit](configuring-playbook-conduwuit.md) (removed; this component has been abandoned and unmaintained)
- [Setting up the Sliding Sync proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like old Element X versions, before it got switched to Simplified Sliding Sync)
- [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (deprecated; the bridge's author suggests taking a look at [matrix-hookshot](https://github.com/matrix-org/matrix-hookshot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bridge-hookshot.md))

2
docs/container-images.md
View File

@@ -27,7 +27,6 @@ We try to stick to official images (provided by their respective projects) as mu
| ------- | --------------- | -------- | ----------- |
| [Synapse](configuring-playbook-synapse.md) | [element-hq/synapse](https://ghcr.io/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network |
| [Conduit](configuring-playbook-conduit.md) | [matrixconduit/matrix-conduit](https://hub.docker.com/r/matrixconduit/matrix-conduit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements |
| [conduwuit](configuring-playbook-conduwuit.md) | [girlbossceo/conduwuit](https://ghcr.io/girlbossceo/conduwuit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit is a fork of Conduit. |
| [continuwuity](configuring-playbook-continuwuity.md) | [continuwuation/continuwuity](https://forgejo.ellis.link/continuwuation/continuwuity) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. |
| [Dendrite](configuring-playbook-dendrite.md) | [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. |
@@ -172,6 +171,7 @@ The list of the deprecated or unmaintained services is available [here](configur
| Service | Container image | Default? | Description |
| ------- | --------------- | -------- | ----------- |
| [conduwuit](configuring-playbook-conduwuit.md) | [girlbossceo/conduwuit](https://ghcr.io/girlbossceo/conduwuit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit was a fork of Conduit. |
| [Dimension](configuring-playbook-dimension.md) | [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) | ❌ | Open source integration manager for Matrix clients |
| [Email2Matrix](configuring-playbook-email2matrix.md) | [devture/email2matrix](https://hub.docker.com/r/devture/email2matrix/) | ❌ | Bridge for relaying emails to Matrix rooms |
| [Go-NEB](configuring-playbook-bot-go-neb.md) | [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) | ❌ | Multi functional bot written in Go |

2
docs/faq.md
View File

@@ -313,7 +313,7 @@ exim_relay_enabled: false
# You can also disable this to save more RAM,
# at the expense of audio/video calls being unreliable.
matrix_coturn_enabled: false
coturn_enabled: false
# This makes Synapse not keep track of who is online/offline.
#

14
docs/howto-srv-server-delegation.md
View File

@@ -26,7 +26,7 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra
**Note**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels:
- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [conduwuit](./configuring-playbook-conduwuit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))
- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))
- if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached
Also, all instructions below are from an older version of the playbook and may not work anymore.
@@ -104,10 +104,10 @@ This should not happen again afterwards as Traefik will renew certificates well
```yaml
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
coturn_systemd_required_services_list: ['docker.service']
# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
@@ -121,7 +121,7 @@ matrix_coturn_container_additional_volumes: |
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else []
)
}}
```
@@ -165,10 +165,10 @@ traefik_environment_variables: |
LEGO_DISABLE_CNAME_SUPPORT=true
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
coturn_systemd_required_services_list: ['docker.service']
# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
@@ -182,7 +182,7 @@ matrix_coturn_container_additional_volumes: |
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else []
)
}}
```

5
docs/self-building.md
View File

@@ -28,12 +28,11 @@ Possibly outdated list of roles where self-building the Docker image is currentl
- `matrix-synapse`
- `matrix-synapse-admin`
- `matrix-client-element`
- `matrix-client-hydrogen`
- `hydrogen`
- `cinny`
- `matrix-registration`
- `matrix-coturn`
- `coturn`
- `matrix-corporal`
- `matrix-dimension`
- `exim-relay`
- `matrix-bridge-hookshot`
- `matrix-bridge-appservice-irc`

2
examples/hosts
View File

@@ -1,5 +1,5 @@
# We explicitly ask for your server's external IP address, because the same value is used for configuring coturn.
# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
# If you'd rather use a local IP here, make sure to set up `coturn_turn_external_ip_address`.
#
# To connect using a non-root user (and elevate to root with sudo later),
# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username ansible_become=true ansible_become_user=root`.

2
examples/reverse-proxies/apache/README.md
View File

@@ -19,4 +19,4 @@ To get started, first follow the [front the integrated reverse-proxy webserver w
`matrix-domain.conf` contains configuration for the Matrix domain, which handles both the Client-Server API (port `443`) and the Matrix Federation API (port `8448`).
`matrix-client-element.conf` is an example for when you're hosting Element Web at `element.example.com`.
This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `dimension.example.com`, etc).
This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `etherpad.example.com`, etc).

2
examples/reverse-proxies/nginx/README.md
View File

@@ -22,4 +22,4 @@ Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modi
This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.example.com`, `element.example.com`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host.
Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.example.com` from the `server_name` list if you don't use [Element Web](../../../docs/configuring-playbook-client-element-web.md) client or add `dimension.example.com` to it if you do use the [Dimension](../../../docs/configuring-playbook-dimension.md) integration manager.
Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.example.com` from the `server_name` list if you don't use [Element Web](../../../docs/configuring-playbook-client-element-web.md) client or add `etherpad.example.com` to it if you do use [Etherpad](../../../docs/configuring-playbook-etherpad.md).

2
examples/reverse-proxies/nginx/matrix.conf
View File

@@ -19,7 +19,7 @@ server {
# TODO: add/remove services and their subdomains if you use/don't use them
# this example is using hosting something on the base domain and an Element Web client, so example.com and element.example.com are listed in addition to matrix.example.com
# if you don't use those, you can remove them
# if you use e.g. Dimension on dimension.example.com, add dimension.example.com to the server_name list
# if you use e.g. Etherpad on etherpad.example.com, add etherpad.example.com to the server_name list
server_name example.com matrix.example.com element.example.com;
location / {

8
examples/vars.yml
View File

@@ -61,10 +61,10 @@ postgres_connection_password: ''
# 2. Uncomment and adjust the line below to specify an IP address manually
#
# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API.
# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the coturn role
# (see `roles/custom/matrix-coturn/defaults/main.yml`).
# Default values for this are specified in `coturn_turn_external_ip_address_auto_detection_*` variables in the coturn role
# (see `roles/galaxy/coturn/defaults/main.yml`).
#
# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses.
# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
# Example: `coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
#
# matrix_coturn_turn_external_ip_address: ''
# coturn_turn_external_ip_address: ''

343
group_vars/matrix_servers
View File

@@ -212,7 +212,20 @@ matrix_homeserver_app_service_config_files_auto: |
matrix_addons_homeserver_container_network: "{{ matrix_playbook_reverse_proxy_container_network if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_container_network }}"
matrix_addons_homeserver_client_api_url: "{{ ('http://' + matrix_playbook_reverse_proxy_hostname + ':' + matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port | string) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_container_url }}"
matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.service'] if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' else []) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_systemd_services_list }}"
matrix_addons_homeserver_systemd_services_list: |
{{
(
matrix_homeserver_systemd_services_list
+
(
[traefik_identifier + '.service']
if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik'
else []
)
)
if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled
else matrix_homeserver_systemd_services_list
}}
########################################################################
# #
@@ -344,7 +357,7 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element', 'client-element']}] if matrix_client_element_enabled else [])
+
([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen', 'client-hydrogen']}] if matrix_client_hydrogen_enabled else [])
([{'name': (hydrogen_identifier + '.service'), 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen', 'client-hydrogen']}] if hydrogen_enabled else [])
+
([{'name': 'matrix-client-schildichat.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'schildichat', 'client-schildichat']}] if matrix_client_schildichat_enabled else [])
+
@@ -354,15 +367,13 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else [])
+
([{'name': 'matrix-coturn.service', 'priority': (1500 if devture_systemd_service_manager_service_restart_mode == 'one-by-one' else 900), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
([{'name': (coturn_identifier + '.service'), 'priority': (1500 if devture_systemd_service_manager_service_restart_mode == 'one-by-one' else 900), 'groups': ['matrix', 'coturn']}] if coturn_enabled else [])
+
([{'name': 'matrix-matrixto.service', 'priority': 4000, 'groups': ['matrix', 'matrixto']}] if matrix_matrixto_enabled else [])
+
([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else [])
+
([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else [])
+
([{'name': 'matrix-dimension.service', 'priority': 4000, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else [])
([{'name': (coturn_identifier + '-reload.timer'), 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (coturn_enabled and coturn_tls_enabled) else [])
+
([{'name': (ddclient_identifier + '.service'), 'priority': 5000, 'groups': ['matrix', 'ddclient', 'dynamic-dns']}] if ddclient_enabled else [])
+
@@ -519,7 +530,6 @@ matrix_homeserver_container_client_api_endpoint: |-
'synapse': ('matrix-synapse-reverse-proxy-companion:8008' if matrix_synapse_reverse_proxy_companion_enabled | default(false) else ('matrix-synapse:'+ matrix_synapse_container_client_api_port | default('8008') | string)),
'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string),
'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
}[matrix_homeserver_implementation]
}}
@@ -530,13 +540,12 @@ matrix_homeserver_container_federation_api_endpoint: |-
'synapse': ('matrix-synapse-reverse-proxy-companion:8048' if matrix_synapse_reverse_proxy_companion_enabled else ('matrix-synapse:'+ matrix_synapse_container_federation_api_plain_port | default('8008') | string)),
'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string),
'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
}[matrix_homeserver_implementation]
}}
matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"
matrix_integration_manager_rest_url: ""
matrix_integration_manager_ui_url: ""
######################################################################
#
@@ -3093,31 +3102,42 @@ matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ traefik_certReso
######################################################################
#
# matrix-coturn
# coturn
#
######################################################################
matrix_coturn_enabled: true
coturn_enabled: true
matrix_coturn_hostname: "{{ matrix_server_fqn_matrix }}"
coturn_identifier: matrix-coturn
matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_coturn_docker_image_registry_prefix_upstream_default }}"
coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
coturn_uid: "{{ matrix_user_uid }}"
coturn_gid: "{{ matrix_user_gid }}"
coturn_hostname: "{{ matrix_server_fqn_matrix }}"
coturn_container_image_registry_prefix: "{{ 'localhost/' if coturn_container_image_self_build else coturn_container_image_registry_prefix_upstream }}"
coturn_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else coturn_container_image_registry_prefix_upstream_default }}"
coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
# We make the assumption that `ansible_host` points to an external IP address, which may not always be the case.
# Users are free to set `matrix_coturn_turn_external_ip_address` to an empty string
# Users are free to set `coturn_turn_external_ip_address` to an empty string
# to allow auto-detection (via an echoip service) to happen at runtime.
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
coturn_turn_external_ip_address: "{{ ansible_host }}"
matrix_coturn_turn_static_auth_secret: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.sas') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'auth-secret' else '' }}"
# By default, we use the official public instance.
coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json
matrix_coturn_lt_cred_mech_username: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.user') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_lt_cred_mech_password: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.pass') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
coturn_turn_static_auth_secret: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.sas') | hash('sha512') | to_uuid) if coturn_authentication_method == 'auth-secret' else '' }}"
matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}"
coturn_lt_cred_mech_username: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.user') | hash('sha512') | to_uuid) if coturn_authentication_method == 'lt-cred-mech' else '' }}"
coturn_lt_cred_mech_password: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.pass') | hash('sha512') | to_uuid) if coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_tls_cert_path: |-
coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}"
coturn_tls_cert_path: |-
{{
{
'playbook-managed-traefik': ('/certificate.crt' if traefik_certs_dumper_enabled else ''),
@@ -3126,7 +3146,7 @@ matrix_coturn_tls_cert_path: |-
}[matrix_playbook_reverse_proxy_type]
}}
matrix_coturn_tls_key_path: |-
coturn_tls_key_path: |-
{{
{
'playbook-managed-traefik': ('/privatekey.key' if traefik_certs_dumper_enabled else ''),
@@ -3135,101 +3155,32 @@ matrix_coturn_tls_key_path: |-
}[matrix_playbook_reverse_proxy_type]
}}
matrix_coturn_container_additional_volumes: |
coturn_container_additional_volumes: |
{{
(
[
{
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_coturn_hostname + '/certificate.crt'),
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + coturn_hostname + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_coturn_hostname + '/privatekey.key'),
'src': (traefik_certs_dumper_dumped_certificates_path + '/' + coturn_hostname + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if (matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled and (matrix_coturn_tls_cert_path and matrix_coturn_tls_key_path)) else []
] if (matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled and (coturn_tls_cert_path and coturn_tls_key_path)) else []
)
}}
matrix_coturn_systemd_required_services_list_auto: |
coturn_systemd_required_services_list_auto: |
{{
([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
([traefik_certs_dumper_identifier + '-wait-for-domain@' + coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and coturn_tls_enabled else [])
}}
######################################################################
#
# /matrix-coturn
#
######################################################################
######################################################################
#
# matrix-dimension
#
######################################################################
matrix_dimension_enabled: false
matrix_dimension_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
matrix_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
matrix_dimension_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_dimension_docker_image_registry_prefix_upstream_default }}"
matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_dimension_container_network: "{{ matrix_addons_container_network }}"
# Dimension is connected both to `matrix_addons_homeserver_container_network` and `matrix_homeserver_container_network`,
# because `matrix_dimension_homeserver_clientServerUrl` and `matrix_dimension_homeserver_federationUrl` are potentially
# going to different places.
matrix_dimension_container_additional_networks: |
{{
(
([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
+
([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_dimension_container_network else [])
+
([postgres_container_network] if (postgres_enabled and matrix_dimension_database_hostname == postgres_connection_hostname and postgres_container_network != matrix_dimension_container_network) else [])
+
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
) | unique
}}
matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
matrix_dimension_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
matrix_dimension_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
matrix_dimension_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
matrix_dimension_homeserver_clientServerUrl: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}"
matrix_dimension_homeserver_mediaUrl: "{{ ('https' if matrix_playbook_ssl_enabled else 'http') }}://{{ matrix_server_fqn_matrix }}"
# Dimension depends both on `matrix_addons_homeserver_systemd_services_list` and on the homeserver service,
# because `matrix_dimension_homeserver_clientServerUrl` and `matrix_dimension_homeserver_federationUrl` are potentially
# going to different places.
matrix_dimension_systemd_required_services_list_auto: |
{{
(
matrix_addons_homeserver_systemd_services_list
+
['matrix-' + matrix_homeserver_implementation + '.service']
+
([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_dimension_database_hostname == postgres_connection_hostname) else [])
) | unique
}}
# Postgres is the default, except if not using internal Postgres server
matrix_dimension_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_dimension_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_dimension_database_password: "{{ (matrix_homeserver_generic_secret_key + ':dimension.db') | hash('sha512') | to_uuid }}"
######################################################################
#
# /matrix-dimension
# /coturn
#
######################################################################
@@ -3247,7 +3198,7 @@ etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
etherpad_framing_enabled: "{{ matrix_dimension_enabled or jitsi_enabled }}"
etherpad_framing_enabled: "{{ jitsi_enabled }}"
etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
@@ -3382,7 +3333,7 @@ jitsi_web_stun_servers: |
'stun:' + matrix_server_fqn_matrix + ':5349',
'stun:' + matrix_server_fqn_matrix + ':3478',
]
if matrix_coturn_enabled
if coturn_enabled
else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443']
