Raw refactoring of roles

2025-08-29 15:06:26 +02:00 · 2025-05-09 17:47:33 +02:00
parent 82f442f40e
commit 5b47333955
177 changed files with 1483 additions and 1041 deletions
--- a/roles/docker-matrix-compose/Administration.md
+++ b/roles/docker-matrix-compose/Administration.md
@@ -3,7 +3,7 @@
 ## Cleanup 
 ```
 # Cleanup Database
-for db in matrix mautrix_whatsapp_bridge mautrix_telegram_bridge mautrix_signal_bridge mautrix_slack_bridge; do python reset-database-in-central-postgres.py $db; done
+for db in matrix applications[application_id].credentials.mautrix_whatsapp_bridge applications[application_id].credentials.mautrix_telegram_bridge applications[application_id].credentials.mautrix_signal_bridge applications[application_id].credentials.mautrix_slack_bridge; do python reset-database-in-central-postgres.py $db; done
 # Cleanup Docker and Volumes
 docker compose down -v
 ```
--- a/roles/docker-matrix-compose/Installation.md
+++ b/roles/docker-matrix-compose/Installation.md
@@ -15,7 +15,7 @@ For login with Token checkout [this guide](https://docs.mau.fi/bridges/go/slack/

 ### ChatGPT
 - Create API Token: https://platform.openai.com/api-keys
- Set ``matrix_chatgpt_bridge_access_token`` 
+- Set ``applications[application_id].credentials.chatgpt_bridge_access_token`` 

 ## Debug:
 - https://federationtester.matrix.org/
--- a/roles/docker-matrix-compose/meta/schema.yml
+++ b/roles/docker-matrix-compose/meta/schema.yml
@@ -0,0 +1,90 @@
+credentials:
+  administrator_password:
+    description: "Initial administrator password for the Matrix homeserver"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  generic_secret_key:
+    description: "Generic secret used by Synapse for key signing and session management"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  database_password:
+    description: "Password for the Matrix PostgreSQL database"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  registration_shared_secret:
+    description: "Secret token used to allow shared registration from external sources"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  macaroon_secret_key:
+    description: "Secret key used to sign macaroon tokens for authentication"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  form_secret:
+    description: "Secret for form token protection (used in web registration flows)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  chatgpt_bridge_openai_api_key:
+    description: "API key for accessing OpenAI via the Matrix ChatGPT bridge"
+    algorithm: "plain"
+    validation: "^sk-[a-zA-Z0-9]{40,}$"
+
+  chatgpt_bridge_access_token:
+    description: "Access token used by the ChatGPT bridge for authentication"
+    algorithm: "plain"
+    validation: "^[a-zA-Z0-9-_]{20,}$"
+
+  chatgpt_bridge_user_password:
+    description: "Matrix user password used by the ChatGPT bridge"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  mautrix_facebook_bridge_database_password:
+    description: "Database password for the mautrix-facebook bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_instagram_bridge_database_password:
+    description: "Database password for the mautrix-instagram bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_signal_bridge_database_password:
+    description: "Database password for the mautrix-signal bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_slack_bridge_database_password:
+    description: "Database password for the mautrix-slack bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_telegram_bridge_database_password:
+    description: "Database password for the mautrix-telegram bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_telgegram_bridge_api_id:
+    description: "Telegram API ID for the mautrix-telegram bridge"
+    algorithm: "plain"
+    validation: "^\\d{5,}$"
+
+  mautrix_telgegram_bridge_api_pin:
+    description: "Telegram API hash or PIN for the mautrix-telegram bridge"
+    algorithm: "plain"
+    validation: "^[a-zA-Z0-9]{10,}$"
+
+  mautrix_whatsapp_bridge_database_password:
+    description: "Database password for the mautrix-whatsapp bridge"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  mautrix_whatsapp_bridge_provisioning_shared_secret:
+    description: "Shared secret for the mautrix-whatsapp bridge provisioning endpoint"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
--- a/roles/docker-matrix-compose/tasks/main.yml
+++ b/roles/docker-matrix-compose/tasks/main.yml
@@ -134,14 +134,14 @@

