Compare commits

..

25 Commits

Author SHA1 Message Date
Aine b18c1efd65 Synapse register user: wait for synapse to be available 2026-02-10 22:14:05 +00:00
Aine 4ec41c0b42 Merge pull request #4909 from spantaleev/renovate/ghcr.io-element-hq-element-web-1.x
chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.10
2026-02-10 18:11:36 +00:00
renovate[bot] 0a08126324 chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.10 2026-02-10 17:49:29 +00:00
renovate[bot] 482ef0fdf5 chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.147.0 2026-02-10 16:51:46 +02:00
renovate[bot] ca356c52e2 chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.11.0 2026-02-10 16:51:09 +02:00
Slavi Pantaleev ecf9befc32 Adapt to the all-at-once restart mode default in systemd_service_manager v2.0.0-0
- `install-service` no longer forces `one-by-one` restart mode

- the coturn priority condition is flipped: only `one-by-one` mode
  needs the delayed priority (1500); all other modes (including
  the new `all-at-once` default) use the normal priority (900)

Ref:

- https://github.com/devture/com.devture.ansible.role.systemd_service_manager/commit/d42cd9204548d47c1368badc9b152f4261093398
- https://github.com/devture/com.devture.ansible.role.systemd_service_manager/blob/f3e658cca3b41d3aedc81aa77cf22bafd9ca4d0f/docs/restart-mode-comparison.md
- https://github.com/devture/com.devture.ansible.role.systemd_service_manager/commit/36445fb41931c6baa3c44818877def4a162e5db4
- 750cb7e29e
2026-02-10 16:41:41 +02:00
Slavi Pantaleev 750cb7e29e Upgrade systemd_service_manager (v1.1.0-0 -> v2.0.0-0) 2026-02-10 16:21:57 +02:00
Suguru Hirahara 815b9baec6 Update notes about self-hosting services with the MASH playbook
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-02-10 22:31:11 +09:00
Suguru Hirahara 1dcd4636ff Add a note about self-hosting echoip with the MASH playbook
Reuse https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/3653f9f89b9bc921af4091072a8ca4cb732289ea/docs/configuring-playbook-ssl-certificates.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-02-10 22:28:08 +09:00
renovate[bot] 7f04231904 chore(deps): update ghcr.io/etkecc/baibot docker tag to v1.14.1 2026-02-10 15:18:02 +02:00
renovate[bot] b0828528df chore(deps): update dependency ntfy to v2.17.0-0 2026-02-10 11:53:33 +02:00
Suguru Hirahara 96029bf916 Replace "EchoIP" with "echoip"
cf. https://github.com/mpolden/echoip

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-02-10 17:41:52 +09:00
Slavi Pantaleev ace086056f Upgrade Postgres (v18.1-4 -> v18.1-5) 2026-02-09 21:24:48 +02:00
Slavi Pantaleev 0e8ef8ef10 Add retry logic for Synapse user registration on Connection refused
When DB credentials change (derived from matrix_synapse_macaroon_secret_key),
a running Synapse container may fail to connect to its database and stop
serving requests. This causes register_new_matrix_user to fail with
"Connection refused" when the matrix-user-creator role tries to register users.

This extends the retry logic from 44b43a51b (which handled HMAC failures)
to also handle Connection refused errors: restart Synapse (picking up the
new config with updated credentials), wait for it to start, and retry.

Caused by c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 17:36:59 +02:00
Slavi Pantaleev 2c2738a48f Remove passlib dependency by making matrix-media-repo datastore IDs user-provided
These IDs were incorrectly auto-derived from matrix_homeserver_generic_secret_key,
which is meant for secrets that are OK to change. Datastore IDs are static
identifiers that must never change after first use.

The playbook now requires users to explicitly set matrix_media_repo_datastore_file_id
(and matrix_media_repo_datastore_s3_id when S3 is enabled) in vars.yml, with
validation that fails early if they are missing.

This was the last usage of passlib, which is now removed from prerequisites.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 16:56:51 +02:00
Suguru Hirahara 09914bf338 Set ddclient_uid and ddclient_gid
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-02-09 19:49:59 +09:00
Slavi Pantaleev 44b43a51b9 Add retry logic for Synapse user registration on HMAC failure
When the registration_shared_secret changes (derived from
matrix_synapse_macaroon_secret_key), a running Synapse container still
has the old secret in its config. This causes register_new_matrix_user
to fail with "HMAC incorrect" when the matrix-user-creator role tries
to register users.

This mirrors the approach from 2a581cce (which added similar retry
logic for the Matrix Authentication Service on database auth failure):
if the initial registration attempt fails with an HMAC error, restart
Synapse (picking up the new config with the updated secret), wait for
it to start, and retry.

Caused by c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 06:29:14 +02:00
Aine 5f8235f44a remove Zulip bridge 2026-02-08 20:34:56 +02:00
renovate[bot] eb393b4eb8 chore(deps): update dependency setuptools to v82 2026-02-08 19:46:32 +02:00
Slavi Pantaleev 92c204394a Upgrade Postgres (v18.1-3 -> v18.1-4) 2026-02-08 18:46:36 +02:00
Slavi Pantaleev a1015b6df2 Change salt for Whatsapp token secrets to make pre-commit happy 2026-02-08 18:43:10 +02:00
Slavi Pantaleev 2a581cce62 Add retry logic for MAS user registration on database auth failure
When the Postgres role updates database passwords (e.g., due to a
change in the secret derivation method), the Matrix Authentication
Service container may still be running with old configuration that
references the previous password. This causes mas-cli to fail with
"password authentication failed" when the matrix-user-creator role
tries to register users.

Rather than adding config-change detection or eager restarts to the
MAS role, this adds targeted retry logic: if the initial registration
attempt fails with a database authentication error, restart the MAS
service (which picks up the new config with the updated password),
wait for it to start, and retry. The restart usually only triggers
once per run since subsequent user registrations succeed after the restart.

Related to c21a80d232

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 18:32:20 +02:00
Slavi Pantaleev c21a80d232 Switch to fast single-round hashing for derived secrets
Replace password_hash('sha512', rounds=655555) with hash('sha512')
for all 114 secret derivations in group_vars/matrix_servers.

The old method (655k rounds of SHA-512) was designed for protecting
low-entropy human passwords in /etc/shadow. For deriving secrets
from a high-entropy secret key, a single hash round is equally
secure - the security comes from the key's entropy, not the
computational cost. SHA-512 remains preimage-resistant regardless
of rounds.

This yields a major performance improvement: evaluating
postgres_managed_databases (which references multiple derived
database passwords) dropped from ~10.7s to ~0.6s on a fast mini
PC. The Postgres role evaluates this variable multiple times, and
other roles reference derived passwords too, so the cumulative
savings across a full playbook run are substantial.

All derived service passwords (database passwords, appservice
tokens, etc.) will change on the next run. The main/superuser
database password is not affected (it's hardcoded in inventory
variables). All services receive their new passwords in the same
run, so this should be seamless.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 18:15:02 +02:00
Suguru Hirahara baa740fcda Relocate ddclient role to MASH organization (#4902)
* Fetch ansible-role-ddclient from MASH project

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `matrix_dynamic_dns` with `ddclient`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Set `matrix-dynamic-dns` to `ddclient_identifier`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove `ddclient_container_network` in favor of the role's configuration

On the role the value of `ddclient_container_network` is set to `ddclient_identifier`, which is set to `matrix-dynamic-dns` on the playbook.

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `matrix-dynamic-dns` with `ddclient` on matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Replace `ddclient_docker_image_*` with `ddclient_container_image_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update `ddclient_container_image_*`

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `ddclient_base_path` to matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Move `ddclient_web_*` to matrix_servers

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Remove `matrix-dynamic-dns` directory

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update configuring-playbook-dynamic-dns.md

Reuse https://app.radicle.xyz/nodes/seed.radicle.garden/rad%3Az2SXkaceJw3YmS89T1xGysnFSjWsw/tree/75e264f53862ece4931d7970fea856242ff57034/docs/services/ddclient.md

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Fix a typo

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

---------

Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-02-08 16:34:35 +02:00
Suguru Hirahara 66d66f67f8 Remove obsolete X-Frame-Options
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-02-08 21:54:38 +09:00
46 changed files with 376 additions and 1084 deletions
+51
@@ -1,5 +1,56 @@
# 2026-02-09
## (BC Break) matrix-media-repo datastore IDs are now required in `vars.yml`
**Affects**: users with [matrix-media-repo](docs/configuring-playbook-matrix-media-repo.md) enabled (`matrix_media_repo_enabled: true`)
The `matrix_media_repo_datastore_file_id` and `matrix_media_repo_datastore_s3_id` variables are no longer auto-configured with values. They must now be explicitly defined in your `vars.yml` file. The playbook will fail with a helpful error if they are not set (when needed).
These were never meant to be auto-configured. They were derived from `matrix_homeserver_generic_secret_key`, which is intended for secrets that are OK to change subsequently (and Ansible would assist in propagating these changes). matrix-media-repo datastore IDs are not secrets — they are static identifiers linking media to storage backends, and **must not change** after first use.
**For existing installations**, retrieve your current values from the server:
```sh
grep 'id:' /matrix/media-repo/config/media-repo.yaml
```
Then add to your `vars.yml`:
```yaml
matrix_media_repo_datastore_file_id: "YOUR_FILE_DATASTORE_ID_HERE"
# Only if you use S3 storage:
# matrix_media_repo_datastore_s3_id: "YOUR_S3_DATASTORE_ID_HERE"
```
**Why do this?**: This change allows us to **remove the [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library** from the [prerequisites](docs/prerequisites.md), as it was the last component that depended on it.
# 2026-02-08
## Zulip bridge has been removed from the playbook
Zulip bridge has been removed from the playbook, as it doesn't work, and the maintainer seems to have abandoned it. See [this issue](https://github.com/GearKite/MatrixZulipBridge/issues/23) for more context.
## Switched to faster secret derivation for service passwords
We've switched the method used for deriving service passwords (database passwords, appservice tokens, etc.) from the `matrix_homeserver_generic_secret_key` variable.
The old method used `password_hash('sha512', rounds=655555)` (655,555 rounds of SHA-512 hashing), which was designed for protecting low-entropy human passwords against brute-force attacks. For deriving secrets from an already high-entropy secret key, this many rounds provide no additional security - the secret key's entropy is what protects the derived passwords, not the computational cost of hashing.
The new method uses a single-round `hash('sha512')` with a unique salt per service. This is equally secure for this use case (SHA-512 remains preimage-resistant; brute-forcing a high-entropy key is infeasible regardless of rounds), while being dramatically faster.
On a fast mini PC, evaluating `postgres_managed_databases` (which references multiple database passwords) dropped from **~10.7 seconds to ~0.6 seconds**. The Postgres role evaluates this variable multiple times during a run, so the cumulative savings are significant. All other roles that reference derived passwords also benefit.
**What this means for users**: all derived service passwords (database passwords, appservice tokens, etc.) will change on the next playbook run. The main/superuser database password (`postgres_connection_password`) is not affected, as it is hardcoded in inventory variables rather than derived via hashing. All services will receive their new passwords as part of the same run, so this should be a seamless, non-user-impacting change.
## (BC Break) Dynamic DNS role has been relocated and variable names need adjustments
The role for Dynamic DNS has been relocated to the [mother-of-all-self-hosting](https://github.com/mother-of-all-self-hosting) organization.
Along with the relocation, the `matrix_dynamic_dns_` prefix on its variable names has been renamed to `ddclient_`, so you need to adjust your `vars.yml` configuration.
As always, the playbook would let you know about this and point out any variables you may have missed.
## ma1sd has been removed from the playbook
[ma1sd](./docs/configuring-playbook-ma1sd.md) has been removed from the playbook, as it has been unmaintained for a long time.
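Review bot: the "equally secure" claim in the "Switched to faster secret derivation" section holds only under two conditions the entry should state explicitly: `matrix_homeserver_generic_secret_key` must be a long, randomly generated value (an operator who chose a short or memorable key loses the brute-force resistance the 655,555 rounds previously provided), and the per-service salt must be distinct for every derivation so that no two services end up with the same derived password. Suggest adding one sentence to that effect next to "the secret key's entropy is what protects the derived passwords". Since the "What this means for users" paragraph relies on all services being updated "as part of the same run", it would also help to say that a run interrupted part-way leaves some services on the old password until the playbook is run again.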
-1
@@ -133,7 +133,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
| [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) | ❌ | Bridge to SMS | [Link](docs/configuring-playbook-bridge-matrix-bridge-sms.md) |
| [matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) | [Link](docs/configuring-playbook-bridge-steam.md) |
| [matrix-wechat](https://github.com/duo/matrix-wechat) | ❌ | Bridge to [WeChat](https://www.wechat.com/) | [Link](docs/configuring-playbook-bridge-wechat.md) |
| [MatrixZulipBridge](https://github.com/GearKite/MatrixZulipBridge) | ❌ | Puppeting appservice bridge for [Zulip](https://zulip.com/) | [Link](docs/configuring-playbook-bridge-zulip.md) |
| [Heisenbridge](https://github.com/hifi/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) | [Link](docs/configuring-playbook-bridge-heisenbridge.md) |
| [mx-puppet-groupme](https://gitlab.com/xangelix-pub/matrix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-groupme.md) |
| [mx-puppet-steam](https://codeberg.org/icewind/mx-puppet-steam) | ❌ | Bridge to [Steam](https://steamapp.com/) | [Link](docs/configuring-playbook-bridge-mx-puppet-steam.md) |
-83
@@ -1,83 +0,0 @@
<!--
SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2021 Toni Spets
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
# Setting up a Zulip bridge (optional)
The playbook can install and configure [MatrixZulipBridge](https://github.com/GearKite/MatrixZulipBridge) for you.
See the project's [documentation](https://github.com/GearKite/MatrixZulipBridge/blob/main/README.md) to learn what it does and why it might be useful to you.
## Adjusting DNS records (optional)
By default, this playbook installs the Zulip bridge on the `matrix.` subdomain, at the `/zulip` path (https://matrix.example.com/zulip). This makes it easy to install it, because it **doesn't require additional DNS records to be set up**. If that's okay, you can skip this section.
If you wish to adjust it, see the section [below](#adjusting-the-zulip-bridge-url-optional) for details about DNS configuration.
## Adjusting the playbook configuration
To enable the Zulip bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_zulip_bridge_enabled: true
# Uncomment to add one or more admins to this bridge:
#
# matrix_zulip_bridge_owner:
# - '@yourAdminAccount:{{ matrix_domain }}'
#
# … unless you've made yourself an admin of all bots/bridges like this:
#
# matrix_admin: '@yourAdminAccount:{{ matrix_domain }}'
```
### Adjusting the Zulip bridge URL (optional)
By tweaking the `matrix_zulip_bridge_hostname` and `matrix_zulip_bridge_path_prefix` variables, you can easily make the service available at a **different hostname and/or path** than the default one.
Example additional configuration for your `vars.yml` file:
```yaml
# Change the default hostname and path prefix
matrix_zulip_bridge_hostname: zulip.example.com
matrix_zulip_bridge_path_prefix: /
```
If you've changed the default hostname, you may need to create a CNAME record for the Zulip bridge domain (`zulip.example.com`), which targets `matrix.example.com`.
When setting, replace `example.com` with your own.
### Extending the configuration
There are some additional things you may wish to configure about the bridge.
Take a look at:
- `roles/custom/matrix-bridge-zulip/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
## Installing
After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:
<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
```sh
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
## Usage
To use the bridge, you need to start a chat with `@zulipbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain). If the bridge ignores you and a DM is not accepted then the owner setting may be wrong.
If you encounter issues or feel lost you can join the project room at [#matrixzulipbridge:shema.lv](https://matrix.to/#/#matrixzulipbridge:shema.lv) for help.
## Troubleshooting
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-bridge-zulip`.
+31 -8
@@ -1,7 +1,20 @@
<!--
SPDX-FileCopyrightText: 2020 Aaron Raimist
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-FileCopyrightText: 2020 Dominik Zajac
SPDX-FileCopyrightText: 2020 Mickaël Cornière
SPDX-FileCopyrightText: 2020 Scott Crossen
SPDX-FileCopyrightText: 2020 Slavi Pantaleev
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2020-2024 MDAD project contributors
SPDX-FileCopyrightText: 2020-2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2022 François Darveau
SPDX-FileCopyrightText: 2022 Julian Foad
SPDX-FileCopyrightText: 2022 Warren Bailey
SPDX-FileCopyrightText: 2023 Antonis Christofides
SPDX-FileCopyrightText: 2023 Felix Stupp
SPDX-FileCopyrightText: 2023 Julian-Samuel Gebühr
SPDX-FileCopyrightText: 2023 Pierre 'McFly' Marty
SPDX-FileCopyrightText: 2024 Tiz
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
@@ -12,6 +25,10 @@ The playbook can configure Dynamic DNS with [ddclient](https://github.com/ddc
Most cloud providers / ISPs will charge you extra for a static IP address. If you're not hosting a highly reliable homeserver you can workaround this via dynamic DNS.
For details about configuring the [Ansible role for ddclient](https://github.com/mother-of-all-self-hosting/ansible-role-ddclient), you can check them via:
- 🌐 [the role's documentation](https://github.com/mother-of-all-self-hosting/ansible-role-ddclient/blob/main/docs/configuring-ddclient.md) online
- 📁 `roles/galaxy/ddclient/docs/configuring-ddclient.md` locally, if you have [fetched the Ansible roles](../installing.md)
## Prerequisite
You'll need to authenticate with your DNS provider somehow, in most cases this is simply a username and password but can differ from provider to provider. Please consult with your providers documentation and the upstream [ddclient documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in) to determine what you'll need to provide to authenticate.
@@ -21,17 +38,23 @@ You'll need to authenticate with your DNS provider somehow, in most cases this i
To enable dynamic DNS, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_dynamic_dns_enabled: true
ddclient_enabled: true
matrix_dynamic_dns_domain_configurations:
ddclient_domain_configurations:
- provider: example.net
protocol: dyndn2
protocol: dyndns2
username: YOUR_USERNAME_HERE
password: YOUR_PASSWORD_HERE
domain: "{{ matrix_domain }}"
```
Keep in mind that certain providers may require a different configuration of the `matrix_dynamic_dns_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in).
Keep in mind that certain providers may require a different configuration of the `ddclient_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in).
### Configuring the endpoint to obtain IP address (optional)
The playbook sets the default endpoint for obtaining the IP address to `https://cloudflare.com/cdn-cgi/trace`. You can replace it by specifying yours to `ddclient_web` and `ddclient_web_skip` if necessary.
Refer to [this section](https://github.com/mother-of-all-self-hosting/ansible-role-ddclient/blob/main/docs/configuring-ddclient.md#setting-the-endpoint-to-obtain-ip-address-optional) for more information.
### Extending the configuration
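Review bot: the new sentence in "Configuring the endpoint to obtain IP address (optional)" is hard to parse ("You can replace it by specifying yours to `ddclient_web` and `ddclient_web_skip` if necessary"); suggest "You can point it at a different service by setting `ddclient_web` (and `ddclient_web_skip`, where that service's response requires it)". Worth noting in the same section that the endpoint is trusted to report the server's public address correctly, so it should remain an HTTPS URL.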
@@ -39,7 +62,7 @@ There are some additional things you may wish to configure about the component.
Take a look at:
- `roles/custom/matrix-dynamic-dns/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
- `roles/galaxy/ddclient/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
## Installing
@@ -63,4 +86,4 @@ Additional resources:
## Troubleshooting
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-dynamic-dns`. However, due to an [upstream issue](https://github.com/linuxserver/docker-ddclient/issues/54#issuecomment-1153143132) the logging output is not always complete. For advanced debugging purposes running the `ddclient` tool outside of the container is useful via the following: `ddclient -file ./ddclient.conf -daemon=0 -debug -verbose -noquiet`.
See [this section](https://github.com/mother-of-all-self-hosting/ansible-role-ddclient/blob/main/docs/configuring-ddclient.md#troubleshooting) on the role's documentation for details.
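Review bot: replacing the troubleshooting paragraph with only a link drops the `journalctl -fu <unit>` command, so a reader debugging on the server no longer finds the unit name on this page. Suggest keeping a one-line "run `journalctl -fu <unit>`" with whatever `ddclient_identifier` resolves to in this playbook, followed by the link to the role's troubleshooting section for the remaining details.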
@@ -24,8 +24,21 @@ To enable matrix-media-repo, add the following configuration to your `inventory/
```yaml
matrix_media_repo_enabled: true
# Any unique alphanumeric string. Cannot be changed after first use.
# For new installations, generate one with: pwgen -s 64 1
# For existing installations, see below.
matrix_media_repo_datastore_file_id: "CHANGE_ME_TO_A_UNIQUE_VALUE"
```
**For existing installations**: retrieve the current datastore ID from the server's config file before proceeding:
```sh
grep 'id:' /matrix/media-repo/config/media-repo.yaml
```
Then use that value for `matrix_media_repo_datastore_file_id`. This is not a secret — it is a plain identifier used by matrix-media-repo to link media files to their storage backend.
By default, the media-repo will use the local filesystem for data storage. You can alternatively use a `s3` cloud backend as well. Access token caching is also enabled by default since the logout endpoints are proxied through the media repo.
### Enable metrics
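Review bot: the `grep 'id:' /matrix/media-repo/config/media-repo.yaml` command in the "For existing installations" paragraph matches any line containing `id:`, including keys whose names merely end in those letters, so a reader may copy the wrong value into `matrix_media_repo_datastore_file_id`. Suggest tightening it to `grep -E '^\s*id:' /matrix/media-repo/config/media-repo.yaml` and adding a sentence that the value to copy is the one under the datastore entry whose `type` matches the backend (file or s3), since the same command is also used in the changelog. The "Cannot be changed after first use" comment in the YAML is the right emphasis; a mismatch here silently detaches existing media from its storage.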
@@ -109,6 +122,11 @@ matrix_media_repo_admins: []
matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "local_media", "archives"]
matrix_media_repo_datastore_s3_for_kinds: []
# Required when S3 storage is enabled (matrix_media_repo_datastore_s3_for_kinds is non-empty).
# Any unique alphanumeric string. Cannot be changed after first use.
# For new installations, generate one with: pwgen -s 64 1
# matrix_media_repo_datastore_s3_id: ""
# The s3 uploader needs a temporary location to buffer files to reduce memory usage on
# small file uploads. If the file size is unknown, the file is written to this location
# before being uploaded to s3 (then the file is deleted). If you aren't concerned about
@@ -17,7 +17,7 @@ By default, the playbook retrieves and automatically renews free SSL certificate
- This guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
- Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiration notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the MASH playbook. If you are wondering how to use the MASH playbook for your Matrix server, refer [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md).
The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
## Use staging Let's Encrypt certificates
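Review bot: the unchanged line above refers to "[Update Kuma]" while the link target is uptime-kuma; it should read "Uptime Kuma" to match the project name used in the replaced line. In the new line, "for the instruction to install it with the playbook" reads better as "for instructions on installing it with the playbook".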
+10 -4
@@ -1,9 +1,12 @@
<!--
SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2018-2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Aaron Raimist
SPDX-FileCopyrightText: 2020 Christian Wolf
SPDX-FileCopyrightText: 2020 MDAD project contributors
SPDX-FileCopyrightText: 2020 Marcel Partap
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2020-2024 MDAD project contributors
SPDX-FileCopyrightText: 2022 Alejo Diaz
SPDX-FileCopyrightText: 2022 Julian Foad
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
@@ -26,7 +29,10 @@ If you'd rather use a local IP for `ansible_host`, add the following configurati
matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
```
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [EchoIP](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set an empty value to the variable. The playbook will automatically contact an [echoip](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
>[!NOTE]
> You can self-host the echoip service by using the [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/echoip.md) for the instruction to install it with the playbook. If you are wondering how to use it for your Matrix server, refer to [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md) for the overview.
If your server has multiple external IP addresses, the coturn role offers a different variable for specifying them:
-2
@@ -186,8 +186,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
- [Setting up WeChat bridging](configuring-playbook-bridge-wechat.md)
- [Setting up Zulip bridging](configuring-playbook-bridge-zulip.md)
### Bots
Bots provide various additional functionality to your installation.
-1
@@ -106,7 +106,6 @@ Bridges can be used to connect your Matrix installation with third-party communi
| [matrix-hookshot](configuring-playbook-bridge-hookshot.md) | [halfshot/matrix-hookshot](https://hub.docker.com/r/halfshot/matrix-hookshot) | ❌ | Bridge for generic webhooks and multiple project management services, such as GitHub, GitLab, Figma, and Jira in particular |
| [matrix-sms-bridge](configuring-playbook-bridge-matrix-bridge-sms.md) | [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) | ❌ | Bridge to SMS |
| [matrix-wechat](configuring-playbook-bridge-wechat.md) | [lxduo/matrix-wechat](https://hub.docker.com/r/lxduo/matrix-wechat) | ❌ | Bridge to [WeChat](https://www.wechat.com/) |
| [MatrixZulipBridge](configuring-playbook-bridge-zulip.md) | [GearKite/MatrixZulipBridge](https://ghcr.io/gearkite/matrixzulipbridge) | ❌ | Puppeting appservice bridge for [Zulip](https://zulip.com/) |
| [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) | [hif1/heisenbridge](https://hub.docker.com/r/hif1/heisenbridge) | ❌ | Bouncer-style bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) |
| [mx-puppet-groupme](configuring-playbook-bridge-mx-puppet-groupme.md) | [xangelix/mx-puppet-groupme](https://hub.docker.com/r/xangelix/mx-puppet-groupme) | ❌ | Bridge to [GroupMe](https://groupme.com/) |
| [matrix-steam-bridge](configuring-playbook-bridge-steam.md) | [jasonlaguidice/matrix-steam-bridge](https://github.com/jasonlaguidice/matrix-steam-bridge/pkgs/container/matrix-steam-bridge) | ❌ | Bridge to [Steam](https://steampowered.com/) |
@@ -23,8 +23,6 @@ We will be using `example.com` as the domain in the following instruction. Pleas
- [Ansible](http://ansible.com/) program. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
- [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library. See [this official documentation](https://passlib.readthedocs.io/en/stable/install.html#installation-instructions) for an instruction to install it. On most distros, you need to install some `python-passlib` or `py3-passlib` package, etc.
- [`git`](https://git-scm.com/) as the recommended way to download the playbook. `git` may also be required on the server if you will be [self-building](self-building.md) components.
- [`just`](https://github.com/casey/just) for running `just roles`, `just update`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually. Take a look at this documentation for more information: [Running `just` commands](just.md).
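Review bot: if the passlib bullet is one of the two lines removed from this prerequisites hunk (the rendered view does not mark which lines are dropped), that only holds if no `password_hash` filter survives anywhere after this change; the group_vars hunks further down swap every derivation from `password_hash('sha512', ..., rounds=655555)` to `hash('sha512')`, which is hashlib-backed and needs no passlib, but a search across the roles, docs and justfile for `password_hash` belongs in the same commit. The changelog should also tell users who use `password_hash` in their own `vars.yml` that the documented setup no longer pulls the library in.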
@@ -114,8 +114,6 @@ matrix_homeserver_container_extra_arguments_auto: |
+
(['--mount type=bind,src=' + matrix_hookshot_base_path + '/registration.yml,dst=/hookshot-registration.yml,ro'] if matrix_hookshot_enabled else [])
+
(['--mount type=bind,src=' + matrix_zulip_bridge_base_path + '/registration.yaml,dst=/matrixzulipbridge-registration.yaml,ro'] if matrix_zulip_bridge_enabled else [])
+
(['--mount type=bind,src=' + matrix_mautrix_bluesky_config_path + '/registration.yaml,dst=/matrix-mautrix-bluesky-registration.yaml,ro'] if matrix_mautrix_bluesky_enabled else [])
+
(['--mount type=bind,src=' + matrix_mautrix_discord_config_path + '/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro'] if matrix_mautrix_discord_enabled else [])
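Review bot: the two lines removed from `matrix_homeserver_container_extra_arguments_auto` are not marked in this rendered view, so the hunk alone does not show which bridge's registration mount was dropped; the same `-2` appears in `matrix_homeserver_app_service_config_files_auto` and in `devture_systemd_service_manager_services_list_auto` below, which is the right set of places to change together. Please make sure the commit also adds a validation that fails with a pointer to a migration path when the removed bridge's `_enabled` variable is still set in a user's `vars.yml`, so the bridge does not silently disappear from the homeserver's appservice list on the next run.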
@@ -175,8 +173,6 @@ matrix_homeserver_app_service_config_files_auto: |
+
(['/hookshot-registration.yml'] if matrix_hookshot_enabled else [])
+
(['/matrixzulipbridge-registration.yaml'] if matrix_zulip_bridge_enabled else [])
+
(['/matrix-mautrix-bluesky-registration.yaml'] if matrix_mautrix_bluesky_enabled else [])
+
(['/matrix-mautrix-discord-registration.yaml'] if matrix_mautrix_discord_enabled else [])
@@ -242,12 +238,14 @@ matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.ser
# (see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled`)
# - core services (the homeserver) get a level of ~1000
# - services that the homeserver depends on (database, Redis, ntfy, coturn, etc.) get a lower level — between 500 and 1000
# - coturn gets a higher level if `devture_systemd_service_manager_service_restart_mode == 'one-by-one'` to intentionally delay it, because:
# - coturn gets a higher priority level (= starts later) if `devture_systemd_service_manager_service_restart_mode == 'one-by-one'` to intentionally delay it, because:
# - starting services one by one means that the service manager role waits for each service to fully start before proceeding to the next one
# - if coturn has a lower priority than the homeserver, it would be started before it
# - since coturn is started before the homeserver, there's no container label telling Traefik to get a `matrix.example.com` certificate
# - thus, coturn would spin and wait for a certificate until it fails. We'd get a playbook failure due to it, but service manager will proceed to start all other services anyway.
# - only later, when the homeserver actually starts, would that certificate be fetched and dumped
# - this is not a problem with `all-at-once` (default) or `priority-batched` (services start concurrently),
# or with `clean-stop-start` (everything stops first, then starts in priority order — coturn at 900 is fine)
# - reverse-proxying services get level 3000
# - Matrix utility services (bridges, bots) get a level of 2000/2200, so that:
# - they can start before the reverse-proxy
@@ -302,8 +300,6 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-hookshot.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'hookshot', 'bridge-hookshot']}] if matrix_hookshot_enabled else [])
+
([{'name': 'matrix-zulip-bridge.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'zulip']}] if matrix_zulip_bridge_enabled else [])
+
([{'name': 'matrix-mautrix-bluesky.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-bluesky']}] if matrix_mautrix_bluesky_enabled else [])
+
([{'name': 'matrix-mautrix-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-discord']}] if matrix_mautrix_discord_enabled else [])
@@ -358,7 +354,7 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-corporal.service', 'priority': 1500, 'groups': ['matrix', 'corporal']}] if matrix_corporal_enabled else [])
+
([{'name': 'matrix-coturn.service', 'priority': (900 if devture_systemd_service_manager_service_restart_mode == 'clean-stop-start' else 1500), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
([{'name': 'matrix-coturn.service', 'priority': (1500 if devture_systemd_service_manager_service_restart_mode == 'one-by-one' else 900), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
+
([{'name': 'matrix-matrixto.service', 'priority': 4000, 'groups': ['matrix', 'matrixto']}] if matrix_matrixto_enabled else [])
+
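Review bot: the fallback branch of the coturn priority expression flips from the delaying value to the early one: previously anything other than `clean-stop-start` got 1500, now anything other than `one-by-one` gets 900. That is the intended result for `all-at-once` and `priority-batched`, but it also means a mistyped or otherwise unrecognised `devture_systemd_service_manager_service_restart_mode` now starts coturn before the homeserver's Traefik labels exist. If the service manager role does not itself validate the mode against its known set of values, add a validation task in this playbook so a bad value is an explicit error rather than the certificate-wait loop described in the comment block above.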
@@ -368,7 +364,7 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-dimension.service', 'priority': 4000, 'groups': ['matrix', 'integration-managers', 'dimension']}] if matrix_dimension_enabled else [])
+
([{'name': 'matrix-dynamic-dns.service', 'priority': 5000, 'groups': ['matrix', 'dynamic-dns']}] if matrix_dynamic_dns_enabled else [])
([{'name': (ddclient_identifier + '.service'), 'priority': 5000, 'groups': ['matrix', 'ddclient', 'dynamic-dns']}] if ddclient_enabled else [])
+
([{'name': (etherpad_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if etherpad_enabled else [])
+
@@ -610,10 +606,10 @@ matrix_authentication_service_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_authentication_service_path_prefix: /auth
matrix_authentication_service_config_database_host: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_authentication_service_config_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mas.db', rounds=655555) | to_uuid }}"
matrix_authentication_service_config_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mas.db') | hash('sha512') | to_uuid }}"
matrix_authentication_service_config_matrix_homeserver: "{{ matrix_domain }}"
matrix_authentication_service_config_matrix_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mas.hs.secret', rounds=655555) | to_uuid }}"
matrix_authentication_service_config_matrix_secret: "{{ (matrix_homeserver_generic_secret_key + ':mas.hs.secret') | hash('sha512') | to_uuid }}"
matrix_authentication_service_config_matrix_endpoint: "{{ matrix_homeserver_container_url }}"
# We're using a non-default configuration which:
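Review bot: every derived value in this and the following hunks changes on upgrade, because `password_hash('sha512', <label>, rounds=655555)` and `(key + ':<label>') | hash('sha512')` feed different strings into `to_uuid`. For `matrix_authentication_service_config_database_password` that means the Postgres user's password has to be reset on the next run (fine if the managed-database logic already does that every run, otherwise it needs a sentence in the changelog), and `matrix_authentication_service_config_matrix_secret` must be rendered from the new expression on both the MAS side and the homeserver side in the same run. A changelog entry stating that all auto-derived appservice tokens and database passwords rotate, and that the homeserver and every bridge therefore need to be restarted together, would save users a confusing hunt through 401 responses from the homeserver.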
@@ -727,15 +723,15 @@ matrix_appservice_discord_container_additional_networks_auto: |-
# If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side.
matrix_appservice_discord_bridge_disablePresence: "{{ (not matrix_synapse_presence_enabled) if matrix_homeserver_implementation == 'synapse' else false }}"
matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.as.token', rounds=655555) | to_uuid }}"
matrix_appservice_discord_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':discord.as.token') | hash('sha512') | to_uuid }}"
matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'discord.hs.token', rounds=655555) | to_uuid }}"
matrix_appservice_discord_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':discord.hs.token') | hash('sha512') | to_uuid }}"
# We only make this use Postgres if our own Postgres server is enabled.
# It's only then (for now) that we can automatically create the necessary database and user for this service.
matrix_appservice_discord_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_appservice_discord_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.discord.db', rounds=655555) | to_uuid }}"
matrix_appservice_discord_database_password: "{{ (matrix_homeserver_generic_secret_key + ':as.discord.db') | hash('sha512') | to_uuid }}"
######################################################################
#
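Review bot: the old `'%s' | format(matrix_homeserver_generic_secret_key)` coerced the key to a string; the new `matrix_homeserver_generic_secret_key + ':discord.as.token'` concatenation raises a Jinja2 TypeError if a user's `vars.yml` has the key as an unquoted value that YAML parses as a number. Consider `(matrix_homeserver_generic_secret_key | string) + ':discord.as.token'`, or better a single reusable derivation expression, since the same pattern is now repeated in dozens of places in this file and any later fix would have to touch all of them.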
@@ -785,17 +781,17 @@ matrix_appservice_slack_container_labels_traefik_docker_network: "{{ matrix_play
matrix_appservice_slack_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
matrix_appservice_slack_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token', rounds=655555) | to_uuid }}"
matrix_appservice_slack_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':slack.as.token') | hash('sha512') | to_uuid }}"
matrix_appservice_slack_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.hs.token', rounds=655555) | to_uuid }}"
matrix_appservice_slack_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':slack.hs.token') | hash('sha512') | to_uuid }}"
matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.id.token', rounds=655555) | to_uuid }}"
matrix_appservice_slack_id_token: "{{ (matrix_homeserver_generic_secret_key + ':slack.id.token') | hash('sha512') | to_uuid }}"
# Postgres is the default, except if not using internal Postgres server
matrix_appservice_slack_database_engine: "{{ 'postgres' if postgres_enabled else 'nedb' }}"
matrix_appservice_slack_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.slack.db', rounds=655555) | to_uuid }}"
matrix_appservice_slack_database_password: "{{ (matrix_homeserver_generic_secret_key + ':as.slack.db') | hash('sha512') | to_uuid }}"
matrix_appservice_slack_database_container_network: "{{ postgres_container_network if postgres_enabled else '' }}"
######################################################################
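Review bot: replacing the 655555-round sha512_crypt with a single SHA-512 is a sound simplification only under the assumption that `matrix_homeserver_generic_secret_key` is a long random value: key stretching buys nothing for a high-entropy key, and the slow derivation was repeated for every token on every playbook run. If the key is a human-chosen password, neither variant protects it well, but the old one at least made offline guessing of the key from a leaked appservice token expensive; the docs for the key should state the random-value requirement next to this change. The final `to_uuid` step (UUID v5, SHA-1 over the hex digest) is unchanged and still bounds every derived secret to 122 bits, which is adequate for these tokens, and the `:`-separated label gives domain separation as long as every label in this file is unique.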
@@ -843,14 +839,14 @@ matrix_appservice_irc_container_additional_networks_auto: |-
# IRC bridge presence, for performance reasons.
matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled if matrix_homeserver_implementation == 'synapse' else true }}"
matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.as.token', rounds=655555) | to_uuid }}"
matrix_appservice_irc_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':irc.as.token') | hash('sha512') | to_uuid }}"
matrix_appservice_irc_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'irc.hs.token', rounds=655555) | to_uuid }}"
matrix_appservice_irc_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':irc.hs.token') | hash('sha512') | to_uuid }}"
matrix_appservice_irc_database_engine: "{{ 'postgres' if postgres_enabled else 'nedb' }}"
matrix_appservice_irc_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}"
matrix_appservice_irc_database_password: "{{ (matrix_homeserver_generic_secret_key + ':as.irc.db') | hash('sha512') | to_uuid }}"
matrix_appservice_irc_database_container_network: "{{ postgres_container_network if postgres_enabled else '' }}"
matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" # noqa var-naming
@@ -897,10 +893,10 @@ matrix_appservice_kakaotalk_container_additional_networks_auto: |-
) | unique
}}
matrix_appservice_kakaotalk_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}"
matrix_appservice_kakaotalk_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':as.kakao.hs') | hash('sha512') | to_uuid }}"
matrix_appservice_kakaotalk_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_appservice_kakaotalk_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.hs', rounds=655555) | to_uuid }}"
matrix_appservice_kakaotalk_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':as.kakao.hs') | hash('sha512') | to_uuid }}"
matrix_appservice_kakaotalk_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
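Review bot: `matrix_appservice_kakaotalk_appservice_token` and `matrix_appservice_kakaotalk_homeserver_token` are derived from the identical label `as.kakao.hs`, so the two tokens are equal; this pre-dates the refactor (the old `password_hash` lines used the same salt), but since every derived token rotates in this commit anyway, this is the cheapest moment to fix it, e.g. `':as.kakao.as'` for the appservice token. The `as_token` is what the bridge presents to the homeserver and the `hs_token` is what the homeserver presents to the bridge; when they coincide, whoever holds one holds the other, which defeats the point of having two.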
@@ -908,7 +904,7 @@ matrix_appservice_kakaotalk_login_shared_secret: "{{ matrix_synapse_ext_password
matrix_appservice_kakaotalk_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_appservice_kakaotalk_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_appservice_kakaotalk_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.kakao.db', rounds=655555) | to_uuid }}"
matrix_appservice_kakaotalk_database_password: "{{ (matrix_homeserver_generic_secret_key + ':as.kakao.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -948,10 +944,10 @@ matrix_beeper_linkedin_container_additional_networks_auto: |-
) | unique
}}
matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.as.token', rounds=655555) | to_uuid }}"
matrix_beeper_linkedin_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':linked.as.token') | hash('sha512') | to_uuid }}"
matrix_beeper_linkedin_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'linked.hs.token', rounds=655555) | to_uuid }}"
matrix_beeper_linkedin_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':linked.hs.token') | hash('sha512') | to_uuid }}"
matrix_beeper_linkedin_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
@@ -971,7 +967,7 @@ matrix_beeper_linkedin_bridge_login_shared_secret_map_auto: |-
matrix_beeper_linkedin_bridge_presence: "{{ (matrix_synapse_presence_enabled if matrix_synapse_enabled else true) if matrix_homeserver_implementation == 'synapse' else true }}"
matrix_beeper_linkedin_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maulinkedin.db', rounds=655555) | to_uuid }}"
matrix_beeper_linkedin_database_password: "{{ (matrix_homeserver_generic_secret_key + ':maulinkedin.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1020,14 +1016,14 @@ matrix_mautrix_bluesky_container_labels_traefik_tls_certResolver: "{{ traefik_ce
matrix_mautrix_bluesky_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_mautrix_bluesky_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_mautrix_bluesky_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'bsky.as.token', rounds=655555) | to_uuid }}"
matrix_mautrix_bluesky_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':bsky.as.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_bluesky_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_bluesky_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'bsky.hs.token', rounds=655555) | to_uuid }}"
matrix_mautrix_bluesky_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':bsky.hs.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_bluesky_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
matrix_mautrix_bluesky_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.bsky.prov', rounds=655555) | to_uuid }}"
matrix_mautrix_bluesky_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.bsky.prov') | hash('sha512') | to_uuid }}"
matrix_mautrix_bluesky_double_puppet_secrets_auto: |-
{{
@@ -1045,7 +1041,7 @@ matrix_mautrix_bluesky_metrics_proxying_hostname: "{{ matrix_metrics_exposure_ho
matrix_mautrix_bluesky_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-bluesky"
matrix_mautrix_bluesky_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_bluesky_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if postgres_enabled else '' }}"
matrix_mautrix_bluesky_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.twt.db') | hash('sha512') | to_uuid if postgres_enabled else '' }}"
######################################################################
#
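Review bot: the Bluesky database password is derived from the label `mau.twt.db`, which reads as a leftover from the mautrix-twitter definition this block was copied from; if the Twitter bridge's database password uses the same label, the two bridges' Postgres users end up with the same password. Use a Bluesky-specific label such as `mau.bsky.db`, in line with the `bsky.as.token`, `bsky.hs.token` and `mau.bsky.prov` labels directly above, accepting the rotation that this commit performs for every password anyway.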
@@ -1091,14 +1087,14 @@ matrix_mautrix_discord_systemd_required_services_list_auto: |
([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_discord_database_hostname == postgres_connection_hostname) else [])
}}
matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok', rounds=655555) | to_uuid }}"
matrix_mautrix_discord_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':maudisc.as.tok') | hash('sha512') | to_uuid }}"
matrix_mautrix_discord_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}"
matrix_mautrix_discord_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':maudisc.hs.tok') | hash('sha512') | to_uuid }}"
matrix_mautrix_discord_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
matrix_mautrix_discord_bridge_avatar_proxy_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.avatar', rounds=655555) | to_uuid }}"
matrix_mautrix_discord_bridge_avatar_proxy_key: "{{ (matrix_homeserver_generic_secret_key + ':maudisc.avatar') | hash('sha512') | to_uuid }}"
matrix_mautrix_discord_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_mautrix_discord_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
@@ -1119,7 +1115,7 @@ matrix_mautrix_discord_bridge_login_shared_secret_map_auto: |-
# Postgres is the default, except if not using internal Postgres server
matrix_mautrix_discord_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mautrix_discord_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_discord_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudiscord.db', rounds=655555) | to_uuid }}"
matrix_mautrix_discord_database_password: "{{ (matrix_homeserver_generic_secret_key + ':maudiscord.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1159,10 +1155,10 @@ matrix_mautrix_slack_container_additional_networks_auto: |-
) | unique
}}
matrix_mautrix_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.as.tok', rounds=655555) | to_uuid }}"
matrix_mautrix_slack_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':mauslack.as.tok') | hash('sha512') | to_uuid }}"
matrix_mautrix_slack_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.hs.tok', rounds=655555) | to_uuid }}"
matrix_mautrix_slack_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':mauslack.hs.tok') | hash('sha512') | to_uuid }}"
matrix_mautrix_slack_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
@@ -1178,10 +1174,10 @@ matrix_mautrix_slack_double_puppet_secrets_auto: |-
# Postgres is the default, except if not using internal Postgres server
matrix_mautrix_slack_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mautrix_slack_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_slack_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.db', rounds=655555) | to_uuid }}"
matrix_mautrix_slack_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mauslack.db') | hash('sha512') | to_uuid }}"
matrix_mautrix_slack_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.slack.prov', rounds=655555) | to_uuid }}"
matrix_mautrix_slack_public_media_signing_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.slack.pmed', rounds=655555) | to_uuid }}"
matrix_mautrix_slack_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.slack.prov') | hash('sha512') | to_uuid }}"
matrix_mautrix_slack_public_media_signing_key: "{{ (matrix_homeserver_generic_secret_key + ':mau.slack.pmed') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1234,10 +1230,10 @@ matrix_mautrix_googlechat_container_labels_public_endpoint_hostname: "{{ matrix_
matrix_mautrix_googlechat_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_mautrix_googlechat_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.as.token', rounds=655555) | to_uuid }}"
matrix_mautrix_googlechat_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':gc.as.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_googlechat_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}"
matrix_mautrix_googlechat_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':gc.hs.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_googlechat_login_shared_secret: |-
{{
@@ -1259,7 +1255,7 @@ matrix_mautrix_googlechat_metrics_proxying_path_prefix: "{{ matrix_metrics_expos
# Postgres is the default, except if not using internal Postgres server
matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mautrix_googlechat_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.gc.db', rounds=655555) | to_uuid }}"
matrix_mautrix_googlechat_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.gc.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1310,11 +1306,11 @@ matrix_mautrix_signal_container_labels_metrics_middleware_basic_auth_users: "{{
matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'
matrix_mautrix_signal_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.hs.token', rounds=655555) | to_uuid }}"
matrix_mautrix_signal_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':si.hs.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_signal_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token', rounds=655555) | to_uuid }}"
matrix_mautrix_signal_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':si.as.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_signal_double_puppet_secrets_auto: |-
{{
@@ -1333,10 +1329,10 @@ matrix_mautrix_signal_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_
matrix_mautrix_signal_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mautrix_signal_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}"
matrix_mautrix_signal_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.signal.db') | hash('sha512') | to_uuid }}"
matrix_mautrix_signal_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.prov', rounds=655555) | to_uuid }}"
matrix_mautrix_signal_public_media_signing_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.pmed', rounds=655555) | to_uuid }}"
matrix_mautrix_signal_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.signal.prov') | hash('sha512') | to_uuid }}"
matrix_mautrix_signal_public_media_signing_key: "{{ (matrix_homeserver_generic_secret_key + ':mau.signal.pmed') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1386,11 +1382,11 @@ matrix_mautrix_meta_messenger_container_labels_traefik_tls_certResolver: "{{ tra
matrix_mautrix_meta_messenger_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_mautrix_meta_messenger_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_mautrix_meta_messenger_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.fb.as', rounds=655555) | to_uuid }}"
matrix_mautrix_meta_messenger_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.fb.as') | hash('sha512') | to_uuid }}"
matrix_mautrix_meta_messenger_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_meta_messenger_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.fb.hs', rounds=655555) | to_uuid }}"
matrix_mautrix_meta_messenger_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.fb.hs') | hash('sha512') | to_uuid }}"
matrix_mautrix_meta_messenger_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
@@ -1413,7 +1409,7 @@ matrix_mautrix_meta_messenger_metrics_proxying_path_prefix: "{{ matrix_metrics_e
# and point them to a migration path.
matrix_mautrix_meta_messenger_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite3-fk-wal' }}"
matrix_mautrix_meta_messenger_database_hostname: "{{ postgres_connection_hostname if (postgres_enabled and matrix_mautrix_meta_messenger_database_engine == 'postgres') else '' }}"
matrix_mautrix_meta_messenger_database_password: "{{ ('%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db', rounds=655555) | to_uuid) if (postgres_enabled and matrix_mautrix_meta_messenger_database_engine == 'postgres') else '' }}"
matrix_mautrix_meta_messenger_database_password: "{{ ((matrix_homeserver_generic_secret_key + ':mau.fb.db') | hash('sha512') | to_uuid) if (postgres_enabled and matrix_mautrix_meta_messenger_database_engine == 'postgres') else '' }}"
######################################################################
#
@@ -1464,11 +1460,11 @@ matrix_mautrix_meta_instagram_container_labels_traefik_tls_certResolver: "{{ tra
matrix_mautrix_meta_instagram_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_mautrix_meta_instagram_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_mautrix_meta_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.ig.as', rounds=655555) | to_uuid }}"
matrix_mautrix_meta_instagram_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.ig.as') | hash('sha512') | to_uuid }}"
matrix_mautrix_meta_instagram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_meta_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.meta.ig.hs', rounds=655555) | to_uuid }}"
matrix_mautrix_meta_instagram_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':mau.meta.ig.hs') | hash('sha512') | to_uuid }}"
matrix_mautrix_meta_instagram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
@@ -1491,7 +1487,7 @@ matrix_mautrix_meta_instagram_metrics_proxying_path_prefix: "{{ matrix_metrics_e
# and point them to a migration path.
matrix_mautrix_meta_instagram_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite3-fk-wal' }}"
matrix_mautrix_meta_instagram_database_hostname: "{{ postgres_connection_hostname if (postgres_enabled and matrix_mautrix_meta_instagram_database_engine == 'postgres') else '' }}"
matrix_mautrix_meta_instagram_database_password: "{{ ('%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db', rounds=655555) | to_uuid) if (postgres_enabled and matrix_mautrix_meta_instagram_database_engine == 'postgres') else '' }}"
matrix_mautrix_meta_instagram_database_password: "{{ ((matrix_homeserver_generic_secret_key + ':mau.fb.db') | hash('sha512') | to_uuid) if (postgres_enabled and matrix_mautrix_meta_instagram_database_engine == 'postgres') else '' }}"
######################################################################
#
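Review bot: `matrix_mautrix_meta_instagram_database_password` and `matrix_mautrix_meta_messenger_database_password` are both derived from `mau.fb.db`, so unless the two bridges are meant to share one database user, their Postgres users share one password and a compromise of either bridge's config file yields credentials for the other's database. Since all derived secrets rotate in this commit, this is the moment to give the Instagram bridge its own label, e.g. `mau.ig.db`, matching the `mau.meta.ig.as` / `mau.meta.ig.hs` labels used for its tokens.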
@@ -1510,7 +1506,7 @@ matrix_mautrix_meta_instagram_database_password: "{{ ('%s' | format(matrix_homes
matrix_mautrix_telegram_enabled: false
matrix_mautrix_telegram_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_mautrix_telegram_path_prefix: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram', rounds=655555) | to_uuid }}"
matrix_mautrix_telegram_path_prefix: "/{{ (matrix_homeserver_generic_secret_key + ':telegram') | hash('sha512') | to_uuid }}"
matrix_mautrix_telegram_systemd_required_services_list_auto: |
{{
@@ -1551,11 +1547,11 @@ matrix_mautrix_telegram_container_labels_traefik_tls_certResolver: "{{ traefik_c
matrix_mautrix_telegram_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_mautrix_telegram_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.as.token', rounds=655555) | to_uuid }}"
matrix_mautrix_telegram_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':telegr.as.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_telegram_homeserver_domain: "{{ matrix_domain }}"
matrix_mautrix_telegram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegr.hs.token', rounds=655555) | to_uuid }}"
matrix_mautrix_telegram_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':telegr.hs.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_telegram_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
@@ -1581,7 +1577,7 @@ matrix_mautrix_telegram_metrics_proxying_path_prefix: "{{ matrix_metrics_exposur
# Postgres is the default, except if not using internal Postgres server
matrix_mautrix_telegram_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mautrix_telegram_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.telegram.db', rounds=655555) | to_uuid }}"
matrix_mautrix_telegram_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.telegram.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1630,14 +1626,14 @@ matrix_mautrix_twitter_container_labels_traefik_tls_certResolver: "{{ traefik_ce
matrix_mautrix_twitter_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_mautrix_twitter_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_mautrix_twitter_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.as.token', rounds=655555) | to_uuid }}"
matrix_mautrix_twitter_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':twt.as.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_twitter_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'twt.hs.token', rounds=655555) | to_uuid }}"
matrix_mautrix_twitter_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':twt.hs.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_twitter_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
matrix_mautrix_twitter_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twit.prov', rounds=655555) | to_uuid }}"
matrix_mautrix_twitter_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':mau.twit.prov') | hash('sha512') | to_uuid }}"
matrix_mautrix_twitter_double_puppet_secrets_auto: |-
{{
@@ -1655,7 +1651,7 @@ matrix_mautrix_twitter_metrics_proxying_hostname: "{{ matrix_metrics_exposure_ho
matrix_mautrix_twitter_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-twitter"
matrix_mautrix_twitter_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if postgres_enabled else '' }}"
matrix_mautrix_twitter_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.twt.db') | hash('sha512') | to_uuid if postgres_enabled else '' }}"
######################################################################
#
@@ -1704,10 +1700,10 @@ matrix_mautrix_gmessages_container_labels_traefik_tls_certResolver: "{{ traefik_
matrix_mautrix_gmessages_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_mautrix_gmessages_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.as.token', rounds=655555) | to_uuid }}"
matrix_mautrix_gmessages_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':gmessa.as.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_gmessages_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}"
matrix_mautrix_gmessages_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':gmessa.hs.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_gmessages_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
@@ -1729,7 +1725,7 @@ matrix_mautrix_gmessages_metrics_proxying_path_prefix: "{{ matrix_metrics_exposu
# Postgres is the default, except if not using internal Postgres server
matrix_mautrix_gmessages_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mautrix_gmessages_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_gmessages_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maugmessages.db', rounds=655555) | to_uuid }}"
matrix_mautrix_gmessages_database_password: "{{ (matrix_homeserver_generic_secret_key + ':maugmessages.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1781,7 +1777,7 @@ matrix_mautrix_wsproxy_container_labels_traefik_entrypoints: "{{ traefik_entrypo
matrix_mautrix_wsproxy_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
matrix_mautrix_wsproxy_syncproxy_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_wsproxy_syncproxy_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'wsproxy.db', rounds=655555) | to_uuid }}"
matrix_mautrix_wsproxy_syncproxy_database_password: "{{ (matrix_homeserver_generic_secret_key + ':wsproxy.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1824,21 +1820,21 @@ matrix_wechat_container_additional_networks_auto: |-
) | unique
}}
matrix_wechat_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'wechat.as.token', rounds=655555) | to_uuid }}"
matrix_wechat_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':wechat.as.token') | hash('sha512') | to_uuid }}"
matrix_wechat_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_wechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'wechat.hs.token', rounds=655555) | to_uuid }}"
matrix_wechat_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':wechat.hs.token') | hash('sha512') | to_uuid }}"
matrix_wechat_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
matrix_wechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
matrix_wechat_bridge_listen_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'wechat.lstn', rounds=655555) | to_uuid }}"
matrix_wechat_bridge_listen_secret: "{{ (matrix_homeserver_generic_secret_key + ':wechat.lstn') | hash('sha512') | to_uuid }}"
# Postgres is the default, except if not using internal Postgres server
matrix_wechat_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_wechat_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_wechat_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gowechat.db', rounds=655555) | to_uuid }}"
matrix_wechat_database_password: "{{ (matrix_homeserver_generic_secret_key + ':gowechat.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1887,10 +1883,10 @@ matrix_mautrix_whatsapp_systemd_required_services_list_auto: |
([postgres_identifier ~ '.service'] if postgres_enabled and matrix_mautrix_whatsapp_database_hostname == postgres_connection_hostname else [])
}}
matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.as.token', rounds=655555) | to_uuid }}"
matrix_mautrix_whatsapp_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':wa.as.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'whats.hs.token', rounds=655555) | to_uuid }}"
matrix_mautrix_whatsapp_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':wa.hs.token') | hash('sha512') | to_uuid }}"
matrix_mautrix_whatsapp_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
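Review bot: the WhatsApp labels are renamed in this hunk (`whats.as.token` to `wa.as.token`, `whats.hs.token` to `wa.hs.token`) while every other hunk keeps the old salt string verbatim. It does not matter for compatibility, since all derived values change anyway, but either keep the old labels for consistency or state in the commit message why these two differ, so the next reader does not take it for an accidental edit.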
@@ -1912,7 +1908,7 @@ matrix_mautrix_whatsapp_metrics_proxying_path_prefix: "{{ matrix_metrics_exposur
# Postgres is the default, except if not using internal Postgres server
matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mautrix_whatsapp_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauwhatsapp.db', rounds=655555) | to_uuid }}"
matrix_mautrix_whatsapp_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mauwhatsapp.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1943,11 +1939,11 @@ matrix_sms_bridge_container_additional_networks_auto: |-
([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
}}
matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.as.token', rounds=655555) | to_uuid }}"
matrix_sms_bridge_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':sms.as.token') | hash('sha512') | to_uuid }}"
matrix_sms_bridge_homeserver_hostname: "{{ (matrix_homeserver_container_client_api_endpoint | split(':'))[0] }}"
matrix_sms_bridge_homeserver_port: "{{ (matrix_homeserver_container_client_api_endpoint | split(':'))[1] }}"
matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'sms.hs.token', rounds=655555) | to_uuid }}"
matrix_sms_bridge_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':sms.hs.token') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -1989,9 +1985,9 @@ matrix_heisenbridge_container_labels_traefik_docker_network: "{{ matrix_playbook
matrix_heisenbridge_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
matrix_heisenbridge_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.as.tok', rounds=655555) | to_uuid }}"
matrix_heisenbridge_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':heisen.as.tok') | hash('sha512') | to_uuid }}"
matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'heisen.hs.tok', rounds=655555) | to_uuid }}"
matrix_heisenbridge_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':heisen.hs.tok') | hash('sha512') | to_uuid }}"
matrix_heisenbridge_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
@@ -2014,9 +2010,9 @@ matrix_hookshot_docker_image_registry_prefix_upstream: "{{ matrix_container_glob
matrix_hookshot_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
matrix_hookshot_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.as.tok', rounds=655555) | to_uuid }}"
matrix_hookshot_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':hookshot.as.tok') | hash('sha512') | to_uuid }}"
matrix_hookshot_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hookshot.hs.tok', rounds=655555) | to_uuid }}"
matrix_hookshot_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':hookshot.hs.tok') | hash('sha512') | to_uuid }}"
matrix_hookshot_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
@@ -2074,55 +2070,6 @@ matrix_hookshot_public_hostname: "{{ matrix_server_fqn_matrix }}"
#
######################################################################
######################################################################
#
# matrix-bridge-zulip
#
######################################################################
# We don't enable bridges by default.
matrix_zulip_bridge_enabled: false
matrix_zulip_bridge_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one
matrix_zulip_bridge_owner: "{{ matrix_admin if matrix_admin else '' }}"
matrix_zulip_bridge_systemd_required_services_list_auto: |
{{
matrix_addons_homeserver_systemd_services_list
}}
matrix_zulip_bridge_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_zulip_bridge_docker_image_registry_prefix_upstream_default }}"
matrix_zulip_bridge_container_network: "{{ matrix_addons_container_network }}"
matrix_zulip_bridge_container_additional_networks_auto: |-
{{
(
([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
+
[matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_zulip_bridge_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else []
) | unique
}}
matrix_zulip_bridge_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
matrix_zulip_bridge_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
matrix_zulip_bridge_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
matrix_zulip_bridge_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
matrix_zulip_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'zulip.as.tok', rounds=655555) | to_uuid }}"
matrix_zulip_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'zulip.hs.tok', rounds=655555) | to_uuid }}"
matrix_zulip_bridge_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
######################################################################
#
# /matrix-bridge-zulip
#
######################################################################
######################################################################
#
# matrix-bridge-mx-puppet-steam
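Review bot: this hunk deletes the whole matrix-bridge-zulip block (`matrix_zulip_bridge_enabled` with its token, network and Traefik settings) instead of migrating its two `password_hash` lines like the rest of the file. Removing a bridge is a separate, user-visible change and belongs in its own commit with a changelog entry that tells users who have `matrix_zulip_bridge_enabled: true` how to uninstall the service; a validation task that fails when a `matrix_zulip_bridge_*` variable is still defined would turn a silent disappearance of the bridge into an actionable message.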
@@ -2154,10 +2101,10 @@ matrix_mx_puppet_steam_container_additional_networks_auto: |-
) | unique
}}
matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.as.tok', rounds=655555) | to_uuid }}"
matrix_mx_puppet_steam_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':mxste.as.tok') | hash('sha512') | to_uuid }}"
matrix_mx_puppet_steam_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxste.hs.tok', rounds=655555) | to_uuid }}"
matrix_mx_puppet_steam_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':mxste.hs.tok') | hash('sha512') | to_uuid }}"
matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
@@ -2166,7 +2113,7 @@ matrix_mx_puppet_steam_presence_enabled: "{{ matrix_homeserver_implementation !=
# Postgres is the default, except if not using internal Postgres server
matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mx_puppet_steam_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.steam.db', rounds=655555) | to_uuid }}"
matrix_mx_puppet_steam_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mxpup.steam.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -2206,10 +2153,10 @@ matrix_mx_puppet_groupme_container_additional_networks_auto: |-
) | unique
}}
matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.as.tok', rounds=655555) | to_uuid }}"
matrix_mx_puppet_groupme_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':mxgro.as.tok') | hash('sha512') | to_uuid }}"
matrix_mx_puppet_groupme_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxgro.hs.tok', rounds=655555) | to_uuid }}"
matrix_mx_puppet_groupme_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':mxgro.hs.tok') | hash('sha512') | to_uuid }}"
matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
@@ -2218,7 +2165,7 @@ matrix_mx_puppet_groupme_presence_enabled: "{{ matrix_homeserver_implementation
# Postgres is the default, except if not using internal Postgres server
matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_mx_puppet_groupme_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.groupme.db', rounds=655555) | to_uuid }}"
matrix_mx_puppet_groupme_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mxpup.groupme.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -2283,7 +2230,7 @@ matrix_postmoogle_systemd_required_services_list_auto: |
# Postgres is the default, except if not using internal Postgres server
matrix_postmoogle_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_postmoogle_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db', rounds=655555) | to_uuid }}"
matrix_postmoogle_database_password: "{{ (matrix_homeserver_generic_secret_key + ':postmoogle.db') | hash('sha512') | to_uuid }}"
matrix_postmoogle_homeserver: "{{ matrix_addons_homeserver_client_api_url }}"
@@ -2345,16 +2292,16 @@ matrix_steam_bridge_container_labels_traefik_tls_certResolver: "{{ traefik_certR
matrix_steam_bridge_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_steam_bridge_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_steam_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.as.token', rounds=655555) | to_uuid }}"
matrix_steam_bridge_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':steam.as.token') | hash('sha512') | to_uuid }}"
matrix_steam_bridge_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
matrix_steam_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.hs.token', rounds=655555) | to_uuid }}"
matrix_steam_bridge_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':steam.hs.token') | hash('sha512') | to_uuid }}"
matrix_steam_bridge_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"
matrix_steam_bridge_public_media_signing_key: "{{ ('%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.pub.key', rounds=655555) | to_uuid) if matrix_steam_bridge_public_media_enabled else '' }}"
matrix_steam_bridge_public_media_signing_key: "{{ ((matrix_homeserver_generic_secret_key + ':steam.pub.key') | hash('sha512') | to_uuid) if matrix_steam_bridge_public_media_enabled else '' }}"
matrix_steam_bridge_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.prov', rounds=655555) | to_uuid }}"
matrix_steam_bridge_provisioning_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':steam.prov') | hash('sha512') | to_uuid }}"
matrix_steam_bridge_double_puppet_secrets_auto: |-
{{
@@ -2372,7 +2319,7 @@ matrix_steam_bridge_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostn
matrix_steam_bridge_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/matrix-steam-bridge"
matrix_steam_bridge_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_steam_bridge_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.twt.db', rounds=655555) | to_uuid if postgres_enabled else '' }}"
matrix_steam_bridge_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mau.twt.db') | hash('sha512') | to_uuid if postgres_enabled else '' }}"
######################################################################
#
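Review bot: `matrix_steam_bridge_database_password` is derived with the label `mau.twt.db`, the same label `matrix_mautrix_twitter_database_password` uses in the `@@ -1655` hunk above, so the two bridges get byte-identical Postgres passwords and compromise of either bridge container (or of its config file) yields the other's database credentials. Use a bridge-specific label here, e.g. `steam.db` to match `steam.as.token`, `steam.hs.token` and `steam.prov` in the previous hunk; since every derived value changes in this migration anyway, now is the cheapest moment to fix it.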
@@ -2416,7 +2363,7 @@ matrix_bot_matrix_reminder_bot_matrix_homeserver_url: "{{ matrix_addons_homeserv
# Postgres is the default, except if not using internal Postgres server
matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_bot_matrix_reminder_bot_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}"
matrix_bot_matrix_reminder_bot_database_password: "{{ (matrix_homeserver_generic_secret_key + ':reminder.bot.db') | hash('sha512') | to_uuid }}"
matrix_bot_matrix_reminder_bot_allowlist_enabled: true
matrix_bot_matrix_reminder_bot_allowlist_regexes_auto:
@@ -2521,7 +2468,7 @@ matrix_bot_maubot_container_labels_management_hostname: "{{ matrix_server_fqn_ma
# Postgres is the default, except if not using internal Postgres server
matrix_bot_maubot_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_bot_maubot_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mxpup.dsc.db', rounds=655555) | to_uuid }}"
matrix_bot_maubot_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mxpup.dsc.db') | hash('sha512') | to_uuid }}"
######################################################################
#
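Review bot: `matrix_bot_maubot_database_password` is derived with the label `mxpup.dsc.db`, which follows the `mxpup.<service>.db` naming of the mx-puppet bridges (`mxpup.steam.db`, `mxpup.groupme.db` above) and looks like a copy-paste leftover from an mx-puppet Discord role. Check that no other variable in this file still derives from `mxpup.dsc.db` (that would give two services the same password) and, since every derived value changes in this migration anyway, switch to a maubot-specific label such as `maubot.db`.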
@@ -2579,7 +2526,7 @@ matrix_bot_honoroit_homeserver: "{{ matrix_addons_homeserver_client_api_url }}"
# Postgres is the default, except if not using internal Postgres server
matrix_bot_honoroit_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_bot_honoroit_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_bot_honoroit_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'honoroit.bot.db', rounds=655555) | to_uuid }}"
matrix_bot_honoroit_database_password: "{{ (matrix_homeserver_generic_secret_key + ':honoroit.bot.db') | hash('sha512') | to_uuid }}"
matrix_bot_honoroit_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
######################################################################
@@ -2633,7 +2580,7 @@ matrix_bot_buscarron_homeserver: "{{ matrix_addons_homeserver_client_api_url }}"
# Postgres is the default, except if not using internal Postgres server
matrix_bot_buscarron_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_bot_buscarron_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_bot_buscarron_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'buscarron.bot.db', rounds=655555) | to_uuid }}"
matrix_bot_buscarron_database_password: "{{ (matrix_homeserver_generic_secret_key + ':buscarron.bot.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -2804,7 +2751,7 @@ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints: "{{
matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
#The salt is size restricted here as a maximum salt size of 16 characters exists due to the functions used.
matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'draupnir.httpmod', rounds=655555) | to_uuid }}" # noqa var-naming
matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: "{{ (matrix_homeserver_generic_secret_key + ':draupnir.httpmod') | hash('sha512') | to_uuid }}" # noqa var-naming
######################################################################
#
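Review bot: the comment kept just above the changed line, `#The salt is size restricted here as a maximum salt size of 16 characters exists due to the functions used.`, described a limitation of `password_hash` and is now stale: `hash('sha512')` over the concatenated string has no salt-length limit. Drop the comment in this hunk so it does not mislead whoever picks the next label.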
@@ -2844,11 +2791,11 @@ matrix_appservice_draupnir_for_all_container_additional_networks_auto: |-
) | unique
}}
matrix_appservice_draupnir_for_all_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'd4a.as.token', rounds=655555) | to_uuid }}"
matrix_appservice_draupnir_for_all_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'd4a.hs.token', rounds=655555) | to_uuid }}"
matrix_appservice_draupnir_for_all_appservice_token: "{{ (matrix_homeserver_generic_secret_key + ':d4a.as.token') | hash('sha512') | to_uuid }}"
matrix_appservice_draupnir_for_all_homeserver_token: "{{ (matrix_homeserver_generic_secret_key + ':d4a.hs.token') | hash('sha512') | to_uuid }}"
matrix_appservice_draupnir_for_all_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_appservice_draupnir_for_all_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.d4a.db', rounds=655555) | to_uuid }}"
matrix_appservice_draupnir_for_all_database_password: "{{ (matrix_homeserver_generic_secret_key + ':as.d4a.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -2865,8 +2812,8 @@ matrix_appservice_draupnir_for_all_database_password: "{{ '%s' | format(matrix_h
matrix_appservice_double_puppet_enabled: false
matrix_appservice_double_puppet_registration_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.doub.pup', rounds=655555) | to_uuid }}"
matrix_appservice_double_puppet_registration_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'hs.doub.pup', rounds=655555) | to_uuid }}"
matrix_appservice_double_puppet_registration_as_token: "{{ (matrix_homeserver_generic_secret_key + ':as.doub.pup') | hash('sha512') | to_uuid }}"
matrix_appservice_double_puppet_registration_hs_token: "{{ (matrix_homeserver_generic_secret_key + ':hs.doub.pup') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -2983,8 +2930,8 @@ matrix_cactus_comments_container_additional_networks_auto: |-
([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
}}
matrix_cactus_comments_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.as.token', rounds=655555) | to_uuid }}"
matrix_cactus_comments_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.hs.token', rounds=655555) | to_uuid }}"
matrix_cactus_comments_as_token: "{{ (matrix_homeserver_generic_secret_key + ':cactus.as.token') | hash('sha512') | to_uuid }}"
matrix_cactus_comments_hs_token: "{{ (matrix_homeserver_generic_secret_key + ':cactus.hs.token') | hash('sha512') | to_uuid }}"
matrix_cactus_comments_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
@@ -3160,13 +3107,13 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64
# We make the assumption that `ansible_host` points to an external IP address, which may not always be the case.
# Users are free to set `matrix_coturn_turn_external_ip_address` to an empty string
# to allow auto-detection (via an EchoIP service) to happen at runtime.
# to allow auto-detection (via an echoip service) to happen at runtime.
matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
matrix_coturn_turn_static_auth_secret: "{{ ('%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid) if matrix_coturn_authentication_method == 'auth-secret' else '' }}"
matrix_coturn_turn_static_auth_secret: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.sas') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'auth-secret' else '' }}"
matrix_coturn_lt_cred_mech_username: "{{ ('%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.user', rounds=655555) | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_lt_cred_mech_password: "{{ ('%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.pass', rounds=655555) | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_lt_cred_mech_username: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.user') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_lt_cred_mech_password: "{{ ((matrix_homeserver_generic_secret_key + ':coturn.pass') | hash('sha512') | to_uuid) if matrix_coturn_authentication_method == 'lt-cred-mech' else '' }}"
matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}"
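Review bot: `matrix_coturn_turn_static_auth_secret` changes value with this hunk and the homeserver consumes the same variable (see `matrix_dendrite_client_api_turn_shared_secret` further down in this diff), so a partial run that only reconfigures coturn, such as `install-service coturn` from the justfile in this diff, leaves the homeserver minting TURN credentials with the old secret until it is reconfigured as well. The changelog entry for the derivation change should tell operators to apply it with a full `setup-all` / `install-all` rather than a per-service install. The `EchoIP` to `echoip` comment fix is fine.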
@@ -3278,7 +3225,7 @@ matrix_dimension_systemd_required_services_list_auto: |
# Postgres is the default, except if not using internal Postgres server
matrix_dimension_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_dimension_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dimension.db', rounds=655555) | to_uuid }}"
matrix_dimension_database_password: "{{ (matrix_homeserver_generic_secret_key + ':dimension.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -3334,7 +3281,7 @@ etherpad_systemd_required_services_list_auto: |
etherpad_database_postgres_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
etherpad_database_name: matrix_etherpad
etherpad_database_postgres_username: matrix_etherpad
etherpad_database_postgres_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}"
etherpad_database_postgres_password: "{{ (matrix_homeserver_generic_secret_key + ':etherpad.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -3344,19 +3291,29 @@ etherpad_database_postgres_password: "{{ '%s' | format(matrix_homeserver_generic
######################################################################
#
# matrix-dynamic-dns
# ddclient
#
######################################################################
matrix_dynamic_dns_enabled: false
ddclient_enabled: false
matrix_dynamic_dns_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_dynamic_dns_docker_image_registry_prefix_upstream_default }}"
ddclient_identifier: matrix-dynamic-dns
matrix_dynamic_dns_container_network: matrix-dynamic-dns
ddclient_base_path: "{{ matrix_base_data_path }}/dynamic-dns"
ddclient_uid: "{{ matrix_user_uid }}"
ddclient_gid: "{{ matrix_user_gid }}"
ddclient_container_image_registry_prefix: "{{ 'localhost/' if ddclient_container_image_self_build else ddclient_container_image_registry_prefix_upstream }}"
ddclient_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else ddclient_docker_image_registry_prefix_upstream_default }}"
ddclient_web: "https://cloudflare.com/cdn-cgi/trace"
ddclient_web_skip: "ip="
######################################################################
#
# /matrix-dynamic-dns
# /ddclient
#
######################################################################
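Review bot: the `matrix_dynamic_dns_*` variables are removed without any visible deprecation shim, so an inventory that still sets `matrix_dynamic_dns_enabled: true` and `matrix_dynamic_dns_domain_configurations` (the name the docs hunk below renames to `ddclient_domain_configurations`) is silently ignored and the host's DNS record simply stops updating; a hard failure when any old `matrix_dynamic_dns_*` variable is defined would surface that at playbook time. Two smaller points in the new block: `ddclient_container_image_registry_prefix_upstream` references `ddclient_docker_image_registry_prefix_upstream_default` while every other new variable here uses `container_image`, so confirm the role really defines the `docker_image_...` name or this fails at templating time; and `ddclient_web: "https://cloudflare.com/cdn-cgi/trace"` with `ddclient_web_skip: "ip="` makes the public-IP lookup depend on a third party, which deserves a comment the way the coturn `echoip` auto-detection has one.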
@@ -3415,9 +3372,9 @@ jitsi_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxy
jitsi_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
jitsi_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}"
jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}"
jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}"
jitsi_jibri_xmpp_password: "{{ (matrix_homeserver_generic_secret_key + ':jibri') | hash('sha512') | to_uuid }}"
jitsi_jicofo_auth_password: "{{ (matrix_homeserver_generic_secret_key + ':jicofo') | hash('sha512') | to_uuid }}"
jitsi_jvb_auth_password: "{{ (matrix_homeserver_generic_secret_key + ':jvb') | hash('sha512') | to_uuid }}"
jitsi_web_stun_servers: |
{{
@@ -3583,7 +3540,7 @@ matrix_media_repo_container_labels_traefik_metrics_middleware_basic_auth_users:
matrix_media_repo_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_media_repo_database_username: matrix_media_repo
matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}"
matrix_media_repo_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mediarepo.db') | hash('sha512') | to_uuid }}"
matrix_media_repo_database_name: matrix_media_repo
matrix_media_repo_systemd_required_services_list_auto: |
@@ -4396,9 +4353,9 @@ matrix_synapse_container_labels_internal_client_api_traefik_entrypoints: "{{ mat
matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}"
matrix_synapse_database_host: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db', rounds=655555) | to_uuid }}"
matrix_synapse_database_password: "{{ (matrix_homeserver_generic_secret_key + ':synapse.db') | hash('sha512') | to_uuid }}"
matrix_synapse_macaroon_secret_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.mac', rounds=655555) | to_uuid }}"
matrix_synapse_macaroon_secret_key: "{{ (matrix_homeserver_generic_secret_key + ':synapse.mac') | hash('sha512') | to_uuid }}"
# We do not enable TLS in Synapse by default, since it's handled by Traefik.
matrix_synapse_tls_federation_listener_enabled: false
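Review bot: `matrix_synapse_macaroon_secret_key` is a signing secret rather than a password, and its derived value changes here, so tokens Synapse signed with the old key stop validating after the upgrade; that deserves an explicit breaking-change entry alongside the `matrix_synapse_database_password` rotation. Operators who need continuity can pin the currently deployed value in `vars.yml` as `matrix_synapse_macaroon_secret_key: "<current value>"` before upgrading, and the changelog should say so.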
@@ -4695,11 +4652,6 @@ matrix_synapse_admin_config_asManagedUsers_auto: |
'^@hbirc_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
] if matrix_heisenbridge_enabled else [])
+
([
'^@zulipbot:'+(matrix_domain | regex_escape)+'$',
'^@zulip_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
] if matrix_zulip_bridge_enabled else [])
+
([
'^@hookshot:'+(matrix_domain | regex_escape)+'$',
'^@_github_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
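Review bot: dropping the `@zulipbot:` and `@zulip_[a-zA-Z0-9]+:` patterns from `matrix_synapse_admin_config_asManagedUsers_auto` is consistent with the Zulip bridge role being deleted in this diff, but the puppet users the bridge created on existing homeservers are not removed with it, so they will now appear in synapse-admin as ordinary, unmanaged accounts. The changelog should mention that and point at the manual cleanup steps for the removed role.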
@@ -4899,7 +4851,7 @@ prometheus_postgres_exporter_container_labels_metrics_middleware_basic_auth_user
prometheus_postgres_exporter_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter
prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'prometheus.pg.db', rounds=655555) | to_uuid }}"
prometheus_postgres_exporter_database_password: "{{ (matrix_homeserver_generic_secret_key + ':prometheus.pg.db') | hash('sha512') | to_uuid }}"
prometheus_postgres_exporter_database_name: matrix_prometheus_postgres_exporter
prometheus_postgres_exporter_systemd_required_services_list_auto: |
@@ -5216,7 +5168,7 @@ matrix_registration_api_validate_certs: "{{ matrix_playbook_ssl_enabled }}"
# Postgres is the default, except if not using internal Postgres server
matrix_registration_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_registration_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mx.registr.db', rounds=655555) | to_uuid }}"
matrix_registration_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mx.registr.db') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -5275,11 +5227,11 @@ matrix_dendrite_metrics_proxying_enabled: "{{ matrix_dendrite_metrics_enabled an
matrix_dendrite_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
matrix_dendrite_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/dendrite"
matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
matrix_dendrite_client_api_registration_shared_secret: "{{ (matrix_homeserver_generic_secret_key + ':dendrite.rss') | hash('sha512') | to_uuid }}"
matrix_dendrite_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}"
matrix_dendrite_database_password: "{{ (matrix_homeserver_generic_secret_key + ':dendrite.db') | hash('sha512') | to_uuid }}"
matrix_dendrite_client_api_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
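Review bot: `matrix_dendrite_client_api_registration_shared_secret` is consumed outside the playbook (anything that registers users through the shared-secret API holds a copy), so unlike the database password its rotation here is visible to external tooling; the changelog should state that the value changes and that such scripts must be updated or the variable pinned to its old value in `vars.yml`.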
@@ -5574,7 +5526,7 @@ matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_addons_homeserve
# We connect via the container network (private IPs), so we need to disable IP checks
matrix_user_verification_service_uvs_disable_ip_blacklist: "{{ matrix_synapse_enabled }}"
matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}"
matrix_user_verification_service_uvs_auth_token: "{{ (matrix_homeserver_generic_secret_key + ':uvs.auth.token') | hash('sha512') | to_uuid }}"
######################################################################
#
@@ -5970,9 +5922,9 @@ matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefi
matrix_livekit_jwt_service_environment_variable_livekit_url: "{{ livekit_server_websocket_public_url }}"
matrix_livekit_jwt_service_environment_variable_livekit_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.key', rounds=655555) | to_uuid }}"
matrix_livekit_jwt_service_environment_variable_livekit_key: "{{ (matrix_homeserver_generic_secret_key + ':lk.key') | hash('sha512') | to_uuid }}"
matrix_livekit_jwt_service_environment_variable_livekit_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.secret', rounds=655555) | to_uuid }}"
matrix_livekit_jwt_service_environment_variable_livekit_secret: "{{ (matrix_homeserver_generic_secret_key + ':lk.secret') | hash('sha512') | to_uuid }}"
matrix_livekit_jwt_service_environment_variable_livekit_full_access_homeservers_list: ["{{ matrix_domain }}"]
@@ -17,7 +17,7 @@ packaging==26.0
Pygments==2.19.2
PyYAML==6.0.3
requests==2.32.5
setuptools==81.0.0
setuptools==82.0.0
snowballstemmer==3.0.1
Sphinx==9.1.0
sphinx-intl==2.3.2
@@ -45,7 +45,7 @@ msgid "To enable dynamic DNS, add the following configuration to your `inventory
msgstr ""
#: ../../../docs/configuring-playbook-dynamic-dns.md:34
msgid "Keep in mind that certain providers may require a different configuration of the `matrix_dynamic_dns_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in)."
msgid "Keep in mind that certain providers may require a different configuration of the `ddclient_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in)."
msgstr ""
#: ../../../docs/configuring-playbook-dynamic-dns.md:36
@@ -50,8 +50,7 @@ install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,star
install-service service *extra_args:
{{ just_executable() }} --justfile "{{ justfile() }}" run \
--tags=install-{{ service }},start-group \
--extra-vars=group={{ service }} \
--extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }}
--extra-vars=group={{ service }} {{ extra_args }}
# Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments
setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args)
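Review bot: dropping `--extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one` from `install-service` means the recipe now inherits whatever restart mode the `systemd_service_manager` role defaults to, and that role receives a major bump (v1.1.0-0 to v2.0.0-0) elsewhere in this diff, which by convention signals a behaviour change; the recipe's comment should say it no longer forces serialized restarts, and that operators who want them can still pass `--extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one` through `*extra_args`.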
@@ -12,6 +12,10 @@
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
version: v0.4.2-1
name: container_socket_proxy
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
version: v4.0.0-0
name: ddclient
activation_prefix: ddclient_
- src: git+https://github.com/geerlingguy/ansible-role-docker
version: 8.0.0
name: docker
@@ -34,7 +38,7 @@
version: v1.9.11-0
name: livekit_server
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
version: v2.16.0-1
version: v2.17.0-0
name: ntfy
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
version: 8630e4f1749bcb659c412820f754473f09055052
@@ -46,7 +50,7 @@
version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
name: playbook_state_preserver
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
version: v18.1-3
version: v18.1-5
name: postgres
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
version: v18-0
@@ -64,7 +68,7 @@
version: v1.4.1-0
name: systemd_docker_base
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
version: v1.1.0-0
version: v2.0.0-0
name: systemd_service_manager
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.1.0-1
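Review bot: the new `ddclient` role and the bumped `ntfy`, `postgres` and `systemd_service_manager` roles are pinned to git tags, whereas `playbook_help` and `playbook_state_preserver` in the same file are pinned to commit SHAs; tags are mutable, so for roles pulled from other GitHub organisations a SHA pin (or the tag together with the SHA it resolved to) gives a reproducible and tamper-evident dependency. The `activation_prefix: ddclient_` line matches the `ddclient_*` variables introduced in the group_vars hunk, and the `systemd_service_manager` jump from v1.1.0-0 to v2.0.0-0 should be paired with a changelog entry describing what changed, since the justfile in this diff is already adapted to it.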
@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
matrix_authentication_service_version: 1.10.0
matrix_authentication_service_version: 1.11.0
matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
# renovate: datasource=docker depName=ghcr.io/etkecc/baibot
matrix_bot_baibot_version: v1.14.0
matrix_bot_baibot_version: v1.14.1
matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -76,7 +76,6 @@ matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto: |
{{
{}
| combine ({'X-XSS-Protection': matrix_bot_go_neb_http_header_xss_protection} if matrix_bot_go_neb_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_bot_go_neb_http_header_frame_options} if matrix_bot_go_neb_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_bot_go_neb_http_header_content_type_options} if matrix_bot_go_neb_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_bot_go_neb_http_header_content_security_policy} if matrix_bot_go_neb_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {})
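Review bot: removing the `X-XSS-Protection` header from the Traefik response-header set is the right call (the header is deprecated and its `1; mode=block` filter could itself be abused for cross-site leaks in the browsers that still honoured it); the `Content-Security-Policy` line that remains is the modern replacement. The `matrix_bot_go_neb_http_header_xss_protection` definition in the defaults (next hunk) should go with it, users who overrode that variable in `vars.yml` deserve a changelog note, and a grep of the role's docs and templates would confirm nothing else still reads it.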
@@ -113,10 +112,6 @@ matrix_bot_go_neb_systemd_wanted_services_list: []
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_bot_go_neb_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_bot_go_neb_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_bot_go_neb_http_header_content_type_options: nosniff
@@ -1,122 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Toni Spets
# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# MatrixZulipBridge is a puppeting appservice bridge for Zulip
# Project source code URL: https://github.com/GearKite/MatrixZulipBridge
matrix_zulip_bridge_enabled: true
matrix_zulip_bridge_scheme: https
matrix_zulip_bridge_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_zulip_bridge_path_prefix: "/zulip"
# renovate: datasource=docker depName=ghcr.io/gearkite/matrixzulipbridge
matrix_zulip_bridge_version: v0.4.1
matrix_zulip_bridge_docker_image: "{{ matrix_zulip_bridge_docker_image_registry_prefix }}gearkite/matrixzulipbridge:{{ matrix_zulip_bridge_version }}"
matrix_zulip_bridge_docker_image_registry_prefix: "{{ matrix_zulip_bridge_docker_image_registry_prefix_upstream }}"
matrix_zulip_bridge_docker_image_registry_prefix_upstream: "{{ matrix_zulip_bridge_docker_image_registry_prefix_upstream_default }}"
matrix_zulip_bridge_docker_image_registry_prefix_upstream_default: ghcr.io/
matrix_zulip_bridge_docker_image_force_pull: "{{ matrix_zulip_bridge_docker_image.endswith(':latest') }}"
matrix_zulip_bridge_base_path: "{{ matrix_base_data_path }}/zulip"
matrix_zulip_bridge_container_network: ""
# The port number in the container
matrix_zulip_bridge_container_http_port: 9898
matrix_zulip_bridge_container_additional_networks: "{{ matrix_zulip_bridge_container_additional_networks_auto + matrix_zulip_bridge_container_additional_networks_custom }}"
matrix_zulip_bridge_container_additional_networks_auto: []
matrix_zulip_bridge_container_additional_networks_custom: []
# Controls how long to wait for the container to stop gracefully before killing it.
# We use a small value here, because this container does not seem to handle the SIGTERM signal.
matrix_zulip_bridge_container_stop_grace_time_seconds: 1
# matrix_zulip_bridge_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_zulip_bridge_container_labels_additional_labels`.
matrix_zulip_bridge_container_labels_traefik_enabled: true
matrix_zulip_bridge_container_labels_traefik_docker_network: "{{ matrix_zulip_bridge_container_network }}"
matrix_zulip_bridge_container_labels_traefik_hostname: "{{ matrix_zulip_bridge_hostname }}"
matrix_zulip_bridge_container_labels_traefik_path_prefix: "{{ matrix_zulip_bridge_path_prefix }}"
matrix_zulip_bridge_container_labels_traefik_entrypoints: web-secure
matrix_zulip_bridge_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls if the media router is enabled
matrix_zulip_bridge_container_labels_traefik_media_enabled: true
matrix_zulip_bridge_container_labels_traefik_media_hostname: "{{ matrix_zulip_bridge_container_labels_traefik_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/zulip`).
matrix_zulip_bridge_container_labels_traefik_media_path_prefix: "{{ '' if matrix_zulip_bridge_container_labels_traefik_path_prefix == '/' else (matrix_zulip_bridge_container_labels_traefik_path_prefix) }}/_bridge_zulip/media"
matrix_zulip_bridge_container_labels_traefik_media_rule: "Host(`{{ matrix_zulip_bridge_container_labels_traefik_media_hostname }}`){% if matrix_zulip_bridge_container_labels_traefik_media_path_prefix != '/' %} && PathPrefix(`{{ matrix_zulip_bridge_container_labels_traefik_media_path_prefix }}`){% endif %}"
matrix_zulip_bridge_container_labels_traefik_media_priority: 0
matrix_zulip_bridge_container_labels_traefik_media_entrypoints: "{{ matrix_zulip_bridge_container_labels_traefik_entrypoints }}"
matrix_zulip_bridge_container_labels_traefik_media_tls: "{{ matrix_zulip_bridge_container_labels_traefik_media_entrypoints != 'web' }}"
matrix_zulip_bridge_container_labels_traefik_media_tls_certResolver: "{{ matrix_zulip_bridge_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_zulip_bridge_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_zulip_bridge_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_zulip_bridge_container_labels_additional_labels: ''
# A list of extra arguments to pass to the container
matrix_zulip_bridge_container_extra_arguments: []
# List of systemd services that service depends on.
matrix_zulip_bridge_systemd_required_services_list: "{{ matrix_zulip_bridge_systemd_required_services_list_default + matrix_zulip_bridge_systemd_required_services_list_auto + matrix_zulip_bridge_systemd_required_services_list_custom }}"
matrix_zulip_bridge_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_zulip_bridge_systemd_required_services_list_auto: []
matrix_zulip_bridge_systemd_required_services_list_custom: []
# List of systemd services that service wants
matrix_zulip_bridge_systemd_wanted_services_list: []
matrix_zulip_bridge_homeserver_url: ""
matrix_zulip_bridge_appservice_token: ''
matrix_zulip_bridge_homeserver_token: ''
matrix_zulip_bridge_config_media_url: "{{ matrix_zulip_bridge_scheme }}://{{ matrix_zulip_bridge_hostname }}"
# This matches the hardcoded `DEFAULT_MEDIA_PATH` in MatrixZulipBridge, but uses `matrix_zulip_bridge_path_prefix` as the path prefix.
# See: https://github.com/GearKite/MatrixZulipBridge/blob/2ba51f3da2ad8bd33460c953ef91a9cfc585a2d4/matrixzulipbridge/__main__.py#L87
matrix_zulip_bridge_config_media_path: "{{ matrix_zulip_bridge_container_labels_traefik_media_path_prefix }}/v3/download/{netloc}{path}(unknown)"
matrix_zulip_bridge_config_media_key: "{{ matrix_zulip_bridge_homeserver_token }}"
matrix_zulip_bridge_config_displayname: "Zulip bridge bot"
matrix_zulip_bridge_registration_yaml_bridge_zulip:
media_url: "{{ matrix_zulip_bridge_config_media_url }}"
media_path: "{{ matrix_zulip_bridge_config_media_path }}"
media_key: "{{ matrix_zulip_bridge_config_media_key }}"
displayname: "{{ matrix_zulip_bridge_config_displayname }}"
# Default registration file consumed by both the homeserver and MatrixZulipBridge.
# Besides registration information, it contains configuration (see the Zulip bridge key).
matrix_zulip_bridge_registration_yaml:
id: zulip
url: http://matrix-zulip-bridge:{{ matrix_zulip_bridge_container_http_port }}
as_token: "{{ matrix_zulip_bridge_appservice_token }}"
hs_token: "{{ matrix_zulip_bridge_homeserver_token }}"
rate_limited: false
sender_localpart: zulipbot
namespaces:
users:
- regex: '@zulip_.*'
exclusive: true
aliases: []
rooms: []
zulipbridge: "{{ matrix_zulip_bridge_registration_yaml_bridge_zulip }}"
matrix_zulip_bridge_registration: "{{ matrix_zulip_bridge_registration_yaml | from_yaml }}"
@@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2021 Toni Spets
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Perform the Zulip bridge installation tasks
when: matrix_zulip_bridge_enabled | bool
tags:
- setup-all
- setup-bridge-zulip
- install-all
- install-bridge-zulip
block:
- name: Validate the Zulip bridge configuration
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- name: Install the Zulip bridge
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- name: Perform the Zulip bridge uninstallation tasks
when: not matrix_zulip_bridge_enabled | bool
tags:
- setup-all
- setup-bridge-zulip
block:
- name: Uninstall the Zulip bridge
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
@@ -1,62 +0,0 @@
# SPDX-FileCopyrightText: 2021 Toni Spets
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Jim Myhrberg
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure the Zulip bridge image is pulled
community.docker.docker_image:
name: "{{ matrix_zulip_bridge_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_zulip_bridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_zulip_bridge_docker_image_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure the Zulip bridge paths exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0750"
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- "{{ matrix_zulip_bridge_base_path }}"
- name: Ensure the Zulip bridge registration.yaml installed if provided
ansible.builtin.copy:
content: "{{ matrix_zulip_bridge_registration | to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_zulip_bridge_base_path }}/registration.yaml"
mode: "0644"
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure the Zulip bridge support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_zulip_bridge_base_path }}/{{ item }}"
mode: "0640"
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- labels
- name: Ensure the Zulip bridge container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_zulip_bridge_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-zulip-bridge.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-zulip-bridge.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
mode: "0644"
@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2021 Michael Sasser
# SPDX-FileCopyrightText: 2021 Toni Spets
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-bridge-zulip service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
register: matrix_zulip_bridge_service_stat
- when: matrix_zulip_bridge_service_stat.stat.exists | bool
block:
- name: Ensure matrix-bridge-zulip is stopped
ansible.builtin.service:
name: matrix-zulip-bridge
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-zulip-bridge.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-zulip-bridge.service"
state: absent
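Review bot: deleting `setup_uninstall.yml` together with the rest of the role removes the only automated path that stops and disables `matrix-zulip-bridge.service` and removes the unit file, so existing deployments keep the bridge container running, with its appservice still registered against the homeserver, after upgrading to a playbook that no longer knows about it. The changelog should carry the manual cleanup: `systemctl disable --now matrix-zulip-bridge`, removal of `matrix-zulip-bridge.service` from the systemd path, removal of the `zulip` directory under `matrix_base_data_path` (which holds `registration.yaml`), and removal of that registration from the homeserver's appservice list.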
@@ -1,14 +0,0 @@
# SPDX-FileCopyrightText: 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2024 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if required the Zulip bridge settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {"name": "matrix_zulip_bridge_container_network", when: true}
- {"name": "matrix_zulip_bridge_homeserver_url", when: true}
@@ -1,58 +0,0 @@
{#
SPDX-FileCopyrightText: 2024 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_zulip_bridge_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_zulip_bridge_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_zulip_bridge_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-zulip-bridge.loadbalancer.server.port={{ matrix_zulip_bridge_container_http_port }}
{% set middlewares = [] %}
{% if matrix_zulip_bridge_container_labels_traefik_path_prefix != '/' %}
traefik.http.middlewares.matrix-bridge-zulip-strip-prefix.stripprefix.prefixes={{ matrix_zulip_bridge_container_labels_traefik_path_prefix }}
{% set middlewares = middlewares + ['matrix-bridge-zulip-strip-prefix'] %}
{% endif %}
{% if matrix_zulip_bridge_container_labels_traefik_media_enabled %}
##########################################################################
# #
# Media #
# #
##########################################################################
traefik.http.routers.matrix-bridge-zulip-media.rule={{ matrix_zulip_bridge_container_labels_traefik_media_rule }}
{% if matrix_zulip_bridge_container_labels_traefik_media_priority | int > 0 %}
traefik.http.routers.matrix-bridge-zulip-media.priority={{ matrix_zulip_bridge_container_labels_traefik_media_priority }}
{% endif %}
{% if middlewares | length > 0 %}
traefik.http.routers.matrix-bridge-zulip-media.middlewares={{ middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-bridge-zulip-media.service=matrix-bridge-zulip
traefik.http.routers.matrix-bridge-zulip-media.entrypoints={{ matrix_zulip_bridge_container_labels_traefik_entrypoints }}
traefik.http.routers.matrix-bridge-zulip-media.tls={{ matrix_zulip_bridge_container_labels_traefik_media_tls | to_json }}
{% if matrix_zulip_bridge_container_labels_traefik_media_entrypoints %}
traefik.http.routers.matrix-bridge-zulip-media.tls.certResolver={{ matrix_zulip_bridge_container_labels_traefik_media_tls_certResolver }}
{% endif %}
##########################################################################
# #
# /Media #
# #
##########################################################################
{% endif %}
{% endif %}
{{ matrix_zulip_bridge_container_labels_additional_labels }}
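Review bot: this template was broken before its deletion: the service is declared as `traefik.http.services.matrix-zulip-bridge.loadbalancer.server.port=...` but the media router points at `.service=matrix-bridge-zulip`, so Traefik could never have bound the router to the service; in addition the router's `entrypoints` uses `matrix_zulip_bridge_container_labels_traefik_entrypoints` instead of the `_media_entrypoints` variable defined for it, and the `certResolver` guard tests `_media_entrypoints` rather than `_media_tls`. Nothing to fix in a deletion, but if the role is ever restored from history these three lines need correcting.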
@@ -1,60 +0,0 @@
{#
SPDX-FileCopyrightText: 2021 Toni Spets
SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2025 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
#}
[Unit]
Description=a puppeting appservice bridge for Zulip
{% for service in matrix_zulip_bridge_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_zulip_bridge_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ matrix_zulip_bridge_container_stop_grace_time_seconds }} matrix-bridge-zulip
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bridge-zulip
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-bridge-zulip \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--network={{ matrix_zulip_bridge_container_network }} \
--mount type=bind,src={{ matrix_zulip_bridge_base_path }},dst=/config \
--label-file={{ matrix_zulip_bridge_base_path }}/labels \
{% for arg in matrix_zulip_bridge_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_zulip_bridge_docker_image }} \
{% if matrix_zulip_bridge_owner %}
-o {{ matrix_zulip_bridge_owner }} \
{% endif %}
--config /config/registration.yaml \
--listen-address 0.0.0.0 \
--listen-port {{ matrix_zulip_bridge_container_http_port }} \
{{ matrix_zulip_bridge_homeserver_url }}
{% for network in matrix_zulip_bridge_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bridge-zulip
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bridge-zulip
ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ matrix_zulip_bridge_container_stop_grace_time_seconds }} matrix-bridge-zulip
ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bridge-zulip
Restart=always
RestartSec=30
SyslogIdentifier=matrix-bridge-zulip
[Install]
WantedBy=multi-user.target
@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
# renovate: datasource=docker depName=ghcr.io/element-hq/element-web
matrix_client_element_version: v1.12.9
matrix_client_element_version: v1.12.10
matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"
@@ -87,7 +87,6 @@ matrix_client_element_container_labels_traefik_additional_response_headers_auto:
{{
{}
| combine ({'X-XSS-Protection': matrix_client_element_http_header_xss_protection} if matrix_client_element_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_element_http_header_frame_options} if matrix_client_element_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_element_http_header_content_type_options} if matrix_client_element_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_element_http_header_content_security_policy} if matrix_client_element_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_element_http_header_content_permission_policy} if matrix_client_element_http_header_content_permission_policy else {})
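Review bot: the header key `'Permission-Policy'` on the last `combine` line is not the name browsers implement; the standard header is `Permissions-Policy` (plural), so whatever is set in `matrix_client_element_http_header_content_permission_policy` is emitted under a name no client honours. This is pre-existing context rather than part of this change, and the same key appears in the fluffychat, hydrogen, schildichat and synapse-admin defaults further down, so it is worth a follow-up fix across all five. Dropping the `X-XSS-Protection` line itself is the right call: the header is non-standard and the auditors it controlled have been removed from current browsers, so keeping it only adds noise.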
@@ -123,10 +122,6 @@ matrix_client_element_container_healthcheck_cmd: ""
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_element_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_element_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_element_http_header_content_type_options: nosniff
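Review bot: removing `matrix_client_element_http_header_xss_protection` from the defaults silently turns any override of it in a user's `vars.yml` into a no-op, because the label template no longer references the variable. The playbook already has a `(Deprecation) Catch and report ...` pattern (see the ddclient entries at the end of this change); an entry flagging this variable as removed, plus the fluffychat, hydrogen, schildichat and synapse-admin counterparts removed in the hunks below, would tell users the header is gone instead of leaving them to assume it is still being set.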
@@ -66,7 +66,6 @@ matrix_client_fluffychat_container_labels_traefik_additional_response_headers_au
{{
{}
| combine ({'X-XSS-Protection': matrix_client_fluffychat_http_header_xss_protection} if matrix_client_fluffychat_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_fluffychat_http_header_frame_options} if matrix_client_fluffychat_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_fluffychat_http_header_content_type_options} if matrix_client_fluffychat_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_fluffychat_http_header_content_security_policy} if matrix_client_fluffychat_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_fluffychat_http_header_content_permission_policy} if matrix_client_fluffychat_http_header_content_permission_policy else {})
@@ -100,10 +99,6 @@ matrix_client_fluffychat_systemd_required_services_list_custom: []
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_fluffychat_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_fluffychat_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_fluffychat_http_header_content_type_options: nosniff
@@ -68,7 +68,6 @@ matrix_client_hydrogen_container_labels_traefik_additional_response_headers_auto
{{
{}
| combine ({'X-XSS-Protection': matrix_client_hydrogen_http_header_xss_protection} if matrix_client_hydrogen_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_hydrogen_http_header_frame_options} if matrix_client_hydrogen_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_hydrogen_http_header_content_type_options} if matrix_client_hydrogen_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_hydrogen_http_header_content_security_policy} if matrix_client_hydrogen_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_hydrogen_http_header_content_permission_policy} if matrix_client_hydrogen_http_header_content_permission_policy else {})
@@ -99,10 +98,6 @@ matrix_client_hydrogen_systemd_required_services_list: "{{ [devture_systemd_dock
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_hydrogen_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_hydrogen_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_hydrogen_http_header_content_type_options: nosniff
@@ -64,7 +64,6 @@ matrix_client_schildichat_container_labels_traefik_additional_response_headers_a
{{
{}
| combine ({'X-XSS-Protection': matrix_client_schildichat_http_header_xss_protection} if matrix_client_schildichat_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_client_schildichat_http_header_frame_options} if matrix_client_schildichat_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_client_schildichat_http_header_content_type_options} if matrix_client_schildichat_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_client_schildichat_http_header_content_security_policy} if matrix_client_schildichat_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_client_schildichat_http_header_content_permission_policy} if matrix_client_schildichat_http_header_content_permission_policy else {})
@@ -95,10 +94,6 @@ matrix_client_schildichat_systemd_required_services_list: "{{ [devture_systemd_d
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_client_schildichat_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_client_schildichat_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_client_schildichat_http_header_content_type_options: nosniff
@@ -1,79 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Scott Crossen
# SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Project source code URL: https://github.com/linuxserver/docker-ddclient
# Whether dynamic dns is enabled
matrix_dynamic_dns_enabled: true
# The dynamic dns daemon interval
matrix_dynamic_dns_daemon_interval: '300'
# renovate: datasource=docker depName=linuxserver/ddclient versioning=semver
matrix_dynamic_dns_version: 4.0.0
# The docker container to use when in mode
matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_registry_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
matrix_dynamic_dns_docker_image_registry_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_dynamic_dns_docker_image_registry_prefix_upstream }}"
matrix_dynamic_dns_docker_image_registry_prefix_upstream: "{{ matrix_dynamic_dns_docker_image_registry_prefix_upstream_default }}"
matrix_dynamic_dns_docker_image_registry_prefix_upstream_default: docker.io/
# The image to force pull
matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}"
matrix_dynamic_dns_container_network: ''
matrix_dynamic_dns_container_additional_networks: "{{ matrix_dynamic_dns_container_additional_networks_auto + matrix_dynamic_dns_container_additional_networks_custom }}"
matrix_dynamic_dns_container_additional_networks_auto: []
matrix_dynamic_dns_container_additional_networks_custom: []
# List of extra arguments to pass to the container mode
matrix_dynamic_dns_container_extra_arguments: []
# List of wanted services when running in mode
matrix_dynamic_dns_systemd_wanted_services_list: []
# List of required services when running in mode
matrix_dynamic_dns_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
# Build the container from source when running in mode
matrix_dynamic_dns_container_image_self_build: false
matrix_dynamic_dns_container_image_self_build_repo: "https://github.com/linuxserver/docker-ddclient.git"
matrix_dynamic_dns_container_image_self_build_repo_branch: "{{ matrix_dynamic_dns_version }}"
# Config paths
matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns"
matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config"
matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src"
# Config options
matrix_dynamic_dns_use: "web"
# The endpoint to use to determine your external IP
matrix_dynamic_dns_web: "https://cloudflare.com/cdn-cgi/trace"
# The field to extract the IP from
# If your endpoint defined in `matrix_dynamic_dns_web` doesn't need this, just set it to ""
matrix_dynamic_dns_web_skip: "ip="
matrix_dynamic_dns_additional_configuration_blocks: []
# Holds the configurations (the domains to update DNS for, the providers they use, etc.)
#
# Example:
# matrix_dynamic_dns_domain_configurations:
# - provider: domains.google.com
# protocol: dyndn2
# username: XXXXXXXXXXXXXXXX
# password: XXXXXXXXXXXXXXXX
# domain: "{{ matrix_domain }}"
matrix_dynamic_dns_domain_configurations: []
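Review bot: the example block in the comment uses `protocol: dyndn2`, while ddclient's protocol name is `dyndns2`; the file is being deleted, so nothing to fix here, but if this example is carried over into the replacement role's documentation the typo should not travel with it.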
@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2020 Scott Crossen
# SPDX-FileCopyrightText: 2022 - 2023 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-dynamic-dns
- install-all
- install-dynamic-dns
block:
- when: matrix_dynamic_dns_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_dynamic_dns_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-dynamic-dns
block:
- when: not matrix_dynamic_dns_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
@@ -1,79 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Scott Crossen
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure Dynamic DNS image is pulled
community.docker.docker_image:
name: "{{ matrix_dynamic_dns_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_dynamic_dns_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_docker_image_force_pull }}"
when: matrix_dynamic_dns_enabled | bool and not matrix_dynamic_dns_container_image_self_build
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure Dynamic DNS paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0751
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_dynamic_dns_base_path }}", when: true}
- {path: "{{ matrix_dynamic_dns_config_path }}", when: true}
- {path: "{{ matrix_dynamic_dns_docker_src_files_path }}", when: "{{ matrix_dynamic_dns_container_image_self_build }}"}
when: matrix_dynamic_dns_enabled | bool and item.when | bool
- name: Ensure Dynamic DNS repository is present on self build
ansible.builtin.git:
repo: "{{ matrix_dynamic_dns_container_image_self_build_repo }}"
version: "{{ matrix_dynamic_dns_container_image_self_build_repo_branch }}"
dest: "{{ matrix_dynamic_dns_docker_src_files_path }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_dynamic_dns_git_pull_results
when: "matrix_dynamic_dns_enabled | bool and matrix_dynamic_dns_container_image_self_build | bool"
- name: Ensure Dynamic DNS Docker image is built
community.docker.docker_image:
name: "{{ matrix_dynamic_dns_docker_image }}"
source: build
force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_dynamic_dns_docker_src_files_path }}"
pull: true
when: "matrix_dynamic_dns_enabled | bool and matrix_dynamic_dns_container_image_self_build | bool"
- name: Ensure Dynamic DNS ddclient.conf installed
ansible.builtin.template:
src: "{{ role_path }}/templates/ddclient.conf.j2"
dest: "{{ matrix_dynamic_dns_config_path }}/ddclient.conf"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure matrix-dynamic-dns container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_dynamic_dns_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-dynamic-dns.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2"
dest: "/etc/systemd/system/matrix-dynamic-dns.service"
mode: 0644
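Review bot: whichever role replaces this one (the `ddclient_*` variables at the end of the change suggest an external ddclient role) should not carry over `mode: 0644` for `ddclient.conf`: the `ddclient.conf.j2` template deleted below renders `login`, `password`, `apikey` and `secretapikey` into that file, and 0644 leaves those provider credentials readable by every local account on the host. A 0640 (or 0600) mode with `matrix_user_name`/`matrix_group_name` ownership is the safer default for a file that holds DNS update secrets.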
@@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2022 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Scott Crossen
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-dynamic-dns service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service"
register: matrix_dynamic_dns_service_stat
- when: matrix_dynamic_dns_service_stat.stat.exists | bool
block:
- name: Ensure matrix-dynamic-dns is stopped
ansible.builtin.service:
name: matrix-dynamic-dns
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-dynamic-dns.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dynamic-dns.service"
state: absent
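Review bot: deleting `setup_uninstall.yml` together with the rest of the role leaves hosts that had `matrix_dynamic_dns_enabled: true` with `matrix-dynamic-dns.service` still installed, enabled and running; unless a migration or cleanup task elsewhere in this change (not visible in this diff) stops and removes that unit, those containers keep running the old image with the old credentials after an upgrade. Consider keeping a one-off cleanup task equivalent to the two tasks removed here, gated on the unit file existing, as this file already did.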
@@ -1,37 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Scott Crossen
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Fail if no matrix-dynamic-dns configurations specified
ansible.builtin.fail:
msg: >-
You need to define at least one configuration in `matrix_dynamic_dns_domain_configurations` for using matrix-dynamic-dns.
when: "matrix_dynamic_dns_domain_configurations | length == 0"
- name: Fail if required matrix-dynamic-dns settings not defined in configuration blocks
ansible.builtin.fail:
msg: >-
One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, protocol).
when: "'domain' not in configuration or 'protocol' not in configuration"
with_items: "{{ matrix_dynamic_dns_domain_configurations }}"
loop_control:
loop_var: configuration
- name: Fail if required matrix-dynamic-dns settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_dynamic_dns_container_network', when: true}
- name: (Deprecation) Catch and report renamed matrix-dynamic-dns variables
ansible.builtin.fail:
msg: >-
The variable `{{ item.old }}` is deprecated. Please use `{{ item.new }}` instead.
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_dynamic_dns_container_image_name_prefix', 'new': 'matrix_dynamic_dns_docker_image_registry_prefix'}
@@ -1,78 +0,0 @@
{#
SPDX-FileCopyrightText: 2020 Scott Crossen
SPDX-FileCopyrightText: 2022 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
daemon={{ matrix_dynamic_dns_daemon_interval }}
syslog=no
pid=/var/run/ddclient/ddclient.pid
ssl=yes
use={{ matrix_dynamic_dns_use }}
web='{{ matrix_dynamic_dns_web }}'
{% if matrix_dynamic_dns_web_skip %}
web-skip='{{ matrix_dynamic_dns_web_skip }}'
{% endif %}
{% for matrix_dynamic_dns_additional_configuration in matrix_dynamic_dns_additional_configuration_blocks %}
{{ matrix_dynamic_dns_additional_configuration }}
{% endfor %}
{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %}
protocol={{ dynamic_dns_domain_configuration.protocol }}
{% if 'apikey' in dynamic_dns_domain_configuration %}
apikey={{ dynamic_dns_domain_configuration.apikey }}
{% endif %}
{% if 'secretapikey' in dynamic_dns_domain_configuration %}
secretapikey={{ dynamic_dns_domain_configuration.secretapikey }}
{% endif %}
{% if 'rootdomain' in dynamic_dns_domain_configuration %}
root-domain={{ dynamic_dns_domain_configuration.rootdomain }}
{% endif %}
{% if 'provider' in dynamic_dns_domain_configuration %}
server={{ dynamic_dns_domain_configuration.provider }}
{% endif %}
{% if 'username' in dynamic_dns_domain_configuration %}
login='{{ dynamic_dns_domain_configuration.username }}'
{% endif %}
{% if 'password' in dynamic_dns_domain_configuration %}
password='{{ dynamic_dns_domain_configuration.password }}'
{% endif %}
{% if 'static' in dynamic_dns_domain_configuration %}
static=yes
{% endif %}
{% if 'custom' in dynamic_dns_domain_configuration %}
custom=yes
{% endif %}
{% if 'zone' in dynamic_dns_domain_configuration %}
zone={{ dynamic_dns_domain_configuration.zone }}
{% endif %}
{% if 'ttl' in dynamic_dns_domain_configuration %}
ttl={{ dynamic_dns_domain_configuration.ttl }}
{% endif %}
{% if 'mx' in dynamic_dns_domain_configuration %}
mx={{ dynamic_dns_domain_configuration.mx }}
{% endif %}
{% if 'wildcard' in dynamic_dns_domain_configuration %}
wildcard=yes
{% endif %}
{% if 'script' in dynamic_dns_domain_configuration %}
script={{ dynamic_dns_domain_configuration.script }}
{% endif %}
{{ dynamic_dns_domain_configuration.domain }}
{% endfor %}
@@ -1,46 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix Dynamic DNS
{% for service in matrix_dynamic_dns_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_dynamic_dns_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-dynamic-dns 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-dynamic-dns \
--log-driver=none \
--network={{ matrix_dynamic_dns_container_network }} \
-e PUID={{ matrix_user_uid }} \
-e PGID={{ matrix_user_gid }} \
--mount type=bind,src={{ matrix_dynamic_dns_config_path }},dst=/config \
{% for arg in matrix_dynamic_dns_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_dynamic_dns_docker_image }}
{% for network in matrix_dynamic_dns_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-dynamic-dns
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-dynamic-dns
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-dynamic-dns 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-dynamic-dns
[Install]
WantedBy=multi-user.target
@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Scott Crossen
SPDX-License-Identifier: AGPL-3.0-or-later
@@ -414,8 +414,9 @@ matrix_media_repo_shared_secret_auth_token: "PutSomeRandomSecureValueHere"
# thumbnails and other misc data is also stored in these places. The media repo, when looking
# for a datastore to use, will always use the smallest datastore first.
# ID for the file datastore (cannot change). Alphanumeric recommended.
matrix_media_repo_datastore_file_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'filestore.db', rounds=655555) | to_uuid }}"
# ID for the file datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
matrix_media_repo_datastore_file_id: ""
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote
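Review bot: replacing the derived datastore ID with `""` is a breaking change for existing deployments, and the new comment explains only that the value cannot change, not how an upgrading user recovers the value their installation already uses. Because stored media is tied to this ID, anyone upgrading must set `matrix_media_repo_datastore_file_id` (and `matrix_media_repo_datastore_s3_id` in the next hunk) to exactly what the old expression produced; the comment or changelog should give that expression (`password_hash('sha512', 'filestore.db', rounds=655555) | to_uuid` over `matrix_homeserver_generic_secret_key`) or a way to read the current ID from the database, otherwise the validation added in `validate_config.yml` stops the playbook and the user has no way to know what to fill in. Moving from a value derived from the homeserver secret to an independent random ID is otherwise a welcome change.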
@@ -434,8 +435,9 @@ matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "loca
# Path to datastore, relative to matrix-media-repo directory root
matrix_media_repo_datastore_opts_path: "/data/media"
# ID for the s3 datastore (cannot change). Alphanumeric recommended.
matrix_media_repo_datastore_s3_id: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 's3store.db', rounds=655555) | to_uuid }}"
# ID for the S3 datastore. Any unique alphanumeric string (e.g. generated via `pwgen -s 64 1`).
# This value CANNOT be changed after media has been stored — matrix-media-repo ties media to this ID.
matrix_media_repo_datastore_s3_id: ""
# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
# across all datastores (local content which duplicates remote content will re-use the remote
@@ -15,6 +15,8 @@
- {'name': 'matrix_media_repo_database_hostname', when: true}
- {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"}
- {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"}
- {'name': 'matrix_media_repo_datastore_file_id', when: "{{ (matrix_media_repo_datastore_file_for_kinds | length) > 0 }}"}
- {'name': 'matrix_media_repo_datastore_s3_id', when: "{{ (matrix_media_repo_datastore_s3_for_kinds | length) > 0 }}"}
- name: (Deprecation) Catch and report renamed matrix-media-repo settings
ansible.builtin.fail:
@@ -78,7 +78,6 @@ matrix_synapse_admin_container_labels_traefik_additional_response_headers_auto:
{{
{}
| combine ({'X-XSS-Protection': matrix_synapse_admin_http_header_xss_protection} if matrix_synapse_admin_http_header_xss_protection else {})
| combine ({'X-Frame-Options': matrix_synapse_admin_http_header_frame_options} if matrix_synapse_admin_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': matrix_synapse_admin_http_header_content_type_options} if matrix_synapse_admin_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': matrix_synapse_admin_http_header_content_security_policy} if matrix_synapse_admin_http_header_content_security_policy else {})
| combine ({'Permission-Policy': matrix_synapse_admin_http_header_content_permission_policy} if matrix_synapse_admin_http_header_content_permission_policy else {})
@@ -109,10 +108,6 @@ matrix_synapse_admin_systemd_wanted_services_list: []
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_synapse_admin_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
matrix_synapse_admin_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_synapse_admin_http_header_content_type_options: nosniff
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
matrix_synapse_github_org_and_repo: element-hq/synapse
# renovate: datasource=docker depName=ghcr.io/element-hq/synapse
matrix_synapse_version: v1.146.0
matrix_synapse_version: v1.147.0
matrix_synapse_username: ''
matrix_synapse_uid: ''
@@ -15,6 +15,36 @@ user=$1
password=$2
admin=$3
wait_for_synapse() {
local timeout_seconds=180
local interval_seconds=5
local elapsed=0
local last_reason=""
while [ "$elapsed" -lt "$timeout_seconds" ]; do
if ! {{ devture_systemd_docker_base_host_command_docker }} ps -a --format '{{"{{"}}.Names{{"}}"}}' | grep -q '^matrix-synapse$'; then
last_reason="container not found"
elif [ "$({{ devture_systemd_docker_base_host_command_docker }} inspect -f '{{"{{"}}.State.Running{{"}}"}}' matrix-synapse 2>/dev/null)" != "true" ]; then
last_reason="container not running"
elif ! {{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse \
curl -fsS "http://localhost:{{ matrix_synapse_container_client_api_port }}/health" >/dev/null 2>&1; then
last_reason="health endpoint not ready"
else
return 0
fi
sleep "$interval_seconds"
elapsed=$((elapsed + interval_seconds))
done
echo "Timed out waiting for matrix-synapse to become healthy after ${timeout_seconds}s (${last_reason})."
return 1
}
if ! wait_for_synapse; then
exit 1
fi
if [ "$admin" -eq "1" ]; then
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:{{ matrix_synapse_container_client_api_port }}
else
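Review bot: the 180 s timeout and 5 s interval in `wait_for_synapse` are hard-coded while the port is templated; exposing them as role variables would let slow hosts, or a Synapse running database migrations on startup, be accommodated without editing the script. The readiness probe also runs `curl` inside the `matrix-synapse` container, which works with the upstream image (it ships `curl` for its own HEALTHCHECK) but will report `health endpoint not ready` until the timeout on a self-built or slimmed image without `curl`; a comment noting that dependency would save someone a confusing 3 minute wait. Minor: `docker inspect` alone already covers the "container not found" case, since it exits non-zero for an unknown name, so the preceding `docker ps -a | grep` step is redundant.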
@@ -4,9 +4,9 @@
---
- name: Ensure Matrix Authentication Service user registered - {{ user.username | quote }}
ansible.builtin.command:
cmd: |-
- name: Build Matrix Authentication Service user registration command - {{ user.username | quote }}
ansible.builtin.set_fact:
matrix_authentication_service_register_user_command: |-
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-authentication-service
mas-cli manage register-user
-p {{ user.initial_password | quote }}
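Review bot: storing the full `mas-cli manage register-user` command in a fact bakes `user.initial_password` into `hostvars` for the rest of the play, and the command tasks that execute it will echo it in `-v` output via the registered result's `cmd`. Add `no_log: true` to this `set_fact` and to both command tasks that consume `matrix_authentication_service_register_user_command`; `failed_when`/`changed_when` can still inspect the registered stderr with `no_log` set, so the existing checks keep working.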
@@ -18,6 +18,31 @@
--no-admin
{% endif %}
{{ user.username | quote }}
- name: Ensure Matrix Authentication Service user registered - {{ user.username | quote }}
ansible.builtin.command:
cmd: "{{ matrix_authentication_service_register_user_command }}"
register: matrix_authentication_service_register_user_result
changed_when: "matrix_authentication_service_register_user_result.rc == 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"
failed_when: "matrix_authentication_service_register_user_result.rc != 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"
failed_when: >-
matrix_authentication_service_register_user_result.rc != 0
and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr
and 'password authentication failed' not in matrix_authentication_service_register_user_result.stderr
- when: "'password authentication failed' in matrix_authentication_service_register_user_result.stderr | default('')"
block:
- name: Restart Matrix Authentication Service due to database authentication failure (likely a password change)
ansible.builtin.service:
name: "matrix-authentication-service.service"
state: restarted
- name: Wait for Matrix Authentication Service to start after restart
ansible.builtin.pause:
seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
- name: Retry Matrix Authentication Service user registration - {{ user.username | quote }}
ansible.builtin.command:
cmd: "{{ matrix_authentication_service_register_user_command }}"
register: matrix_authentication_service_register_user_result
changed_when: "matrix_authentication_service_register_user_result.rc == 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"
failed_when: "matrix_authentication_service_register_user_result.rc != 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"
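Review bot: the recovery path restarts MAS and then sleeps a fixed `matrix_user_creator_homeserver_start_wait_time_seconds` before retrying, which is either longer than needed on a fast host or too short when the service takes a while to come back; a readiness poll (the approach the `wait_for_synapse` function in the register-user script takes in this same change) would be more robust than `ansible.builtin.pause`. The retry task also duplicates the first one verbatim; if the explicit restart step between the two attempts is wanted, at least factor the shared `changed_when`/`failed_when` expressions into variables so the two copies cannot drift apart.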
@@ -4,9 +4,9 @@
---
- name: Ensure Synapse user registered - {{ user.username | quote }}
ansible.builtin.command:
cmd: |-
- name: Build Synapse user registration command - {{ user.username | quote }}
ansible.builtin.set_fact:
matrix_synapse_register_user_command: |-
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse
register_new_matrix_user
-u {{ user.username | quote }}
@@ -21,6 +21,34 @@
{% endif %}
{% endif %}
http://localhost:{{ matrix_synapse_container_client_api_port }}
- name: Ensure Synapse user registered - {{ user.username | quote }}
ansible.builtin.command:
cmd: "{{ matrix_synapse_register_user_command }}"
register: matrix_synapse_register_user_result
changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
failed_when: >-
matrix_synapse_register_user_result.rc != 0
and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
and 'HMAC incorrect' not in matrix_synapse_register_user_result.stdout
and 'Connection refused' not in matrix_synapse_register_user_result.stderr | default('')
- when: >-
'HMAC incorrect' in matrix_synapse_register_user_result.stdout | default('')
or 'Connection refused' in matrix_synapse_register_user_result.stderr | default('')
block:
- name: Restart Synapse due to registration failure (likely a registration_shared_secret or DB credentials change)
ansible.builtin.service:
name: "matrix-synapse.service"
state: restarted
- name: Wait for Synapse to start after restart
ansible.builtin.pause:
seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
- name: Retry Synapse user registration - {{ user.username | quote }}
ansible.builtin.command:
cmd: "{{ matrix_synapse_register_user_command }}"
register: matrix_synapse_register_user_result
changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
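Review bot: the first-attempt `failed_when` now swallows `Connection refused`, and the `when` block then restarts Synapse on that condition; if the connection was refused simply because Synapse was still starting, a restart makes the wait longer rather than shorter. Reserve the restart for the `HMAC incorrect` case (where a config reload is genuinely needed) and handle `Connection refused` by polling `http://localhost:{{ matrix_synapse_container_client_api_port }}` with `until`/`retries` before the first attempt. Note also that the retry task keeps the old single-line `changed_when`/`failed_when`, so a retry that still gets `Connection refused` fails outright; that is acceptable as a final state, but worth stating in the task name or a comment so the behaviour difference between the two attempts is intentional.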
@@ -80,6 +80,11 @@
- {'old': 'cinny_docker_image_registry_prefix_upstream', 'new': 'cinny_container_image_registry_prefix_upstream'}
- {'old': 'cinny_docker_image_registry_prefix_upstream_default', 'new': 'cinny_container_image_registry_prefix_upstream_default'}
- {'old': 'ddclient_docker_image', 'new': 'ddclient_container_image'}
- {'old': 'ddclient_docker_image_registry_prefix', 'new': 'ddclient_container_image_registry_prefix'}
- {'old': 'ddclient_docker_image_registry_prefix_upstream', 'new': 'ddclient_container_image_registry_prefix_upstream'}
- {'old': 'ddclient_docker_image_registry_prefix_upstream_default', 'new': 'ddclient_container_image_registry_prefix_upstream_default'}
- name: (Deprecation) Catch and report matrix_postgres variables
ansible.builtin.fail:
msg: |-
@@ -590,6 +595,19 @@
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_client_cinny_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-dynamic-dns variables
ansible.builtin.fail:
msg: |-
The matrix-dynamic-dns role in the playbook now lives under the MASH organization (https://github.com/mother-of-all-self-hosting/ansible-role-ddclient).
The new role is pretty much the same, but uses differently named variables.
Please rename all `matrix_dynamic_dns_`-prefixed variables (`matrix_dynamic_dns_*` -> `ddclient_*`) on your configuration file (vars.yml).
After renaming them, please do not forget to fetch the Ansible role. See docs/maintenance-upgrading-services.md for details about how to do so.
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^matrix_dynamic_dns_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_dynamic_dns_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report mautrix-facebook variables
ansible.builtin.fail:
msg: |-
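Review bot: the deprecation message tells users to rename `matrix_dynamic_dns_*` to `ddclient_*`, but the earlier hunk in this file also marks `ddclient_docker_image*` as deprecated in favour of `ddclient_container_image*`; a user following this message literally (`matrix_dynamic_dns_docker_image` -> `ddclient_docker_image`) lands on an already-deprecated name and gets a second failure on the next run. Suggest pointing the message at the `ddclient_container_image*` names, or at the role's documentation, so the migration is one step.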
@@ -42,7 +42,7 @@
- install-all
- custom/matrix-base
- custom/matrix-dynamic-dns
- galaxy/ddclient
- galaxy/exim_relay
- role: galaxy/postgres
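Review bot: swapping `custom/matrix-dynamic-dns` for `galaxy/ddclient` only works if the `ddclient` role is also added to the Galaxy requirements file and fetched; that part of the change is not visible in this hunk, so it is worth confirming it lands in the same commit, since the deprecation message elsewhere in this change explicitly tells users to fetch the new role.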
@@ -79,7 +79,6 @@
- custom/matrix-bridge-steam
- custom/matrix-bridge-heisenbridge
- custom/matrix-bridge-hookshot
- custom/matrix-bridge-zulip
- custom/matrix-bot-matrix-reminder-bot
- custom/matrix-bot-matrix-registration-bot
- custom/matrix-bot-maubot