}}
@@ -3391,11 +3342,11 @@ jitsi_web_framing_enabled: true
# Jitsi (Prosody) only seems to support authenticating with coturn using `auth-secret`, not `lt-cred-mech`.
# See: https://prosody.im/doc/coturn
jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port_tcp.split(':')[-1] if matrix_coturn_enabled else '' }}"
jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port_tcp.split(':')[-1] if matrix_coturn_enabled else '' }}"
jitsi_turn_credentials: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if coturn_enabled else '' }}"
jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if coturn_enabled else '' }}"
jitsi_turn_port: "{{ coturn_container_stun_plain_host_bind_port_tcp.split(':')[-1] if coturn_enabled else '' }}"
jitsi_turns_port: "{{ coturn_container_stun_tls_host_bind_port_tcp.split(':')[-1] if coturn_enabled else '' }}"
# If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences,
# unless explicitly disabled by setting `jitsi_etherpad_enabled` to false.
@@ -3855,12 +3806,6 @@ postgres_managed_databases_auto: |
'password': matrix_steam_bridge_database_password,
}] if (matrix_steam_bridge_enabled and matrix_steam_bridge_database_engine == 'postgres' and matrix_steam_bridge_database_hostname == postgres_connection_hostname) else [])
+
([{
'name': matrix_dimension_database_name,
'username': matrix_dimension_database_username,
'password': matrix_dimension_database_password,
}] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == postgres_connection_hostname) else [])
+
([{
'name': etherpad_database_name,
'username': etherpad_database_postgres_username,
@@ -4067,11 +4012,11 @@ matrix_client_element_container_labels_traefik_compression_middleware_name: "{{
matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}"
matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}"
# Use Dimension if enabled, otherwise fall back to Scalar
matrix_client_element_integrations_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else 'https://scalar.vector.im/' }}"
matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else 'https://scalar.vector.im/api' }}"
matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
# Use Scalar by default
matrix_client_element_integrations_ui_url: "https://scalar.vector.im/"
matrix_client_element_integrations_rest_url: "https://scalar.vector.im/api"
matrix_client_element_integrations_widgets_urls: "{{ ['https://scalar.vector.im/api'] }}"
matrix_client_element_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
matrix_client_element_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
@@ -4102,39 +4047,49 @@ matrix_client_element_element_call_url: "{{ matrix_element_call_public_url if ma
######################################################################
#
# matrix-client-hydrogen
# hydrogen
#
######################################################################
matrix_client_hydrogen_enabled: false
hydrogen_enabled: false
matrix_client_hydrogen_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_client_hydrogen_docker_image_registry_prefix_upstream_default }}"
hydrogen_identifier: matrix-client-hydrogen
matrix_client_hydrogen_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
hydrogen_uid: "{{ matrix_user_uid }}"
hydrogen_gid: "{{ matrix_user_gid }}"
matrix_client_hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
hydrogen_container_image_registry_prefix: "{{ 'localhost/' if hydrogen_container_image_self_build else hydrogen_container_image_registry_prefix_upstream }}"
hydrogen_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else hydrogen_container_image_registry_prefix_upstream_default }}"
matrix_client_hydrogen_container_network: "{{ matrix_addons_container_network }}"
hydrogen_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
matrix_client_hydrogen_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_client_hydrogen_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
matrix_client_hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
matrix_client_hydrogen_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
hydrogen_container_network: "{{ matrix_addons_container_network }}"
matrix_client_hydrogen_container_labels_traefik_compression_middleware_enabled: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled }}"
matrix_client_hydrogen_container_labels_traefik_compression_middleware_name: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_name if matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled else '' }}"
hydrogen_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (hydrogen_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
matrix_client_hydrogen_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
hydrogen_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
hydrogen_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}"
hydrogen_container_labels_traefik_compression_middleware_enabled: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled }}"
hydrogen_container_labels_traefik_compression_middleware_name: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_name if matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled else '' }}"
matrix_client_hydrogen_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
hydrogen_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
hydrogen_default_hs_url: "{{ matrix_homeserver_url }}"
hydrogen_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
hydrogen_base_path: "{{ matrix_base_data_path }}/client-hydrogen"
hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
######################################################################
#
# /matrix-client-hydrogen
# /hydrogen
#
######################################################################
@@ -4214,11 +4169,11 @@ matrix_client_schildichat_container_labels_traefik_tls_certResolver: "{{ traefik
matrix_client_schildichat_default_hs_url: "{{ matrix_homeserver_url }}"
matrix_client_schildichat_default_is_url: "{{ matrix_identity_server_url }}"
# Use Dimension if enabled, otherwise fall back to Scalar
matrix_client_schildichat_integrations_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else 'https://scalar.vector.im/' }}"
matrix_client_schildichat_integrations_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else 'https://scalar.vector.im/api' }}"
matrix_client_schildichat_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
matrix_client_schildichat_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
# Use Scalar by default
matrix_client_schildichat_integrations_ui_url: "https://scalar.vector.im/"
matrix_client_schildichat_integrations_rest_url: "https://scalar.vector.im/api"
matrix_client_schildichat_integrations_widgets_urls: "{{ ['https://scalar.vector.im/api'] }}"
matrix_client_schildichat_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
matrix_client_schildichat_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
@@ -4362,7 +4317,7 @@ matrix_synapse_tls_federation_listener_enabled: false
matrix_synapse_tls_certificate_path: ~
matrix_synapse_tls_private_key_path: ~
matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_user_verification_service_enabled or matrix_livekit_jwt_service_enabled) }}"
matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_user_verification_service_enabled or matrix_livekit_jwt_service_enabled) }}"
matrix_synapse_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
@@ -4376,10 +4331,10 @@ matrix_synapse_email_smtp_port: 8025
matrix_synapse_email_smtp_require_transport_security: false
matrix_synapse_email_notif_from: "Matrix <{{ exim_relay_sender_address }}>"
matrix_synapse_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_synapse_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_synapse_turn_shared_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_synapse_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_synapse_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
@@ -4396,7 +4351,7 @@ matrix_synapse_systemd_required_services_list_auto: |
matrix_synapse_systemd_wanted_services_list_auto: |
{{
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
([coturn_identifier ~ '.service'] if coturn_enabled else [])
+
([exim_relay_identifier ~ '.service'] if exim_relay_enabled else [])
}}
@@ -4443,6 +4398,12 @@ matrix_synapse_password_config_enabled: "{{ not matrix_synapse_matrix_authentica
matrix_synapse_register_user_script_matrix_authentication_service_path: "{{ matrix_authentication_service_bin_path }}/register-user"
# After Synapse's systemd health check passes, the reverse proxy still needs time to
# discover the container and register its routes. We derive this delay from Traefik's
# providers.providersThrottleDuration setting (+1s grace for our healthcheck polling interval),
# so it stays in sync automatically.
matrix_synapse_systemd_service_post_start_delay_seconds: "{{ (traefik_config_providers_providersThrottleDuration_seconds | int + 1) if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] else 0 }}"
######################################################################
#
# /matrix-synapse
@@ -5095,7 +5056,6 @@ grafana_default_home_dashboard_path: |-
'synapse': ('/etc/grafana/dashboards/synapse.json' if matrix_synapse_metrics_enabled and matrix_synapse_metrics_enabled else ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else '')),
'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
'conduwuit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
'continuwuity': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
}[matrix_homeserver_implementation]
}}
@@ -5156,7 +5116,6 @@ matrix_registration_shared_secret: |-
'synapse': matrix_synapse_registration_shared_secret | default (''),
'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''),
'conduit': '',
'conduwuit': '',
'continuwuity': '',
}[matrix_homeserver_implementation]
}}
@@ -5233,10 +5192,10 @@ matrix_dendrite_database_hostname: "{{ postgres_connection_hostname if postgres_
matrix_dendrite_database_password: "{{ (matrix_homeserver_generic_secret_key + ':dendrite.db') | hash('sha512') | to_uuid }}"
matrix_dendrite_client_api_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_dendrite_client_api_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_dendrite_client_api_turn_shared_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_dendrite_client_api_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_client_api_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_dendrite_disable_tls_validation: "{{ not matrix_playbook_ssl_enabled }}"
@@ -5253,7 +5212,7 @@ matrix_dendrite_systemd_required_services_list_auto: |
matrix_dendrite_systemd_wanted_services_list_auto: |
{{
(['matrix-coturn.service'] if matrix_coturn_enabled else [])
([coturn_identifier ~ '.service'] if coturn_enabled else [])
}}
matrix_dendrite_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
@@ -5304,10 +5263,10 @@ matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_fe
matrix_conduit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
matrix_conduit_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_conduit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduit_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_conduit_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduit_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduit_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
######################################################################
#
@@ -5316,58 +5275,6 @@ matrix_conduit_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix
######################################################################
######################################################################
#
# matrix-conduwuit
#
######################################################################
matrix_conduwuit_enabled: "{{ matrix_homeserver_implementation == 'conduwuit' }}"
matrix_conduwuit_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_conduwuit_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
matrix_conduwuit_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_conduwuit_docker_image_registry_prefix_upstream_default }}"
matrix_conduwuit_container_network: "{{ matrix_homeserver_container_network }}"
matrix_conduwuit_container_additional_networks_auto: |
{{
(
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_conduwuit_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
) | unique
}}
matrix_conduwuit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and not matrix_synapse_workers_enabled }}"
matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
matrix_conduwuit_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
matrix_conduwuit_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
matrix_conduwuit_container_labels_public_client_root_redirection_enabled: "{{ matrix_conduwuit_container_labels_public_client_root_redirection_url != '' }}"
matrix_conduwuit_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
matrix_conduwuit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
matrix_conduwuit_config_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_conduwuit_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_conduwuit_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduwuit_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_conduwuit_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
######################################################################
#
# /matrix-conduwuit
#
######################################################################
######################################################################
#
# matrix-continuwuity
@@ -5406,10 +5313,10 @@ matrix_continuwuity_container_labels_public_federation_api_traefik_tls: "{{ matr
matrix_continuwuity_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
matrix_continuwuity_config_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_continuwuity_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
matrix_continuwuity_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_uris: "{{ coturn_turn_uris if coturn_enabled else [] }}"
matrix_continuwuity_config_turn_secret: "{{ coturn_turn_static_auth_secret if (coturn_enabled and coturn_authentication_method == 'auth-secret') else '' }}"
matrix_continuwuity_config_turn_username: "{{ coturn_lt_cred_mech_username if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_config_turn_password: "{{ coturn_lt_cred_mech_password if (coturn_enabled and coturn_authentication_method == 'lt-cred-mech') else '' }}"
matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
@@ -5668,7 +5575,7 @@ traefik_systemd_required_services_list: |
traefik_additional_domains_to_obtain_certificates_for_auto: |
{{
([matrix_coturn_hostname] if (matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_coturn_hostname != matrix_server_fqn_matrix) else [])
([coturn_hostname] if (coturn_enabled and coturn_tls_enabled and coturn_hostname != matrix_server_fqn_matrix) else [])
}}
########################################################################
@@ -5695,6 +5602,16 @@ traefik_certs_dumper_gid: "{{ matrix_user_gid }}"
traefik_certs_dumper_ssl_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
# We make the certs dumper require the Traefik service (not just docker.service),
# because when both restart simultaneously (e.g. in all-at-once mode), Traefik may
# momentarily truncate or reinitialize acme.json, causing the certs dumper to read
# an empty file and panic. By requiring Traefik, the certs dumper only starts after
# Traefik is fully ready and acme.json is stable.
traefik_certs_dumper_systemd_required_services_list_auto: |
{{
([traefik_identifier + '.service'] if traefik_enabled else [])
}}
traefik_certs_dumper_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else traefik_certs_dumper_container_image_registry_prefix_upstream_default }}"
########################################################################

11
requirements.yml
View File

@@ -12,6 +12,10 @@
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
version: v0.4.2-1
name: container_socket_proxy
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-coturn.git
version: v4.8.0-1
name: coturn
activation_prefix: coturn_
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
version: v4.0.0-0
name: ddclient
@@ -31,6 +35,9 @@
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
version: v11.6.5-6
name: grafana
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
version: v0.5.1-0
name: hydrogen
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v10741-0
name: jitsi
@@ -68,13 +75,13 @@
version: v1.4.1-0
name: systemd_docker_base
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
version: v2.0.0-0
version: v2.0.0-2
name: systemd_service_manager
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.1.0-1
name: timesync
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
version: v3.6.7-1
version: v3.6.8-2
name: traefik
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
version: v2.10.0-4

2
roles/custom/matrix-alertmanager-receiver/defaults/main.yml
View File

@@ -11,7 +11,7 @@
matrix_alertmanager_receiver_enabled: true
# renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
matrix_alertmanager_receiver_version: 2026.2.4
matrix_alertmanager_receiver_version: 2026.2.11
matrix_alertmanager_receiver_scheme: https

7
roles/custom/matrix-base/defaults/main.yml
View File

@@ -84,7 +84,7 @@ matrix_monitoring_container_network: matrix-monitoring
matrix_homeserver_enabled: true
# This will contain the homeserver implementation that is in use.
# Valid values: synapse, dendrite, conduit, conduwuit, continuwuity
# Valid values: synapse, dendrite, conduit, continuwuity
#
# By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
#
@@ -106,7 +106,7 @@ matrix_server_fqn_matrix_federation: '{{ matrix_server_fqn_matrix }}'
# This and the Matrix FQN (see above) are expected to be on the same server.
matrix_server_fqn_element: "element.{{ matrix_domain }}"
# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
# This is where you access the Hydrogen web client from (if enabled via hydrogen_enabled; disabled by default).
matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"
# This is where you access the Cinny web client from (if enabled via cinny_enabled; disabled by default).
@@ -121,9 +121,6 @@ matrix_server_fqn_fluffychat: "fluffychat.{{ matrix_domain }}"
# This is where you access the Buscarron bot from (if enabled via matrix_bot_buscarron_enabled; disabled by default).
matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}"
# This is where you access the Dimension.
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
# This is where you access the Etherpad (if enabled via etherpad_enabled; disabled by default).
matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}"

2
roles/custom/matrix-base/tasks/validate_config.yml
View File

@@ -13,7 +13,7 @@
- name: Fail if invalid homeserver implementation
ansible.builtin.fail:
msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`"
when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'conduwuit', 'continuwuity']"
when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'continuwuity']"
- name: (Deprecation) Catch and report renamed settings
ansible.builtin.fail:

4
roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2
View File

@@ -1,11 +1,11 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Draupnir bot
{% for service in matrix_bot_draupnir_systemd_wanted_services_list %}
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
{% for service in matrix_bot_draupnir_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no

4
roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2
View File

@@ -1,11 +1,11 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Mjolnir bot
{% for service in matrix_bot_mjolnir_systemd_wanted_services_list %}
{% for service in matrix_bot_mjolnir_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_bot_mjolnir_systemd_required_services_list %}
{% for service in matrix_bot_mjolnir_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no

198
roles/custom/matrix-client-hydrogen/defaults/main.yml
View File

@@ -1,198 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Aaron Raimist
# SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2021 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Matthew Cengia
# SPDX-FileCopyrightText: 2023 Pierre 'McFly' Marty
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Project source code URL: https://github.com/element-hq/hydrogen-web
matrix_client_hydrogen_enabled: true
matrix_client_hydrogen_container_image_self_build: false
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/element-hq/hydrogen-web.git"
# renovate: datasource=docker depName=ghcr.io/element-hq/hydrogen-web
matrix_client_hydrogen_version: v0.5.1
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_registry_prefix }}element-hq/hydrogen-web:{{ matrix_client_hydrogen_version }}"
matrix_client_hydrogen_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else matrix_client_hydrogen_docker_image_registry_prefix_upstream }}"
matrix_client_hydrogen_docker_image_registry_prefix_upstream: "{{ matrix_client_hydrogen_docker_image_registry_prefix_upstream_default }}"
matrix_client_hydrogen_docker_image_registry_prefix_upstream_default: ghcr.io/
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen"
matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src"
# The base container network
matrix_client_hydrogen_container_network: ''
# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to a reverse proxy, which runs in a different container network.
matrix_client_hydrogen_container_additional_networks: []
# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
matrix_client_hydrogen_container_http_host_bind_port: ''
# matrix_client_hydrogen_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_client_hydrogen_container_labels_additional_labels`.
matrix_client_hydrogen_container_labels_traefik_enabled: true
matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_client_hydrogen_container_network }}"
matrix_client_hydrogen_container_labels_traefik_hostname: "{{ matrix_client_hydrogen_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/hydrogen`).
matrix_client_hydrogen_container_labels_traefik_path_prefix: "{{ matrix_client_hydrogen_path_prefix }}"
matrix_client_hydrogen_container_labels_traefik_rule: "Host(`{{ matrix_client_hydrogen_container_labels_traefik_hostname }}`){% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`){% endif %}"
matrix_client_hydrogen_container_labels_traefik_priority: 0
matrix_client_hydrogen_container_labels_traefik_entrypoints: web-secure
matrix_client_hydrogen_container_labels_traefik_tls: "{{ matrix_client_hydrogen_container_labels_traefik_entrypoints != 'web' }}"
matrix_client_hydrogen_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether a compression middleware will be injected into the middlewares list.