 - name: create admin account
  command:
-    cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications.matrix.users.administrator.username}} -p {{matrix_admin_password}} -a -c /data/homeserver.yaml http://localhost:8008
+    cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications.matrix.users.administrator.username}} -p {{applications[application_id].credentials.administrator_password}} -a -c /data/homeserver.yaml http://localhost:8008
    chdir: "{{ docker_compose.directories.instance }}"
  ignore_errors: true
  when: applications.matrix.setup | bool

 - name: create chatgpt bot
  command:
-    cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{matrix_chatgpt_bridge_user_password}} -a -c /data/homeserver.yaml http://localhost:8008
+    cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{applications[application_id].credentials.chatgpt_bridge_user_password}} -a -c /data/homeserver.yaml http://localhost:8008
    chdir: "{{ docker_compose.directories.instance }}"
  ignore_errors: true
  when: applications.matrix.setup | bool
--- a/roles/docker-matrix-compose/templates/docker-compose.yml.j2
+++ b/roles/docker-matrix-compose/templates/docker-compose.yml.j2
@@ -70,7 +70,7 @@ services:
 #    volumes:
 #      - chatgpt_data:/storage
 #    environment:
-#      OPENAI_API_KEY: '{{matrix_chatgpt_bridge_openai_api_key}}'
+#      OPENAI_API_KEY: '{{applications[application_id].credentials.chatgpt_bridge_openai_api_key}}'
 #      # Uncomment the next two lines if you are using Azure OpenAI API
 #      # OPENAI_AZURE: 'false'
 #      # CHATGPT_REVERSE_PROXY: 'your-completion-endpoint-here'
@@ -91,8 +91,8 @@ services:
 #      KEYV_BOT_STORAGE: 'true'
 #      MATRIX_HOMESERVER_URL: 'https://{{domains.matrix_synapse}}'
 #      MATRIX_BOT_USERNAME: '@chatgptbot:{{applications.matrix.server_name}}'
-#      MATRIX_ACCESS_TOKEN: '{{ matrix_chatgpt_bridge_access_token | default('') }}'
-#      MATRIX_BOT_PASSWORD: '{{matrix_chatgpt_bridge_user_password}}'
+#      MATRIX_ACCESS_TOKEN: '{{ applications[application_id].credentials.chatgpt_bridge_access_token | default('') }}'
+#      MATRIX_BOT_PASSWORD: '{{applications[application_id].credentials.chatgpt_bridge_user_password}}'
 #      MATRIX_DEFAULT_PREFIX: '!chatgpt'
 #      MATRIX_DEFAULT_PREFIX_REPLY: 'false'
 #      #MATRIX_BLACKLIST: ''
--- a/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2
+++ b/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2
@@ -39,7 +39,7 @@ appservice:
    # Format examples:
    #   SQLite:   sqlite:filename.db
    #   Postgres: postgres://username:password@hostname/dbname
-    database: postgres://mautrix_facebook_bridge:{{mautrix_facebook_bridge_database_password}}@{{database_host}}/mautrix_facebook_bridge
+    database: postgres://mautrix_facebook_bridge:{{applications[application_id].credentials.mautrix_facebook_bridge_database_password}}@{{database_host}}/mautrix_facebook_bridge
    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
@@ -154,7 +154,7 @@ bridge:
    # If using this for other servers than the bridge's server,
    # you must also set the URL in the double_puppet_server_map.
    login_shared_secret_map:
-        {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}}
+        {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
    # Should presence from Facebook be bridged? This doesn't use the same API as the Android app,
    # so it might be more suspicious to Facebook.
    presence_from_facebook: false
--- a/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2
+++ b/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2
@@ -42,7 +42,7 @@ appservice:
    # Format examples:
    #   SQLite:   sqlite:filename.db
    #   Postgres: postgres://username:password@hostname/dbname
-    database: postgres://mautrix_instagram_bridge:{{mautrix_instagram_bridge_database_password}}@{{database_host}}/mautrix_instagram_bridge
+    database: postgres://mautrix_instagram_bridge:{{applications[application_id].credentials.mautrix_instagram_bridge_database_password}}@{{database_host}}/mautrix_instagram_bridge
    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
@@ -143,7 +143,7 @@ bridge:
    # If using this for other servers than the bridge's server,
    # you must also set the URL in the double_puppet_server_map.
    login_shared_secret_map:
-        {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}}
+        {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: true
--- a/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2
+++ b/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2
@@ -43,7 +43,7 @@ appservice:
        #           https://github.com/mattn/go-sqlite3#connection-string
        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: postgres://mautrix_signal_bridge:{{mautrix_signal_bridge_database_password}}@{{database_host}}/mautrix_signal_bridge?sslmode=disable
+        uri: postgres://mautrix_signal_bridge:{{applications[application_id].credentials.mautrix_signal_bridge_database_password}}@{{database_host}}/mautrix_signal_bridge?sslmode=disable
        # Maximum number of connections. Mostly relevant for Postgres.
        max_open_conns: 20
        max_idle_conns: 2
@@ -150,7 +150,7 @@ bridge:
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    login_shared_secret_map:
-        {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}}
+        {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}}

    # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
    # Null means there's no enforced timeout.
--- a/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2
+++ b/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2
@@ -43,7 +43,7 @@ appservice:
        #           https://github.com/mattn/go-sqlite3#connection-string
        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: postgres://mautrix_slack_bridge:{{mautrix_slack_bridge_database_password}}@{{database_host}}/mautrix_slack_bridge?sslmode=disable
+        uri: postgres://mautrix_slack_bridge:{{applications[application_id].credentials.mautrix_slack_bridge_database_password}}@{{database_host}}/mautrix_slack_bridge?sslmode=disable
        # Maximum number of connections. Mostly relevant for Postgres.
        max_open_conns: 20
        max_idle_conns: 2
@@ -127,7 +127,7 @@ bridge:
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    login_shared_secret_map:
-        {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}}
+        {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}}

    message_handling_timeout:
        # Send an error message after this timeout, but keep waiting for the response until the deadline.
--- a/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2
+++ b/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2
@@ -42,7 +42,7 @@ appservice:
    # Format examples:
    #   SQLite:   sqlite:filename.db
    #   Postgres: postgres://username:password@hostname/dbname
-    database: postgres://mautrix_telegram_bridge:{{mautrix_telegram_bridge_database_password}}@{{database_host}}/mautrix_telegram_bridge
+    database: postgres://mautrix_telegram_bridge:{{applications[application_id].credentials.mautrix_telegram_bridge_database_password}}@{{database_host}}/mautrix_telegram_bridge
    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
@@ -209,7 +209,7 @@ bridge:
    # If using this for other servers than the bridge's server,
    # you must also set the URL in the double_puppet_server_map.
    login_shared_secret_map:
-        {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}}
+        {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
    # Set to false to disable link previews in messages sent to Telegram.
    telegram_link_preview: true
    # Whether or not the !tg join command should do a HTTP request
@@ -564,8 +564,8 @@ bridge:
 # Telegram config
 telegram:
    # Get your own API keys at https://my.telegram.org/apps
-    api_id: {{mautrix_telgegram_bridge_api_id}}
-    api_hash: {{mautrix_telgegram_bridge_api_pin}}
+    api_id: {{applications[application_id].credentials.mautrix_telgegram_bridge_api_id}}
+    api_hash: {{applications[application_id].credentials.mautrix_telgegram_bridge_api_pin}}
    # (Optional) Create your own bot at https://t.me/BotFather
    bot_token: disabled

