	Compare commits
	
		
			23 Commits
		
	
	
		
			stabilize-
			...
			HarHarLink
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 49932b8f3c | ||
|  | 6bdf7a9dcb | ||
|  | 8c531b7971 | ||
|  | 7d26dabc2f | ||
|  | 74f91138c9 | ||
|  | ca7b41f3f2 | ||
|  | ac4a918d58 | ||
|  | 6a81fa208f | ||
|  | 75a8e0f2a6 | ||
|  | 98ad182eac | ||
|  | 29fa9fab15 | ||
|  | 4f835e0560 | ||
|  | 8c93327e25 | ||
|  | 03a7bb6e77 | ||
|  | 06047763bb | ||
|  | e55d769465 | ||
|  | 66706e4535 | ||
|  | f6aaeb9a16 | ||
|  | e5d34002fd | ||
|  | 69f947782d | ||
|  | 4c13be1c89 | ||
|  | 9905309aa9 | ||
|  | 94abf2d5bd | 
| @@ -23,6 +23,11 @@ Other configuration options are available via the `matrix_hookshot_configuration | |||||||
|  |  | ||||||
| Finally, run the playbook (see [installing](installing.md)). | Finally, run the playbook (see [installing](installing.md)). | ||||||
|  |  | ||||||
|  | ### End-to-bridge encryption | ||||||
|  |  | ||||||
|  | You can enable [experimental encryption](https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html) for Hookshot by adding `matrix_hookshot_experimental_encryption_enabled: true` to your configuration (`vars.yml`) and [executing the playbook](installing.md) again. | ||||||
|  |  | ||||||
|  | Should the crypto store be corrupted, you can reset it by executing this Ansible playbook with the tag `reset-hookshot-encryption` added, for example `ansible-playbook -i inventory/hosts setup.yml -K --tags=reset-hookshot-encryption`). | ||||||
|  |  | ||||||
| ## Usage | ## Usage | ||||||
|  |  | ||||||
|   | |||||||
| @@ -1385,6 +1385,16 @@ matrix_hookshot_systemd_wanted_services_list: | | |||||||
|     (['matrix-' + matrix_homeserver_implementation + '.service']) |     (['matrix-' + matrix_homeserver_implementation + '.service']) | ||||||
|     + |     + | ||||||
|     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) |     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) | ||||||
|  |     + | ||||||
|  |     ([(redis_identifier + '.service')] if redis_enabled and matrix_hookshot_queue_host == redis_identifier else []) | ||||||
|  |   }} | ||||||
|  |  | ||||||
|  | # Hookshot's experimental encryption feature (and possibly others) may benefit from Redis, if available. | ||||||
|  | matrix_hookshot_queue_host: "{{ redis_identifier if redis_enabled else '' }}" | ||||||
|  |  | ||||||
|  | matrix_hookshot_container_additional_networks_auto: | | ||||||
|  |   {{ | ||||||
|  |     ([redis_container_network] if redis_enabled and matrix_hookshot_queue_host == redis_identifier else []) | ||||||
|   }} |   }} | ||||||
|  |  | ||||||
| matrix_hookshot_container_http_host_bind_ports_defaultmapping: | matrix_hookshot_container_http_host_bind_ports_defaultmapping: | ||||||
| @@ -3359,7 +3369,7 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: | | |||||||
| # | # | ||||||
| ###################################################################### | ###################################################################### | ||||||
|  |  | ||||||
| redis_enabled: "{{ matrix_synapse_workers_enabled }}" | redis_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) }}" | ||||||
|  |  | ||||||
| redis_identifier: matrix-redis | redis_identifier: matrix-redis | ||||||
|  |  | ||||||
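Review bot: `matrix_hookshot_queue_host: "{{ redis_identifier if redis_enabled else '' }}"` points Hookshot at the same `matrix-redis` instance used for Synapse worker replication whenever Redis is on, even with encryption disabled, while the comment above it only says Hookshot "may benefit from Redis". The bridge and the homeserver then share one Redis instance; whether the Redis role separates them (auth, a distinct logical database) is not visible in this diff. Suggest stating the shared trust boundary in that comment, e.g. `# NOTE: this is the same Redis instance Synapse workers use for replication; Hookshot and the homeserver share it.`. Note also that only the host is overridden here, so the queue port comes from the role default.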
|   | |||||||
| @@ -10,6 +10,11 @@ matrix_hookshot_container_image_self_build: false | |||||||
| matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" | matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git" | ||||||
| matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" | matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}" | ||||||
|  |  | ||||||
|  | # Specifies additional networks for the Hookshot container to connect with | ||||||
|  | matrix_hookshot_container_additional_networks: "{{ matrix_hookshot_container_additional_networks_auto + matrix_hookshot_container_additional_networks_custom }}" | ||||||
|  | matrix_hookshot_container_additional_networks_auto: [] | ||||||
|  | matrix_hookshot_container_additional_networks_custom: [] | ||||||
|  |  | ||||||
| # renovate: datasource=docker depName=halfshot/matrix-hookshot | # renovate: datasource=docker depName=halfshot/matrix-hookshot | ||||||
| matrix_hookshot_version: 4.7.0 | matrix_hookshot_version: 4.7.0 | ||||||
|  |  | ||||||
| @@ -30,6 +35,17 @@ matrix_hookshot_public_endpoint: /hookshot | |||||||
| matrix_hookshot_appservice_port: 9993 | matrix_hookshot_appservice_port: 9993 | ||||||
| matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app" | matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app" | ||||||
|  |  | ||||||
|  | # The variables below control the queue parameters and may optionally be pointed to a Redis instance. | ||||||
|  | # These are required when experimental encryption is enabled (`matrix_hookshot_experimental_encryption_enabled`). | ||||||
|  | matrix_hookshot_queue_host: '' | ||||||
|  | matrix_hookshot_queue_port: 6739 | ||||||
|  |  | ||||||
|  | # Controls whether the experimental end-to-bridge encryption support is enabled. | ||||||
|  | # This requires that: | ||||||
|  | # - support to also be enabled in the homeserver, see the documentation of Hookshot. | ||||||
|  | # - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_queue_*` variables. | ||||||
|  | matrix_hookshot_experimental_encryption_enabled: false | ||||||
|  |  | ||||||
| # Controls whether metrics are enabled in the bridge configuration. | # Controls whether metrics are enabled in the bridge configuration. | ||||||
| # Enabling them is usually enough for a local (in-container) Prometheus to consume them. | # Enabling them is usually enough for a local (in-container) Prometheus to consume them. | ||||||
| # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_hookshot_metrics_proxying_enabled`. | # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_hookshot_metrics_proxying_enabled`. | ||||||
| @@ -41,7 +57,7 @@ matrix_hookshot_metrics_enabled: false | |||||||
| matrix_hookshot_metrics_proxying_enabled: false | matrix_hookshot_metrics_proxying_enabled: false | ||||||
|  |  | ||||||
| # There is no need to edit ports. | # There is no need to edit ports. | ||||||
| # Read the documentation to learn about using hookshot metrics with external Prometheus | # Read the documentation to learn about using Hookshot metrics with external Prometheus | ||||||
| # If you still want something different, use matrix_hookshot_container_http_host_bind_ports below to expose ports instead. | # If you still want something different, use matrix_hookshot_container_http_host_bind_ports below to expose ports instead. | ||||||
| matrix_hookshot_metrics_port: 9001 | matrix_hookshot_metrics_port: 9001 | ||||||
|  |  | ||||||
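Review bot: `matrix_hookshot_queue_port: 6739` in the hunk starting at `@@ -30,6 +35,17 @@` looks like a transposition of Redis's default port 6379; the group_vars change overrides only `matrix_hookshot_queue_host`, so Hookshot would try `matrix-redis` on a port nothing listens on unless the Redis role is configured for 6739 (not visible here). Suggest `matrix_hookshot_queue_port: 6379`. The comment on `matrix_hookshot_experimental_encryption_enabled` could also mention that enabling it changes the appservice registration (MSC2409/MSC3202 fields), since that is the part the homeserver has to support.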
|   | |||||||
| @@ -9,6 +9,12 @@ | |||||||
|     - when: matrix_hookshot_enabled | bool |     - when: matrix_hookshot_enabled | bool | ||||||
|       ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" |       ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml" | ||||||
|  |  | ||||||
|  | - tags: | ||||||
|  |     - reset-hookshot-encryption | ||||||
|  |   block: | ||||||
|  |     - when: matrix_hookshot_enabled | bool | ||||||
|  |       ansible.builtin.include_tasks: "{{ role_path }}/tasks/reset_encryption.yml" | ||||||
|  |  | ||||||
| - tags: | - tags: | ||||||
|     - setup-all |     - setup-all | ||||||
|     - setup-hookshot |     - setup-hookshot | ||||||
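Review bot: The new `reset-hookshot-encryption` block carries no comment, yet the task it includes wipes the bridge's crypto store and, being only under its own tag, is not part of `setup-all`. A one-line comment above the block, `# Destructive: resets Hookshot's end-to-bridge crypto store; runs only when the reset-hookshot-encryption tag is requested explicitly.`, would make that clear to an operator scanning the task list.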
|   | |||||||
| @@ -0,0 +1,14 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | - name: Resetting Hookshot's crypto store | ||||||
|  |   ansible.builtin.command: | ||||||
|  |     cmd: | | ||||||
|  |       {{ devture_systemd_docker_base_host_command_docker }} run | ||||||
|  |       --rm | ||||||
|  |       --name={{ matrix_hookshot_container_ident }}-reset-crypto | ||||||
|  |       --user={{ matrix_user_uid }}:{{ matrix_user_gid }} | ||||||
|  |       --cap-drop=ALL | ||||||
|  |       --mount type=bind,src={{ matrix_hookshot_base_path }}/config.yml,dst=/config.yml | ||||||
|  |       {{ matrix_hookshot_docker_image }} | ||||||
|  |       yarn start:resetcrypto | ||||||
|  |   changed_when: true | ||||||
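Review bot: The reset container bind-mounts only `config.yml`, while the config template sets `experimentalEncryption.storagePath: /data/encryption`; unless `yarn start:resetcrypto` clears the store through Redis rather than on disk (not visible here), the reset would act on the container's ephemeral filesystem and the host's store would survive. If the store is on disk, add a mount mirroring the main unit, e.g. `--mount type=bind,src=<hookshot data dir on host>/data,dst=/data`, and since the queue lives on Redis consider attaching the container to the networks the unit connects (`--network=...`). The config mount can be read-only (`,ro`), as the reset tool has no reason to write it.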
| @@ -87,6 +87,12 @@ | |||||||
|   with_items: |   with_items: | ||||||
|     - "matrix_hookshot_provisioning_secret" |     - "matrix_hookshot_provisioning_secret" | ||||||
|  |  | ||||||
|  | - name: Fail if no Redis queue enabled when Hookshot encryption is enabled | ||||||
|  |   ansible.builtin.fail: | ||||||
|  |     msg: >- | ||||||
|  |       You need to define a required configuration setting (`{{ item }}`) to enable Hookshot encryption. | ||||||
|  |   when: "matrix_hookshot_experimental_encryption_enabled and matrix_hookshot_queue_host == ''" | ||||||
|  |  | ||||||
| - name: (Deprecation) Catch and report old metrics usage | - name: (Deprecation) Catch and report old metrics usage | ||||||
|   ansible.builtin.fail: |   ansible.builtin.fail: | ||||||
|     msg: >- |     msg: >- | ||||||
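Review bot: The message of the new fail task renders `{{ item }}`, but the task has no `loop`/`with_items`, so when the condition is true Ansible raises an undefined-variable error for `item` instead of printing the intended hint. Spell the variable out: `msg: You need to point Hookshot at a Redis instance via matrix_hookshot_queue_host when matrix_hookshot_experimental_encryption_enabled is set.`. The `when` also differs in style from the surrounding tasks, which cast with `| bool`; `when: matrix_hookshot_experimental_encryption_enabled | bool and matrix_hookshot_queue_host == ''` would match.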
|   | |||||||
| @@ -107,6 +107,16 @@ metrics: | |||||||
|   # (Optional) Prometheus metrics support |   # (Optional) Prometheus metrics support | ||||||
|   # |   # | ||||||
|   enabled: {{ matrix_hookshot_metrics_enabled | to_json }} |   enabled: {{ matrix_hookshot_metrics_enabled | to_json }} | ||||||
|  | {% if matrix_hookshot_queue_host != '' %} | ||||||
|  | queue: | ||||||
|  |   monolithic: true | ||||||
|  |   port: {{ matrix_hookshot_queue_port }} | ||||||
|  |   host: {{ matrix_hookshot_queue_host | to_json }} | ||||||
|  | {% endif %} | ||||||
|  | {% if matrix_hookshot_experimental_encryption_enabled %} | ||||||
|  | experimentalEncryption: | ||||||
|  |   storagePath: /data/encryption | ||||||
|  | {% endif %} | ||||||
| logging: | logging: | ||||||
|   # (Optional) Logging settings. You can have a severity debug,info,warn,error |   # (Optional) Logging settings. You can have a severity debug,info,warn,error | ||||||
|   # |   # | ||||||
|   | |||||||
| @@ -28,3 +28,9 @@ namespaces: | |||||||
| sender_localpart: hookshot | sender_localpart: hookshot | ||||||
| url: "http://{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}" # This should match the bridge.port in your config file | url: "http://{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}" # This should match the bridge.port in your config file | ||||||
| rate_limited: false | rate_limited: false | ||||||
|  |  | ||||||
|  | {% if matrix_hookshot_experimental_encryption_enabled %} | ||||||
|  | de.sorunome.msc2409.push_ephemeral: true | ||||||
|  | push_ephemeral: true | ||||||
|  | org.matrix.msc3202: true | ||||||
|  | {% endif %} | ||||||
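Review bot: The three registration fields added under the encryption flag are undocumented in the template: `de.sorunome.msc2409.push_ephemeral`/`push_ephemeral` ask the homeserver to push ephemeral and to-device events to the appservice, and `org.matrix.msc3202` enables the encrypted-appservice extension (device masquerading), both of which the homeserver must have enabled as the defaults comment notes. A Jinja comment above the block, e.g. `{# MSC2409 (ephemeral/to-device push) and MSC3202 (encrypted appservices) are required for end-to-bridge encryption; they widen what the appservice receives, so they are only emitted when encryption is enabled. #}`, would explain both why the flags exist and why they are gated.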
|   | |||||||
| @@ -13,10 +13,9 @@ DefaultDependencies=no | |||||||
| [Service] | [Service] | ||||||
| Type=simple | Type=simple | ||||||
| Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" | Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" | ||||||
| ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_container_url }} | ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_container_ident }} | ||||||
| ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }} | ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_ident }} | ||||||
|  | ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create --rm --name {{ matrix_hookshot_container_ident }} \ | ||||||
| ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_hookshot_container_url }} \ |  | ||||||
|           --log-driver=none \ |           --log-driver=none \ | ||||||
|           --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ |           --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ | ||||||
|           --cap-drop=ALL \ |           --cap-drop=ALL \ | ||||||
| @@ -30,11 +29,18 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name | |||||||
|           {% endfor %} |           {% endfor %} | ||||||
|           {{ matrix_hookshot_docker_image }} |           {{ matrix_hookshot_docker_image }} | ||||||
|  |  | ||||||
| ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_container_url }} | {% for network in matrix_hookshot_container_additional_networks %} | ||||||
| ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }} | ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_hookshot_container_ident }} | ||||||
|  | {% endfor %} | ||||||
|  |  | ||||||
|  | ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_hookshot_container_ident }} | ||||||
|  |  | ||||||
|  | ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_container_ident }} | ||||||
|  | ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_ident }} | ||||||
|  |  | ||||||
| Restart=always | Restart=always | ||||||
| RestartSec=30 | RestartSec=30 | ||||||
| SyslogIdentifier={{ matrix_hookshot_container_url }} | SyslogIdentifier={{ matrix_hookshot_container_ident }} | ||||||
|  |  | ||||||
| [Install] | [Install] | ||||||
| WantedBy=multi-user.target | WantedBy=multi-user.target | ||||||
|   | |||||||