# This compression middleware is supposed to be defined elsewhere (using labels or a File provider, etc.) and is merely referenced by this router.
matrix_client_hydrogen_container_labels_traefik_compression_middleware_enabled: false
matrix_client_hydrogen_container_labels_traefik_compression_middleware_name: ""
# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom`
matrix_client_hydrogen_container_labels_traefik_additional_response_headers: "{{ matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto | combine(matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom) }}"
matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto: |
{{
{}
| combine ({'X-XSS-Protection': matrix_client_hydrogen_http_header_xss_protection} if matrix_client_hydrogen_http_header_xss_protection else {})
| combine ({'X-Content-Type-Options': matrix_client_hydrogen_http_header_content_type_options} if matrix_client_hydrogen_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_hydrogen_http_header_content_security_policy} if matrix_client_hydrogen_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_hydrogen_http_header_content_permission_policy} if matrix_client_hydrogen_http_header_content_permission_policy else {})
| combine ({'Strict-Transport-Security': matrix_client_hydrogen_http_header_strict_transport_security} if matrix_client_hydrogen_http_header_strict_transport_security and matrix_client_hydrogen_container_labels_traefik_tls else {})
}}
matrix_client_hydrogen_container_labels_traefik_additional_response_headers_custom: {}
# matrix_client_hydrogen_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_client_hydrogen_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_client_hydrogen_container_labels_additional_labels: ''
# A list of extra arguments to pass to the container
matrix_client_hydrogen_container_extra_arguments: []
# List of systemd services that matrix-client-hydrogen.service depends on
matrix_client_hydrogen_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_hydrogen_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_hydrogen_http_header_content_type_options: nosniff
# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
matrix_client_hydrogen_http_header_content_security_policy: frame-ancestors 'self'
# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
matrix_client_hydrogen_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_client_hydrogen_floc_optout_enabled else '' }}"
# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
matrix_client_hydrogen_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_client_hydrogen_hsts_preload_enabled else '' }}"
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `matrix_client_hydrogen_content_permission_policy`
matrix_client_hydrogen_floc_optout_enabled: true
# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `matrix_client_hydrogen_http_header_strict_transport_security`
matrix_client_hydrogen_hsts_preload_enabled: false
matrix_client_hydrogen_scheme: https
# The hostname at which Hydrogen is served.
matrix_client_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
# The path at which Hydrogen is exposed.
# This value must either be `/` or not end with a slash (e.g. `/hydrogen`).
matrix_client_hydrogen_path_prefix: /
# Controls whether the self-check feature should validate SSL certificates.
matrix_client_hydrogen_self_check_validate_certificates: true
# Controls whether the access log is enabled.
matrix_client_hydrogen_access_log_enabled: true
# config.json
matrix_client_hydrogen_push:
appId: io.element.hydrogen.web
gatewayUrl: https://matrix.org
applicationServerKey: "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM"
matrix_client_hydrogen_default_hs_url: ""
matrix_client_hydrogen_bugReportEndpointUrl: "https://element.io/bugreports/submit" # noqa var-naming
# Default Hydrogen configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`)
# or completely replace this variable with your own template.
#
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2', convert_data=False) | from_json }}"
# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`.
# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_client_hydrogen_configuration_default`.
#
# Example configuration extension follows:
#
# matrix_client_hydrogen_configuration_extension_json: |
# {
# "push": {
# "appId": "io.element.hydrogen.web",
# "gatewayUrl": "https://matrix.org",
# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM"
# },
# "defaultHomeServer": "matrix.org"
# }
matrix_client_hydrogen_configuration_extension_json: '{}'
matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json | from_json if matrix_client_hydrogen_configuration_extension_json | from_json is mapping else {} }}"
# Holds the final Hydrogen configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`.
matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default | combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}"

32
roles/custom/matrix-client-hydrogen/tasks/main.yml
View File

@@ -1,32 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2021 Aaron Raimist
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-client-hydrogen
- install-all
- install-client-hydrogen
block:
- when: matrix_client_hydrogen_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_client_hydrogen_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-client-hydrogen
block:
- when: not matrix_client_hydrogen_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
- tags:
- self-check
block:
- when: matrix_client_hydrogen_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"

30
roles/custom/matrix-client-hydrogen/tasks/self_check.yml
View File

@@ -1,30 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Aaron Raimist
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- ansible.builtin.set_fact:
matrix_client_hydrogen_url_endpoint_public: "{{ matrix_client_hydrogen_scheme }}://{{ matrix_client_hydrogen_hostname }}{{ matrix_client_hydrogen_path_prefix }}/config.json"
- name: Check Hydrogen
ansible.builtin.uri:
url: "{{ matrix_client_hydrogen_url_endpoint_public }}"
follow_redirects: none
validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}"
register: matrix_client_hydrogen_self_check_result
check_mode: false
ignore_errors: true
delegate_to: 127.0.0.1
become: false
- name: Fail if Hydrogen not working
ansible.builtin.fail:
msg: "Failed checking Hydrogen is up at `{{ matrix_client_hydrogen_hostname }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}"
when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result"
- name: Report working Hydrogen
ansible.builtin.debug:
msg: "Hydrogen at `{{ matrix_client_hydrogen_hostname }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)"

101
roles/custom/matrix-client-hydrogen/tasks/setup_install.yml
View File

@@ -1,101 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Aaron Raimist
# SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Matthew Cengia
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2023 Julian Foad
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure Hydrogen paths exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_client_hydrogen_data_path }}", when: true}
- {path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}"}
when: "item.when | bool"
- when: "matrix_client_hydrogen_container_image_self_build | bool"
block:
- name: Ensure Hydrogen repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}"
dest: "{{ matrix_client_hydrogen_docker_src_files_path }}"
version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_client_hydrogen_git_pull_results
- name: Check if Hydrogen Docker image exists
ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_client_hydrogen_docker_image }}'"
register: matrix_client_hydrogen_docker_image_check_result
changed_when: false
# Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module,
# because the latter does not support BuildKit.
# See: https://github.com/ansible-collections/community.general/issues/514
- name: Ensure Hydrogen Docker image is built
ansible.builtin.shell:
chdir: "{{ matrix_client_hydrogen_docker_src_files_path }}"
cmd: |
{{ devture_systemd_docker_base_host_command_docker }} build \
-t "{{ matrix_client_hydrogen_docker_image }}" \
-f Dockerfile \
.
environment:
DOCKER_BUILDKIT: 1
changed_when: true
when: "matrix_client_hydrogen_git_pull_results.changed | bool or matrix_client_hydrogen_docker_image_check_result.stdout == ''"
- name: Ensure Hydrogen Docker image is pulled
community.docker.docker_image:
name: "{{ matrix_client_hydrogen_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}"
when: "not matrix_client_hydrogen_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure Hydrogen configuration installed
ansible.builtin.copy:
content: "{{ matrix_client_hydrogen_configuration | to_nice_json }}"
dest: "{{ matrix_client_hydrogen_data_path }}/config.json"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure Hydrogen additional config files installed
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
- {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
- name: Ensure Hydrogen container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_client_hydrogen_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-client-hydrogen.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service"
mode: 0644

31
roles/custom/matrix-client-hydrogen/tasks/setup_uninstall.yml
View File

@@ -1,31 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-client-hydrogen.service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service"
register: matrix_client_hydrogen_service_stat
- when: matrix_client_hydrogen_service_stat.stat.exists | bool
block:
- name: Ensure matrix-client-hydrogen is stopped
ansible.builtin.service:
name: matrix-client-hydrogen
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-client-hydrogen.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-hydrogen.service"
state: absent
- name: Ensure Hydrogen paths doesn't exist
ansible.builtin.file:
path: "{{ matrix_client_hydrogen_data_path }}"
state: absent

45
roles/custom/matrix-client-hydrogen/tasks/validate_config.yml
View File

@@ -1,45 +0,0 @@
# SPDX-FileCopyrightText: 2021 Aaron Raimist
# SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2024 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if required Hydrogen settings not defined
ansible.builtin.fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) to use Hydrogen.
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_client_hydrogen_default_hs_url', when: "{{ matrix_client_hydrogen_container_image_self_build }}"}
- {'name': 'matrix_client_hydrogen_container_network', when: true}
- {'name': 'matrix_client_hydrogen_container_labels_traefik_compression_middleware_name', when: "{{ matrix_client_hydrogen_container_labels_traefik_compression_middleware_enabled }}"}
- name: (Deprecation) Catch and report renamed Hydrogen variables
ansible.builtin.fail:
msg: >-
The variable `{{ item.old }}` is deprecated. Please use `{{ item.new }}` instead.
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_client_hydrogen_container_image_name_prefix', 'new': 'matrix_client_hydrogen_container_image_registry_prefix'}
- when: matrix_client_hydrogen_container_labels_traefik_enabled | bool
block:
- name: Fail if required matrix-client-hydrogen Traefik settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`).
when: "lookup('vars', item, default='') == ''"
with_items:
- matrix_client_hydrogen_container_labels_traefik_hostname
- matrix_client_hydrogen_container_labels_traefik_path_prefix
# We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
# Knowing that `matrix_client_hydrogen_container_labels_traefik_path_prefix` does not end with a slash
# ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
- name: Fail if matrix_client_hydrogen_container_labels_traefik_path_prefix ends with a slash
ansible.builtin.fail:
msg: >-
matrix_client_hydrogen_container_labels_traefik_path_prefix (`{{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/hydrogen`).
when: "matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' and matrix_client_hydrogen_container_labels_traefik_path_prefix[-1] == '/'"

12
roles/custom/matrix-client-hydrogen/templates/config.json.j2
View File

@@ -1,12 +0,0 @@
{
"push": {{ matrix_client_hydrogen_push | to_json }},
"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }},
"bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }},
"themeManifests": [
"{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json"
],
"defaultTheme": {
"light": "element-light",
"dark": "element-dark"
}
}

7
roles/custom/matrix-client-hydrogen/templates/config.json.j2.license
View File

@@ -1,7 +0,0 @@
SPDX-FileCopyrightText: 2021 - 2022 Aaron Raimist
SPDX-FileCopyrightText: 2022 - 2023 Slavi Pantaleev
SPDX-FileCopyrightText: 2022 Matthew Cengia
SPDX-FileCopyrightText: 2022 Nikita Chernyi
SPDX-FileCopyrightText: 2023 Sergio Durigan Junior
SPDX-License-Identifier: AGPL-3.0-or-later

56
roles/custom/matrix-client-hydrogen/templates/labels.j2
View File

@@ -1,56 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 - 2024 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_client_hydrogen_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_client_hydrogen_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_client_hydrogen_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-client-hydrogen.loadbalancer.server.port=8080
{% set middlewares = [] %}
{% if matrix_client_hydrogen_container_labels_traefik_compression_middleware_enabled %}
{% set middlewares = middlewares + [matrix_client_hydrogen_container_labels_traefik_compression_middleware_name] %}
{% endif %}
{% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.regex=({{ matrix_client_hydrogen_container_labels_traefik_path_prefix | quote }})$
traefik.http.middlewares.matrix-client-hydrogen-slashless-redirect.redirectregex.replacement=${1}/
{% set middlewares = middlewares + ['matrix-client-hydrogen-slashless-redirect'] %}
{% endif %}
{% if matrix_client_hydrogen_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-client-hydrogen-strip-prefix.stripprefix.prefixes={{ matrix_client_hydrogen_container_labels_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-client-hydrogen-strip-prefix'] %}
{% endif %}
{% if matrix_client_hydrogen_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
{% for name, value in matrix_client_hydrogen_container_labels_traefik_additional_response_headers.items() %}
traefik.http.middlewares.matrix-client-hydrogen-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
{% endfor %}
{% set middlewares = middlewares + ['matrix-client-hydrogen-add-headers'] %}
{% endif %}
traefik.http.routers.matrix-client-hydrogen.rule={{ matrix_client_hydrogen_container_labels_traefik_rule }}
{% if matrix_client_hydrogen_container_labels_traefik_priority | int > 0 %}
traefik.http.routers.matrix-client-hydrogen.priority={{ matrix_client_hydrogen_container_labels_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-client-hydrogen.service=matrix-client-hydrogen
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-client-hydrogen.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-client-hydrogen.entrypoints={{ matrix_client_hydrogen_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-client-hydrogen.tls={{ matrix_client_hydrogen_container_labels_traefik_tls | to_json }}
{% if matrix_client_hydrogen_container_labels_traefik_tls %}
traefik.http.routers.matrix-client-hydrogen.tls.certResolver={{ matrix_client_hydrogen_container_labels_traefik_tls_certResolver }}
{% endif %}
{% endif %}
{{ matrix_client_hydrogen_container_labels_additional_labels }}

70
roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2
View File

@@ -1,70 +0,0 @@
#jinja2: lstrip_blocks: True
# This is a custom nginx configuration file that we use in the container (instead of the default one),
# because it allows us to run nginx with a non-root user.
#
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
#
# The following changes have been done compared to a default nginx configuration file:
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
# - the `user` directive was removed, as we don't want nginx to switch users
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
{% if matrix_client_hydrogen_access_log_enabled %}
access_log /var/log/nginx/access.log main;
{% else %}
access_log off;
{% endif %}
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server {
listen 8080;
server_name localhost;
root /usr/share/nginx/html;
location / {
index index.html index.htm;
}
location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
expires -1;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}

4
roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2.license
View File

@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2021 Aaron Raimist
SPDX-FileCopyrightText: 2022 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later

50
roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2
View File

@@ -1,50 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Hydrogen Client
{% for service in matrix_client_hydrogen_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-client-hydrogen 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-client-hydrogen \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_client_hydrogen_container_network }} \
{% if matrix_client_hydrogen_container_http_host_bind_port %}
-p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \
{% endif %}
--label-file={{ matrix_client_hydrogen_data_path }}/labels \
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/config.json.bundled,ro \
{% for arg in matrix_client_hydrogen_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_client_hydrogen_docker_image }}
{% for network in matrix_client_hydrogen_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-hydrogen
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-hydrogen
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-client-hydrogen 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-client-hydrogen
[Install]
WantedBy=multi-user.target

5
roles/custom/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2.license
View File

@@ -1,5 +0,0 @@
SPDX-FileCopyrightText: 2021 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2021 Aaron Raimist
SPDX-FileCopyrightText: 2022 Matthew Cengia
SPDX-License-Identifier: AGPL-3.0-or-later

194
roles/custom/matrix-conduwuit/defaults/main.yml
View File

@@ -1,194 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# conduwuit is a very cool, featureful fork of conduit (https://gitlab.com/famedly/conduit).