--- a/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2
+++ b/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2
@@ -42,7 +42,7 @@ appservice:
        #           https://github.com/mattn/go-sqlite3#connection-string
        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-        uri: postgres://mautrix_whatsapp_bridge:{{mautrix_whatsapp_bridge_database_password}}@{{database_host}}/mautrix_whatsapp_bridge?sslmode=disable
+        uri: postgres://mautrix_whatsapp_bridge:{{applications[application_id].credentials.mautrix_whatsapp_bridge_database_password}}@{{database_host}}/mautrix_whatsapp_bridge?sslmode=disable
        # Maximum number of connections. Mostly relevant for Postgres.
        max_open_conns: 20
        max_idle_conns: 2
@@ -245,7 +245,7 @@ bridge:
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    login_shared_secret_map:
-        {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}}
+        {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}}
    # Whether to explicitly set the avatar and room name for private chat portal rooms.
    # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
    # If set to `always`, all DM rooms will have explicit names and avatars set.
--- a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2
+++ b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2
@@ -19,10 +19,10 @@ database:
    cp_max: 10
 log_config:                     "/data/{{domains.matrix_synapse}}.log.config"
 media_store_path:               "/data/media_store"
-registration_shared_secret:     "{{matrix_registration_shared_secret}}"
+registration_shared_secret:     "{{applications[application_id].credentials.registration_shared_secret}}"
 report_stats:                   true
-macaroon_secret_key:            "{{matrix_macaroon_secret_key}}"
-form_secret:                    "{{matrix_form_secret}}"
+macaroon_secret_key:            "{{applications[application_id].credentials.macaroon_secret_key}}"
+form_secret:                    "{{applications[application_id].credentials.form_secret}}"
 signing_key_path:               "/data/{{domains.matrix_synapse}}.signing.key"
 web_client_location:            "{{ web_protocol }}://{{domains.matrix_element}}"
 public_baseurl:                 "{{ web_protocol }}://{{domains.matrix_synapse}}"
--- a/roles/docker-matrix-compose/vars/configuration.yml
+++ b/roles/docker-matrix-compose/vars/configuration.yml
@@ -0,0 +1,18 @@
+
+users:
+  administrator:
+    username:         "{{users.administrator.username}}" # Accountname of the matrix admin
+playbook_tags:        "setup-all,start"                  # For the initial update use: install-all,ensure-matrix-users-created,start
+role:                 "compose"                          # Role to setup Matrix. Valid values: ansible, compose
+server_name:          "{{primary_domain}}"               # Adress for the account names etc.
+synapse:
+  version:            "latest"
+element:
+  version:            "latest"
+setup:                false                              # Set true in inventory file to execute the setup and initializing procedures
+features:
+  matomo:             true
+  css:                true
+  landingpage_iframe: false
+  oidc:               false                              # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492
+  central_database:   true
--- a/roles/docker-matrix-compose/vars/main.yml
+++ b/roles/docker-matrix-compose/vars/main.yml
@@ -1,39 +1,39 @@
 ---
 application_id:  	        "matrix"
-database_password:  	    "{{matrix_database_password}}"
+database_password:  	    "{{applications[application_id].credentials.database_password}}"
 database_type:            "postgres"
 registration_file_folder: "/data/"
 well_known_directory:     "{{nginx.directories.data.well_known}}/matrix/"

 bridges:
-  - database_password: "{{ mautrix_whatsapp_bridge_database_password }}"
+  - database_password: "{{ applications[application_id].credentials.mautrix_whatsapp_bridge_database_password }}"
    database_username:  "mautrix_whatsapp_bridge"
    database_name:      "mautrix_whatsapp_bridge"
    bridge_name:        "whatsapp"   

-  - database_password:  "{{ mautrix_telegram_bridge_database_password }}"
+  - database_password:  "{{ applications[application_id].credentials.mautrix_telegram_bridge_database_password }}"
    database_username:  "mautrix_telegram_bridge"
    database_name:      "mautrix_telegram_bridge"
    bridge_name:        "telegram"

-  - database_password:  "{{ mautrix_signal_bridge_database_password }}"
+  - database_password:  "{{ applications[application_id].credentials.mautrix_signal_bridge_database_password }}"
    database_username:  "mautrix_signal_bridge"
    database_name:      "mautrix_signal_bridge"
    bridge_name:        "signal"

 # Deactivated temporary, due to bug which is hard to find 
 # @todo Reactivate 
-#  - database_password:  "{{ mautrix_slack_bridge_database_password }}"
+#  - database_password:  "{{ applications[application_id].credentials.mautrix_slack_bridge_database_password }}"
 #    database_username:  "mautrix_slack_bridge"
 #    database_name:      "mautrix_slack_bridge"
 #    bridge_name:        "slack"

-  - database_password:  "{{ mautrix_facebook_bridge_database_password }}"
+  - database_password:  "{{ applications[application_id].credentials.mautrix_facebook_bridge_database_password }}"
    database_username:  "mautrix_facebook_bridge"
    database_name:      "mautrix_facebook_bridge"
    bridge_name:        "facebook"

-  - database_password:  "{{ mautrix_instagram_bridge_database_password }}"
+  - database_password:  "{{ applications[application_id].credentials.mautrix_instagram_bridge_database_password }}"
    database_username:  "mautrix_instagram_bridge"
    database_name:      "mautrix_instagram_bridge"
    bridge_name:        "instagram"