Ansible-setup
Matrix Server with Ansible
It is recommended to use Tailscale to connect to the remote server instead of ssh.
For ssh, connect using ssh keys.
For the full steps and options, see the official repo.
Pushing Updates
To push updates to the entire Matrix server, including all the add-ons and clients, you need to:

0. Move into the Matrix repo
1. git pull (updates the repo)
2. make (this stages all updates, including the new docker image versions)
3. Push setup and start

<syntaxhighlight lang="shell">sudo make roles
sudo ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start</syntaxhighlight>
Remotely Pushing updates with ssh command
This is how you can set up the ansible script on a remote server so that it runs "locally". Each time you update you will need to git pull the repo first.
<syntaxhighlight lang="shell"># sync the var config section with the local copy
rsync -avz /Users/USERNAME/Git/matrix-docker-ansible-deploy root@proxmox-main:/root/Git/

# push ansible setup and start
# the & at the end will keep this script alive until finished
ssh root@proxmox-main 'ansible-playbook -i /root/Git/matrix-docker-ansible-deploy/inventory/hosts /root/Git/matrix-docker-ansible-deploy/setup.yml --tags=setup-all,start &'

# ensure-matrix-users-created can be added before start
# when creating users, but user creation should be done with sso</syntaxhighlight>
Configuration
Documentation
hosts
<syntaxhighlight lang="ini">[matrix_servers]
matrix.irregularchat.com ansible_host=ip.add.re.ss ansible_port=22

[matrix_servers:vars]
ansible_ssh_user=root

# local install, same server running as script: use this host line under [matrix_servers] instead of the remote one above
matrix.irregularchat.com ansible_ssh_user=sac become=true become_user=root ansible_connection=local ansible_python_interpreter=/usr/bin/python3 matrix_coturn_turn_external_ip_address=ip.add.re.ss</syntaxhighlight>
vars.yml
<syntaxhighlight lang="yaml"># Traefik Reverse-Proxy Configuration
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
matrix_playbook_ssl_enabled: true

# new term 20240115
matrix_well_known_matrix_server_enabled: false
matrix_static_files_file_matrix_server_enabled: false
matrix_synapse_admin_enabled: true # Synapse Admin will be accessible at: https://matrix.DOMAIN/synapse-admin/

# Devture Traefik Configuration
# Source Guide: https://appelman.se/matrix-on-cloudflare/
devture_traefik_config_entrypoint_web_secure_enabled: false
devture_traefik_container_web_host_bind_port: "127.0.0.1:81"
# insecure=true makes Traefik trust X-Forwarded-* headers from any client;
# only acceptable because the entrypoint above is bound to loopback
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true

# commented out 20240115
# devture_traefik_additional_entrypoints_auto:
#   - name: matrix-federation
#     port: 8449
#     host_bind_port: "127.0.0.1:8449"
#     config: {}
# matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: 127.0.0.1:8449
# matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
#   forwardedHeaders:
#     insecure: true

# metrics
matrix_synapse_report_stats: true
prometheus_enabled: true
prometheus_node_exporter_enabled: false
prometheus_postgres_exporter_enabled: false
matrix_prometheus_nginxlog_exporter_enabled: false
grafana_enabled: false
grafana_anonymous_access: false
grafana_default_admin_user: "sacmin"
grafana_default_admin_password: "secret_here"

# Coturn Server Configuration
matrix_coturn_enabled: false

# Sliding Sync Configuration
# Enables the Sliding Sync proxy
matrix_sliding_sync_enabled: true
# Maps a port on the host, passed into the Sliding Sync container's internal listening port.
# MUST be set as by default the container has no host bindings and thus can never be reached
# from outside the internal docker network. Not even locally. I have chosen host port 8018 so
# that it's well out of the way
matrix_sliding_sync_container_extra_arguments:
  - "-p 8018:8008"
# Sets the server URL the server tells clients to try to connect to it with. This should be your
# https://matrix.yourdomain.com URL, including the "https://". MUST be set as for some reason the
# default tells clients to use an internal docker hostname, namely the matrix-nginx-proxy container,
# which obviously won't work externally and caused 404's in the sliding sync logs.
matrix_sliding_sync_environment_variable_syncv3_server: "https://matrix.irregularchat.com"

devture_traefik_config_certificatesResolvers_acme_email: [email protected]
enable_set_displayname: true

# Homeserver and Registration Configuration
matrix_homeserver_implementation: synapse
matrix_homeserver_generic_secret_key: 'secret_here'
matrix_registration_enabled: true
matrix_registration_admin_secret: "secret_here"
matrix_domain: irregularchat.com
devture_postgres_connection_password: 'secret_here'
matrix_synapse_max_upload_size_mb: 150
matrix_synapse_media_retention_local_media_lifetime: 1 y
# note: Synapse reads the "m" suffix as minutes, not months
matrix_synapse_media_retention_remote_media_lifetime: 1 m
matrix_synapse_user_directory_prefer_local_users: true
# whether to accept passwords or not. true is yes, false is no.
matrix_synapse_password_config_enabled: false
devture_systemd_service_manager_up_verification_delay_seconds: 65

# Synapse Auto Compressor Configuration
matrix_synapse_auto_compressor_enabled: true

# force redis, based on the change to keydb: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md
redis_enabled: true
keydb_enabled: false #default to true

# Clients
# schildichat
matrix_client_schildichat_enabled: true
# Element
matrix_client_element_default_theme: 'dark'

# Jitsi Video Service
jitsi_enabled: true
matrix_client_element_jitsi_preferred_domain: 'jitsi.irregularchat.com'

# EtherPad
etherpad_enabled: true
# Uncomment below to enable the admin web UI
etherpad_admin_username: admin
etherpad_admin_password: secret_here

# Synapse Workers Configuration
matrix_synapse_workers_enabled: true
matrix_synapse_workers_preset: specialized-workers

# Dimensions
matrix_dimension_enabled: false
matrix_dimension_admins:
  - "@sacmin:irregularchat.com"
  - "@rod:irregularchat.com"
matrix_dimension_access_token: "secret_here"

# BOTS
# Source: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/f84a53d801307cc3e6c24cf40b0db217ffe8a1ab/docs/configuring-playbook-mautrix-bridges.md?plain=1#L42
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: 'secret_here'
matrix_synapse_password_config_localdb_enabled: false
matrix_bridges_encryption_enabled: true
matrix_bridges_encryption_default: true
matrix_admin: "@sac:irregularchat.com"

# Mautrix WhatsApp Bot Configuration
matrix_mautrix_whatsapp_enabled: true
matrix_mautrix_whatsapp_bridge_relay_enabled: true
matrix_mautrix_whatsapp_configuration_extension_yaml: |
  bridge:
    encryption:
      allow: true
      require: true

# Mautrix Signal Bot Configuration
# Signal Bot
matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_appservice_bot_username: 'signalbot'
# Encryption settings
matrix_mautrix_signal_bridge_encryption_allow: true
matrix_mautrix_signal_bridge_encryption_default: true
matrix_mautrix_signal_configuration_extension_yaml: |
  bridge:
    encryption:
      allow: true
      require: true
    permissions:
      '@sac:irregularchat.com': admin
      '@.:irregularchat.com': relay
    relay:
      enabled: true

# Mjolnir Moderation Bot Configuration
matrix_bot_mjolnir_enabled: true
matrix_bot_mjolnir_pantalaimon_username: "mjolnir"
matrix_bot_mjolnir_access_token: "secret_here"
matrix_bot_mjolnir_management_room: "!DRqqGyInlMHNNtYQmI:irregularchat.com"

# Anti-Spam Configuration
matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: true
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: true
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false
matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []

# Maubot Configuration
matrix_bot_maubot_enabled: true
matrix_bot_maubot_initial_password: 'secret_here'
matrix_bot_maubot_admins:
  - sac: 'secret_here'
  - rod: 'secret_here'
  - jon: 'secret_here'
  - josh: 'secret_here'

# Discord Bot Configuration
matrix_mautrix_discord_enabled: true

# OIDC Configuration
# roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
# https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/9427f9408dfded216d7c29027c234b9762a26727
matrix_synapse_oidc_enabled: true
matrix_synapse_oidc_providers:
  - idp_id: irregularchat-sso
    idp_name: "IrregularChat SSO"
    idp_icon: mxc://irregularchat.com/axcviKJxegoQTAOorOabNCpl
    discover: true
    issuer: "https://sso.irregularchat.com/application/o/element-messenger/"
    client_id: "client_id_here"
    client_secret: "secret_here"
    client_auth_method: client_secret_post
    scopes:
      - "openid"
      - "profile"
    allow_existing_users: true
    user_mapping_provider:
      config:
        localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
        display_name_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"

# Auto-join rooms must be of the same homeserver and must be public
matrix_synapse_auto_join_rooms:
  - "#entry-public:irregularchat.com"
  - "#announcements:irregularchat.com"
  - "#public:irregularchat.com"
  - "#meetup:irregularchat.com"

# Set the rate limits for rooms
matrix_synapse_rc_invites:
  per_room:
    per_second: 100 # High value to effectively remove limit
    burst_count: 1000 # High value to effectively remove limit
  per_user:
    per_second: 100 # High value to effectively remove limit
    burst_count: 300 # High value to effectively remove limit
matrix_synapse_rc_message:
  per_second: 15 # Adjust as needed, allows 15 messages per second
  burst_count: 200 # Adjust as needed, allows bursts of 200 messages

exim_relay_sender_address: "[email protected]"
exim_relay_relay_use: true
exim_relay_relay_host_name: "email-smtp.us-east-1.amazonaws.com"
exim_relay_relay_host_port: 587
exim_relay_relay_auth: true
exim_relay_relay_auth_username: "username_here"
exim_relay_relay_auth_password: "secret_here"

# Backups
devture_postgres_backup_enabled: false # https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/e01aa667e7dd0a34f1f5af1572d73db7b602a9fd/docs/configuring-playbook-postgres-backup.md
backup_borg_enabled: true
backup_borg_location_repositories:
  - ssh://[email protected]:xxx/PATH/Backups/Matrix/
backup_borg_storage_encryption_passphrase: "secret_here"
backup_borg_ssh_key_private: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  secret_here
  -----END OPENSSH PRIVATE KEY-----
</syntaxhighlight>
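Before pushing a vars.yml like the one above, it is worth linting it for the mistakes this configuration is most sensitive to. The checker below is an added example and not part of the playbook: it parses only top-level keys, embeds a constructed excerpt of the config above (with one redacted value filled in), and flags leftover `secret_here`-style placeholders plus a few invariants the settings on this page rely on (loopback bind when forwarded headers are trusted, OIDC present when password login is off, redis and keydb not both enabled, registration admin secret set).

```python
import re

# Redaction tokens used on this page; a live vars.yml must not still contain them.
PLACEHOLDERS = ("secret_here", "client_id_here", "username_here")

# Constructed excerpt of the vars.yml above, with the one redacted value filled in.
SAMPLE_VARS = """\
devture_traefik_container_web_host_bind_port: "127.0.0.1:81"
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
matrix_synapse_password_config_enabled: false
matrix_synapse_oidc_enabled: true
redis_enabled: true
keydb_enabled: false #default to true
matrix_registration_enabled: true
matrix_registration_admin_secret: "long-random-value"
"""

def parse_flat_vars(text):
    """Collect top-level `key: value` pairs; comments, nested blocks and list items are ignored."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*(#.*)?$", line)
        if m and m.group(2):
            found[m.group(1)] = m.group(2).strip("\"'")
    return found

def as_bool(value):
    return str(value).lower() == "true"

def check_vars(text):
    """Return a list of findings for a vars.yml; an empty list means every check passed."""
    v = parse_flat_vars(text)
    findings = [f"{k}: unresolved placeholder {val!r}"
                for k, val in v.items() if any(p in val for p in PLACEHOLDERS)]
    # forwardedHeaders.insecure trusts X-Forwarded-* from any client; only tolerable on a loopback bind
    if as_bool(v.get("devture_traefik_config_entrypoint_web_forwardedHeaders_insecure")) and \
            not v.get("devture_traefik_container_web_host_bind_port", "").startswith("127.0.0.1:"):
        findings.append("forwardedHeaders insecure=true but the web entrypoint is not bound to loopback")
    # with password login off (SSO only), an OIDC provider must exist or nobody can sign in
    if not as_bool(v.get("matrix_synapse_password_config_enabled", "true")) and \
            not as_bool(v.get("matrix_synapse_oidc_enabled")):
        findings.append("password login disabled but matrix_synapse_oidc_enabled is not true")
    # the playbook defaults keydb_enabled to true, so enabling redis without disabling keydb conflicts
    if as_bool(v.get("redis_enabled")) and as_bool(v.get("keydb_enabled", "true")):
        findings.append("redis_enabled and keydb_enabled are both true")
    # matrix-registration needs its admin secret
    if as_bool(v.get("matrix_registration_enabled")) and not v.get("matrix_registration_admin_secret"):
        findings.append("matrix_registration_enabled without matrix_registration_admin_secret")
    return findings
```

Run `check_vars(open("inventory/host_vars/matrix.irregularchat.com/vars.yml").read())` before the ansible-playbook push; a non-empty list is a reason to stop.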