# Project source code URL: https://github.com/girlbossceo/conduwuit
# See: https://conduwuit.puppyirl.gay/
matrix_conduwuit_enabled: true
matrix_conduwuit_hostname: ''
matrix_conduwuit_docker_image: "{{ matrix_conduwuit_docker_image_registry_prefix }}girlbossceo/conduwuit:{{ matrix_conduwuit_docker_image_tag }}"
matrix_conduwuit_docker_image_tag: v0.4.6-8f7ade4c22533a3177bfd8f175e178573ba6c1d4
matrix_conduwuit_docker_image_force_pull: "{{ matrix_conduwuit_docker_image.endswith(':latest') }}"
matrix_conduwuit_docker_image_registry_prefix: "{{ matrix_conduwuit_docker_image_registry_prefix_upstream }}"
matrix_conduwuit_docker_image_registry_prefix_upstream: "{{ matrix_conduwuit_docker_image_registry_prefix_upstream_default }}"
matrix_conduwuit_docker_image_registry_prefix_upstream_default: ghcr.io/
matrix_conduwuit_base_path: "{{ matrix_base_data_path }}/conduwuit"
matrix_conduwuit_config_path: "{{ matrix_conduwuit_base_path }}/config"
matrix_conduwuit_data_path: "{{ matrix_conduwuit_base_path }}/data"
matrix_conduwuit_config_port_number: 6167
matrix_conduwuit_tmp_directory_size_mb: 500
# List of systemd services that matrix-conduwuit.service depends on
matrix_conduwuit_systemd_required_services_list: "{{ matrix_conduwuit_systemd_required_services_list_default + matrix_conduwuit_systemd_required_services_list_auto + matrix_conduwuit_systemd_required_services_list_custom }}"
matrix_conduwuit_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_conduwuit_systemd_required_services_list_auto: []
matrix_conduwuit_systemd_required_services_list_custom: []
# List of systemd services that matrix-conduwuit.service wants
matrix_conduwuit_systemd_wanted_services_list: []
# Controls how long to sleep for after starting the matrix-synapse container.
#
# Delaying, so that the homeserver can manage to fully start and various services
# that depend on it (`matrix_conduwuit_systemd_required_services_list` and `matrix_conduwuit_systemd_wanted_services_list`)
# may only start after the homeserver is up and running.
#
# This can be set to 0 to remove the delay.
matrix_conduwuit_systemd_service_post_start_delay_seconds: 3
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_conduwuit_container_network: ""
# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to another reverse proxy, which runs in a different container network.
matrix_conduwuit_container_additional_networks: "{{ matrix_conduwuit_container_additional_networks_auto + matrix_conduwuit_container_additional_networks_custom }}"
matrix_conduwuit_container_additional_networks_auto: []
matrix_conduwuit_container_additional_networks_custom: []
# matrix_conduwuit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_conduwuit_container_labels_additional_labels`.
matrix_conduwuit_container_labels_traefik_enabled: true
matrix_conduwuit_container_labels_traefik_docker_network: "{{ matrix_conduwuit_container_network }}"
matrix_conduwuit_container_labels_traefik_entrypoints: web-secure
matrix_conduwuit_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.
matrix_conduwuit_container_labels_public_client_root_enabled: true
matrix_conduwuit_container_labels_public_client_root_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
matrix_conduwuit_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"
matrix_conduwuit_container_labels_public_client_root_traefik_priority: 0
matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
matrix_conduwuit_container_labels_public_client_root_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints != 'web' }}"
matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
matrix_conduwuit_container_labels_public_client_root_redirection_enabled: false
matrix_conduwuit_container_labels_public_client_root_redirection_url: ""
# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
matrix_conduwuit_container_labels_public_client_api_enabled: true
matrix_conduwuit_container_labels_public_client_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix: /_matrix
matrix_conduwuit_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}`)"
matrix_conduwuit_container_labels_public_client_api_traefik_priority: 0
matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
matrix_conduwuit_container_labels_public_client_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
# This is similar to `matrix_conduwuit_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
matrix_conduwuit_container_labels_internal_client_api_enabled: false
matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_path_prefix }}"
matrix_conduwuit_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_conduwuit_container_labels_internal_client_api_traefik_path_prefix }}`)"
matrix_conduwuit_container_labels_internal_client_api_traefik_priority: "{{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}"
matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints: ""
# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
matrix_conduwuit_container_labels_public_federation_api_enabled: "{{ matrix_conduwuit_config_allow_federation }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix: /_matrix
matrix_conduwuit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_federation_api_traefik_path_prefix }}`)"
matrix_conduwuit_container_labels_public_federation_api_traefik_priority: 0
matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints: ''
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
matrix_conduwuit_container_labels_public_federation_api_traefik_tls: true
matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the `/_conduwuit` path prefix on a public Traefik entrypoint.
matrix_conduwuit_container_labels_public_conduwuit_api_enabled: true
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname: "{{ matrix_conduwuit_hostname }}"
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix: /_conduwuit
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule: "Host(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_path_prefix }}`)"
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority: 0
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints: "{{ matrix_conduwuit_container_labels_traefik_entrypoints }}"
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls: "{{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints != 'web' }}"
matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver: "{{ matrix_conduwuit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_conduwuit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_conduwuit_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_conduwuit_container_labels_additional_labels: ''
# Extra arguments for the Docker container
matrix_conduwuit_container_extra_arguments: []
# Specifies which template files to use when configuring conduwuit.
# If you'd like to have your own different configuration, feel free to copy and paste
# the original files into your inventory (e.g. in `inventory/host_vars/matrix.example.com/`)
# and then change the specific host's `vars.yml` file like this:
# matrix_conduwuit_template_conduwuit_config: "{{ playbook_dir }}/inventory/host_vars/matrix.example.com/conduwuit.toml.j2"
matrix_conduwuit_template_conduwuit_config: "{{ role_path }}/templates/conduwuit.toml.j2"
# Max size for uploads, in bytes
matrix_conduwuit_config_server_name: "{{ matrix_domain }}"
# Max size for uploads, in bytes
matrix_conduwuit_config_max_request_size: 20_000_000
# Enables registration. If set to false, no users can register on this server.
matrix_conduwuit_config_allow_registration: false
# Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting.
# This is only used when `matrix_conduwuit_config_allow_registration` is set to true and no registration token is configured.
matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false
# Controls the `registration_token` setting.
# When registration is enabled (`matrix_conduwuit_config_allow_registration`) you:
# - either need to set a token to protect registration from abuse
# - or you need to enable the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting
# (see `matrix_conduwuit_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`),
# to allow registration without any form of 2nd-step.
matrix_conduwuit_config_registration_token: ''
# Controls the `new_user_displayname_suffix` setting.
# This is the suffix that will be added to the displayname of new users.
# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix.
matrix_conduwuit_config_new_user_displayname_suffix: ""
# Controls the `allow_check_for_updates` setting.
matrix_conduwuit_config_allow_check_for_updates: false
# Controls the `emergency_password` setting.
matrix_conduwuit_config_emergency_password: ''
# Controls the `allow_federation` setting.
matrix_conduwuit_config_allow_federation: true
matrix_conduwuit_trusted_servers:
- "matrix.org"
matrix_conduwuit_config_log: "info,state_res=warn,rocket=off,_=off,sled=off"
# TURN integration.
# See: https://conduwuit.puppyirl.gay/turn.html
matrix_conduwuit_config_turn_uris: []
matrix_conduwuit_config_turn_secret: ''
matrix_conduwuit_config_turn_username: ''
matrix_conduwuit_config_turn_password: ''
# Controls whether the self-check feature should validate SSL certificates.
matrix_conduwuit_self_check_validate_certificates: true
# Additional environment variables to pass to the container.
#
# Environment variables take priority over settings in the configuration file.
#
# Example:
# matrix_conduwuit_environment_variables_extension: |
# CONDUWUIT_MAX_REQUEST_SIZE=50000000
# CONDUWUIT_REQUEST_TIMEOUT=60
matrix_conduwuit_environment_variables_extension: ''

64
roles/custom/matrix-conduwuit/tasks/install.yml
View File

@@ -1,64 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure conduwuit config path exists
ansible.builtin.file:
path: "{{ matrix_conduwuit_config_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit data path exists
ansible.builtin.file:
path: "{{ matrix_conduwuit_data_path }}"
state: directory
mode: 0770
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit configuration installed
ansible.builtin.template:
src: "{{ matrix_conduwuit_template_conduwuit_config }}"
dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
mode: 0640
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- labels
- env
- name: Ensure conduwuit container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_conduwuit_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure conduwuit container image is pulled
community.docker.docker_image:
name: "{{ matrix_conduwuit_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure matrix-conduwuit.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
mode: 0644

34
roles/custom/matrix-conduwuit/tasks/main.yml
View File

@@ -1,34 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-conduwuit
- install-all
- install-conduwuit
block:
- when: matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
- tags:
- setup-all
- setup-conduwuit
block:
- when: not matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
- tags:
- self-check
block:
- when: matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
- when: matrix_conduwuit_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"

28
roles/custom/matrix-conduwuit/tasks/self_check_client_api.yml
View File

@@ -1,28 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check Matrix Client API
ansible.builtin.uri:
url: "{{ matrix_conduwuit_client_api_url_endpoint_public }}"
follow_redirects: none
validate_certs: "{{ matrix_conduwuit_self_check_validate_certificates }}"
register: result_matrix_conduwuit_client_api
ignore_errors: true
check_mode: false
when: matrix_conduwuit_enabled | bool
delegate_to: 127.0.0.1
become: false
- name: Fail if Matrix Client API not working
ansible.builtin.fail:
msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`). Is conduwuit running? Is port 443 open in your firewall? Full error: {{ result_matrix_conduwuit_client_api }}"
when: "matrix_conduwuit_enabled | bool and (result_matrix_conduwuit_client_api.failed or 'json' not in result_matrix_conduwuit_client_api)"
- name: Report working Matrix Client API
ansible.builtin.debug:
msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_conduwuit_client_api_url_endpoint_public }}`) is working"
when: matrix_conduwuit_enabled | bool

32
roles/custom/matrix-conduwuit/tasks/self_check_federation_api.yml
View File

@@ -1,32 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check Matrix Federation API
ansible.builtin.uri:
url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
follow_redirects: none
validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
register: result_matrix_synapse_federation_api
ignore_errors: true
check_mode: false
when: matrix_synapse_enabled | bool
delegate_to: 127.0.0.1
become: false
- name: Fail if Matrix Federation API not working
ansible.builtin.fail:
msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)"
- name: Fail if Matrix Federation API unexpectedly enabled
ansible.builtin.fail:
msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled."
when: "matrix_synapse_enabled | bool and not matrix_synapse_federation_enabled | bool and not result_matrix_synapse_federation_api.failed"
- name: Report working Matrix Federation API
ansible.builtin.debug:
msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"
when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool"

63
roles/custom/matrix-conduwuit/tasks/setup_install.yml
View File

@@ -1,63 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure conduwuit config path exists
ansible.builtin.file:
path: "{{ matrix_conduwuit_config_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit data path exists
ansible.builtin.file:
path: "{{ matrix_conduwuit_data_path }}"
state: directory
mode: 0770
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit configuration installed
ansible.builtin.template:
src: "{{ matrix_conduwuit_template_conduwuit_config }}"
dest: "{{ matrix_conduwuit_config_path }}/conduwuit.toml"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure conduwuit support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_conduwuit_base_path }}/{{ item }}"
mode: 0640
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- labels
- name: Ensure conduwuit container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_conduwuit_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure conduwuit container image is pulled
community.docker.docker_image:
name: "{{ matrix_conduwuit_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_conduwuit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduwuit_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure matrix-conduwuit.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-conduwuit.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
mode: 0644

23
roles/custom/matrix-conduwuit/tasks/setup_uninstall.yml
View File

@@ -1,23 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-conduwuit service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
register: matrix_conduwuit_service_stat
- when: matrix_conduwuit_service_stat.stat.exists | bool
block:
- name: Ensure matrix-conduwuit is stopped
ansible.builtin.systemd:
name: matrix-conduwuit
state: stopped
daemon_reload: true
- name: Ensure matrix-conduwuit.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
state: absent

23
roles/custom/matrix-conduwuit/tasks/uninstall.yml
View File

@@ -1,23 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-conduwuit service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
register: matrix_conduwuit_service_stat
- when: matrix_conduwuit_service_stat.stat.exists | bool
block:
- name: Ensure matrix-conduwuit is stopped
ansible.builtin.systemd:
name: matrix-conduwuit
state: stopped
daemon_reload: true
- name: Ensure matrix-conduwuit.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduwuit.service"
state: absent

15
roles/custom/matrix-conduwuit/tasks/validate_config.yml
View File

@@ -1,15 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if required conduwuit settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_conduwuit_hostname', when: true}
- {'name': 'matrix_conduwuit_container_network', when: true}
- {'name': 'matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_conduwuit_container_labels_internal_client_api_enabled }}"}

1546
roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2
View File

File diff suppressed because it is too large Load Diff

1
roles/custom/matrix-conduwuit/templates/env.j2
View File

@@ -1 +0,0 @@
{{ matrix_conduwuit_environment_variables_extension }}

3
roles/custom/matrix-conduwuit/templates/env.j2.license
View File

@@ -1,3 +0,0 @@
SPDX-FileCopyrightText: 2025 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later

173
roles/custom/matrix-conduwuit/templates/labels.j2
View File

@@ -1,173 +0,0 @@
{#
SPDX-FileCopyrightText: 2025 MDAD project contributors
SPDX-FileCopyrightText: 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_conduwuit_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_conduwuit_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_conduwuit_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-conduwuit.loadbalancer.server.port={{ matrix_conduwuit_config_port_number }}
{% if matrix_conduwuit_container_labels_public_client_root_enabled %}
############################################################
# #
# Public Root path (/) #
# #
############################################################
{% set client_root_middlewares = [] %}
{% if matrix_conduwuit_container_labels_public_client_root_redirection_enabled %}
{% set client_root_middlewares = client_root_middlewares + ['matrix-conduwuit-client-root-redirect'] %}
traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.regex=(.*)
traefik.http.middlewares.matrix-conduwuit-client-root-redirect.redirectregex.replacement={{ matrix_conduwuit_container_labels_public_client_root_redirection_url }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-client-root.rule={{ matrix_conduwuit_container_labels_public_client_root_traefik_rule }}
traefik.http.routers.matrix-conduwuit-public-client-root.middlewares={{ client_root_middlewares | join(',') }}
{% if matrix_conduwuit_container_labels_public_client_root_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-public-client-root.priority={{ matrix_conduwuit_container_labels_public_client_root_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-client-root.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-public-client-root.entrypoints={{ matrix_conduwuit_container_labels_public_client_root_traefik_entrypoints }}
traefik.http.routers.matrix-conduwuit-public-client-root.tls={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls | to_json }}
{% if matrix_conduwuit_container_labels_public_client_root_traefik_tls %}
traefik.http.routers.matrix-conduwuit-public-client-root.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_root_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Public Root path (/) #
# #
############################################################
{% endif %}
{% if matrix_conduwuit_container_labels_public_client_api_enabled %}
############################################################
# #
# Public Client-API (/_matrix) #
# #
############################################################
traefik.http.routers.matrix-conduwuit-public-client-api.rule={{ matrix_conduwuit_container_labels_public_client_api_traefik_rule }}
{% if matrix_conduwuit_container_labels_public_client_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-public-client-api.priority={{ matrix_conduwuit_container_labels_public_client_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-client-api.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-public-client-api.entrypoints={{ matrix_conduwuit_container_labels_public_client_api_traefik_entrypoints }}
traefik.http.routers.matrix-conduwuit-public-client-api.tls={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls | to_json }}
{% if matrix_conduwuit_container_labels_public_client_api_traefik_tls %}
traefik.http.routers.matrix-conduwuit-public-client-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_client_api_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Public Client-API (/_matrix) #
# #
############################################################
{% endif %}
{% if matrix_conduwuit_container_labels_internal_client_api_enabled %}
############################################################
# #
# Internal Client-API (/_matrix) #
# #
############################################################
traefik.http.routers.matrix-conduwuit-internal-client-api.rule={{ matrix_conduwuit_container_labels_internal_client_api_traefik_rule }}
{% if matrix_conduwuit_container_labels_internal_client_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-internal-client-api.priority={{ matrix_conduwuit_container_labels_internal_client_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-internal-client-api.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-internal-client-api.entrypoints={{ matrix_conduwuit_container_labels_internal_client_api_traefik_entrypoints }}
############################################################
# #
# /Internal Client-API (/_matrix) #
# #
############################################################
{% endif %}
{% if matrix_conduwuit_container_labels_public_federation_api_enabled %}
############################################################
# #
# Public Federation-API (/_matrix) #
# #
############################################################
traefik.http.routers.matrix-conduwuit-public-federation-api.rule={{ matrix_conduwuit_container_labels_public_federation_api_traefik_rule }}
{% if matrix_conduwuit_container_labels_public_federation_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-public-federation-api.priority={{ matrix_conduwuit_container_labels_public_federation_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-federation-api.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-public-federation-api.entrypoints={{ matrix_conduwuit_container_labels_public_federation_api_traefik_entrypoints }}
traefik.http.routers.matrix-conduwuit-public-federation-api.tls={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls | to_json }}
{% if matrix_conduwuit_container_labels_public_federation_api_traefik_tls %}
traefik.http.routers.matrix-conduwuit-public-federation-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_federation_api_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Public Federation-API (/_matrix) #
# #
############################################################
{% endif %}
{% if matrix_conduwuit_container_labels_public_conduwuit_api_enabled %}
############################################################
# #
# Public conduwuit-API (/_conduwuit) #
# #
############################################################
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.rule={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_rule }}
{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.priority={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.service=matrix-conduwuit
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.entrypoints={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_entrypoints }}
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls | to_json }}
{% if matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls %}
traefik.http.routers.matrix-conduwuit-public-conduwuit-api.tls.certResolver={{ matrix_conduwuit_container_labels_public_conduwuit_api_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Public conduwuit-API (/_conduwuit) #
# #
############################################################
{% endif %}
{% endif %}
{{ matrix_conduwuit_container_labels_additional_labels }}

51
roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2
View File

@@ -1,51 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=conduwuit Matrix homeserver
{% for service in matrix_conduwuit_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-conduwuit \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduwuit_tmp_directory_size_mb }}m \
--network={{ matrix_conduwuit_container_network }} \
--env CONDUWUIT_CONFIG=/etc/conduwuit/conduwuit.toml \
--label-file={{ matrix_conduwuit_base_path }}/labels \
--mount type=bind,src={{ matrix_conduwuit_data_path }},dst=/var/lib/conduwuit \
--mount type=bind,src={{ matrix_conduwuit_config_path }},dst=/etc/conduwuit,ro \
{% for arg in matrix_conduwuit_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_conduwuit_docker_image }}
{% for network in matrix_conduwuit_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduwuit
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduwuit
{% if matrix_conduwuit_systemd_service_post_start_delay_seconds != 0 %}
ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_conduwuit_systemd_service_post_start_delay_seconds }}
{% endif %}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-conduwuit 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduwuit 2>/dev/null || true'
ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduwuit /bin/sh -c 'kill -HUP 1'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-conduwuit
[Install]
WantedBy=multi-user.target

4
roles/custom/matrix-conduwuit/templates/systemd/matrix-conduwuit.service.j2.license
View File

@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2025 MDAD project contributors
SPDX-FileCopyrightText: 2025 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later

9
roles/custom/matrix-conduwuit/vars/main.yml
View File

@@ -1,9 +0,0 @@
# SPDX-FileCopyrightText: 2025 MDAD project contributors
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
matrix_conduwuit_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}/_matrix/client/versions"
matrix_conduwuit_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_conduwuit_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

4
roles/custom/matrix-continuwuity/tasks/migrate_from_conduwuit.yml
View File

@@ -13,7 +13,7 @@
- name: Check existence of conduwuit directory
ansible.builtin.stat:
path: "{{ matrix_base_data_path }}/conduwuit"
register: matrix_conduwuit_directory_stat
register: matrix_removed_conduwuit_directory_stat
- name: Check existence of continuwuity directory
ansible.builtin.stat:
@@ -21,7 +21,7 @@
register: matrix_continuwuity_directory_stat
- when: >
matrix_conduwuit_directory_stat.stat.exists | bool and
matrix_removed_conduwuit_directory_stat.stat.exists | bool and
matrix_continuwuity_directory_stat.stat.exists | bool
block:
- name: Ensure matrix-continuwuity.service systemd service is stopped

237
roles/custom/matrix-coturn/defaults/main.yml
View File

@@ -1,237 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Stuart Mumford
# SPDX-FileCopyrightText: 2019 Sylvia van Os
# SPDX-FileCopyrightText: 2020 - 2021 Dan Arnfield
# SPDX-FileCopyrightText: 2020 Horvath Gergely
# SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Hefty Zauk
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Project source code URL: https://github.com/coturn/coturn
matrix_coturn_enabled: true
matrix_coturn_hostname: ""
matrix_coturn_container_image_self_build: false
matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
# renovate: datasource=docker depName=coturn/coturn versioning=loose
matrix_coturn_version: 4.8.0
matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"
matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"
matrix_coturn_docker_image_registry_prefix_upstream_default: docker.io/
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
# The Docker network that coturn would be put into.
#
# Because coturn relays traffic to unvalidated IP addresses,
# using a dedicated network, isolated from other Docker (and local) services is preferable.
#
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
#
# Setting `matrix_coturn_container_network` to 'host' will run the container with host networking,
# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
# Running with host networking can be dangerous, as it potentially exposes your local network and its services to coturn peers.
# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
# which hopefully prevents access to such private network ranges.
# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
matrix_coturn_container_network: "matrix-coturn"
matrix_coturn_container_additional_networks: "{{ matrix_coturn_container_additional_networks_auto + matrix_coturn_container_additional_networks_custom }}"
matrix_coturn_container_additional_networks_auto: []
matrix_coturn_container_additional_networks_custom: []
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
# List of systemd services that matrix-coturn.service depends on
matrix_coturn_systemd_required_services_list: "{{ matrix_coturn_systemd_required_services_list_default + matrix_coturn_systemd_required_services_list_auto + matrix_coturn_systemd_required_services_list_custom }}"
matrix_coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_coturn_systemd_required_services_list_auto: []
matrix_coturn_systemd_required_services_list_custom: []
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically at runtime. You can provide a different default value,
# if you wish to mount your own files into the container.
# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
# See the `--mount` documentation for the `docker run` command.
matrix_coturn_container_additional_volumes: []
# A list of extra arguments to pass to the container
matrix_coturn_container_extra_arguments: []
# Controls whether the coturn container exposes its plain STUN port (tcp/3478 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its plain STUN port (udp/3478 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
#
# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.
# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.
matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
matrix_coturn_container_stun_tls_host_bind_port_tcp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TLS STUN port (udp/5349 in the container) over UDP.
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
#
# This is enabled by default, unlike `matrix_coturn_container_stun_plain_host_bind_port_udp`,
# because the risk of DDoS amplification attacks is lower for TLS
# due to the handshake requiring two-way authentication and being generally more expensive.
matrix_coturn_container_stun_tls_host_bind_port_udp: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
# Controls whether the coturn container exposes its TURN UDP port range and which interface to do it on.
#
# Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
#
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_container_network != 'host' else 'none' }}"
# UDP port-range to use for TURN
matrix_coturn_turn_udp_min_port: 49152
matrix_coturn_turn_udp_max_port: 49172
# Controls the `realm` configuration option
matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}"
# Controls which authentication method to enable.
#
# lt-cred-mech likely provides better compatibility,
# as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3191
# but those claims are unverified.
#
# For now, we still default to `auth-secret` like we've always done.
#
# Known values: auth-secret, lt-cred-mech
matrix_coturn_authentication_method: auth-secret
# A shared secret used for authentication when `matrix_coturn_authentication_method` is `auth-secret`.
# You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`.
matrix_coturn_turn_static_auth_secret: ""
# A username used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_username: ""
# A password used authentication when `matrix_coturn_authentication_method` is `lt-cred-mech`.
matrix_coturn_lt_cred_mech_password: ""
# The external IP address of the machine where coturn is.
# If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
# See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
matrix_coturn_turn_external_ip_address: ""
matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"
# Controls whether external IP address auto-detection should be attempted.
# We try to do this if there is no external IP address explicitly configured and if an EchoIP service URL is specified.
# See matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url
matrix_coturn_turn_external_ip_address_auto_detection_enabled: "{{ matrix_coturn_turn_external_ip_addresses | length == 0 and matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url != '' }}"
# Specifies the address of the EchoIP service (https://github.com/mpolden/echoip) to use for detecting the external IP address.
# By default, we use the official public instance.
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url: https://ifconfig.co/json
# Controls whether SSL certificates will be validated when contacting the EchoIP service (matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url)
matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs: true
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count: "{{ devture_playbook_help_geturl_retries_count }}"
matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay: "{{ devture_playbook_help_geturl_retries_delay }}"
matrix_coturn_allowed_peer_ips: []
# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
# This is especially important when coturn does not run within a container network (e.g. `matrix_coturn_container_network: host`).
#
# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
#
# If you're running coturn for local network peers, you may wish to override these rules.
matrix_coturn_denied_peer_ips:
- 0.0.0.0-0.255.255.255
- 10.0.0.0-10.255.255.255
- 100.64.0.0-100.127.255.255
- 127.0.0.0-127.255.255.255
- 169.254.0.0-169.254.255.255
- 172.16.0.0-172.31.255.255
- 192.0.0.0-192.0.0.255
- 192.0.2.0-192.0.2.255
- 192.88.99.0-192.88.99.255
- 192.168.0.0-192.168.255.255
- 198.18.0.0-198.19.255.255
- 198.51.100.0-198.51.100.255
- 203.0.113.0-203.0.113.255
- 240.0.0.0-255.255.255.255
- ::1
- 64:ff9b::-64:ff9b::ffff:ffff
- ::ffff:0.0.0.0-::ffff:255.255.255.255
- 100::-100::ffff:ffff:ffff:ffff
- 2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
- 2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
matrix_coturn_user_quota: null
matrix_coturn_total_quota: null
# Controls whether `no-tcp-relay` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L419-L422
matrix_coturn_no_tcp_relay_enabled: true
# Controls whether `no-multicast-peers` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L629-L632
matrix_coturn_no_multicast_peers_enabled: true
# Controls whether `no-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L770-L781
matrix_coturn_no_rfc5780_enabled: true
# Controls whether `no-stun-backward-compatibility` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L783-L789
matrix_coturn_no_stun_backward_compatibility_enabled: true
# Controls whether `response-origin-only-with-rfc5780` is added to the configuration
# Learn more here: https://github.com/coturn/coturn/blob/242eb78227f66442ba1573c00ec4552faae23eed/examples/etc/turnserver.conf#L791-L796
matrix_coturn_response_origin_only_with_rfc5780_enabled: true
# Additional configuration to be passed to turnserver.conf
# Example:
# matrix_coturn_additional_configuration: |
# simple-log
# aux-server=1.2.3.4
# relay-ip=4.3.2.1
matrix_coturn_additional_configuration: ""
# To enable TLS, you need to provide paths to certificates.
# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`.
matrix_coturn_tls_enabled: false
matrix_coturn_tls_cert_path: ~
matrix_coturn_tls_key_path: ~
matrix_coturn_tls_v1_enabled: false
matrix_coturn_tls_v1_1_enabled: false
# systemd calendar configuration for the reload job
# the actual job may run with a delay (see matrix_coturn_reload_schedule_randomized_delay_sec)
matrix_coturn_reload_schedule: "*-*-* 06:30:00"
# the delay with which the systemd timer may run in relation to the `matrix_coturn_reload_schedule` schedule
matrix_coturn_reload_schedule_randomized_delay_sec: 1h

26
roles/custom/matrix-coturn/tasks/main.yml
View File

@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-coturn
- install-all
- install-coturn
block:
- when: matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-coturn
block:
- when: not matrix_coturn_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

146
roles/custom/matrix-coturn/tasks/setup_install.yml
View File

@@ -1,146 +0,0 @@
# SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 - 2020 MDAD project contributors
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2020 Béla Becker
# SPDX-FileCopyrightText: 2020 Chris van Dijk
# SPDX-FileCopyrightText: 2020 Horvath Gergely
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- when: matrix_coturn_turn_external_ip_address_auto_detection_enabled | bool
block:
- name: Fail if enabled, but EchoIP service URL unset
when: matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url == ''
ansible.builtin.fail:
msg: "To use the external IP address auto-detection feature, you need to set matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url"
# Note:
# `ansible.builtin.uri` does not provide a way to configure whether IPv4 or IPv6 is used.
# Luckily, the default instance we use does not define AAAA records for now, so it's always IPv4.
- name: Fetch IP address information from EchoIP service
ansible.builtin.uri:
url: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}"
headers:
Content-Type: application/json
follow_redirects: none
validate_certs: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_validate_certs }}"
register: result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response
ignore_errors: true
check_mode: false
retries: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_count }}"
delay: "{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_delay }}"
until: not result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed
- name: Fail if EchoIP service failed
when: "(result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.failed or 'json' not in result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response)"
ansible.builtin.fail:
msg: "Failed contacting EchoIP service API at `{{ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url }}` (controlled by `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url`). Full error: {{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response }}"
- ansible.builtin.set_fact:
matrix_coturn_turn_external_ip_address: "{{ result_matrix_coturn_turn_external_ip_address_auto_detection_echoip_response.json.ip }}"
- name: Ensure Matrix coturn path exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
when: "item.when | bool"
- name: Ensure coturn image is pulled
community.docker.docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
when: "not matrix_coturn_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: "matrix_coturn_container_image_self_build | bool"
block:
- name: Ensure coturn repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_coturn_container_image_self_build_repo }}"
dest: "{{ matrix_coturn_docker_src_files_path }}"
version: "{{ matrix_coturn_container_image_self_build_repo_version }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_coturn_git_pull_results
- name: Ensure coturn Docker image is built
community.docker.docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: build
force_source: "{{ matrix_coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_git_pull_results.changed }}"
build:
dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}"
path: "{{ matrix_coturn_docker_src_files_path }}"
pull: true
- name: Ensure coturn configuration path exists
ansible.builtin.file:
path: "{{ matrix_coturn_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure turnserver.conf installed
ansible.builtin.template:
src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure coturn network is created in Docker
when: matrix_coturn_container_network not in ['', 'host']
community.docker.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_coturn_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-coturn.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
mode: 0644
# This may be unnecessary when more long-lived certificates are used.
# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure reloading systemd units installed, if necessary
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
mode: 0644
when: "matrix_coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
# A similar task exists in `setup_uninstall.yml`
- name: Ensure reloading systemd units uninstalled, if unnecessary
ansible.builtin.file:
path: "{{ item }}"
state: absent
when: "not matrix_coturn_tls_enabled | bool"
with_items:
- matrix-coturn-reload.service
- matrix-coturn-reload.timer

43
roles/custom/matrix-coturn/tasks/setup_uninstall.yml
View File

@@ -1,43 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-coturn service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
register: matrix_coturn_service_stat
when: "not matrix_coturn_enabled | bool"
- when: matrix_coturn_service_stat.stat.exists | bool
block:
- name: Ensure matrix-coturn is stopped
ansible.builtin.service:
name: matrix-coturn
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-coturn-reload.timer is stopped
ansible.builtin.service:
name: matrix-coturn
state: stopped
enabled: false
daemon_reload: true
failed_when: false
- name: Ensure systemd units don't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
state: absent
with_items:
- matrix-coturn.service
- matrix-coturn-reload.service
- matrix-coturn-reload.timer
- name: Ensure Matrix coturn paths don't exist
ansible.builtin.file:
path: "{{ matrix_coturn_base_path }}"
state: absent

35
roles/custom/matrix-coturn/tasks/validate_config.yml
View File

@@ -1,35 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: (Deprecation) Catch and report renamed coturn settings
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_coturn_docker_network', 'new': 'matrix_coturn_container_network'}
- {'old': 'matrix_coturn_container_stun_plain_host_bind_port', 'new': 'superseded by matrix_coturn_container_stun_plain_host_bind_port_tcp and matrix_coturn_container_stun_plain_host_bind_port_udp'}
- {'old': 'matrix_coturn_container_stun_tls_host_bind_port', 'new': 'superseded by matrix_coturn_container_stun_tls_host_bind_port_tcp and matrix_coturn_container_stun_tls_host_bind_port_udp'}
- {'old': 'matrix_coturn_container_image_name_prefix', 'new': 'matrix_coturn_docker_image_registry_prefix'}
- name: Fail if matrix_coturn_authentication_method is invalid
ansible.builtin.fail:
msg: >-
Invalid authentication method specified in `matrix_coturn_authentication_method`
when: "matrix_coturn_authentication_method not in ['auth-secret', 'lt-cred-mech']"
- name: Fail if required coturn settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_coturn_hostname', when: true}
- {'name': 'matrix_coturn_turn_static_auth_secret', when: "{{ matrix_coturn_authentication_method == 'auth-secret' }}"}
- {'name': 'matrix_coturn_lt_cred_mech_username', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
- {'name': 'matrix_coturn_lt_cred_mech_password', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}

12
roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
View File

@@ -1,12 +0,0 @@
{#
SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
[Unit]
Description=Reloads matrix-coturn so that new SSL certificates can kick in
[Service]
Type=oneshot
ExecStart={{ devture_systemd_docker_base_host_command_systemctl }} reload matrix-coturn.service

18
roles/custom/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
View File

@@ -1,18 +0,0 @@
{#
SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
SPDX-FileCopyrightText: 2021 Hardy Erlinger
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
#}
[Unit]
Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in
[Timer]
Unit=matrix-coturn-reload.service
OnCalendar={{ matrix_coturn_reload_schedule }}
RandomizedDelaySec={{ matrix_coturn_reload_schedule_randomized_delay_sec }}
[Install]
WantedBy=timers.target

70
roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
View File

@@ -1,70 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix coturn server
{% for service in matrix_coturn_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-coturn \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--entrypoint=turnserver \
--read-only \
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
--network={{ matrix_coturn_container_network }} \
{% if matrix_coturn_container_stun_plain_host_bind_port_tcp != '' %}
-p {{ matrix_coturn_container_stun_plain_host_bind_port_tcp }}:3478 \
{% endif %}
{% if matrix_coturn_container_stun_plain_host_bind_port_udp != '' %}
-p {{ matrix_coturn_container_stun_plain_host_bind_port_udp }}:3478/udp \
{% endif %}
{% if matrix_coturn_container_stun_tls_host_bind_port_tcp != '' %}
-p {{ matrix_coturn_container_stun_tls_host_bind_port_tcp }}:5349 \
{% endif %}
{% if matrix_coturn_container_stun_tls_host_bind_port_udp != '' %}
-p {{ matrix_coturn_container_stun_tls_host_bind_port_udp }}:5349/udp \
{% endif %}
{% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
-p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
{% endif %}
--mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \
{% for volume in matrix_coturn_container_additional_volumes %}
--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
{% endfor %}
{% for arg in matrix_coturn_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_coturn_docker_image }} \
-c /turnserver.conf
{% for network in matrix_coturn_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-coturn
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-coturn
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
# This only reloads certificates (not other configuration).
# See: https://github.com/coturn/coturn/pull/236
ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-coturn kill -USR2 1
Restart=always
RestartSec=30
SyslogIdentifier=matrix-coturn
[Install]
WantedBy=multi-user.target

8
roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2.license
View File

@@ -1,8 +0,0 @@
SPDX-FileCopyrightText: 2018 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
SPDX-FileCopyrightText: 2019 Sylvia van Os
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-FileCopyrightText: 2021 Dan Arnfield
SPDX-FileCopyrightText: 2024 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later

78
roles/custom/matrix-coturn/templates/turnserver.conf.j2
View File

@@ -1,78 +0,0 @@
#jinja2: lstrip_blocks: True
{% if matrix_coturn_authentication_method == 'auth-secret' %}
use-auth-secret
static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
userdb=/var/tmp/turnserver.db
{% endif %}
{% if matrix_coturn_authentication_method == 'lt-cred-mech' %}
lt-cred-mech
user={{ matrix_coturn_lt_cred_mech_username }}:{{ matrix_coturn_lt_cred_mech_password }}
{% endif %}
realm={{ matrix_coturn_realm }}
min-port={{ matrix_coturn_turn_udp_min_port }}
max-port={{ matrix_coturn_turn_udp_max_port }}
{% for ip in matrix_coturn_turn_external_ip_addresses %}
external-ip={{ ip }}
{% endfor %}
log-file=stdout
pidfile=/var/tmp/turnserver.pid
no-cli
{% if matrix_coturn_tls_enabled %}
cert={{ matrix_coturn_tls_cert_path }}
pkey={{ matrix_coturn_tls_key_path }}
{% if not matrix_coturn_tls_v1_enabled %}
no-tlsv1
{% endif %}
{% if not matrix_coturn_tls_v1_1_enabled %}
no-tlsv1_1
{% endif %}
{% else %}
no-tls
no-dtls
{% endif %}
prod
{% if matrix_coturn_no_tcp_relay_enabled %}
no-tcp-relay
{% endif %}
{% if matrix_coturn_no_rfc5780_enabled %}
no-rfc5780
{% endif %}
{% if matrix_coturn_no_stun_backward_compatibility_enabled %}
no-stun-backward-compatibility
{% endif %}
{% if matrix_coturn_response_origin_only_with_rfc5780_enabled %}
response-origin-only-with-rfc5780
{% endif %}
{% if matrix_coturn_user_quota != None %}
user-quota={{ matrix_coturn_user_quota }}
{% endif %}
{% if matrix_coturn_total_quota != None %}
total-quota={{ matrix_coturn_total_quota }}
{% endif %}
{% if matrix_coturn_no_multicast_peers_enabled %}
no-multicast-peers
{% endif %}
{% for ip_range in matrix_coturn_denied_peer_ips %}
denied-peer-ip={{ ip_range }}
{% endfor %}
{% for ip_range in matrix_coturn_allowed_peer_ips %}
allowed-peer-ip={{ ip_range }}
{% endfor %}
{{ matrix_coturn_additional_configuration }}

6
roles/custom/matrix-coturn/templates/turnserver.conf.j2.license
View File

@@ -1,6 +0,0 @@
SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
SPDX-FileCopyrightText: 2019 Stuart Mumford
SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
SPDX-License-Identifier: AGPL-3.0-or-later

21
roles/custom/matrix-coturn/vars/main.yml
View File

@@ -1,21 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
matrix_coturn_turn_uris: |-
{{
([
'turns:' + matrix_coturn_hostname + '?transport=udp',
'turns:' + matrix_coturn_hostname + '?transport=tcp',
] if matrix_coturn_tls_enabled else [])
+
([
'turn:' + matrix_coturn_hostname + '?transport=udp',
] if (matrix_coturn_container_stun_plain_host_bind_port_udp != '' or matrix_coturn_container_network == 'host') else [])
+
([
'turn:' + matrix_coturn_hostname + '?transport=tcp',
] if (matrix_coturn_container_stun_plain_host_bind_port_tcp != '' or matrix_coturn_container_network == 'host') else [])
}}

238
roles/custom/matrix-dimension/defaults/main.yml
View File

@@ -1,238 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2021 MDAD project contributors
# SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2019 Edgars Voroboks
# SPDX-FileCopyrightText: 2019 Sylvia van Os
# SPDX-FileCopyrightText: 2020 Chris van Dijk
# SPDX-FileCopyrightText: 2021 Aaron Raimist
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2024 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Project source code URL: https://github.com/turt2live/matrix-dimension
matrix_dimension_enabled: false
matrix_dimension_scheme: https
# The hostname at which Dimension is served.
matrix_dimension_hostname: ''
# The path at which Dimension is exposed.
# This value must either be `/` or not end with a slash (e.g. `/dimension`).
matrix_dimension_path_prefix: /
# You are required to specify an access token for Dimension to work.
# For information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens
matrix_dimension_access_token: ""
# Users in form: ['@alice:example.com', '@bob:example.com']
matrix_dimension_admins: []
# Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates
matrix_dimension_widgets_allow_self_signed_ssl_certificates: false
matrix_dimension_container_image_self_build: false
matrix_dimension_container_image_self_build_repo: "https://github.com/turt2live/matrix-dimension.git"
matrix_dimension_container_image_self_build_branch: master
matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension"
matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension"
# renovate: datasource=docker depName=turt2live/matrix-dimension
matrix_dimension_version: latest
matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}"
matrix_dimension_docker_image_registry_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_dimension_docker_image_registry_prefix_upstream }}"
matrix_dimension_docker_image_registry_prefix_upstream: "{{ matrix_dimension_docker_image_registry_prefix_upstream_default }}"
matrix_dimension_docker_image_registry_prefix_upstream_default: docker.io/
matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}"
# List of systemd services that matrix-dimension.service depends on.
matrix_dimension_systemd_required_services_list: "{{ matrix_dimension_systemd_required_services_list_default + matrix_dimension_systemd_required_services_list_auto + matrix_dimension_systemd_required_services_list_custom }}"
matrix_dimension_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_dimension_systemd_required_services_list_auto: []
matrix_dimension_systemd_required_services_list_custom: []
# List of systemd services that matrix-dimension.service wants
matrix_dimension_systemd_wanted_services_list: []
# The user and group ID correspond to the node user in the `turt2live/matrix-dimension` image.
matrix_dimension_user_uid: '1000'
matrix_dimension_user_gid: '1000'
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_dimension_container_network: matrix-dimension
# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to another reverse proxy, which runs in a different container network.
matrix_dimension_container_additional_networks: []
# Controls whether the matrix-dimension container exposes its HTTP port (tcp/8184 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8184"), or empty string to not expose.
matrix_dimension_container_http_host_bind_port: ''
# matrix_dimension_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_dimension_container_labels_additional_labels`.
matrix_dimension_container_labels_traefik_enabled: true
matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_dimension_container_network }}"
matrix_dimension_container_labels_traefik_hostname: "{{ matrix_dimension_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/dimension`).
matrix_dimension_container_labels_traefik_path_prefix: "{{ matrix_dimension_path_prefix }}"
matrix_dimension_container_labels_traefik_rule: "Host(`{{ matrix_dimension_container_labels_traefik_hostname }}`){% if matrix_dimension_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_dimension_container_labels_traefik_path_prefix }}`){% endif %}"
matrix_dimension_container_labels_traefik_priority: 0
matrix_dimension_container_labels_traefik_entrypoints: web-secure
matrix_dimension_container_labels_traefik_tls: "{{ matrix_dimension_container_labels_traefik_entrypoints != 'web' }}"
matrix_dimension_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `matrix_dimension_container_labels_traefik_additional_response_headers_custom`
matrix_dimension_container_labels_traefik_additional_response_headers: "{{ matrix_dimension_container_labels_traefik_additional_response_headers_auto | combine(matrix_dimension_container_labels_traefik_additional_response_headers_custom) }}"
matrix_dimension_container_labels_traefik_additional_response_headers_auto: |
{{
{}
| combine ({'X-XSS-Protection': matrix_dimension_http_header_xss_protection} if matrix_dimension_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_dimension_http_header_frame_options} if matrix_dimension_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_dimension_http_header_content_type_options} if matrix_dimension_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_dimension_http_header_content_security_policy} if matrix_dimension_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_dimension_http_header_content_permission_policy} if matrix_dimension_http_header_content_permission_policy else {})
| combine ({'Strict-Transport-Security': matrix_dimension_http_header_strict_transport_security} if matrix_dimension_http_header_strict_transport_security and matrix_dimension_container_labels_traefik_tls else {})
}}
matrix_dimension_container_labels_traefik_additional_response_headers_custom: {}
# matrix_dimension_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_dimension_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_dimension_container_labels_additional_labels: ''
# A list of extra arguments to pass to the container
matrix_dimension_container_extra_arguments: []
# Public facing base URL of the Dimension service.
# It should not end with a slash.
matrix_dimension_base_url: "{{ matrix_dimension_scheme }}://{{ matrix_dimension_hostname }}{{ '' if matrix_dimension_path_prefix == '/' else matrix_dimension_path_prefix }}"
matrix_dimension_integrations_ui_url: "{{ matrix_dimension_base_url }}/element"
matrix_dimension_integrations_rest_url: "{{ matrix_dimension_base_url }}/api/v1/scalar"
matrix_dimension_integrations_widgets_urls: ["{{ matrix_dimension_base_url }}/widgets"]
matrix_dimension_integrations_jitsi_widget_url: "{{ matrix_dimension_base_url }}/widgets/jitsi"
matrix_dimension_homeserver_clientServerUrl: '' # noqa var-naming
matrix_dimension_homeserver_federationUrl: '' # noqa var-naming
matrix_dimension_homeserver_mediaUrl: '' # noqa var-naming
# Controls the dimension.publicUrl configuration option
matrix_dimension_dimension_publicUrl: "{{ matrix_dimension_base_url }}" # noqa var-naming
# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_dimension_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_dimension_http_header_frame_options: ''
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_dimension_http_header_content_type_options: nosniff
# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
matrix_dimension_http_header_content_security_policy: ''
# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
matrix_dimension_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_dimension_floc_optout_enabled else '' }}"
# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
matrix_dimension_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_dimension_hsts_preload_enabled else '' }}"
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `matrix_dimension_content_permission_policy`
matrix_dimension_floc_optout_enabled: true
# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `matrix_dimension_http_header_strict_transport_security`
matrix_dimension_hsts_preload_enabled: false
# Database-related configuration fields.
#
# To use SQLite, stick to these defaults.
#
# To use Postgres:
# - change the engine (`matrix_dimension_database_engine: 'postgres'`)
# - adjust your database credentials via the `matrix_dimension_database_*` variables
matrix_dimension_database_engine: 'sqlite'
matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db"
matrix_dimension_sqlite_database_path_in_container: "dimension.db"
matrix_dimension_database_username: 'matrix_dimension'
matrix_dimension_database_password: 'some-password'
matrix_dimension_database_hostname: ''
matrix_dimension_database_port: 5432
matrix_dimension_database_name: 'matrix_dimension'
matrix_dimension_database_connection_string: 'postgres://{{ matrix_dimension_database_username }}:{{ matrix_dimension_database_password }}@{{ matrix_dimension_database_hostname }}:{{ matrix_dimension_database_port }}/{{ matrix_dimension_database_name }}'
# Default Dimension configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_dimension_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
matrix_dimension_configuration_extension_yaml: |
# Your custom YAML configuration for Dimension goes here.
# This configuration extends the default starting configuration (`matrix_dimension_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_dimension_configuration_yaml`.
#
# Example configuration extension follows:
# telegram:
# botToken: "YourTokenHere"
#
matrix_dimension_configuration_extension: "{{ matrix_dimension_configuration_extension_yaml | from_yaml if matrix_dimension_configuration_extension_yaml | from_yaml is mapping else {} }}"
# Holds the final Dimension configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_dimension_configuration_yaml`.
matrix_dimension_configuration: "{{ matrix_dimension_configuration_yaml | from_yaml | combine(matrix_dimension_configuration_extension, recursive=True) }}"

27
roles/custom/matrix-dimension/tasks/main.yml
View File

@@ -1,27 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2019 Edgars Voroboks
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-dimension
- install-all
- install-dimension
block:
- when: matrix_dimension_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_dimension_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-dimension
block:
- when: not matrix_dimension_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"

162
roles/custom/matrix-dimension/tasks/setup_install.yml
View File

@@ -1,162 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Stuart Mumford
# SPDX-FileCopyrightText: 2021 MDAD project contributors
# SPDX-FileCopyrightText: 2021 Yannick Goossens
# SPDX-FileCopyrightText: 2022 Jim Myhrberg
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 David Mehren
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- ansible.builtin.set_fact:
matrix_dimension_requires_restart: false
- when: "matrix_dimension_database_engine == 'postgres'"
block:
- name: Check if an SQLite database already exists
ansible.builtin.stat:
path: "{{ matrix_dimension_sqlite_database_path_local }}"
register: matrix_dimension_sqlite_database_path_local_stat_result
- when: "matrix_dimension_sqlite_database_path_local_stat_result.stat.exists | bool"
block:
# pgloader makes a few columns `smallint`, instead of `boolean`.
# We need to fix them up.
- ansible.builtin.set_fact:
matrix_dimension_pgloader_additional_psql_statements_list: []
- ansible.builtin.set_fact:
matrix_dimension_pgloader_additional_psql_statements_list: |
{{
matrix_dimension_pgloader_additional_psql_statements_list
+
([] if item.default == '' else ['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" DROP default;'])
+
(['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" TYPE BOOLEAN USING("' + item.column + '"::text::boolean);'])
+
([] if item.default == '' else ['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" SET default ' + item.default + ';'])
}}
with_items:
- {'table': 'dimension_widgets', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_widgets', 'column': 'isPublic', 'default': ''}
- {'table': 'dimension_webhook_bridges', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_user_sticker_packs', 'column': 'isSelected', 'default': ''}
- {'table': 'dimension_scalar_tokens', 'column': 'isDimensionToken', 'default': ''}
- {'table': 'dimension_users', 'column': 'isSelfBot', 'default': 'false'}
- {'table': 'dimension_telegram_bridges', 'column': 'allowTgPuppets', 'default': ''}
- {'table': 'dimension_telegram_bridges', 'column': 'allowMxPuppets', 'default': ''}
- {'table': 'dimension_telegram_bridges', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_sticker_packs', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_sticker_packs', 'column': 'isPublic', 'default': ''}
- {'table': 'dimension_slack_bridges', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_neb_integrations', 'column': 'isPublic', 'default': ''}
- {'table': 'dimension_neb_integrations', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_irc_bridges', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_irc_bridge_networks', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_gitter_bridges', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_custom_simple_bots', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_custom_simple_bots', 'column': 'isPublic', 'default': ''}
- {'table': 'dimension_bridges', 'column': 'isEnabled', 'default': ''}
- {'table': 'dimension_bridges', 'column': 'isPublic', 'default': ''}
- ansible.builtin.include_role:
name: galaxy/postgres
tasks_from: migrate_db_to_postgres
vars:
postgres_db_migration_request:
src: "{{ matrix_dimension_sqlite_database_path_local }}"
dst: "{{ matrix_dimension_database_connection_string }}"
caller: "{{ role_path | basename }}"
engine_variable_name: 'matrix_dimension_database_engine'
engine_old: 'sqlite'
systemd_services_to_stop: ['matrix-dimension.service']
pgloader_options: ['--with "quote identifiers"']
additional_psql_statements_list: "{{ matrix_dimension_pgloader_additional_psql_statements_list }}"
additional_psql_statements_db_name: "{{ matrix_dimension_database_name }}"
- ansible.builtin.set_fact:
matrix_dimension_requires_restart: true
- name: Ensure Dimension base path exists
ansible.builtin.file:
path: "{{ matrix_dimension_base_path }}"
state: directory
mode: 0770
owner: "{{ matrix_user_name }}"
group: "{{ matrix_dimension_user_gid }}"
- name: Ensure Dimension config installed
ansible.builtin.copy:
content: "{{ matrix_dimension_configuration | to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_dimension_base_path }}/config.yaml"
mode: 0640
owner: "{{ matrix_user_name }}"
group: "{{ matrix_dimension_user_gid }}"
- name: Ensure Dimension labels installed
ansible.builtin.template:
src: "{{ role_path }}/templates/labels.j2"
dest: "{{ matrix_dimension_base_path }}/labels"
mode: 0640
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure Dimension image is pulled
community.docker.docker_image:
name: "{{ matrix_dimension_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}"
when: "not matrix_dimension_container_image_self_build | bool"
register: matrix_dimension_pull_results
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: matrix_dimension_pull_results is not failed
- name: Ensure Dimension repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_dimension_container_image_self_build_repo }}"
dest: "{{ matrix_dimension_docker_src_files_path }}"
version: "{{ matrix_dimension_container_image_self_build_branch }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
when: "matrix_dimension_container_image_self_build | bool"
register: matrix_dimension_git_pull_results
- name: Ensure Dimension Docker image is built
community.docker.docker_image:
name: "{{ matrix_dimension_docker_image }}"
source: build
force_source: "{{ matrix_dimension_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_dimension_docker_src_files_path }}"
pull: true
when: "matrix_dimension_container_image_self_build | bool"
- name: Ensure Dimension container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_dimension_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-dimension.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service"
mode: 0644
- name: Ensure matrix-dimension.service restarted, if necessary
ansible.builtin.service:
name: "matrix-dimension.service"
state: restarted
daemon_reload: true
when: "matrix_dimension_requires_restart | bool"

31
roles/custom/matrix-dimension/tasks/setup_uninstall.yml
View File

@@ -1,31 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-dimension service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service"
register: matrix_dimension_service_stat
- when: matrix_dimension_service_stat.stat.exists | bool
block:
- name: Ensure matrix-dimension is stopped
ansible.builtin.service:
name: matrix-dimension
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-dimension.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dimension.service"
state: absent
- name: Ensure Dimension base directory doesn't exist
ansible.builtin.file:
path: "{{ matrix_dimension_base_path }}"
state: absent

62
roles/custom/matrix-dimension/tasks/validate_config.yml
View File

@@ -1,62 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Dan Arnfield
# SPDX-FileCopyrightText: 2019 Edgars Voroboks
# SPDX-FileCopyrightText: 2020 Chris van Dijk
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if required Dimension settings not defined
ansible.builtin.fail:
msg: >
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_dimension_hostname', when: true}
- {'name': 'matrix_dimension_container_network', when: true}
- {'name': 'matrix_dimension_access_token', when: true}
- {'name': 'matrix_dimension_homeserver_clientServerUrl', when: true}
- {'name': 'matrix_dimension_homeserver_federationUrl', when: true}
- {'name': 'matrix_dimension_homeserver_mediaUrl', when: true}
- {'name': 'matrix_dimension_database_hostname', when: "{{ matrix_dimension_database_engine == 'postgres' }}"}
- name: (Deprecation) Catch and report renamed Dimension variables
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_dimension_container_expose_port', 'new': '<superseded by matrix_dimension_container_http_host_bind_port>'}
- {'old': 'matrix_dimension_container_image_name_prefix', 'new': 'matrix_dimension_docker_image_registry_prefix'}
- when: matrix_dimension_container_labels_traefik_enabled | bool
block:
- name: Fail if required Dimension Traefik settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item }}`).
when: "lookup('vars', item, default='') == ''"
with_items:
- matrix_dimension_container_labels_traefik_hostname
- matrix_dimension_container_labels_traefik_path_prefix
# We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
# Knowing that `matrix_dimension_container_labels_traefik_path_prefix` does not end with a slash
# ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
- name: Fail if matrix_dimension_container_labels_traefik_path_prefix ends with a slash
ansible.builtin.fail:
msg: >-
matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/dimension`).
when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'"
- name: Fail if matrix_dimension_container_labels_traefik_path_prefix is not /
ansible.builtin.fail:
msg: >-
matrix_dimension_container_labels_traefik_path_prefix (`{{ matrix_dimension_container_labels_traefik_path_prefix }}`) must currently be set to `/`.
Other values are not supported.
See: https://github.com/turt2live/matrix-dimension/issues/510
when: "matrix_dimension_container_labels_traefik_path_prefix != '/' and matrix_dimension_container_labels_traefik_path_prefix[-1] == '/'"

75
roles/custom/matrix-dimension/templates/config.yaml.j2
View File

@@ -1,75 +0,0 @@
#jinja2: lstrip_blocks: True
# The web settings for the service (API and UI).
# It is best to have this run on localhost and use a reverse proxy to access Dimension.
web:
port: 8184
address: '0.0.0.0'
# Homeserver configuration
homeserver:
# The domain name of the homeserver. This is used in many places, such as with go-neb
# setups, to identify the homeserver.
name: {{ matrix_domain | to_json }}
# The URL that Dimension, go-neb, and other services provisioned by Dimension should
# use to access the homeserver with.
clientServerUrl: {{ matrix_dimension_homeserver_clientServerUrl | to_json }}
# The URL that Dimension should use when trying to communicate with federated APIs on
# the homeserver. If not supplied or left empty Dimension will try to resolve the address
# through the normal federation process.
federationUrl: {{ matrix_dimension_homeserver_federationUrl | to_json }}
# The URL that Dimension will redirect media requests to for downloading media such as
# stickers. If not supplied or left empty Dimension will use the clientServerUrl.
mediaUrl: {{ matrix_dimension_homeserver_mediaUrl | to_json }}
# The access token Dimension should use for miscellaneous access to the homeserver. This
# should be for a user on the configured homeserver: any user will do, however it is
# recommended to use a dedicated user (such as @dimension:t2bot.io). For information on
# how to acquire an access token, visit https://t2bot.io/docs/access_tokens
accessToken: {{ matrix_dimension_access_token | to_json }}
# These users can modify the integrations this Dimension supports.
# To access the admin interface, open Dimension in Element Web and click the settings icon.
admins: {{ matrix_dimension_admins | to_json }}
# IPs and CIDR ranges listed here will be blocked from being widgets.
# Note: Widgets may still be embedded with restricted content, although not through Dimension directly.
widgetBlacklist:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 127.0.0.0/8
# Where the database for Dimension is
database:
{% if matrix_dimension_database_engine == 'sqlite' %}
file: {{ matrix_dimension_sqlite_database_path_in_container|to_json }}
{% elif matrix_dimension_database_engine == 'postgres' %}
uri: {{ matrix_dimension_database_connection_string|to_json }}
{% endif %}
# Display settings that apply to self-hosted go-neb instances
goneb:
# The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver
# is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot,
# make the bot's avatar an empty string.
avatars:
giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27"
imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513"
github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1"
wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1"
travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8"
rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3"
google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142"
guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526"
echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13"
circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee"
jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329"
# Settings for how Dimension is represented to the public
dimension:
# This is where Dimension is accessible from clients. Be sure to set this
# to your own Dimension instance.
publicUrl: {{ matrix_dimension_dimension_publicUrl | to_json }}

5
roles/custom/matrix-dimension/templates/config.yaml.j2.license
View File

@@ -1,5 +0,0 @@
SPDX-FileCopyrightText: 2020 - 2023 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 MDAD project contributors
SPDX-FileCopyrightText: 2024 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later

52
roles/custom/matrix-dimension/templates/labels.j2
View File

@@ -1,52 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 - 2024 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_dimension_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_dimension_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_dimension_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-dimension.loadbalancer.server.port=8184
{% set middlewares = [] %}
{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.regex=({{ matrix_dimension_container_labels_traefik_path_prefix | quote }})$
traefik.http.middlewares.matrix-dimension-slashless-redirect.redirectregex.replacement=${1}/
{% set middlewares = middlewares + ['matrix-dimension-slashless-redirect'] %}
{% endif %}
{% if matrix_dimension_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-dimension-strip-prefix.stripprefix.prefixes={{ matrix_dimension_container_labels_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-dimension-strip-prefix'] %}
{% endif %}
{% if matrix_dimension_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
{% for name, value in matrix_dimension_container_labels_traefik_additional_response_headers.items() %}
traefik.http.middlewares.matrix-dimension-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
{% endfor %}
{% set middlewares = middlewares + ['matrix-dimension-add-headers'] %}
{% endif %}
traefik.http.routers.matrix-dimension.rule={{ matrix_dimension_container_labels_traefik_rule }}
{% if matrix_dimension_container_labels_traefik_priority | int > 0 %}
traefik.http.routers.matrix-dimension.priority={{ matrix_dimension_container_labels_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-dimension.service=matrix-dimension
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-dimension.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-dimension.entrypoints={{ matrix_dimension_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-dimension.tls={{ matrix_dimension_container_labels_traefik_tls | to_json }}
{% if matrix_dimension_container_labels_traefik_tls %}
traefik.http.routers.matrix-dimension.tls.certResolver={{ matrix_dimension_container_labels_traefik_tls_certResolver }}
{% endif %}
{% endif %}
{{ matrix_dimension_container_labels_additional_labels }}

58
roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2
View File

@@ -1,58 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Dimension
{% for service in matrix_dimension_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_dimension_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-dimension 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dimension 2>/dev/null || true'
# Fixup database ownership if it got changed somehow (during a server migration, etc.)
{% if matrix_dimension_database_engine == 'sqlite' %}
ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_sqlite_database_path_local }}
{% endif %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-dimension \
--log-driver=none \
--user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \
--cap-drop=ALL \
--network={{ matrix_dimension_container_network }} \
{% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %}
-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
{% endif %}
{% if matrix_dimension_container_http_host_bind_port %}
-p {{ matrix_dimension_container_http_host_bind_port }}:8184 \
{% endif %}
--label-file={{ matrix_dimension_base_path }}/labels \
--mount type=bind,src={{ matrix_dimension_base_path }},dst=/data \
{% for arg in matrix_dimension_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_dimension_docker_image }}
{% for network in matrix_dimension_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dimension
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dimension
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-dimension 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dimension 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-dimension
[Install]
WantedBy=multi-user.target

7
roles/custom/matrix-dimension/templates/systemd/matrix-dimension.service.j2.license
View File

@@ -1,7 +0,0 @@
SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Edgars Voroboks
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
SPDX-FileCopyrightText: 2019 Sylvia van Os
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-License-Identifier: AGPL-3.0-or-later

11
roles/custom/matrix-dimension/vars/main.yml
View File

@@ -1,11 +0,0 @@
# SPDX-FileCopyrightText: 2019 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2019 Edgars Voroboks
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_dimension_configuration`) will fail later.
matrix_dimension_configuration_extension: "{{ matrix_dimension_configuration_extension_yaml | from_yaml if matrix_dimension_configuration_extension_yaml | from_yaml else {} }}"

67
roles/custom/matrix-synapse/defaults/main.yml
View File

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
matrix_synapse_github_org_and_repo: element-hq/synapse
# renovate: datasource=docker depName=ghcr.io/element-hq/synapse
matrix_synapse_version: v1.147.0
matrix_synapse_version: v1.147.1
matrix_synapse_username: ''
matrix_synapse_uid: ''
@@ -322,6 +322,22 @@ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: ''
# another.label="here"
matrix_synapse_container_labels_additional_labels: ''
# Specifies how often the container health check will run.
#
# The Synapse container image ships with a default HEALTHCHECK (curl to /health)
# with an interval of 15s, timeout of 5s, and start period of 5s.
#
# For Traefik-based setups, it's important that the interval is short,
# because the interval value also specifies the "initial wait time".
# This is a Docker (moby) bug: https://github.com/moby/moby/issues/33410
# Without a successful healthcheck, Traefik will not register the service for reverse-proxying.
# A shorter interval also lets our systemd ExecStartPost health check
# (see matrix_synapse_systemd_healthcheck_enabled) detect readiness faster at startup.
#
# For non-Traefik setups, we use the default healthcheck interval (15s) to decrease overhead.
matrix_synapse_container_health_interval_seconds: "{{ 5 if matrix_synapse_container_labels_traefik_enabled else 15 }}"
matrix_synapse_container_health_interval: "{{ matrix_synapse_container_health_interval_seconds }}s"
# A list of extra arguments to pass to the container
# Also see `matrix_synapse_container_arguments`
matrix_synapse_container_extra_arguments: []
@@ -358,14 +374,37 @@ matrix_synapse_goofys_systemd_required_services_list_default: "{{ [devture_syste
matrix_synapse_goofys_systemd_required_services_list_auto: []
matrix_synapse_goofys_systemd_required_services_list_custom: []
# Controls how long to sleep for after starting the matrix-synapse container.
#
# Delaying, so that the homeserver can manage to fully start and various services
# that depend on it (`matrix_synapse_systemd_required_services_list` and `matrix_synapse_systemd_wanted_services_list`)
# may only start after the homeserver is up and running.
#
# This can be set to 0 to remove the delay.
matrix_synapse_systemd_service_post_start_delay_seconds: 10
# Controls the post-start health check in the systemd service.
# When enabled, ExecStartPost polls Docker's container health status via `docker inspect`,
# keeping the service in "activating (start-post)" state until Synapse is ready.
# Services with After=matrix-synapse.service will properly wait.
# This relies on the container image's built-in HEALTHCHECK (curl to /health),
# with the interval controlled by matrix_synapse_container_health_interval.
matrix_synapse_systemd_healthcheck_enabled: true
matrix_synapse_systemd_healthcheck_max_retries: 60
matrix_synapse_systemd_healthcheck_interval_seconds: 1
# The command used for the health check in ExecStartPost.
# Polls `docker inspect` for the container's health status until it reports "healthy".
matrix_synapse_systemd_healthcheck_command: >-
{{ devture_systemd_docker_base_host_command_sh }} -c
'for i in $(seq 1 {{ matrix_synapse_systemd_healthcheck_max_retries }}); do
echo "[Attempt $i/{{ matrix_synapse_systemd_healthcheck_max_retries }}] Synapse systemd health check: checking container health status..";
status=$( {{ devture_systemd_docker_base_host_command_docker }} inspect --format={{ '"{{' }}.State.Health.Status{{ '}}"' }} matrix-synapse 2>/dev/null);
if [ "$status" = "healthy" ]; then echo "[Attempt $i/{{ matrix_synapse_systemd_healthcheck_max_retries }}] Synapse systemd health check: passed" && exit 0; fi;
echo "[Attempt $i/{{ matrix_synapse_systemd_healthcheck_max_retries }}] Synapse systemd health check: not ready yet (status: $status), retrying in {{ matrix_synapse_systemd_healthcheck_interval_seconds }}s..";
sleep {{ matrix_synapse_systemd_healthcheck_interval_seconds }};
done; echo "[Attempt $i/{{ matrix_synapse_systemd_healthcheck_max_retries }}] Synapse systemd health check: failed after {{ matrix_synapse_systemd_healthcheck_max_retries }} attempts"; exit 1'
# Controls how long to sleep for after the systemd health check passes.
# Even after Synapse is healthy, the reverse proxy (e.g. Traefik) needs time to discover
# the container and register its routes. Traefik waits `providers.providersThrottleDuration`
# (see https://doc.traefik.io/traefik/v3.3/providers/overview/#providersprovidersthrottleduration)
# before applying new configuration from Docker events.
# Without this delay, services depending on Synapse may encounter 404 errors
# when connecting through the reverse proxy.
# This value is meant to be wired to the Traefik throttle duration by the playbook's group vars.
matrix_synapse_systemd_service_post_start_delay_seconds: 0
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.13/site-packages"
@@ -522,7 +561,7 @@ matrix_synapse_http_listener_resource_names: ["client"]
# Resources served on Synapse's federation port.
# When disabling federation, we may wish to serve the `openid` resource here,
# so that services like Dimension can work.
# so that services like Matrix User Verification Service can work.
matrix_synapse_federation_listener_resource_names: "{{ ['federation'] if matrix_synapse_federation_enabled else (['openid'] if matrix_synapse_federation_port_openid_resource_required else []) }}"
# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
@@ -1503,6 +1542,14 @@ matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count: 0
# This is a systemd timer OnCalendar definition. Learn more here: https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
matrix_synapse_ext_synapse_s3_storage_provider_periodic_migration_schedule: '*-*-* 05:00:00'
# List of systemd services that matrix-synapse-s3-storage-provider-migrate.service requires.
# We only depend on matrix-synapse.service here, because its own dependencies (Postgres, Docker, etc.)
# are transitively resolved by systemd.
matrix_synapse_ext_synapse_s3_storage_provider_migrate_systemd_required_services_list: ['matrix-synapse.service']
# List of systemd services that matrix-synapse-s3-storage-provider-migrate.service wants
matrix_synapse_ext_synapse_s3_storage_provider_migrate_systemd_wanted_services_list: []
# Synapse module to automatically accept room invites.
#
# Since Synapse v1.109.0 (https://github.com/element-hq/synapse/pull/17147),

30
roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2
View File

@@ -15,36 +15,6 @@ user=$1
password=$2
admin=$3
wait_for_synapse() {
local timeout_seconds=180
local interval_seconds=5
local elapsed=0
local last_reason=""
while [ "$elapsed" -lt "$timeout_seconds" ]; do
if ! {{ devture_systemd_docker_base_host_command_docker }} ps -a --format '{{"{{"}}.Names{{"}}"}}' | grep -q '^matrix-synapse$'; then
last_reason="container not found"
elif [ "$({{ devture_systemd_docker_base_host_command_docker }} inspect -f '{{"{{"}}.State.Running{{"}}"}}' matrix-synapse 2>/dev/null)" != "true" ]; then
last_reason="container not running"
elif ! {{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse \
curl -fsS "http://localhost:{{ matrix_synapse_container_client_api_port }}/health" >/dev/null 2>&1; then
last_reason="health endpoint not ready"
else
return 0
fi
sleep "$interval_seconds"
elapsed=$((elapsed + interval_seconds))
done
echo "Timed out waiting for matrix-synapse to become healthy after ${timeout_seconds}s (${last_reason})."
return 1
}
if ! wait_for_synapse; then
exit 1
fi
if [ "$admin" -eq "1" ]; then
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:{{ matrix_synapse_container_client_api_port }}
else

9
roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/systemd/matrix-synapse-s3-storage-provider-migrate.service.j2
View File

@@ -1,5 +1,14 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Migrates locally-stored Synapse media store files to S3
{% for service in matrix_synapse_ext_synapse_s3_storage_provider_migrate_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_synapse_ext_synapse_s3_storage_provider_migrate_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=oneshot

9
roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
View File

@@ -33,6 +33,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
--network={{ matrix_synapse_container_network }} \
--health-interval={{ matrix_synapse_container_health_interval }} \
{% if matrix_synapse_container_client_api_host_bind_port %}
-p {{ matrix_synapse_container_client_api_host_bind_port }}:{{ matrix_synapse_container_client_api_port }} \
{% endif %}
@@ -69,8 +70,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network conne
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-synapse
{% if matrix_synapse_systemd_service_post_start_delay_seconds > 0 %}
ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_synapse_systemd_service_post_start_delay_seconds }}
{% if matrix_synapse_systemd_healthcheck_enabled %}
ExecStartPost={{ matrix_synapse_systemd_healthcheck_command }}
{% endif %}
{% if matrix_synapse_systemd_service_post_start_delay_seconds | int > 0 %}
ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_synapse_systemd_service_post_start_delay_seconds }}
{% endif %}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-synapse 2>/dev/null || true'

10
roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_conduwuit.yml
View File

@@ -1,10 +0,0 @@
# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure conduwuit user registered - {{ user.username | quote }}
ansible.builtin.debug:
msg: "Not registering user. To register conduwuit users, message the conduwuit bot"

60
roles/custom/matrix_playbook_migration/tasks/validate_config.yml
View File

@@ -80,11 +80,21 @@
- {'old': 'cinny_docker_image_registry_prefix_upstream', 'new': 'cinny_container_image_registry_prefix_upstream'}
- {'old': 'cinny_docker_image_registry_prefix_upstream_default', 'new': 'cinny_container_image_registry_prefix_upstream_default'}
- {'old': 'coturn_docker_image', 'new': 'coturn_container_image'}
- {'old': 'coturn_docker_image_registry_prefix', 'new': 'coturn_container_image_registry_prefix'}
- {'old': 'coturn_docker_image_registry_prefix_upstream', 'new': 'coturn_container_image_registry_prefix_upstream'}
- {'old': 'coturn_docker_image_registry_prefix_upstream_default', 'new': 'coturn_container_image_registry_prefix_upstream_default'}
- {'old': 'ddclient_docker_image', 'new': 'ddclient_container_image'}
- {'old': 'ddclient_docker_image_registry_prefix', 'new': 'ddclient_container_image_registry_prefix'}
- {'old': 'ddclient_docker_image_registry_prefix_upstream', 'new': 'ddclient_container_image_registry_prefix_upstream'}
- {'old': 'ddclient_docker_image_registry_prefix_upstream_default', 'new': 'ddclient_container_image_registry_prefix_upstream_default'}
- {'old': 'hydrogen_docker_image', 'new': 'hydrogen_container_image'}
- {'old': 'hydrogen_docker_image_registry_prefix', 'new': 'hydrogen_container_image_registry_prefix'}
- {'old': 'hydrogen_docker_image_registry_prefix_upstream', 'new': 'hydrogen_container_image_registry_prefix_upstream'}
- {'old': 'hydrogen_docker_image_registry_prefix_upstream_default', 'new': 'hydrogen_container_image_registry_prefix_upstream_default'}
- name: (Deprecation) Catch and report matrix_postgres variables
ansible.builtin.fail:
msg: |-
@@ -595,6 +605,44 @@
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-client-hydrogen variables
ansible.builtin.fail:
msg: |-
The matrix-client-hydrogen role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen).
The new role is pretty much the same, but uses differently named variables.
Please rename all `matrix_client_hydrogen_`-prefixed variables (`matrix_client_hydrogen_*` -> `hydrogen_*`) on your configuration file (vars.yml).
After renaming them, please do not forget to fetch the Ansible role. See docs/maintenance-upgrading-services.md for details about how to do so.
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_client_hydrogen_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_client_hydrogen_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-coturn variables
ansible.builtin.fail:
msg: |-
The matrix-coturn role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-coturn).
The new role is pretty much the same, but uses differently named variables.
Please rename all `matrix_coturn_`-prefixed variables (`matrix_coturn_*` -> `coturn_*`) on your configuration file (vars.yml).
After renaming them, please do not forget to fetch the Ansible role. See docs/maintenance-upgrading-services.md for details about how to do so.
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_coturn_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_coturn_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-conduwuit variables
ansible.builtin.fail:
msg: |-
matrix-conduwuit was completely removed from the playbook in February 2026.
Please remove all `matrix_conduwuit*` variables from your configuration file (vars.yml).
You may wish to migrate to Continuwuity, a drop-in replacement for conduwuit. See `docs/configuring-playbook-continuwuity.md` for more information.
The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_conduwuit.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_conduwuit.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-dynamic-dns variables
ansible.builtin.fail:
msg: |-
@@ -693,6 +741,18 @@
The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_mx_puppet_twitter_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_mx_puppet_twitter_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report the Dimension integration manager variables
ansible.builtin.fail:
msg: |-
The Dimension integration manager was completely removed from the playbook in February 2026.
Please remove all `matrix_dimension_*` variables from your configuration file (vars.yml).
You may also wish to uninstall the component manually. See `docs/configuring-playbook-dimension.md` for more information.
The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_dimension_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_dimension_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report Email2Matrix variables
ansible.builtin.fail:
msg: |-

6
setup.yml
View File

@@ -97,7 +97,6 @@
- custom/matrix-synapse-reverse-proxy-companion
- custom/matrix-dendrite
- custom/matrix-conduit
- custom/matrix-conduwuit
- custom/matrix-continuwuity
- custom/matrix-synapse-admin
- custom/matrix-synapse-usage-exporter
@@ -109,19 +108,18 @@
- custom/matrix-prometheus-services-connect
- custom/matrix-registration
- custom/matrix-client-element
- custom/matrix-client-hydrogen
- galaxy/hydrogen
- galaxy/cinny
- custom/matrix-client-schildichat
- custom/matrix-client-fluffychat
- galaxy/jitsi
- custom/matrix-user-verification-service
- custom/matrix-ldap-registration-proxy
- custom/matrix-dimension
- galaxy/etherpad
- custom/matrix-sygnal
- galaxy/ntfy
- custom/matrix-static-files
- custom/matrix-coturn
- galaxy/coturn
- custom/matrix-media-repo
- custom/matrix-pantalaimon