From 6594cce57038c5118e9b056f2b2c0b4ec9451b93 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Wed, 25 Sep 2024 14:53:48 +1000 Subject: [PATCH 001/148] Feat: Added element call setup and configuration. --- docs/configuring-playbook-element-call.md | 74 ++++++++ group_vars/matrix_servers | 58 +++++++ .../matrix-element-call/defaults/main.yml | 34 ++++ .../tasks/create_element_json.yml | 22 +++ .../matrix-element-call/tasks/install.yml | 17 ++ .../tasks/install_docker_containers.yml | 158 ++++++++++++++++++ .../custom/matrix-element-call/tasks/main.yml | 14 ++ .../matrix-element-call/tasks/uninstall.yml | 51 ++++++ .../tasks/update_element_web_config.yml | 29 ++++ .../tasks/update_homeserver_config.yml | 36 ++++ .../tasks/update_well_known_client.yml | 24 +++ .../tasks/validate_config.yml | 79 +++++++++ .../templates/config.json.j2 | 11 ++ .../matrix-element-call/templates/env.j2 | 9 + .../matrix-element-call/templates/labels.j2 | 11 ++ .../templates/livekit.yaml.j2 | 21 +++ .../templates/redis.conf.j2 | 5 + .../systemd/matrix-element-call.service.j2 | 17 ++ .../custom/matrix-element-call/vars/main.yml | 5 + setup.yml | 1 + 20 files changed, 676 insertions(+) create mode 100644 docs/configuring-playbook-element-call.md create mode 100644 roles/custom/matrix-element-call/defaults/main.yml create mode 100644 roles/custom/matrix-element-call/tasks/create_element_json.yml create mode 100644 roles/custom/matrix-element-call/tasks/install.yml create mode 100644 roles/custom/matrix-element-call/tasks/install_docker_containers.yml create mode 100644 roles/custom/matrix-element-call/tasks/main.yml create mode 100644 roles/custom/matrix-element-call/tasks/uninstall.yml create mode 100644 roles/custom/matrix-element-call/tasks/update_element_web_config.yml create mode 100644 roles/custom/matrix-element-call/tasks/update_homeserver_config.yml create mode 100644 roles/custom/matrix-element-call/tasks/update_well_known_client.yml create mode 100644 roles/custom/matrix-element-call/tasks/validate_config.yml create mode 100644 
roles/custom/matrix-element-call/templates/config.json.j2 create mode 100644 roles/custom/matrix-element-call/templates/env.j2 create mode 100644 roles/custom/matrix-element-call/templates/labels.j2 create mode 100644 roles/custom/matrix-element-call/templates/livekit.yaml.j2 create mode 100644 roles/custom/matrix-element-call/templates/redis.conf.j2 create mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 create mode 100644 roles/custom/matrix-element-call/vars/main.yml diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md new file mode 100644 index 00000000000..bd36357ab5e --- /dev/null +++ b/docs/configuring-playbook-element-call.md 
@@ -0,0 +1,74 @@ +# Setting up Element Call (optional) + +The playbook can install and configure [Element Call](https://github.com/vector-im/element-call) for you. + +Element Call is a WebRTC-based video and voice calling platform that integrates with Matrix clients such as Element Web. It provides secure, decentralized communication with support for video calls, audio calls, and screen sharing. + +See the project's [documentation](https://github.com/vector-im/element-call) to learn more. + +## Decide on a domain and path + +By default, Element Call is configured to be served on the Matrix domain (`call.DOMAIN`, controlled by the `matrix_element_call_hostname` variable). + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +If you'd like to run Element Call on another hostname or path, use the `matrix_element_call_hostname` and `matrix_element_call_path_prefix` variables. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +Ensure that the following DNS names have a public IP/FQDN: +- `call.DOMAIN` +- `sfu.DOMAIN` +- `sfu-jwt.DOMAIN` + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_element_call_enabled: true +# Set a secure key for LiveKit authentication +matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +``` + +## External databases + +If your setup utilizes an external database, you may need to adjust the default configuration for Redis used by Element Call. 
Modify the defaults in group_vars/matrix_servers.yml or host_vars to suit your setup: + +```yaml +matrix_element_call_redis_hostname: 'localhost' +matrix_element_call_redis_port: 6379 +matrix_element_call_redis_password: '' +``` + +## Installing +After potentially adjusting DNS records and configuring the playbook, run the installation command again: +```yaml +ansible-playbook -i inventory setup.yml +``` + +## Usage +Once installed, Element Call integrates seamlessly with Matrix clients like Element Web. When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your JWT service URL (e.g., `https://sfu-jwt.DOMAIN`). + +Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.DOMAIN`). + +## Required Firewall and Port Forwarding Rules + +To ensure the services function correctly, the following firewall rules and port forwarding settings are required: + +LiveKit: + + • Forward UDP ports 50100:50200 to the Docker instance running LiveKit. + • Forward TCP port 7881 to the Docker instance running LiveKit. + +Element Call: + + • Forward TCP port 443 to the server running Traefik (for Element Call). + +Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services. + +## Additional Information + +Refer to the Element Call documentation for more details on configuring and using Element Call. \ No newline at end of file diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c6682be41de..58e93c7b2b4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -5690,3 +5690,61 @@ devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path if d # /com.devture.ansible.role.traefik_certs_dumper # # # ######################################################################## + + +######################################################################## +# # +# matrix-element-call # +# # +######################################################################## + +# Matrix Element Call Configuration +matrix_element_call_enabled: false # Default is false; should be enabled in host_vars as needed +matrix_element_call_version: "latest" # Default version; can be overridden in host_vars +matrix_element_call_scheme: "https" # Scheme for Element Call (e.g., https) +matrix_element_call_hostname: "call.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different +matrix_element_call_path_prefix: "/" # Path prefix for Element Call +matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" # Base path for storing Element Call-related files +matrix_element_call_container_image: "ghcr.io/element-hq/element-call:{{ matrix_element_call_version }}" +matrix_element_call_container_image_name_prefix: ghcr.io/ +matrix_element_call_container_image_registry_prefix: ghcr.io/ +matrix_element_call_container_image_force_pull: true + +# Docker network configuration for Element Call +matrix_element_call_container_network: "{{ matrix_homeserver_container_network }}" # Use the homeserver network by default + +# Traefik Configuration for Element Call +matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" +matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" +matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" +matrix_element_call_container_labels_traefik_entrypoints: "websecure" 
+matrix_element_call_container_labels_traefik_tls_certResolver: "default" + +# JWT Service Configuration +matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed + +# LiveKit Service Configuration +matrix_element_call_livekit_service_url: "https://sfu.{{ matrix_domain }}" # Default LiveKit service URL; adjust as needed +matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # LiveKit dev key + +# Redis Configuration for Element Call +matrix_element_call_redis_hostname: "localhost" # Default Redis hostname; can be overridden +matrix_element_call_redis_port: 6379 # Default Redis port; can be overridden +matrix_element_call_redis_password: "" # Redis password; should be set in host_vars if needed + +# Additional environment variables for the container +matrix_element_call_environment_variables_additional: {} + +# Additional arguments or configuration options for the Docker container +matrix_element_call_container_extra_arguments: [] + +# Enable or disable metrics collection +matrix_element_call_metrics_enabled: false +matrix_element_call_metrics_port: 2112 + +######################################################################## +# # +# /matrix-element-call # +# # +######################################################################## \ No newline at end of file diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml new file mode 100644 index 00000000000..38b17553256 --- /dev/null +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -0,0 +1,34 @@ +--- +# roles/custom/matrix-element-call/defaults/main.yml + +# Enable or disable matrix-element-call deployment +matrix_element_call_enabled: false + +# Base path configuration +matrix_element_call_base_path: "/home/{{ matrix_user_username }}/dockerdata/volumes/elementcall" +matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" +matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" + +# Docker network configuration +matrix_element_call_container_network: "matrix_element_call_network" + +# Docker images +matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" +matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" +matrix_livekit_image: "livekit/livekit-server:latest" +matrix_redis_image: "redis:6-alpine" + +# Ports +matrix_element_call_port: "8093" +matrix_jwt_service_port: "8881" +matrix_redis_port: "6379" + +# LiveKit configuration (should be set in host_vars or globally) +matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}" +matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_base_domain }}:443" + +# Well-known paths and domains (derived from matrix_base_domain) +matrix_element_call_domain: "call.{{ matrix_base_domain }}" +matrix_element_call_well_known_client_path: "/var/www/.well-known/matrix/client" +matrix_element_call_well_known_element_path: "/var/www/.well-known/element/element.json" +matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/create_element_json.yml b/roles/custom/matrix-element-call/tasks/create_element_json.yml new file mode 100644 index 00000000000..7fe68918396 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/create_element_json.yml 
@@ -0,0 +1,22 @@ +--- +--- +# Create the element.json file to point to Element Call + +- name: Ensure .well-known/element directory exists + ansible.builtin.file: + path: "{{ matrix_element_call_well_known_element_path | dirname }}" + state: directory + mode: 0755 + +- name: Create or update the element.json file with Element Call config + ansible.builtin.copy: + dest: "{{ matrix_element_call_well_known_element_path }}" + content: | + { + "call": { + "widget_url": "{{ matrix_element_call_base_url }}" + } + } + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml new file mode 100644 index 00000000000..250f8c09377 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -0,0 +1,17 @@ +--- +# Main install task for matrix-element-call + +- name: Install Docker containers for Element Call + include_tasks: install_docker_containers.yml + +- name: Update .well-known/matrix/client + include_tasks: update_well_known_client.yml + +- name: Create .well-known/element/element.json + include_tasks: create_element_json.yml + +- name: Update homeserver.yaml for Element Call + include_tasks: update_homeserver_config.yml + +- name: Update Element-Web config.json for Element Call + include_tasks: update_element_web_config.yml \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml new file mode 100644 index 00000000000..38dfbbd700c --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml 
@@ -0,0 +1,158 @@ +--- +# Ensure Required Directories Exist +- name: Ensure matrix-element-call paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + loop: + - path: "{{ matrix_element_call_base_path }}" + - path: "{{ matrix_element_call_base_path }}/data" + - path: "{{ matrix_element_call_base_path }}/config" + - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config + +# Ensure Configuration Files are in Place +- name: Ensure Element Call config.json is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/config.json.j2" + dest: "{{ matrix_element_call_base_path }}/config/config.json" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure LiveKit livekit.yaml is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/livekit.yaml.j2" + dest: "{{ matrix_element_call_base_path }}/backend/livekit.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Redis redis.conf is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/redis.conf.j2" + dest: "{{ matrix_element_call_base_path }}/backend/redis.conf" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call environment file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_element_call_base_path }}/config/env" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call Docker labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_element_call_base_path }}/config/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# 
Ensure Docker Images are Pulled +- name: Ensure matrix-element-call Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_element_call_image }}" + source: pull + force_source: "{{ matrix_element_call_container_image_force_pull }}" + register: element_call_image_result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: element_call_image_result is not failed + +- name: Ensure jwt-service Docker image is pulled + community.docker.docker_image: + name: "ghcr.io/element-hq/lk-jwt-service:latest-ci" + source: pull + register: jwt_image_result + retries: 3 + delay: 10 + until: jwt_image_result is not failed + +- name: Ensure livekit Docker image is pulled + community.docker.docker_image: + name: "livekit/livekit-server:latest" + source: pull + register: livekit_image_result + retries: 3 + delay: 10 + until: livekit_image_result is not failed + +- name: Ensure redis Docker image is pulled + community.docker.docker_image: + name: "redis:6-alpine" + source: pull + register: redis_image_result + retries: 3 + delay: 10 + until: redis_image_result is not failed + +# Ensure Docker Containers are Running +- name: Run matrix-element-call Docker container + community.docker.docker_container: + name: "matrix-element-call" + image: "{{ matrix_element_call_image }}" + state: started + restart_policy: unless-stopped + env_file: "{{ matrix_element_call_base_path }}/config/env" + labels: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" + networks: + - name: "{{ matrix_element_call_container_network }}" + volumes: + - "{{ matrix_element_call_base_path }}/config/config.json:/app/config.json" + - "{{ matrix_element_call_base_path }}/data:/data" + +- name: Run jwt-service Docker container + community.docker.docker_container: + name: "matrix-jwt-service" + image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" + state: started + restart_policy: 
unless-stopped + environment: + LIVEKIT_SECRET: "{{ matrix_element_call_livekit_dev_key }}" # User-specified key + LIVEKIT_URL: "{{ matrix_element_call_livekit_service_url }}" + LIVEKIT_KEY: "devkey" + networks: + - name: "{{ matrix_element_call_container_network }}" + +- name: Run livekit Docker container + community.docker.docker_container: + name: "matrix-livekit" + image: "livekit/livekit-server:latest" + state: started + restart_policy: unless-stopped + command: "--dev --config /etc/livekit.yaml" + volumes: + - "{{ matrix_element_call_base_path }}/backend/livekit.yaml:/etc/livekit.yaml" + network_mode: "host" + +- name: Run redis Docker container + community.docker.docker_container: + name: "matrix-redis" + image: "redis:6-alpine" + state: started + restart_policy: unless-stopped + command: redis-server /etc/redis.conf + volumes: + - "{{ matrix_element_call_base_path }}/backend/redis.conf:/etc/redis.conf" + networks: + - name: "{{ matrix_element_call_container_network }}" + +# Ensure Systemd Services are Set Up +- name: Ensure matrix-element-call systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/element-call.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + mode: 0644 + +- name: Ensure matrix-element-call systemd service is enabled and started + ansible.builtin.systemd: + name: matrix-element-call + enabled: true + state: started + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml new file mode 100644 index 00000000000..ae0f7ce6818 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/main.yml 
@@ -0,0 +1,14 @@ +--- +# roles/custom/matrix-element-call/tasks/main.yml + +- name: Ensure Element Call dependencies are valid and present + when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + +- name: Install Element Call and its related services + when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- name: Uninstall Element Call and clean up resources + when: not matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml new file mode 100644 index 00000000000..f863c25be9b --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml 
@@ -0,0 +1,51 @@ +--- +--- +# roles/custom/matrix-element-call/tasks/uninstall.yml + +# Stop and remove Docker containers +- name: Stop and remove matrix-element-call Docker container + community.docker.docker_container: + name: "matrix-element-call" + state: absent + when: matrix_element_call_enabled | bool == false + +- name: Stop and remove jwt-service Docker container + community.docker.docker_container: + name: "matrix-jwt-service" + state: absent + when: matrix_element_call_enabled | bool == false + +- name: Stop and remove livekit Docker container + community.docker.docker_container: + name: "matrix-livekit" + state: absent + when: matrix_element_call_enabled | bool == false + +- name: Stop and remove redis Docker container + community.docker.docker_container: + name: "matrix-redis" + state: absent + when: matrix_element_call_enabled | bool == false + +# Remove matrix-element-call directories +- name: Remove matrix-element-call directories + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - "{{ matrix_element_call_base_path }}" + when: matrix_element_call_enabled | bool == false + +# Disable and remove systemd service for matrix-element-call +- name: Stop and disable matrix-element-call systemd service + ansible.builtin.systemd: + name: matrix-element-call + state: stopped + enabled: false + when: matrix_element_call_enabled | bool == false + +- name: Remove matrix-element-call systemd service file + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + state: absent + when: matrix_element_call_enabled | bool == false \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml new file mode 100644 index 00000000000..0fa2271726a --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml 
@@ -0,0 +1,29 @@ +--- +# Update Element-Web config.json with Element Call features + +- name: Ensure Element-Web config.json exists + ansible.builtin.file: + path: "{{ matrix_element_web_config_path }}" + state: file + mode: 0644 + +- name: Update Element-Web config.json with Element Call features + ansible.builtin.blockinfile: + path: "{{ matrix_element_web_config_path }}" + block: | + "features": { + "feature_video_rooms": true, + "feature_new_room_decoration_ui": true, + "feature_group_calls": true, + "feature_element_call_video_rooms": true + }, + "element_call": { + "url": "{{ matrix_element_call_base_url }}", + "participant_limit": 8, + "brand": "Element Call", + "use_exclusively": true + } + marker: "# ANSIBLE MANAGED BLOCK - Element Call features" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml b/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml new file mode 100644 index 00000000000..46e4f5a0962 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml 
@@ -0,0 +1,36 @@ +--- +# Update the homeserver.yaml file with Element Call config + +- name: Ensure homeserver.yaml exists + ansible.builtin.file: + path: "{{ matrix_homeserver_config_path }}" + state: file + mode: 0644 + +- name: Add listeners section for Element Call to homeserver.yaml + ansible.builtin.blockinfile: + path: "{{ matrix_homeserver_config_path }}" + block: | + listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + + resources: + - names: [client, federation, openid] + compress: false + marker: "# ANSIBLE MANAGED BLOCK - Element Call listeners" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure serve_server_wellknown is enabled in homeserver.yaml + ansible.builtin.lineinfile: + path: "{{ matrix_homeserver_config_path }}" + line: "serve_server_wellknown: true" + insertafter: EOF + state: present + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml new file mode 100644 index 00000000000..b02269f1c5c --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml 
@@ -0,0 +1,24 @@ +--- +--- +# Update the .well-known/matrix/client file with Element Call config + +- name: Ensure .well-known directory exists + ansible.builtin.file: + path: "{{ matrix_element_call_well_known_client_path | dirname }}" + state: directory + mode: 0755 + +- name: Update .well-known/matrix/client file with Element Call config + ansible.builtin.blockinfile: + path: "{{ matrix_element_call_well_known_client_path }}" + block: | + "org.matrix.msc4143.rtc_foci": [ + { + "type": "livekit", + "livekit_service_url": "{{ matrix_element_call_jwt_service_url }}" + } + ] + create: yes + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml new file mode 100644 index 00000000000..c4a55e0df9c --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml 
@@ -0,0 +1,79 @@ +--- +# roles/custom/matrix-element-call/tasks/validate_config.yml + +- name: Ensure required variables for Element Call are defined + ansible.builtin.fail: + msg: "The variable '{{ item }}' is required and must be set." + when: vars[item] is not defined or vars[item] == '' + loop: + - matrix_element_call_enabled + - matrix_element_call_version + - matrix_element_call_hostname + - matrix_element_call_path_prefix + - matrix_element_call_base_path + - matrix_element_call_container_image + - matrix_element_call_container_network + - matrix_element_call_container_labels_traefik_hostname + - matrix_element_call_jwt_service_url + - matrix_element_call_livekit_service_url + - matrix_element_call_livekit_dev_key + +- name: Validate that the Element Call hostname is properly formatted + ansible.builtin.assert: + that: + - "'{{ matrix_element_call_hostname }}' is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$')" + fail_msg: "The hostname '{{ matrix_element_call_hostname }}' is not valid. It should be a valid domain or subdomain." + success_msg: "The hostname '{{ matrix_element_call_hostname }}' is valid." + +- name: Validate that the Element Call version is specified correctly + ansible.builtin.assert: + that: + - matrix_element_call_version is string + - matrix_element_call_version != '' + fail_msg: "The Element Call version must be a non-empty string." + success_msg: "The Element Call version is set correctly." + +- name: Ensure LiveKit dev key is set + ansible.builtin.assert: + that: + - matrix_element_call_livekit_dev_key is string + - matrix_element_call_livekit_dev_key != '' + fail_msg: "The LiveKit dev key (matrix_element_call_livekit_dev_key) must be a non-empty string." + success_msg: "The LiveKit dev key is set correctly." 
+ +- name: Ensure JWT service URL is valid + ansible.builtin.assert: + that: + - matrix_element_call_jwt_service_url is match('^https?://[a-zA-Z0-9.-]+$') + fail_msg: "The JWT service URL '{{ matrix_element_call_jwt_service_url }}' is not valid." + success_msg: "The JWT service URL is valid." + +- name: Ensure LiveKit service URL is valid + ansible.builtin.assert: + that: + - matrix_element_call_livekit_service_url is match('^https?://[a-zA-Z0-9.-]+$') + fail_msg: "The LiveKit service URL '{{ matrix_element_call_livekit_service_url }}' is not valid." + success_msg: "The LiveKit service URL is valid." + +- name: Ensure matrix-element-call base path is set and exists + ansible.builtin.assert: + that: + - matrix_element_call_base_path is string + - matrix_element_call_base_path != '' + fail_msg: "The base path for Element Call (matrix_element_call_base_path) must be a non-empty string." + success_msg: "The base path for Element Call is set correctly." + +- name: Ensure required paths for configurations are accessible + ansible.builtin.file: + path: "{{ item }}" + state: directory + with_items: + - "{{ matrix_element_call_base_path }}/config" + - "{{ matrix_element_call_base_path }}/backend" + register: config_paths_check + +- name: Fail if any required paths for configurations are not accessible + ansible.builtin.fail: + msg: "The required configuration path '{{ item.path }}' does not exist or is not accessible." + when: config_paths_check.results is defined and config_paths_check.results | selectattr('failed', 'eq', True) | list | length > 0 + loop: "{{ config_paths_check.results | selectattr('failed', 'eq', True) | list }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 new file mode 100644 index 00000000000..1ce2f57c5e0 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/config.json.j2 
@@ -0,0 +1,11 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "{{ matrix_homeserver_url }}", + "server_name": "{{ matrix_server_name }}" + } + }, + "livekit": { + "livekit_service_url": "{{ matrix_element_call_livekit_service_url }}" + } +} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 new file mode 100644 index 00000000000..db25ed81b0c --- /dev/null +++ b/roles/custom/matrix-element-call/templates/env.j2 @@ -0,0 +1,9 @@ +# Environment variables for Element Call +ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} +LIVEKIT_SERVICE_URL={{ matrix_element_call_livekit_service_url }} +JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} + +# Optional additional environment variables provided by the user +{% for key, value in matrix_element_call_environment_variables_additional.items() %} +{{ key }}={{ value }} +{% endfor %} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 new file mode 100644 index 00000000000..988bfba1ce6 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/labels.j2 
@@ -0,0 +1,11 @@ +# Docker labels for Traefik or other routing +traefik.enable: "true" +traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.rule: "Host(`{{ matrix_element_call_hostname }}`)" +traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.entrypoints: "{{ matrix_element_call_container_labels_traefik_entrypoints }}" +traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.tls.certresolver: "{{ matrix_element_call_container_labels_traefik_tls_certResolver }}" +traefik.http.services.{{ matrix_element_call_hostname | replace('.', '_') }}-service.loadbalancer.server.port: "8080" + +# Additional labels (if any) specified by the user +{% for key, value in matrix_element_call_container_extra_arguments.items() %} +{{ key }}: "{{ value }}" +{% endfor %} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 b/roles/custom/matrix-element-call/templates/livekit.yaml.j2 new file mode 100644 index 00000000000..a53c0896a11 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/livekit.yaml.j2 @@ -0,0 +1,21 @@ +port: 7880 +bind_addresses: + - "0.0.0.0" +rtc: + tcp_port: 7881 + port_range_start: 50100 + port_range_end: 50200 + use_external_ip: false + +turn: + enabled: false + domain: localhost + cert_file: "" + key_file: "" + tls_port: 5349 + udp_port: 443 + external_tls: true + +keys: + devkey: "{{ matrix_element_call_livekit_dev_key }}" +logging: \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/redis.conf.j2 b/roles/custom/matrix-element-call/templates/redis.conf.j2 new file mode 100644 index 00000000000..da19af05a49 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/redis.conf.j2 @@ -0,0 +1,5 @@ +bind 0.0.0.0 +protected-mode yes +port 6379 +timeout 0 +tcp-keepalive 300 \ No newline at end of file 
diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 new file mode 100644 index 00000000000..8caad624fac --- /dev/null +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -0,0 +1,17 @@ +[Unit] +Description=Matrix Element Call Service +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStart=/usr/bin/docker start -a matrix-element-call +ExecStop=/usr/bin/docker stop matrix-element-call +Restart=always +User={{ matrix_user_username }} +Group={{ matrix_user_groupname }} +TimeoutStartSec=0 +RestartSec=10 + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/custom/matrix-element-call/vars/main.yml b/roles/custom/matrix-element-call/vars/main.yml new file mode 100644 index 00000000000..1f224472a19 --- /dev/null +++ b/roles/custom/matrix-element-call/vars/main.yml @@ -0,0 +1,5 @@ +--- +# roles/custom/matrix-element-call/vars/main.yml + +# Variables specific to matrix-element-call, like service configurations, can go here. +# Any environment-specific values can be overridden here. \ No newline at end of file diff --git a/setup.yml b/setup.yml index 3cff6dbb1b7..cbc3e1673b3 100644 --- a/setup.yml +++ b/setup.yml @@ -130,6 +130,7 @@ - custom/matrix-coturn - custom/matrix-media-repo - custom/matrix-pantalaimon + - custom/matrix-element-call - role: galaxy/postgres_backup From d1ba784dde736a72dac55a2575a11dedfa0fcc42 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Wed, 25 Sep 2024 15:01:53 +1000 Subject: [PATCH 002/148] added doc for setting up element call. --- docs/configuring-playbook.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 4b4a3366bce..fb0704e0851 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md 
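Review bot: matrix-element-call.service.j2 sets `User={{ matrix_user_username }}` and then runs `/usr/bin/docker start -a`, which only works if that user can reach the Docker socket, and socket access is root-equivalent; the other units in this playbook run as root and drop privileges inside the container with `--user` on `docker run`. The unit also assumes a pre-created container (`docker start -a matrix-element-call`) but has no ExecStartPre that creates it, so anything that removes the container leaves the unit unable to start. vars/main.yml is an empty placeholder whose comment invites environment overrides there; role vars outrank group_vars and host_vars, so that is the wrong place for user overrides and the file should be removed.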
@@ -232,3 +232,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Rageshake bug report server](configuring-playbook-rageshake.md) (optional) - [Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md) (optional) + +- [Setting up the Element Call server](configuring-playbook-element-call.md) (optional) From 60f34cd7af6e752542ace17c61a77122777dd370 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Wed, 25 Sep 2024 16:13:29 +1000 Subject: [PATCH 003/148] fixed matrix_redis for migration --- roles/custom/matrix-element-call/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 38b17553256..68217d37fc5 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -16,12 +16,12 @@ matrix_element_call_container_network: "matrix_element_call_network" matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" matrix_livekit_image: "livekit/livekit-server:latest" -matrix_redis_image: "redis:6-alpine" +redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" matrix_jwt_service_port: "8881" -matrix_redis_port: "6379" +redis_port: "6379" # LiveKit configuration (should be set in host_vars or globally) matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}" From fc6357a089f57a16f5117f6940a25fad2ca0f9ec Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 18:05:34 +1000 Subject: [PATCH 004/148] Update main.yml --- .../custom/matrix-element-call/tasks/main.yml | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-) 
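Review bot: in patch 003 the rename from matrix_redis_image/matrix_redis_port to redis_image/redis_port drops the role prefix, so these defaults collide with any other role that owns the `redis_` namespace and silently pick up or override its values; keep role-scoped names such as matrix_element_call_redis_image and matrix_element_call_redis_port.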
diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml index ae0f7ce6818..5727957ffbd 100644 --- a/roles/custom/matrix-element-call/tasks/main.yml +++ b/roles/custom/matrix-element-call/tasks/main.yml @@ -1,14 +1,20 @@ --- -# roles/custom/matrix-element-call/tasks/main.yml -- name: Ensure Element Call dependencies are valid and present - when: matrix_element_call_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" +- tags: + - setup-all + - setup-element-call + - install-all + - install-element-call + block: + - when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" -- name: Install Element Call and its related services - when: matrix_element_call_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + - when: matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" -- name: Uninstall Element Call and clean up resources - when: not matrix_element_call_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file +- tags: + - setup-all + - setup-element-call + block: + - when: not matrix_element_call_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" From 350d4d4bcd0361ca0dfa5806c0a76b2bdc781df7 Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 18:35:09 +1000 Subject: [PATCH 005/148] Fixed assertion block to remove jinja2 delimiters --- roles/custom/matrix-element-call/tasks/validate_config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index c4a55e0df9c..d6e10c930f5 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml 
+++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -21,7 +21,7 @@ - name: Validate that the Element Call hostname is properly formatted ansible.builtin.assert: that: - - "'{{ matrix_element_call_hostname }}' is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$')" + - matrix_element_call_hostname is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$') fail_msg: "The hostname '{{ matrix_element_call_hostname }}' is not valid. It should be a valid domain or subdomain." success_msg: "The hostname '{{ matrix_element_call_hostname }}' is valid." @@ -76,4 +76,4 @@ ansible.builtin.fail: msg: "The required configuration path '{{ item.path }}' does not exist or is not accessible." when: config_paths_check.results is defined and config_paths_check.results | selectattr('failed', 'eq', True) | list | length > 0 - loop: "{{ config_paths_check.results | selectattr('failed', 'eq', True) | list }}" \ No newline at end of file + loop: "{{ config_paths_check.results | selectattr('failed', 'eq', True) | list }}" From 90ea758c3bd2ac5cfe03dd946021fb1be668da87 Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 18:39:26 +1000 Subject: [PATCH 006/148] Fixed regex for checking the hostname. --- roles/custom/matrix-element-call/tasks/validate_config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index d6e10c930f5..e61973fdda1 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml 
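Review bot: dropping the Jinja delimiters inside the assertion is correct, but the regex `^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$` contains no dot, so every fully-qualified hostname (call.example.com) fails the check and the fail_msg promising "a valid domain or subdomain" is always hit.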
@@ -21,10 +21,10 @@ - name: Validate that the Element Call hostname is properly formatted ansible.builtin.assert: that: - - matrix_element_call_hostname is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9])$') + - matrix_element_call_hostname is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$') fail_msg: "The hostname '{{ matrix_element_call_hostname }}' is not valid. It should be a valid domain or subdomain." success_msg: "The hostname '{{ matrix_element_call_hostname }}' is valid." - + - name: Validate that the Element Call version is specified correctly ansible.builtin.assert: that: From c93d30bcb8bffdea4d995fb6fba3c267d36a695f Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 19:07:03 +1000 Subject: [PATCH 007/148] Added matrix_server_name to the defaults --- roles/custom/matrix-element-call/defaults/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 68217d37fc5..3fe77eddef3 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -4,6 +4,9 @@ # Enable or disable matrix-element-call deployment matrix_element_call_enabled: false +# Default Matrix server name (can be overridden in host_vars if needed) +matrix_server_name: "{{ matrix_base_domain }}" + # Base path configuration matrix_element_call_base_path: "/home/{{ matrix_user_username }}/dockerdata/volumes/elementcall" matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" 
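Review bot: the new pattern requires at least two characters per label (`[a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9]`), so a valid name like a.example.com is rejected; make the tail optional, e.g. `[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?` per label. The assertion also reads matrix_element_call_hostname, which defaults/main.yml never defines (it defines matrix_element_call_domain). In patch 007, adding matrix_server_name to the role's defaults redefines a playbook-wide variable from inside one role and points it at matrix_base_domain, which is not a playbook variable; remove the line and use matrix_server_name as the playbook provides it.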
@@ -31,4 +34,4 @@ matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_base_domain }}:443 matrix_element_call_domain: "call.{{ matrix_base_domain }}" matrix_element_call_well_known_client_path: "/var/www/.well-known/matrix/client" matrix_element_call_well_known_element_path: "/var/www/.well-known/element/element.json" -matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" \ No newline at end of file +matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" From ce827e7953a2ee9d5471f96dd7effb3f00691303 Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 19:09:13 +1000 Subject: [PATCH 008/148] Changed matrix_base_domain to matrix_domain --- roles/custom/matrix-element-call/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 3fe77eddef3..d6aaf02e0fe 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -5,7 +5,7 @@ matrix_element_call_enabled: false # Default Matrix server name (can be overridden in host_vars if needed) -matrix_server_name: "{{ matrix_base_domain }}" +matrix_server_name: "{{ matrix_domain }}" # Base path configuration matrix_element_call_base_path: "/home/{{ matrix_user_username }}/dockerdata/volumes/elementcall" 
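Review bot: the well-known paths /var/www/.well-known/matrix/client and /var/www/.well-known/element/element.json are absolute paths outside matrix_base_data_path, so update_well_known_client.yml and create_element_json.yml would write files that nothing in the playbook serves; derive them from the static-files path instead (patch 012 does this). The LiveKit URL default `wss://sfu.{{ matrix_base_domain }}:443` also contradicts validate_config.yml's `^https?://` check on that same variable, so the default fails its own validation.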
@@ -28,10 +28,10 @@ redis_port: "6379" # LiveKit configuration (should be set in host_vars or globally) matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}" -matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_base_domain }}:443" +matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" # Well-known paths and domains (derived from matrix_base_domain) -matrix_element_call_domain: "call.{{ matrix_base_domain }}" +matrix_element_call_domain: "call.{{ matrix_domain }}" matrix_element_call_well_known_client_path: "/var/www/.well-known/matrix/client" matrix_element_call_well_known_element_path: "/var/www/.well-known/element/element.json" matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" From 8644a7383e3a1a882f70bf3b33b71307cda2c2ab Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 19:22:21 +1000 Subject: [PATCH 009/148] Removed additional label loop --- roles/custom/matrix-element-call/templates/labels.j2 | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 index 988bfba1ce6..ccfbdbf930d 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/labels.j2 
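Review bot: the `default('unset-livekit-key')` fallback on matrix_element_call_livekit_dev_key (context line) supplies a known placeholder for the secret that LiveKit and the JWT service share for signing tokens, so a deployment that forgets the variable comes up with a guessable key instead of failing; drop the default and let validate_config.yml reject an empty value. The matrix_base_domain to matrix_domain rename is right, but the comment above still reads "derived from matrix_base_domain".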
@@ -4,8 +4,3 @@ traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-rout traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.entrypoints: "{{ matrix_element_call_container_labels_traefik_entrypoints }}" traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.tls.certresolver: "{{ matrix_element_call_container_labels_traefik_tls_certResolver }}" traefik.http.services.{{ matrix_element_call_hostname | replace('.', '_') }}-service.loadbalancer.server.port: "8080" - -# Additional labels (if any) specified by the user -{% for key, value in matrix_element_call_container_extra_arguments.items() %} -{{ key }}: "{{ value }}" -{% endfor %} \ No newline at end of file From 81735503f8985359c7b0cc9e8674e0e6ed7aa36f Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 20:06:27 +1000 Subject: [PATCH 010/148] Added debug task to test labels configuration --- .../matrix-element-call/tasks/install_docker_containers.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml index 38dfbbd700c..dbf1a9433d1 100644 --- a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml +++ b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml @@ -92,6 +92,10 @@ delay: 10 until: redis_image_result is not failed +- name: Debug labels file content + ansible.builtin.debug: + msg: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" + # Ensure Docker Containers are Running - name: Run matrix-element-call Docker container community.docker.docker_container: @@ -155,4 +159,4 @@ name: matrix-element-call enabled: true state: started - daemon_reload: true \ No newline at end of file + daemon_reload: true From 63641014101b947e43207f591ec56a3f56d8acc9 Mon Sep 17 00:00:00 2001 
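Review bot: the new debug task uses `lookup('file', matrix_element_call_base_path ~ '/config/labels')`, and lookups run on the Ansible controller rather than the target host, so this reads a path that does not exist locally and fails the play; if the content is needed, fetch it with ansible.builtin.slurp, and in any case drop temporary debug tasks before merge, since they print the full label set into the run log.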
From: Backslash Date: Wed, 25 Sep 2024 20:20:20 +1000 Subject: [PATCH 011/148] Adding another debug task for testing the labels file. --- .../matrix-element-call/tasks/install_docker_containers.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml index dbf1a9433d1..a9d55ff85fd 100644 --- a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml +++ b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml @@ -92,6 +92,10 @@ delay: 10 until: redis_image_result is not failed +- name: Debug matrix_element_call_base_path + ansible.builtin.debug: + var: matrix_element_call_base_path + - name: Debug labels file content ansible.builtin.debug: msg: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" From 16ed788b3f8a94298bcb688306a08a688cb42e59 Mon Sep 17 00:00:00 2001 From: Backslash Date: Wed, 25 Sep 2024 21:07:22 +1000 Subject: [PATCH 012/148] Update main.yml --- .../matrix-element-call/defaults/main.yml | 41 +++++++++++++------ 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index d6aaf02e0fe..972941d9199 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
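Review bot: the second debug task for matrix_element_call_base_path adds to the same problem as the previous patch; both debug tasks should be removed before this is merged, with the `lookup('file', ...)` replaced by slurp if the rendered label file really needs inspecting.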
@@ -1,14 +1,9 @@ --- -# roles/custom/matrix-element-call/defaults/main.yml - # Enable or disable matrix-element-call deployment matrix_element_call_enabled: false -# Default Matrix server name (can be overridden in host_vars if needed) -matrix_server_name: "{{ matrix_domain }}" - # Base path configuration -matrix_element_call_base_path: "/home/{{ matrix_user_username }}/dockerdata/volumes/elementcall" +matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" 
@@ -19,19 +14,39 @@ matrix_element_call_container_network: "matrix_element_call_network" matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" matrix_livekit_image: "livekit/livekit-server:latest" -redis_image: "redis:6-alpine" +matrix_redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" matrix_jwt_service_port: "8881" -redis_port: "6379" +matrix_redis_port: "6379" -# LiveKit configuration (should be set in host_vars or globally) -matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key | default('unset-livekit-key') }}" +# LiveKit configuration +matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" -# Well-known paths and domains (derived from matrix_base_domain) +# Well-known paths and domains (derived from matrix_domain) matrix_element_call_domain: "call.{{ matrix_domain }}" -matrix_element_call_well_known_client_path: "/var/www/.well-known/matrix/client" -matrix_element_call_well_known_element_path: "/var/www/.well-known/element/element.json" +matrix_element_call_well_known_client_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" +matrix_element_call_well_known_element_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element/element.json" matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" + +# Redis Configuration for Element Call +redis_hostname: "localhost" +redis_port: 6379 +redis_password: "" + +# Traefik Configuration for Element Call +matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}" +matrix_element_call_container_labels_traefik_path_prefix: "/" +matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname 
}}`)" +matrix_element_call_container_labels_traefik_entrypoints: "websecure" +matrix_element_call_container_labels_traefik_tls_certResolver: "default" + +# Additional environment variables for the container +matrix_element_call_environment_variables_additional: {} + +# Enable or disable metrics collection +matrix_element_call_metrics_enabled: false +matrix_element_call_metrics_port: 2112 From 0eef094f2bf8717c1bdbc7ae7e6ba05eb68c15b0 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 06:51:36 +1000 Subject: [PATCH 013/148] Restructure install.yml to follow other roles more closely --- .../matrix-element-call/tasks/install.yml | 119 ++++++++++++++++-- 1 file changed, 108 insertions(+), 11 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 250f8c09377..18b525e4a20 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
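Review bot: all four images are pulled by floating tag (`element-call:latest`, `lk-jwt-service:latest-ci`, `livekit-server:latest`, `redis:6-alpine`), so each run can pull a different build and a CI tag in particular is not a release; follow the playbook's `_version` variable plus composed image string pattern so versions are pinned and upgradable. `matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}"` with no default means a missing variable fails at template time with a generic undefined-variable error before validate_config.yml can print its message; default it to '' and let validation catch it. The unprefixed redis_hostname/redis_port/redis_password block duplicates matrix_redis_port and reintroduces the namespace problem from patch 003, and `redis_password: ""` combined with redis.conf.j2's `bind 0.0.0.0` means a passwordless Redis on all interfaces. labels.j2 also hardcodes loadbalancer port 8080 while matrix_element_call_port is "8093"; clarify which is the container port and reference the variable in the label.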
@@ -1,17 +1,114 @@ --- -# Main install task for matrix-element-call +# Main installation tasks for matrix-element-call -- name: Install Docker containers for Element Call - include_tasks: install_docker_containers.yml +# Ensure Required Directories Exist +- name: Ensure matrix-element-call paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_element_call_base_path }}" + - path: "{{ matrix_element_call_config_path }}" + - path: "{{ matrix_element_call_backend_path }}" -- name: Update .well-known/matrix/client - include_tasks: update_well_known_client.yml +# Ensure Configuration Files are in Place +- name: Ensure matrix-element-call support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_element_call_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - config.json + - env + - labels -- name: Create .well-known/element/element.json - include_tasks: create_element_json.yml +- name: Ensure livekit.yaml is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/livekit.yaml.j2" + dest: "{{ matrix_element_call_backend_path }}/livekit.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" -- name: Update homeserver.yaml for Element Call - include_tasks: update_homeserver_config.yml +- name: Ensure redis.conf is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/redis.conf.j2" + dest: "{{ matrix_element_call_backend_path }}/redis.conf" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" -- name: Update Element-Web config.json for Element Call - include_tasks: update_element_web_config.yml \ No newline at end of file +# Ensure Docker Images are Pulled +- name: Ensure 
matrix-element-call container image is pulled + community.docker.docker_image: + name: "{{ matrix_element_call_image }}" + source: pull + register: element_call_image_result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: element_call_image_result is not failed + +- name: Ensure jwt-service container image is pulled + community.docker.docker_image: + name: "{{ matrix_jwt_service_image }}" + source: pull + register: jwt_image_result + retries: 3 + delay: 10 + until: jwt_image_result is not failed + +- name: Ensure livekit container image is pulled + community.docker.docker_image: + name: "{{ matrix_livekit_image }}" + source: pull + register: livekit_image_result + retries: 3 + delay: 10 + until: livekit_image_result is not failed + +- name: Ensure redis container image is pulled + community.docker.docker_image: + name: "{{ matrix_redis_image }}" + source: pull + register: redis_image_result + retries: 3 + delay: 10 + until: redis_image_result is not failed + +# Ensure Docker Networks are Created +- name: Ensure matrix-element-call container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_element_call_container_network }}" + driver: bridge + driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" + +# Deploy Systemd Services for Containers +- name: Ensure matrix-element-call systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + mode: 0644 + +- name: Ensure jwt-service systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" + mode: 0644 + +- 
name: Ensure livekit systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-livekit.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" + mode: 0644 + +- name: Ensure redis systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" + mode: 0644 From 02479e8becc9e1db7617f789db94387b19492f1d Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 07:59:09 +1000 Subject: [PATCH 014/148] Updated with new structure. --- .../matrix-element-call/tasks/uninstall.yml | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml index f863c25be9b..d9a77415fb5 100644 --- a/roles/custom/matrix-element-call/tasks/uninstall.yml +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml 
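Review bot: the restructure templates three systemd units whose templates do not exist in this series (matrix-jwt-service.service.j2, matrix-livekit.service.j2, matrix-redis.service.j2), so those tasks fail, and by dropping the include of install_docker_containers.yml nothing creates the containers that matrix-element-call.service starts with `docker start -a`. The includes for update_well_known_client.yml, create_element_json.yml, update_homeserver_config.yml and update_element_web_config.yml were removed without replacement, so the homeserver and clients are never pointed at the new service. Retries are inconsistent as well: the first pull uses devture_playbook_help_container_retries_count/delay, the other three hardcode 3 and 10.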
@@ -1,51 +1,51 @@ --- ---- -# roles/custom/matrix-element-call/tasks/uninstall.yml +# Uninstall tasks for matrix-element-call -# Stop and remove Docker containers -- name: Stop and remove matrix-element-call Docker container +- name: Stop and remove matrix-element-call container community.docker.docker_container: name: "matrix-element-call" state: absent - when: matrix_element_call_enabled | bool == false -- name: Stop and remove jwt-service Docker container +- name: Stop and remove jwt-service container community.docker.docker_container: name: "matrix-jwt-service" state: absent - when: matrix_element_call_enabled | bool == false -- name: Stop and remove livekit Docker container +- name: Stop and remove livekit container community.docker.docker_container: name: "matrix-livekit" state: absent - when: matrix_element_call_enabled | bool == false -- name: Stop and remove redis Docker container +- name: Stop and remove redis container community.docker.docker_container: name: "matrix-redis" state: absent - when: matrix_element_call_enabled | bool == false -# Remove matrix-element-call directories -- name: Remove matrix-element-call directories +- name: Remove matrix-element-call systemd service ansible.builtin.file: - path: "{{ item }}" + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" state: absent - loop: - - "{{ matrix_element_call_base_path }}" - when: matrix_element_call_enabled | bool == false -# Disable and remove systemd service for matrix-element-call -- name: Stop and disable matrix-element-call systemd service - ansible.builtin.systemd: - name: matrix-element-call - state: stopped - enabled: false - when: matrix_element_call_enabled | bool == false +- name: Remove jwt-service systemd service + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" + state: absent -- name: Remove matrix-element-call systemd service file +- name: Remove livekit systemd service 
ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" + state: absent + +- name: Remove redis systemd service + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" state: absent - when: matrix_element_call_enabled | bool == false \ No newline at end of file + +- name: Remove matrix-element-call configuration files + ansible.builtin.file: + path: "{{ matrix_element_call_base_path }}" + state: absent + +- name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true From 5efc1892935a3e0cfc323f5b3f950bcd037ab434 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 08:12:06 +1000 Subject: [PATCH 015/148] Updated to support new structure --- roles/custom/matrix-element-call/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml index 5727957ffbd..ad50c2d9660 100644 --- a/roles/custom/matrix-element-call/tasks/main.yml +++ b/roles/custom/matrix-element-call/tasks/main.yml @@ -1,4 +1,5 @@ --- +# Main task file for matrix-element-call - tags: - setup-all From 68cc1f4b2bff23d2c190fb18d6e638eb57c73a4d Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 08:29:16 +1000 Subject: [PATCH 016/148] Simplified the validation step. --- .../tasks/validate_config.yml | 88 +++---------------- 1 file changed, 13 insertions(+), 75 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index e61973fdda1..1feccecb8cd 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml 
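Review bot: the stop/disable task for the systemd unit was removed, so unit files are deleted and daemon-reload runs while the services may still be active; stop and disable matrix-element-call, matrix-jwt-service, matrix-livekit and matrix-redis first, then remove the unit files. Removing `{{ matrix_element_call_base_path }}` unconditionally whenever matrix_element_call_enabled is false also wipes the config and the LiveKit key on any setup-all run with the feature toggled off; the playbook's other roles leave data directories in place and tell the user what to delete.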
@@ -1,79 +1,17 @@ --- -# roles/custom/matrix-element-call/tasks/validate_config.yml +# Validate configuration for matrix-element-call -- name: Ensure required variables for Element Call are defined +- name: Fail if required matrix-element-call settings are not defined ansible.builtin.fail: - msg: "The variable '{{ item }}' is required and must be set." - when: vars[item] is not defined or vars[item] == '' - loop: - - matrix_element_call_enabled - - matrix_element_call_version - - matrix_element_call_hostname - - matrix_element_call_path_prefix - - matrix_element_call_base_path - - matrix_element_call_container_image - - matrix_element_call_container_network - - matrix_element_call_container_labels_traefik_hostname - - matrix_element_call_jwt_service_url - - matrix_element_call_livekit_service_url - - matrix_element_call_livekit_dev_key - -- name: Validate that the Element Call hostname is properly formatted - ansible.builtin.assert: - that: - - matrix_element_call_hostname is match('^([a-zA-Z0-9][-a-zA-Z0-9]*[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$') - fail_msg: "The hostname '{{ matrix_element_call_hostname }}' is not valid. It should be a valid domain or subdomain." - success_msg: "The hostname '{{ matrix_element_call_hostname }}' is valid." - -- name: Validate that the Element Call version is specified correctly - ansible.builtin.assert: - that: - - matrix_element_call_version is string - - matrix_element_call_version != '' - fail_msg: "The Element Call version must be a non-empty string." - success_msg: "The Element Call version is set correctly." - -- name: Ensure LiveKit dev key is set - ansible.builtin.assert: - that: - - matrix_element_call_livekit_dev_key is string - - matrix_element_call_livekit_dev_key != '' - fail_msg: "The LiveKit dev key (matrix_element_call_livekit_dev_key) must be a non-empty string." - success_msg: "The LiveKit dev key is set correctly." 
- -- name: Ensure JWT service URL is valid - ansible.builtin.assert: - that: - - matrix_element_call_jwt_service_url is match('^https?://[a-zA-Z0-9.-]+$') - fail_msg: "The JWT service URL '{{ matrix_element_call_jwt_service_url }}' is not valid." - success_msg: "The JWT service URL is valid." - -- name: Ensure LiveKit service URL is valid - ansible.builtin.assert: - that: - - matrix_element_call_livekit_service_url is match('^https?://[a-zA-Z0-9.-]+$') - fail_msg: "The LiveKit service URL '{{ matrix_element_call_livekit_service_url }}' is not valid." - success_msg: "The LiveKit service URL is valid." - -- name: Ensure matrix-element-call base path is set and exists - ansible.builtin.assert: - that: - - matrix_element_call_base_path is string - - matrix_element_call_base_path != '' - fail_msg: "The base path for Element Call (matrix_element_call_base_path) must be a non-empty string." - success_msg: "The base path for Element Call is set correctly." - -- name: Ensure required paths for configurations are accessible - ansible.builtin.file: - path: "{{ item }}" - state: directory + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - "{{ matrix_element_call_base_path }}/config" - - "{{ matrix_element_call_base_path }}/backend" - register: config_paths_check - -- name: Fail if any required paths for configurations are not accessible - ansible.builtin.fail: - msg: "The required configuration path '{{ item.path }}' does not exist or is not accessible." 
- when: config_paths_check.results is defined and config_paths_check.results | selectattr('failed', 'eq', True) | list | length > 0 - loop: "{{ config_paths_check.results | selectattr('failed', 'eq', True) | list }}" + - {'name': 'matrix_element_call_base_path', when: true} + - {'name': 'matrix_element_call_container_network', when: true} + - {'name': 'matrix_element_call_image', when: true} + - {'name': 'matrix_jwt_service_image', when: true} + - {'name': 'matrix_livekit_image', when: true} + - {'name': 'matrix_redis_image', when: true} + - {'name': 'matrix_element_call_livekit_dev_key', when: true} + - {'name': 'matrix_element_call_livekit_service_url', when: true} From 37fd2e701d7e7c30f58602b589325f0c7c766b6f Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 09:15:07 +1000 Subject: [PATCH 017/148] Update env.j2 to support the new configuration --- roles/custom/matrix-element-call/templates/env.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 index db25ed81b0c..71e9a06934f 100644 --- a/roles/custom/matrix-element-call/templates/env.j2 +++ b/roles/custom/matrix-element-call/templates/env.j2 @@ -1,9 +1,10 @@ # Environment variables for Element Call ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} LIVEKIT_SERVICE_URL={{ matrix_element_call_livekit_service_url }} +LIVEKIT_SECRET={{ matrix_element_call_livekit_dev_key }} JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} # Optional additional environment variables provided by the user {% for key, value in matrix_element_call_environment_variables_additional.items() %} {{ key }}={{ value }} -{% endfor %} \ No newline at end of file +{% endfor %} From becdb0810c6522ede3d3bf17a6ef3099a95cb99d Mon Sep 17 00:00:00 2001 
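Review bot: `vars[item.name] == ''` raises an undefined-variable error instead of the friendly fail message when a listed variable is missing entirely; guard it (e.g. `vars[item.name] is not defined or vars[item.name] == ''`) or keep every listed name in defaults. The only check on matrix_element_call_livekit_dev_key is non-emptiness, yet it is the secret LiveKit and the JWT service share for signing tokens, so also reject short values. In patch 017, LIVEKIT_SECRET lands in the generic Element Call env file; only the token-issuing JWT service needs that secret, so make sure this file is not mounted into the web frontend container, and JWT_SERVICE_URL still references the undefined matrix_element_call_jwt_service_url.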
From: Backslash Date: Thu, 26 Sep 2024 09:18:55 +1000 Subject: [PATCH 018/148] Update config.json.j2 --- roles/custom/matrix-element-call/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 index 1ce2f57c5e0..7c75144e343 100644 --- a/roles/custom/matrix-element-call/templates/config.json.j2 +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -8,4 +8,4 @@ "livekit": { "livekit_service_url": "{{ matrix_element_call_livekit_service_url }}" } -} \ No newline at end of file +} From f306a47b830e262d22f426d75f91a544f4719b41 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 09:22:29 +1000 Subject: [PATCH 019/148] Update livekit.yaml.j2 --- roles/custom/matrix-element-call/templates/livekit.yaml.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 b/roles/custom/matrix-element-call/templates/livekit.yaml.j2 index a53c0896a11..384cf372239 100644 --- a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-element-call/templates/livekit.yaml.j2 @@ -18,4 +18,3 @@ turn: keys: devkey: "{{ matrix_element_call_livekit_dev_key }}" -logging: \ No newline at end of file From dfeca192abe6b319985e6bfccde8d3841d59a003 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 09:23:26 +1000 Subject: [PATCH 020/148] Update redis.conf.j2 --- roles/custom/matrix-element-call/templates/redis.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/redis.conf.j2 b/roles/custom/matrix-element-call/templates/redis.conf.j2 index da19af05a49..9935720964a 100644 --- a/roles/custom/matrix-element-call/templates/redis.conf.j2 +++ b/roles/custom/matrix-element-call/templates/redis.conf.j2 
@@ -1,5 +1,5 @@ bind 0.0.0.0 protected-mode yes -port 6379 +port {{ matrix_element_call_redis_port }} timeout 0 -tcp-keepalive 300 \ No newline at end of file +tcp-keepalive 300 From 954d46cfd7bb8b3a960fd4f147be1597ccc401a0 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 09:25:49 +1000 Subject: [PATCH 021/148] Update labels.j2 --- .../matrix-element-call/templates/labels.j2 | 52 ++++++++++++++++--- 1 file changed, 46 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 index ccfbdbf930d..7e2ea810d60 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/labels.j2 
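Review bot: In the redis.conf.j2 hunk, `bind 0.0.0.0` combined with no `requirepass` means `protected-mode yes` gives no protection at all: Redis enforces protected mode only when no explicit `bind` is configured and no password is set, so every container that can reach the Element Call network gets unauthenticated access to this instance. Add `requirepass` with a generated secret (and the matching password wherever LiveKit is pointed at Redis), or state in a comment that the bind is deliberately open because the network is private to this stack. Templating `port {{ matrix_element_call_redis_port }}` is fine, but whatever client config points LiveKit at Redis must use the same variable.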
@@ -1,6 +1,46 @@ -# Docker labels for Traefik or other routing -traefik.enable: "true" -traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.rule: "Host(`{{ matrix_element_call_hostname }}`)" -traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.entrypoints: "{{ matrix_element_call_container_labels_traefik_entrypoints }}" -traefik.http.routers.{{ matrix_element_call_hostname | replace('.', '_') }}-router.tls.certresolver: "{{ matrix_element_call_container_labels_traefik_tls_certResolver }}" -traefik.http.services.{{ matrix_element_call_hostname | replace('.', '_') }}-service.loadbalancer.server.port: "8080" +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-element-call.loadbalancer.server.port=8080 + +{% set middlewares = [] %} + +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %} +{% endif %} + +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} +{% endif %} + +{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} 
+traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} +{% if matrix_element_call_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-element-call.service=matrix-element-call +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} +{% if matrix_element_call_container_labels_traefik_tls %} +traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_element_call_container_extra_arguments }} From 45c8a61f043bce8548da17831438527dba9a5b09 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 11:39:33 +1000 Subject: [PATCH 022/148] Migrating to systemd for container management --- .../systemd/matrix-element-call.service.j2 | 35 +++++++++++++++---- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 8caad624fac..ff08ff9fdbe 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
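Review bot: The last line of the rewritten labels.j2, `{{ matrix_element_call_container_extra_arguments }}`, does not belong in a `--label-file`: that file is parsed as `key=value` lines, so any non-empty value (extra `docker create` arguments) either becomes a bogus label or breaks container creation. Append extra arguments to the `docker create` command in the systemd unit and remove the line here. Minor: the two `{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %}` blocks test the same condition and can be merged.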
@@ -5,13 +5,34 @@ Requires=docker.service [Service] Type=simple -ExecStart=/usr/bin/docker start -a matrix-element-call -ExecStop=/usr/bin/docker stop matrix-element-call +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-element-call \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_element_call_container_network }} \ + -p {{ matrix_element_call_port }}:8080 \ + --env-file={{ matrix_element_call_base_path }}/config/env \ + --label-file={{ matrix_element_call_base_path }}/config/labels \ + {{ matrix_element_call_image }} \ + serve + +{% for network in matrix_element_call_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-element-call +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' Restart=always -User={{ matrix_user_username }} -Group={{ matrix_user_groupname }} -TimeoutStartSec=0 -RestartSec=10 +RestartSec=30 
+SyslogIdentifier=matrix-element-call [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target From bc9658c06b38f2a647154eb29720ddca33afe645 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 13:40:38 +1000 Subject: [PATCH 023/148] Create matrix-livekit.service.j2 --- .../systemd/matrix-livekit.service.j2 | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 new file mode 100644 index 00000000000..0b28522a5ab --- /dev/null +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 
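Review bot: In the matrix-element-call.service.j2 hunk, `-p {{ matrix_element_call_port }}:8080` publishes the container port on every host interface while the Traefik labels already route it, so the plain-HTTP port is reachable around the TLS-terminating proxy; drop the `-p` when Traefik is enabled, or bind it as `127.0.0.1:{{ matrix_element_call_port }}:8080`. Also, `--env-file={{ matrix_element_call_base_path }}/config/env` hands this frontend container the whole env file, which after the env.j2 change includes `LIVEKIT_SECRET`; the Element Call web container needs only the service URLs, so give it its own env file and keep the secret with the JWT service. Running as `{{ matrix_user_uid }}:{{ matrix_user_gid }}` with `--cap-drop=ALL` and `--log-driver=none` matches the playbook's other units and is good to see.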
@@ -0,0 +1,32 @@ +[Unit] +Description=Matrix LiveKit Service +After=docker.service +Requires=docker.service + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-livekit \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network=host \ + --mount type=bind,src={{ matrix_element_call_backend_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ + {{ matrix_livekit_image }} \ + --dev --config /etc/livekit.yaml + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-livekit + +[Install] +WantedBy=multi-user.target From e910d09ff142d6e931e4d4d238f14b2ad08817a3 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 14:52:30 +1000 Subject: [PATCH 024/148] Create matrix-redis.service.j2 --- .../templates/systemd/matrix-redis.service.j2 | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 
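Review bot: In matrix-livekit.service.j2, `--dev` is livekit-server's development-mode flag and should not be baked into a production unit; make it conditional on a variable that defaults to false, or remove it. Two interactions with the rest of the series also need checking: with `--network=host` this container cannot reach `matrix-redis` by container name, since that container is attached only to `{{ matrix_element_call_container_network }}` and publishes no port; and with a non-root `--user` plus `--cap-drop=ALL` the process cannot bind privileged ports, so the `turn:` section of livekit.yaml must not use 443 for TLS TURN unless `CAP_NET_BIND_SERVICE` is added back. The mount uses `matrix_element_call_backend_path` while install.yml writes the file to `{{ matrix_element_call_base_path }}/backend`; they agree only because defaults/main.yml defines one in terms of the other, so pick one spelling.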
diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 new file mode 100644 index 00000000000..17adad1b4f7 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 @@ -0,0 +1,32 @@ +[Unit] +Description=Matrix Redis Service +After=docker.service +Requires=docker.service + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-redis 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-redis 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-redis \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_element_call_container_network }} \ + --mount type=bind,src={{ matrix_element_call_backend_path }}/redis.conf,dst=/etc/redis.conf,ro \ + {{ matrix_redis_image }} \ + redis-server /etc/redis.conf + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-redis + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-redis 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-redis 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-redis + +[Install] +WantedBy=multi-user.target 
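Review bot: In matrix-redis.service.j2, nothing orders the consumers after this unit: the LiveKit unit declares only `After=docker.service`/`Requires=docker.service`, so on boot it can start before Redis is listening; add `After=matrix-redis.service` and `Wants=matrix-redis.service` to the LiveKit unit, or document that it reconnects on its own. The `--rm` container with no data mount is acceptable for a cache but means no persistence across restarts, which deserves a comment in the unit. `--user`, `--cap-drop=ALL` and the read-only config mount are consistent with the other units.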
From f16ca24408e622650e257e9a99f485278f6a5b23 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 15:17:15 +1000 Subject: [PATCH 025/148] Update install.yml --- .../matrix-element-call/tasks/install.yml | 133 ++++++++++++++---- 1 file changed, 105 insertions(+), 28 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 18b525e4a20..c0e16456ba6 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -1,5 +1,5 @@ --- -# Main installation tasks for matrix-element-call +# roles/custom/matrix-element-call/tasks/install.yml # Ensure Required Directories Exist - name: Ensure matrix-element-call paths exist 
@@ -9,51 +9,65 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - with_items: + loop: - path: "{{ matrix_element_call_base_path }}" - - path: "{{ matrix_element_call_config_path }}" - - path: "{{ matrix_element_call_backend_path }}" + - path: "{{ matrix_element_call_base_path }}/data" + - path: "{{ matrix_element_call_base_path }}/config" + - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config # Ensure Configuration Files are in Place -- name: Ensure matrix-element-call support files installed +- name: Ensure Element Call config.json is in place ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_element_call_base_path }}/{{ item }}" + src: "{{ role_path }}/templates/config.json.j2" + dest: "{{ matrix_element_call_base_path }}/config/config.json" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - with_items: - - config.json - - env - - labels -- name: Ensure livekit.yaml is installed +- name: Ensure LiveKit livekit.yaml is in place ansible.builtin.template: src: "{{ role_path }}/templates/livekit.yaml.j2" - dest: "{{ matrix_element_call_backend_path }}/livekit.yaml" + dest: "{{ matrix_element_call_base_path }}/backend/livekit.yaml" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure redis.conf is installed +- name: Ensure Redis redis.conf is in place ansible.builtin.template: src: "{{ role_path }}/templates/redis.conf.j2" - dest: "{{ matrix_element_call_backend_path }}/redis.conf" + dest: "{{ matrix_element_call_base_path }}/backend/redis.conf" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call environment file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_element_call_base_path }}/config/env" + mode: 0640 + owner: "{{ matrix_user_username }}" + 
group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-element-call Docker labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_element_call_base_path }}/config/labels" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" # Ensure Docker Images are Pulled -- name: Ensure matrix-element-call container image is pulled +- name: Ensure matrix-element-call Docker image is pulled community.docker.docker_image: - name: "{{ matrix_element_call_image }}" + name: "{{ matrix_element_call_container_image }}" source: pull + force_source: "{{ matrix_element_call_container_image_force_pull }}" register: element_call_image_result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" until: element_call_image_result is not failed -- name: Ensure jwt-service container image is pulled +- name: Ensure jwt-service Docker image is pulled community.docker.docker_image: name: "{{ matrix_jwt_service_image }}" source: pull @@ -62,7 +76,7 @@ delay: 10 until: jwt_image_result is not failed -- name: Ensure livekit container image is pulled +- name: Ensure livekit Docker image is pulled community.docker.docker_image: name: "{{ matrix_livekit_image }}" source: pull @@ -71,7 +85,7 @@ delay: 10 until: livekit_image_result is not failed -- name: Ensure redis container image is pulled +- name: Ensure redis Docker image is pulled community.docker.docker_image: name: "{{ matrix_redis_image }}" source: pull 
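Review bot: In the install.yml hunk that pulls images, `name: "{{ matrix_element_call_container_image }}"` and `force_source: "{{ matrix_element_call_container_image_force_pull }}"` reference variables that nothing in the series defines: defaults/main.yml, validate_config.yml and the systemd unit all use `matrix_element_call_image`, so this task fails with an undefined variable at runtime. Either rename the default (and the `docker create` reference in the unit) to the `_container_image` form, or keep `matrix_element_call_image` here. The other three pulls keep a hard-coded `delay: 10` while the first uses `devture_playbook_help_container_retries_*`; make them consistent. Also, `{{ matrix_element_call_base_path }}/backend` and `/config` in the directory loop duplicate the existing `matrix_element_call_backend_path`/`matrix_element_call_config_path` defaults rather than reusing them.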
@@ -80,15 +94,8 @@ delay: 10 until: redis_image_result is not failed -# Ensure Docker Networks are Created -- name: Ensure matrix-element-call container network is created - community.general.docker_network: - enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" - name: "{{ matrix_element_call_container_network }}" - driver: bridge - driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" +# Systemd Services for Element Call, JWT Service, LiveKit, and Redis -# Deploy Systemd Services for Containers - name: Ensure matrix-element-call systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2" 
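Review bot: This hunk deletes the task that creates `{{ matrix_element_call_container_network }}`, but every systemd unit in the series still passes it to `docker create --network=...`, so on a fresh host container creation fails unless the variable happens to name a network created elsewhere (group_vars points it at the homeserver network, but the role default is its own `matrix_element_call_network`). Keep the network task, or change the role default so the variable always names an existing network.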
@@ -112,3 +119,73 @@ src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" mode: 0644 + +# Update homeserver.yaml for Element Call +- name: Add listeners section for Element Call to homeserver.yaml + ansible.builtin.blockinfile: + path: "{{ matrix_homeserver_config_path }}" + block: | + listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + resources: + - names: [client, federation, openid] + compress: false + marker: "# ANSIBLE MANAGED BLOCK - Element Call listeners" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_element_call_enabled | bool + +- name: Ensure serve_server_wellknown is enabled in homeserver.yaml + ansible.builtin.lineinfile: + path: "{{ matrix_homeserver_config_path }}" + line: "serve_server_wellknown: true" + insertafter: EOF + state: present + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_element_call_enabled | bool + +# Update the .well-known/matrix/client file +- name: Update the well-known client file + ansible.builtin.template: + src: "{{ role_path }}/templates/well_known_client.json.j2" + dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# Create .well-known/element/element.json for Element Call +- name: Create the well-known element.json file + ansible.builtin.template: + src: "{{ role_path }}/templates/well_known_element.json.j2" + dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/element/element.json" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# Update Element Web config.json with Element Call settings +- name: Update Element Web config.json + ansible.builtin.blockinfile: + path: "{{ element_web_config_path }}" + block: | + 
"features": { + "feature_video_rooms": true, + "feature_new_room_decoration_ui": true, + "feature_group_calls": true, + "feature_element_call_video_rooms": true + }, + "element_call": { + "url": "https://{{ matrix_element_call_domain }}", + "participant_limit": 8, + "brand": "Element Call", + "use_exclusively": true + } + marker: "# ANSIBLE MANAGED BLOCK - Element Call settings" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" From a533ec4204343de6469b80d0bd5ebba4b412ffdb Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 15:38:12 +1000 Subject: [PATCH 026/148] Update matrix_servers --- group_vars/matrix_servers | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c36c348e03f..ff107af21b4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5890,6 +5890,7 @@ matrix_element_call_container_network: "{{ matrix_homeserver_container_network } # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" @@ -5922,4 +5923,4 @@ matrix_element_call_metrics_port: 2112 # # # /matrix-element-call # # # -######################################################################## \ No newline at end of file +######################################################################## From e31e688a416ffad0d9c9aa4f9d8187ef3faf2755 Mon Sep 17 00:00:00 2001 
From: Backslash Date: Thu, 26 Sep 2024 15:42:05 +1000 Subject: [PATCH 027/148] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 972941d9199..de507b70404 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -9,6 +9,7 @@ matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" # Docker network configuration matrix_element_call_container_network: "matrix_element_call_network" +matrix_element_call_container_labels_traefik_additional_response_headers: {} # Docker images matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" From f7621283fdb4690e65709f9f649d01419b06c373 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 16:31:23 +1000 Subject: [PATCH 028/148] Update labels.j2 --- .../matrix-element-call/templates/labels.j2 | 39 ++++++++----------- 1 file changed, 16 insertions(+), 23 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 index 7e2ea810d60..a31c6ea6b47 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/labels.j2 
@@ -5,42 +5,35 @@ traefik.enable=true traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-element-call.loadbalancer.server.port=8080 +# Define the Traefik router rule +traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.element-call-service.loadbalancer.server.port=8080 {% set middlewares = [] %} +# Define any path prefix redirection or stripping middleware {% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %} -{% endif %} +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} -{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} +traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['element-call-strip-prefix'] %} {% 
endif %} +# Apply any additional response headers if provided {% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +{% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} -{% if matrix_element_call_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} -{% endif %} -traefik.http.routers.matrix-element-call.service=matrix-element-call +# Add middlewares to the router {% if middlewares | length > 0 %} -traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} -{% endif %} -traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} -{% if matrix_element_call_container_labels_traefik_tls %} -traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} {% endif %} - -{{ matrix_element_call_container_extra_arguments }} From bc2ed6076260e2720ec230b49d245f4f0173c1dc Mon Sep 17 00:00:00 2001 
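Review bot: This labels.j2 rewrite emits `traefik.http.routers.element-call-router.tls.certresolver=...` unconditionally, dropping the `matrix_element_call_container_labels_traefik_tls` toggle the previous version honoured, so a deployment that terminates TLS elsewhere now gets a router demanding a certificate resolver; keep the `{% if matrix_element_call_container_labels_traefik_tls %}` guard. It also drops the explicit `routers...service=` binding and the `priority` label; with one service per container Traefik can infer the service, but say so in a comment, since the variables the old template read still exist. The renamed `element-call-router`/`element-call-service` lose the `matrix-` prefix every other role uses; keep the prefix for consistency and to avoid colliding with an unrelated container's labels.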
From: Backslash Date: Thu, 26 Sep 2024 17:23:03 +1000 Subject: [PATCH 029/148] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index de507b70404..1fa2c57d9ad 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -10,6 +10,7 @@ matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" # Docker network configuration matrix_element_call_container_network: "matrix_element_call_network" matrix_element_call_container_labels_traefik_additional_response_headers: {} +matrix_element_call_container_additional_networks: [] # No additional networks by default # Docker images matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" From ac1295ac455ce82731c6a8ea9c42db0d2c48eeb3 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 18:33:22 +1000 Subject: [PATCH 030/148] Create matrix-jwt-service.service.j2 --- .../systemd/matrix-jwt-service.service.j2 | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 new file mode 100644 index 00000000000..1df21478d78 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 
@@ -0,0 +1,38 @@ +[Unit] +Description=Matrix JWT Service +After=docker.service +Requires=docker.service + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-jwt-service \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_element_call_container_network }} \ + -p {{ matrix_jwt_service_port }}:8080 \ + --env-file={{ matrix_element_call_base_path }}/config/env \ + --label-file={{ matrix_element_call_base_path }}/config/labels \ + {{ matrix_jwt_service_image }} \ + serve + +{% for network in matrix_element_call_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-jwt-service + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jwt-service + +[Install] +WantedBy=multi-user.target From f38d6a0d88067cb64c9a266ab7963fbe57b16482 Mon Sep 17 00:00:00 2001 
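Review bot: In matrix-jwt-service.service.j2 the container reuses `{{ matrix_element_call_base_path }}/config/labels`, the same file the matrix-element-call container loads, so Traefik sees two containers declaring the identical router and service names with the Element Call host rule; at best the JWT service is load-balanced into the web frontend's traffic, at worst the router is rejected. Give the JWT service its own labels file (own router name, own host or path rule) and its own env file rather than the shared `config/env`. `serve` is passed as the command for both this image and the element-call image; confirm that `matrix_jwt_service_image` actually accepts that argument. Same remark as for the element-call unit on `-p {{ matrix_jwt_service_port }}:8080` exposing the service on all host interfaces alongside Traefik.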
From: Backslash Date: Thu, 26 Sep 2024 18:39:03 +1000 Subject: [PATCH 031/148] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 1fa2c57d9ad..33525303df2 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -6,6 +6,7 @@ matrix_element_call_enabled: false matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" +matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" # Docker network configuration matrix_element_call_container_network: "matrix_element_call_network" From 9cb236da30795dd3071e4a7ee1e531d830fb99b7 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 18:50:48 +1000 Subject: [PATCH 032/148] Update install.yml --- .../matrix-element-call/tasks/install.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index c0e16456ba6..ccf2d4121d8 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
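Review bot: `matrix_homeserver_config_path` in defaults/main.yml hard-codes the Synapse path (`.../synapse/config/homeserver.yaml`) under a name that suggests it is homeserver-agnostic, and it is declared in this role's defaults without the `matrix_element_call_` prefix, so it can silently shadow or collide with a same-named variable elsewhere in the playbook. Prefix it (`matrix_element_call_homeserver_config_path`) and derive it from the selected homeserver implementation, or drop it once the homeserver edits move to the homeserver role's own variables.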
@@ -150,11 +150,18 @@ group: "{{ matrix_user_groupname }}" when: matrix_element_call_enabled | bool -# Update the .well-known/matrix/client file -- name: Update the well-known client file - ansible.builtin.template: - src: "{{ role_path }}/templates/well_known_client.json.j2" - dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" +# Update the well-known client file for Element Call (adding RTC FOCI) +- name: Update the existing well-known client file for Element Call (RTC FOCI) + ansible.builtin.blockinfile: + path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" + block: | + "org.matrix.msc4143.rtc_foci": [ + { + "type": "livekit", + "livekit_service_url": "{{ matrix_element_call_jwt_service_url }}" + } + ] + marker: "# ANSIBLE MANAGED BLOCK - Element Call RTC FOCI" mode: '0644' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" From f2acc7430dc6865ec6ac847339a8c6c8b69962b8 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 18:53:49 +1000 Subject: [PATCH 033/148] Create well_known_element.json.j2 --- .../matrix-element-call/templates/well_known_element.json.j2 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/well_known_element.json.j2 diff --git a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 new file mode 100644 index 00000000000..eae63cf8349 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 @@ -0,0 +1,5 @@ +{ + "call": { + "widget_url": "https://{{ matrix_element_call_domain }}" + } +} From ba54e549c47927951490088b1ef962a36a063306 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:08:09 +1000 Subject: [PATCH 034/148] Added well-known element directory --- roles/custom/matrix-element-call/tasks/install.yml | 1 + 1 file changed, 1 insertion(+) 
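Review bot: `ansible.builtin.blockinfile` with `marker: "# ANSIBLE MANAGED BLOCK - Element Call RTC FOCI"` corrupts `.well-known/matrix/client`: JSON has no comment syntax, and the block is appended after the document's closing brace, so clients will fail to parse the file and lose homeserver discovery along with the new `org.matrix.msc4143.rtc_foci` entry. Merge the key into the well-known document at render time (a variable consumed by the playbook's well-known template) instead of text-inserting into the generated file; the replaced approach of overwriting the whole file from a role-local template had the opposite problem of dropping every existing key.

Review bot: patch 033 adds well_known_element.json.j2 but none of the tasks in this series renders it to `.well-known/element/element.json` (patch 034 only creates the directory); add the `ansible.builtin.template` task. Consider setting `widget_url` from `matrix_element_call_base_url`, which the defaults already define, so the scheme and any path prefix stay consistent with the Traefik rule.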
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index ccf2d4121d8..93fbeba9513 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -14,6 +14,7 @@ - path: "{{ matrix_element_call_base_path }}/data" - path: "{{ matrix_element_call_base_path }}/config" - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config + - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element" # Directory for element.json # Ensure Configuration Files are in Place - name: Ensure Element Call config.json is in place From 3f6c327da288c00e1cfc24d27fa15d142d26e74a Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:18:47 +1000 Subject: [PATCH 035/148] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 33525303df2..5de1b8f9422 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -7,6 +7,7 @@ matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" +element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" # Docker network configuration matrix_element_call_container_network: "matrix_element_call_network" From 85be68946cbac0a21302a1746b3a61d6ab3a6953 Mon Sep 17 00:00:00 2001 
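Review bot: `element_web_config_path` is misnamed and unprefixed: it points at `.well-known/matrix/client`, not at Element Web's config.json, and a bare `element_web_` name will collide with other roles' variables. Name it for what it holds (e.g. `matrix_element_call_well_known_client_path`) and reuse it in the install.yml task that writes the same path, rather than spelling the path out twice.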
From: Backslash Date: Thu, 26 Sep 2024 19:30:15 +1000 Subject: [PATCH 036/148] Migrated from matrix_redis to redis_ --- roles/custom/matrix-element-call/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 5de1b8f9422..35c3d90ed99 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -18,12 +18,12 @@ matrix_element_call_container_additional_networks: [] # No additional networks matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" matrix_livekit_image: "livekit/livekit-server:latest" -matrix_redis_image: "redis:6-alpine" +redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" matrix_jwt_service_port: "8881" -matrix_redis_port: "6379" +redis_port: "6379" # LiveKit configuration matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars @@ -37,7 +37,7 @@ matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" # Redis Configuration for Element Call redis_hostname: "localhost" -redis_port: 6379 +#redis_port: 6379 redis_password: "" # Traefik Configuration for Element Call From 6ef304b118e9d1bd58943ac2f8c34f2ed342357c Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:43:22 +1000 Subject: [PATCH 037/148] Update validate_config.yml --- roles/custom/matrix-element-call/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 1feccecb8cd..c0e0ef94067 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml 
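Review bot: renaming `matrix_redis_image`/`matrix_redis_port` to `redis_image`/`redis_port` drops the role prefix, so this role's defaults now shadow, or are shadowed by, any other role using the `redis_` namespace; keep `matrix_element_call_redis_*` names. The surrounding defaults are also unsafe as shipped: `redis_hostname: "localhost"` cannot reach matrix-redis from matrix-livekit, because LiveKit runs with `--network=host` (patch 047) while the Redis container is attached only to `matrix_element_call_container_network` without a published port (patch 039), and `redis_password: ""` leaves Redis unauthenticated for anything on that network. Point LiveKit at a published loopback port or the container name, and generate a password that is rendered into redis.conf and livekit.yaml.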
@@ -12,6 +12,6 @@ - {'name': 'matrix_element_call_image', when: true} - {'name': 'matrix_jwt_service_image', when: true} - {'name': 'matrix_livekit_image', when: true} - - {'name': 'matrix_redis_image', when: true} + - {'name': 'redis_image', when: true} - {'name': 'matrix_element_call_livekit_dev_key', when: true} - {'name': 'matrix_element_call_livekit_service_url', when: true} From 656d4275bcab2a638f18a1442ce4b6dad9e79af4 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:48:06 +1000 Subject: [PATCH 038/148] Update install.yml --- roles/custom/matrix-element-call/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 93fbeba9513..5e3c716d395 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -88,7 +88,7 @@ - name: Ensure redis Docker image is pulled community.docker.docker_image: - name: "{{ matrix_redis_image }}" + name: "{{ redis_image }}" source: pull register: redis_image_result retries: 3 From e34e5da9a4d27d3d656dd48fe3409f7d2b769300 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 19:57:39 +1000 Subject: [PATCH 039/148] Update matrix-redis.service.j2 --- .../templates/systemd/matrix-redis.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 index 17adad1b4f7..5cccced1664 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 
@@ -17,7 +17,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --network={{ matrix_element_call_container_network }} \ --mount type=bind,src={{ matrix_element_call_backend_path }}/redis.conf,dst=/etc/redis.conf,ro \ - {{ matrix_redis_image }} \ + {{ redis_image }} \ redis-server /etc/redis.conf ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-redis From 5cc9c70ba6fc95a575b380fa55ab9f058fd59766 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 20:57:47 +1000 Subject: [PATCH 040/148] Remove serve command from matrix-element-call.service.j2 --- .../templates/systemd/matrix-element-call.service.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index ff08ff9fdbe..21ddd54f3b6 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -19,8 +19,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ -p {{ matrix_element_call_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ --label-file={{ matrix_element_call_base_path }}/config/labels \ - {{ matrix_element_call_image }} \ - serve + {{ matrix_element_call_image }} {% for network in matrix_element_call_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-element-call From f0632b20ebed7611373b690fe8483960b2d36230 Mon Sep 17 00:00:00 2001 From: Backslash Date: Thu, 26 Sep 2024 21:24:43 +1000 Subject: [PATCH 041/148] Added missing labels for sfu and jwt --- .../matrix-element-call/templates/labels.j2 | 33 ++++++++++++++++--- 1 file changed, 29 insertions(+), 4 deletions(-) 
diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 index a31c6ea6b47..a13a75ef0ab 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/labels.j2 @@ -5,7 +5,7 @@ traefik.enable=true traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -# Define the Traefik router rule +# Element Call Labels traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} @@ -13,7 +13,7 @@ traefik.http.services.element-call-service.loadbalancer.server.port=8080 {% set middlewares = [] %} -# Define any path prefix redirection or stripping middleware +# Path prefix handling for Element Call {% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ @@ -23,7 +23,7 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% set middlewares = middlewares + ['element-call-strip-prefix'] %} {% endif %} -# Apply any additional response headers if provided +# Additional response headers for Element Call {% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} 
@@ -31,9 +31,34 @@ traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders. {% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -# Add middlewares to the router +# Add middlewares to the Element Call router {% if middlewares | length > 0 %} traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} +# LiveKit Labels +traefik.http.routers.sfu-router.rule=Host(`{{ matrix_element_call_livekit_service_url | regex_replace('^https?://', '') }}`) +traefik.http.routers.sfu-router.entrypoints=websecure +traefik.http.routers.sfu-router.tls.certresolver=default +traefik.http.services.sfu-service.loadbalancer.server.port=7880 +traefik.http.middlewares.sfu-headers.headers.customFrameOptionsValue=SAMEORIGIN +traefik.http.middlewares.sfu-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff +traefik.http.middlewares.sfu-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload +traefik.http.routers.sfu-router.middlewares=sfu-headers + +# JWT Labels +traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_service_url | regex_replace('^https?://', '') }}`) +traefik.http.routers.jwt-router.entrypoints=websecure +traefik.http.routers.jwt-router.tls.certresolver=default +traefik.http.services.jwt-service.loadbalancer.server.port=8881 +traefik.http.middlewares.jwt-headers.headers.customFrameOptionsValue=SAMEORIGIN +traefik.http.middlewares.jwt-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff +traefik.http.middlewares.jwt-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload +traefik.http.routers.jwt-router.middlewares=jwt-headers + {% endif %} + +# Additional labels (if any) specified by the user +{% for key, value in matrix_element_call_container_extra_arguments.items() %} +{{ key }}={{ value }} +{% endfor %} 
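Review bot: adding the LiveKit and JWT routers to the labels file that both matrix-element-call and matrix-jwt-service load means each container registers all three routers and services, and Traefik merges same-named services from different containers into one load balancer, so `element-call-service` would round-robin between the Element Call and JWT containers. Split the labels per container (patches 042-046 do this), and replace the hardcoded `entrypoints=websecure` and `tls.certresolver=default` with the `matrix_element_call_container_labels_traefik_entrypoints` / `_tls_certResolver` variables used a few lines above. Also drop `Strict-Transport-Security=max-age=31536000; includeSubDomains; preload` from the defaults: `preload` is a one-way commitment to browser preload lists covering every subdomain of these hosts, which a user should opt into through the additional-response-headers variable rather than receive unasked.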
From 6a519bb05332940f6b19c70345a1d3eb8671731f Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:08:42 +1000 Subject: [PATCH 042/148] Created element-call-labels to separate the labels for each container --- .../templates/element-call-labels.j2 | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/element-call-labels.j2 diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 new file mode 100644 index 00000000000..a31c6ea6b47 --- /dev/null +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
@@ -0,0 +1,39 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +# Define the Traefik router rule +traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.element-call-service.loadbalancer.server.port=8080 + +{% set middlewares = [] %} + +# Define any path prefix redirection or stripping middleware +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} + +traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['element-call-strip-prefix'] %} +{% endif %} + +# Apply any additional response headers if provided +{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['element-call-add-headers'] %} +{% endif %} + +# Add middlewares to the router +{% if middlewares | length > 0 %} 
+traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} +{% endif %} + +{% endif %} From 2cf471075db355f6df66ffb188424425be1c8981 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:09:32 +1000 Subject: [PATCH 043/148] Created livekit-labels.j2 --- .../matrix-element-call/templates/livekit-labels.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/livekit-labels.j2 diff --git a/roles/custom/matrix-element-call/templates/livekit-labels.j2 b/roles/custom/matrix-element-call/templates/livekit-labels.j2 new file mode 100644 index 00000000000..df680b2a72d --- /dev/null +++ b/roles/custom/matrix-element-call/templates/livekit-labels.j2 @@ -0,0 +1,13 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +# Define the Traefik router rule for LiveKit +traefik.http.routers.livekit-router.rule=Host(`{{ matrix_element_call_sfu_hostname }}`) +traefik.http.routers.livekit-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.livekit-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.livekit-service.loadbalancer.server.port=7880 +{% endif %} From 1d7a60055c2114c35ab64e18157a79f86fbcf33b Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:10:06 +1000 Subject: [PATCH 044/148] Create jwt-service-labels.j2 --- .../templates/jwt-service-labels.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/custom/matrix-element-call/templates/jwt-service-labels.j2 
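Review bot: patch 042 creates element-call-labels.j2 as a byte-identical copy of the original labels.j2 (blob `a31c6ea6b47`), i.e. without the response-headers changes from patch 041; patch 050 then renames it to `element-call-labels.j2-new` and patch 051 renames labels.j2 over the original name, which leaves the `.j2-new` file as dead content in the repository. Delete it instead of renaming.

Review bot: `Host(`{{ matrix_element_call_sfu_hostname }}`)` in livekit-labels.j2 references a variable that none of the defaults or group_vars in this series define; validate_config.yml only checks `matrix_element_call_livekit_service_url`, so the template will fail at render time. Either define and validate the hostname or derive it from the URL as the removed labels did. Note as well that matrix-livekit runs with `--network=host` (patch 047), so it is not attached to the network named in `traefik.docker.network` and Traefik's Docker provider cannot address it through that network; document how Traefik is expected to reach it (host-mode Traefik or a file-provider route to port 7880 on the host), and that these labels cover only the 7880 signalling endpoint, not the UDP media ports.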
diff --git a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 new file mode 100644 index 00000000000..86b314cf44e --- /dev/null +++ b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 @@ -0,0 +1,13 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} + +# Define the Traefik router rule for JWT Service +traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_service_hostname }}`) +traefik.http.routers.jwt-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.jwt-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.jwt-service.loadbalancer.server.port=8881 +{% endif %} From 80763804f914506b119f4b90fdd2013901d91648 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:16:56 +1000 Subject: [PATCH 045/148] Updated label file --- .../templates/systemd/matrix-element-call.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 21ddd54f3b6..eded8dc6a53 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
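Review bot: `traefik.http.services.jwt-service.loadbalancer.server.port=8881` is the host-side mapping, not the container port: the unit publishes `-p {{ matrix_jwt_service_port }}:8080`, and Traefik connects to the container's own port over the Docker network, so this must be `8080`. `matrix_element_call_jwt_service_hostname` is likewise undefined anywhere in the series (group_vars only sets `matrix_element_call_jwt_service_url`); define it or strip the scheme from the URL as patch 041 did with `regex_replace('^https?://', '')`.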
@@ -18,7 +18,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --network={{ matrix_element_call_container_network }} \ -p {{ matrix_element_call_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ - --label-file={{ matrix_element_call_base_path }}/config/labels \ + --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ {{ matrix_element_call_image }} {% for network in matrix_element_call_container_additional_networks %} From d2e2781d3b715ea3872c60fe5a2290a6d55c30ef Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:18:27 +1000 Subject: [PATCH 046/148] Updated label file --- .../templates/systemd/matrix-jwt-service.service.j2 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 index 1df21478d78..7d2ac8fd88e 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 @@ -18,9 +18,8 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --network={{ matrix_element_call_container_network }} \ -p {{ matrix_jwt_service_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ - --label-file={{ matrix_element_call_base_path }}/config/labels \ - {{ matrix_jwt_service_image }} \ - serve + --label-file={{ matrix_element_call_base_path }}/config/jwt-service-labels \ + {{ matrix_jwt_service_image }} {% for network in matrix_element_call_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service From 2f2cb8962e64984f5c62acbe176a54c5a6d96591 Mon Sep 17 00:00:00 2001 
From: Backslash Date: Fri, 27 Sep 2024 08:19:26 +1000 Subject: [PATCH 047/148] Updated livekit labels --- .../templates/systemd/matrix-livekit.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 index 0b28522a5ab..4b7f3ea8ac7 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 @@ -17,6 +17,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --network=host \ --mount type=bind,src={{ matrix_element_call_backend_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ + --label-file={{ matrix_element_call_base_path }}/config/livekit-labels \ {{ matrix_livekit_image }} \ --dev --config /etc/livekit.yaml From df4bf4a0c930b549316180a1880dc55f00fbbf71 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:23:24 +1000 Subject: [PATCH 048/148] Added tasks for moving the new labels files into place --- .../matrix-element-call/tasks/install.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 5e3c716d395..fdb60787145 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
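Review bot: `--dev` runs livekit-server in its development mode, and together with a required variable named `matrix_element_call_livekit_dev_key` this reads as a development setup being shipped as the production default. Drop `--dev`, carry the API key and secret in livekit.yaml under a name that says what they are (the secret is what lk-jwt-service uses to mint room tokens, so it deserves the same handling as any other credential in the playbook, including a 0640 render), and document that `--network=host` is required for the media ports, which the label file added here does not cover.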
@@ -52,7 +52,23 @@ - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/labels" + dest: "{{ matrix_element_call_base_path }}/config/element-call-labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure LiveKit labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/livekit-labels.j2" + dest: "{{ matrix_element_call_base_path }}/config/livekit-labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure JWT Service labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/jwt-service-labels.j2" + dest: "{{ matrix_element_call_base_path }}/config/jwt-service-labels" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" From dd96b93d899b7ba6c46cef8e93b86d5068b55ac8 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:34:01 +1000 Subject: [PATCH 049/148] Update matrix-element-call.service.j2 --- .../systemd/matrix-element-call.service.j2 | 56 +++++++++---------- 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index eded8dc6a53..488b1f40040 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
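Review bot: the first task still renders `src: "{{ role_path }}/templates/labels.j2"` to `config/element-call-labels` while the units already reference the new file names, and the template is only renamed in patch 051 and the src corrected in patch 052; land the unit, task and template renames in one commit so the series stays bisectable. The three identical template tasks could also be a single task with `loop` over the three label names.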
@@ -1,37 +1,31 @@ -[Unit] -Description=Matrix Element Call Service -After=docker.service -Requires=docker.service +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' +{% if matrix_element_call_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} +{% endif %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-element-call \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_element_call_container_network }} \ - -p {{ matrix_element_call_port }}:8080 \ - --env-file={{ matrix_element_call_base_path }}/config/env \ - --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ - {{ matrix_element_call_image }} +# Define the Traefik router rule +traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.services.element-call-service.loadbalancer.server.port=8080 -{% for network in matrix_element_call_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} 
matrix-element-call -{% endfor %} +{% set middlewares = [] %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call +# Define any path prefix redirection or stripping middleware +{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-element-call +traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['element-call-strip-prefix'] %} +{% endif %} -[Install] -WantedBy=multi-user.target +# Add middlewares to the router +{% if middlewares | length > 0 %} +traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} +{% endif %} + +{% endif %} From 3264408758bf162dfba2724f20a6cc0b015df227 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:49:55 +1000 Subject: [PATCH 050/148] Rename element-call-labels.j2 to element-call-labels.j2-new --- .../{element-call-labels.j2 => element-call-labels.j2-new} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/custom/matrix-element-call/templates/{element-call-labels.j2 => element-call-labels.j2-new} (100%) 
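Review bot: this hunk replaces the whole of matrix-element-call.service.j2 ([Unit], [Service] with its ExecStartPre/ExecStart/ExecStop lines, and [Install]) with Traefik label lines, so the rendered file is no longer a systemd unit and `matrix-element-call.service` can no longer start the container. The content is the labels template minus its response-headers block, which suggests a paste into the wrong file; revert the unit and apply the intended change to element-call-labels.j2 instead.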
diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2-new similarity index 100% rename from roles/custom/matrix-element-call/templates/element-call-labels.j2 rename to roles/custom/matrix-element-call/templates/element-call-labels.j2-new From 25909b102945fbd030466fcc04b4f861d1418587 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 08:51:27 +1000 Subject: [PATCH 051/148] Update and rename labels.j2 to element-call-labels.j2 --- .../{labels.j2 => element-call-labels.j2} | 20 ------------------- 1 file changed, 20 deletions(-) rename roles/custom/matrix-element-call/templates/{labels.j2 => element-call-labels.j2} (61%) diff --git a/roles/custom/matrix-element-call/templates/labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 similarity index 61% rename from roles/custom/matrix-element-call/templates/labels.j2 rename to roles/custom/matrix-element-call/templates/element-call-labels.j2 index a13a75ef0ab..7ec9aa164d4 100644 --- a/roles/custom/matrix-element-call/templates/labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
@@ -36,26 +36,6 @@ traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders. traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} -# LiveKit Labels -traefik.http.routers.sfu-router.rule=Host(`{{ matrix_element_call_livekit_service_url | regex_replace('^https?://', '') }}`) -traefik.http.routers.sfu-router.entrypoints=websecure -traefik.http.routers.sfu-router.tls.certresolver=default -traefik.http.services.sfu-service.loadbalancer.server.port=7880 -traefik.http.middlewares.sfu-headers.headers.customFrameOptionsValue=SAMEORIGIN -traefik.http.middlewares.sfu-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff -traefik.http.middlewares.sfu-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload -traefik.http.routers.sfu-router.middlewares=sfu-headers - -# JWT Labels -traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_service_url | regex_replace('^https?://', '') }}`) -traefik.http.routers.jwt-router.entrypoints=websecure -traefik.http.routers.jwt-router.tls.certresolver=default -traefik.http.services.jwt-service.loadbalancer.server.port=8881 -traefik.http.middlewares.jwt-headers.headers.customFrameOptionsValue=SAMEORIGIN -traefik.http.middlewares.jwt-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff -traefik.http.middlewares.jwt-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload -traefik.http.routers.jwt-router.middlewares=jwt-headers - {% endif %} # Additional labels (if any) specified by the user From 1721e85195e2aa6fcd3ce53ffa3a302cb0af6d22 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:00:03 +1000 Subject: [PATCH 052/148] Corrected element call labels file name --- roles/custom/matrix-element-call/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
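Review bot: moving the LiveKit and JWT routers out of this file is right, but the per-service label files that replace them (livekit-labels.j2, jwt-service-labels.j2) carry none of the `customFrameOptionsValue`, `X-Content-Type-Options` or HSTS middlewares removed here; if those headers were intended for the SFU and JWT hosts, add them to the new files through the existing additional-response-headers mechanism rather than silently dropping them.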
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index fdb60787145..ba3a8704d1a 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -51,7 +51,7 @@ - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: - src: "{{ role_path }}/templates/labels.j2" + src: "{{ role_path }}/templates/element-call-labels.j2" dest: "{{ matrix_element_call_base_path }}/config/element-call-labels" mode: 0640 owner: "{{ matrix_user_username }}" From 510cfb2dace4bb23332dc4596fcff0395053885f Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:14:29 +1000 Subject: [PATCH 053/148] Update matrix_servers --- group_vars/matrix_servers | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ff107af21b4..6c80b088416 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5896,6 +5896,7 @@ matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_cal matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" matrix_element_call_container_labels_traefik_entrypoints: "websecure" matrix_element_call_container_labels_traefik_tls_certResolver: "default" +matrix_element_call_container_labels_traefik_additional_response_headers: {} # JWT Service Configuration matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed From 5f49433f6c93e45f1e253d9981d4b23a098c9478 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:15:21 +1000 Subject: [PATCH 054/148] Handle empty labels correctly. --- .../custom/matrix-element-call/templates/element-call-labels.j2 | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 7ec9aa164d4..915ab6e2588 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -39,6 +39,8 @@ traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') {% endif %} # Additional labels (if any) specified by the user +{% if matrix_element_call_container_extra_arguments.keys() | length > 0 %} {% for key, value in matrix_element_call_container_extra_arguments.items() %} {{ key }}={{ value }} {% endfor %} +{% endif %} From 805b726c6d8132516197d29c941044d361d3a6ce Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:25:01 +1000 Subject: [PATCH 055/148] Update element-call-labels.j2 --- .../matrix-element-call/templates/element-call-labels.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 915ab6e2588..e721c93cc98 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -24,7 +24,7 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% endif %} # Additional response headers for Element Call -{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% if matrix_element_call_container_labels_traefik_additional_response_headers is mapping and matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} 
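Review bot: `matrix_element_call_container_extra_arguments.keys() | length > 0` in the new `{% if %}` assumes a mapping, but the same variable is also defined as a list (`matrix_element_call_container_extra_arguments: []`, visible among the group_vars lines removed by patch 070), and `.keys()` on a list raises at template time. The guard is otherwise redundant: the `{% for %}` over an empty mapping simply emits nothing. What is needed is one definition with the right type; and since the values are rendered as Docker labels (`{{ key }}={{ value }}`), a name such as `matrix_element_call_container_labels_additional_labels` would say so, whereas `*_container_extra_arguments` reads as extra `docker create` CLI arguments.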
@@ -39,7 +39,7 @@ traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') {% endif %} # Additional labels (if any) specified by the user -{% if matrix_element_call_container_extra_arguments.keys() | length > 0 %} +{% if matrix_element_call_container_extra_arguments is mapping and matrix_element_call_container_extra_arguments.keys() | length > 0 %} {% for key, value in matrix_element_call_container_extra_arguments.items() %} {{ key }}={{ value }} {% endfor %} From c14f9cdcb59e9fd92f5ba7465abc2042ed4e8a43 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:25:48 +1000 Subject: [PATCH 056/148] Update matrix_servers --- group_vars/matrix_servers | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6c80b088416..008eba6dcf0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5897,6 +5897,7 @@ matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call matrix_element_call_container_labels_traefik_entrypoints: "websecure" matrix_element_call_container_labels_traefik_tls_certResolver: "default" matrix_element_call_container_labels_traefik_additional_response_headers: {} +matrix_element_call_container_extra_arguments: {} # JWT Service Configuration matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed From 5730dbfc6e0928b1b4defa6e4fe734759feb3ae8 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:54:01 +1000 Subject: [PATCH 057/148] Added hostname label --- .../templates/element-call-labels.j2 | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index e721c93cc98..0428d056abd 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 
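Review bot: the `matrix_element_call_container_extra_arguments: {}` added to group_vars in patch 056 duplicates a key that already exists further down in the same file as `matrix_element_call_container_extra_arguments: []` (among the lines patch 070 later removes); with two definitions of one key in a single YAML mapping the later one wins, so the `{}` is silently ignored and the list-vs-mapping mismatch that the `is mapping` test in patch 055 guards against remains. Keep a single definition.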
+++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -1,12 +1,13 @@ {% if matrix_element_call_container_labels_traefik_enabled %} traefik.enable=true +# Network configuration for Traefik {% if matrix_element_call_container_labels_traefik_docker_network %} traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -# Element Call Labels -traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +# Traefik Router and Service configuration for Element Call +traefik.http.routers.element-call-router.rule=Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`) traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} traefik.http.services.element-call-service.loadbalancer.server.port=8080 
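Review bot: replacing `{{ matrix_element_call_container_labels_traefik_rule }}` with a hard-coded `Host(\`{{ matrix_element_call_container_labels_traefik_hostname }}\`)` drops the configurable router rule, so the `element-call-slashless-redirect` and `element-call-strip-prefix` middlewares that this template still builds from `matrix_element_call_container_labels_traefik_path_prefix` can never see a prefixed request (the router matches on host only). Route on the `_rule` variable (patch 070 later extends it with `&& PathPrefix(...)`), or drop the prefix handling altogether.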
@@ -24,14 +25,14 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% endif %} # Additional response headers for Element Call -{% if matrix_element_call_container_labels_traefik_additional_response_headers is mapping and matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% if matrix_element_call_container_labels_traefik_additional_response_headers is defined and matrix_element_call_container_labels_traefik_additional_response_headers | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} {% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -# Add middlewares to the Element Call router +# Apply middlewares to the Element Call router {% if middlewares | length > 0 %} traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} @@ -39,7 +40,7 @@ traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') {% endif %} # Additional labels (if any) specified by the user -{% if matrix_element_call_container_extra_arguments is mapping and matrix_element_call_container_extra_arguments.keys() | length > 0 %} +{% if matrix_element_call_container_extra_arguments is defined and matrix_element_call_container_extra_arguments | length > 0 %} {% for key, value in matrix_element_call_container_extra_arguments.items() %} {{ key }}={{ value }} {% endfor %} From 6d6f9ab853104213f7e6cc5d8db3381a298713dc Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:59:13 +1000 Subject: [PATCH 058/148] Added hostnames for livekit and jwt labels --- roles/custom/matrix-element-call/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) 
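Review bot: in both `{% if %}` lines, `is defined and ... | length > 0` replaces the `is mapping` test, so a list value (the `[]` definition of `matrix_element_call_container_extra_arguments` still present in group_vars) passes the guard and then fails on `.items()` inside the loop; `is defined` also hides a missing variable instead of failing loudly. Give both variables `{}` defaults in defaults/main.yml and keep the `is mapping` test, or check the type in validate_config.yml.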
diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 35c3d90ed99..8d04028e4a5 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -28,6 +28,10 @@ redis_port: "6379" # LiveKit configuration matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" +matrix_element_call_livekit_hostname: "sfu.{{ matrix_domain }}" + +# jwt configuration +matrix_element_call_jwt_hostname: "sfu-jwt.{{ matrix_domain }}" # Well-known paths and domains (derived from matrix_domain) matrix_element_call_domain: "call.{{ matrix_domain }}" From b6571fc4fdfffd60cc5d11e63e13dd6077fbba93 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 09:59:54 +1000 Subject: [PATCH 059/148] Update livekit-labels.j2 --- roles/custom/matrix-element-call/templates/livekit-labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/livekit-labels.j2 b/roles/custom/matrix-element-call/templates/livekit-labels.j2 index df680b2a72d..5fa0c51adc2 100644 --- a/roles/custom/matrix-element-call/templates/livekit-labels.j2 +++ b/roles/custom/matrix-element-call/templates/livekit-labels.j2 
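Review bot: `matrix_element_call_livekit_hostname: "sfu.{{ matrix_domain }}"` and `matrix_element_call_jwt_hostname: "sfu-jwt.{{ matrix_domain }}"` duplicate hostnames already embedded in `matrix_element_call_livekit_service_url` (`wss://sfu.{{ matrix_domain }}:443`, two lines above) and in `matrix_element_call_jwt_service_url` in group_vars; an operator who overrides one of them gets a Traefik router for one name and clients pointed at another. Derive the URLs from the hostnames, e.g. `matrix_element_call_livekit_service_url: "wss://{{ matrix_element_call_livekit_hostname }}:443"`. The context line `matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}"` also still makes the role abort with an undefined-variable error when the secret is absent rather than a validation message.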
@@ -6,7 +6,7 @@ traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_ne {% endif %} # Define the Traefik router rule for LiveKit -traefik.http.routers.livekit-router.rule=Host(`{{ matrix_element_call_sfu_hostname }}`) +traefik.http.routers.livekit-router.rule=Host(`{{ matrix_element_call_livekit_hostname }}`) traefik.http.routers.livekit-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} traefik.http.routers.livekit-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} traefik.http.services.livekit-service.loadbalancer.server.port=7880 From 089c5f14c8e9ee57fb8da0f48a8c221e1d67b1a1 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 10:00:40 +1000 Subject: [PATCH 060/148] Update jwt-service-labels.j2 --- .../custom/matrix-element-call/templates/jwt-service-labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 index 86b314cf44e..603ced75824 100644 --- a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 +++ b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 @@ -6,7 +6,7 @@ traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_ne {% endif %} # Define the Traefik router rule for JWT Service -traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_service_hostname }}`) +traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_hostname }}`) traefik.http.routers.jwt-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} traefik.http.routers.jwt-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} traefik.http.services.jwt-service.loadbalancer.server.port=8881 From 3c084e17d266892ea10e51188d70508e5ab6a64e Mon Sep 17 00:00:00 2001 
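Review bot: the context line `traefik.http.services.jwt-service.loadbalancer.server.port=8881` disagrees with the jwt-service unit, which publishes `-p {{ matrix_jwt_service_port }}:8080` (patch 064 below), i.e. the container listens on 8080; Traefik would connect to a port nothing listens on. Use one container port in both places. The renames to `matrix_element_call_livekit_hostname` and `matrix_element_call_jwt_hostname` correctly replace the previously undefined `matrix_element_call_sfu_hostname` and `matrix_element_call_jwt_service_hostname`.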
From: Backslash Date: Fri, 27 Sep 2024 10:15:51 +1000 Subject: [PATCH 061/148] Update element-call-labels.j2-new --- .../templates/element-call-labels.j2-new | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2-new b/roles/custom/matrix-element-call/templates/element-call-labels.j2-new index a31c6ea6b47..0428d056abd 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2-new +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2-new @@ -1,19 +1,20 @@ {% if matrix_element_call_container_labels_traefik_enabled %} traefik.enable=true +# Network configuration for Traefik {% if matrix_element_call_container_labels_traefik_docker_network %} traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -# Define the Traefik router rule -traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} +# Traefik Router and Service configuration for Element Call +traefik.http.routers.element-call-router.rule=Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`) traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} traefik.http.services.element-call-service.loadbalancer.server.port=8080 {% set middlewares = [] %} -# Define any path prefix redirection or stripping middleware +# Path prefix handling for Element Call {% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ 
@@ -23,17 +24,24 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% set middlewares = middlewares + ['element-call-strip-prefix'] %} {% endif %} -# Apply any additional response headers if provided -{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +# Additional response headers for Element Call +{% if matrix_element_call_container_labels_traefik_additional_response_headers is defined and matrix_element_call_container_labels_traefik_additional_response_headers | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} {% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -# Add middlewares to the router +# Apply middlewares to the Element Call router {% if middlewares | length > 0 %} traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} {% endif %} {% endif %} + +# Additional labels (if any) specified by the user +{% if matrix_element_call_container_extra_arguments is defined and matrix_element_call_container_extra_arguments | length > 0 %} +{% for key, value in matrix_element_call_container_extra_arguments.items() %} +{{ key }}={{ value }} +{% endfor %} +{% endif %} From 14614cb21102dfc6c645d05ca8e38156add079d7 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 10:26:01 +1000 Subject: [PATCH 062/148] Update matrix-element-call.service.j2 --- .../systemd/matrix-element-call.service.j2 | 56 ++++++++++--------- 1 file changed, 31 insertions(+), 25 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 488b1f40040..eded8dc6a53 100644 
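Review bot: `element-call-labels.j2-new` is a second copy of `element-call-labels.j2`; after this commit both files point at the same blob (`0428d056abd`, compare the `index` lines of this diff and of patch 057), and install.yml only templates `element-call-labels.j2`. Delete the `-new` file instead of keeping two copies in sync by hand.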
--- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
@@ -1,31 +1,37 @@ -{% if matrix_element_call_container_labels_traefik_enabled %} -traefik.enable=true +[Unit] +Description=Matrix Element Call Service +After=docker.service +Requires=docker.service -{% if matrix_element_call_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} -{% endif %} +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' -# Define the Traefik router rule -traefik.http.routers.element-call-router.rule={{ matrix_element_call_container_labels_traefik_rule }} -traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} -traefik.http.services.element-call-service.loadbalancer.server.port=8080 +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-element-call \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_element_call_container_network }} \ + -p {{ matrix_element_call_port }}:8080 \ + --env-file={{ matrix_element_call_base_path }}/config/env \ + --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ + {{ matrix_element_call_image }} -{% set middlewares = [] %} +{% for network in matrix_element_call_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} 
network connect {{ network }} matrix-element-call +{% endfor %} -# Define any path prefix redirection or stripping middleware -{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-element-call -traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['element-call-strip-prefix'] %} -{% endif %} +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-element-call 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-element-call 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-element-call -# Add middlewares to the router -{% if middlewares | length > 0 %} -traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} -{% endif %} - -{% endif %} +[Install] +WantedBy=multi-user.target From 5b8dcf32d5fa47d0cbb5777b66138c47db0b41d0 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 11:42:34 +1000 Subject: [PATCH 063/148] Added element-call systemd services to the service manager. --- group_vars/matrix_servers | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 008eba6dcf0..9da357c8844 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
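Review bot: `-p {{ matrix_element_call_port }}:8080` publishes the container port on all host interfaces unconditionally, even when Traefik already reaches the container over `{{ matrix_element_call_container_network }}`; make it conditional on a host-bind-port variable (patch 070 introduces `matrix_element_call_container_http_host_bind_port` for this), e.g. `{% if matrix_element_call_container_http_host_bind_port %}-p {{ matrix_element_call_container_http_host_bind_port }}:8080 \{% endif %}`. `After=docker.service` / `Requires=docker.service` are likewise hard-coded, while `matrix_element_call_systemd_required_services_list` (patch 070) exists for exactly that. The rest is right: the file previously held Traefik labels instead of a unit, and the new unit runs as `--user={{ matrix_user_uid }}:{{ matrix_user_gid }}` with `--cap-drop=ALL`.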
@@ -433,6 +433,14 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-pantalaimon.service', 'priority': 4000, 'groups': ['matrix', 'pantalaimon']}] if matrix_pantalaimon_enabled else []) + + ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else []) + + + ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_element_call_enabled else []) + + + ([{'name': 'matrix-livekit.service', 'priority': 3000, 'groups': ['matrix', 'livekit']}] if matrix_element_call_enabled else []) + + + ([{'name': 'matrix-redis.service', 'priority': 450, 'groups': ['matrix', 'redis']}] if matrix_element_call_enabled else []) + + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else []) + ([{'name': 'matrix-sliding-sync.service', 'priority': 1500, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) From 63133d659972342b825782ed678ce356c1541acf Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 11:53:26 +1000 Subject: [PATCH 064/148] Added serve command back in. --- .../templates/systemd/matrix-jwt-service.service.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 index 7d2ac8fd88e..cdcac8b4002 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 
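Review bot: all four entries are gated on `matrix_element_call_enabled`, including `matrix-redis.service` (priority 450), yet the role accepts an external Redis via `matrix_element_call_redis_hostname`, `_port` and `_password` in group_vars; with an external Redis the service manager would still try to start a `matrix-redis.service` that does not need to exist. Gate the Redis entry on its own flag, and check that `matrix-jwt-service.service` and `matrix-livekit.service` at priority 3000 are ordered after it when it is in use.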
@@ -19,7 +19,8 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ -p {{ matrix_jwt_service_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ --label-file={{ matrix_element_call_base_path }}/config/jwt-service-labels \ - {{ matrix_jwt_service_image }} + {{ matrix_jwt_service_image }} \ + serve {% for network in matrix_element_call_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service From 8b172cc19447be51a17fd94db46246b29a961086 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:35:38 +1000 Subject: [PATCH 065/148] Update env.j2 --- roles/custom/matrix-element-call/templates/env.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 index 71e9a06934f..1a1eb953d55 100644 --- a/roles/custom/matrix-element-call/templates/env.j2 +++ b/roles/custom/matrix-element-call/templates/env.j2 @@ -1,7 +1,8 @@ # Environment variables for Element Call ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} +LIVEKIT_KEY=devkey LIVEKIT_SERVICE_URL={{ matrix_element_call_livekit_service_url }} -LIVEKIT_SECRET={{ matrix_element_call_livekit_dev_key }} +LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }} JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} # Optional additional environment variables provided by the user From a0917fa2833ec3ee0b42bd5a2b61396dc535bcb2 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:37:36 +1000 Subject: [PATCH 066/148] Update main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 8d04028e4a5..c9e9aeabaf8 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml 
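Review bot: in env.j2, `LIVEKIT_KEY=devkey` hard-codes a development API key name, and `LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }}` binds the LiveKit API secret to a variable named as if it were a JWT secret; key and secret must match the `keys:` section rendered by livekit.yaml.j2, so make the key name a variable (e.g. `matrix_element_call_livekit_api_key`) with an operator-generated secret named after what it is. The `serve` argument appended to the jwt-service unit in patch 064 is reverted again in patch 069; squash the pair out of the series.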
+++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -27,6 +27,7 @@ redis_port: "6379" # LiveKit configuration matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars +matrix_element_call_jwt_secret: "{{ matrix_jwt_secret }}" # Must be defined in host_vars matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" matrix_element_call_livekit_hostname: "sfu.{{ matrix_domain }}" From 24926720252b0eb5d9d8344514a6eb3ab445304d Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:39:39 +1000 Subject: [PATCH 067/148] Update env.j2 --- roles/custom/matrix-element-call/templates/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 index 1a1eb953d55..b5a5d4be4fe 100644 --- a/roles/custom/matrix-element-call/templates/env.j2 +++ b/roles/custom/matrix-element-call/templates/env.j2 @@ -1,7 +1,7 @@ # Environment variables for Element Call ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} LIVEKIT_KEY=devkey -LIVEKIT_SERVICE_URL={{ matrix_element_call_livekit_service_url }} +LIVEKIT_URL={{ matrix_element_call_livekit_service_url }} LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }} JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} From 5db9a5c061efb8c8806b0fdf9ffcc968e4fea2d3 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:40:37 +1000 Subject: [PATCH 068/148] Removed env file --- .../templates/systemd/matrix-element-call.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index eded8dc6a53..b64e3fbe86c 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
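Review bot: `matrix_element_call_jwt_secret: "{{ matrix_jwt_secret }}" # Must be defined in host_vars` makes every run without `matrix_jwt_secret` abort with an undefined-variable error instead of a clear message from validate_config.yml; default it to an empty string and assert it is non-empty there. The line also sits under the `# LiveKit configuration` comment although it is the JWT secret. The `LIVEKIT_SERVICE_URL` to `LIVEKIT_URL` rename in patch 067 should be checked against the variable name the jwt-service image reads, since that unit is the only consumer of env.j2.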
+++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -17,7 +17,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --network={{ matrix_element_call_container_network }} \ -p {{ matrix_element_call_port }}:8080 \ - --env-file={{ matrix_element_call_base_path }}/config/env \ --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ {{ matrix_element_call_image }} From a274d32c6d800379d2241449b68cea8bc4778042 Mon Sep 17 00:00:00 2001 From: Backslash Date: Fri, 27 Sep 2024 12:50:31 +1000 Subject: [PATCH 069/148] Removed serve function --- .../templates/systemd/matrix-jwt-service.service.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 index cdcac8b4002..7d2ac8fd88e 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 @@ -19,8 +19,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ -p {{ matrix_jwt_service_port }}:8080 \ --env-file={{ matrix_element_call_base_path }}/config/env \ --label-file={{ matrix_element_call_base_path }}/config/jwt-service-labels \ - {{ matrix_jwt_service_image }} \ - serve + {{ matrix_jwt_service_image }} {% for network in matrix_element_call_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service From f036e18789ffd332c40d296bc4744a1dc508586a Mon Sep 17 00:00:00 2001 
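Review bot: with `--env-file={{ matrix_element_call_base_path }}/config/env` removed from the element-call unit, `ELEMENT_CALL_SERVER_URL`, `LIVEKIT_URL` and `JWT_SERVICE_URL` from env.j2 no longer reach the Element Call container, so config.json.j2 must carry the LiveKit and JWT service URLs; also reword the `# Environment variables for Element Call` header in env.j2, which is now consumed only by the jwt-service unit. Patch 069 is a pure revert of patch 064; drop both.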
From: wjbeckett Date: Mon, 30 Sep 2024 11:05:11 +1000 Subject: [PATCH 070/148] Fix: Restructured Element call configuration files. --- group_vars/matrix_servers | 24 ++---- .../matrix-element-call/defaults/main.yml | 84 +++++++++++++++++-- .../matrix-element-call/tasks/install.yml | 2 +- .../templates/element-call-labels.j2 | 31 ++++--- .../systemd/matrix-element-call.service.j2 | 16 +++- 5 files changed, 117 insertions(+), 40 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9da357c8844..4ba3e6eb201 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -5894,18 +5894,22 @@ matrix_element_call_container_image_registry_prefix: ghcr.io/ matrix_element_call_container_image_force_pull: true # Docker network configuration for Element Call -matrix_element_call_container_network: "{{ matrix_homeserver_container_network }}" # Use the homeserver network by default +matrix_element_call_container_network: "{{ matrix_addons_container_network }}" +matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_element_call_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" + # Traefik Configuration for Element Call +matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + + matrix_element_call_container_labels_traefik_enabled: true matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" -matrix_element_call_container_labels_traefik_entrypoints: "websecure" -matrix_element_call_container_labels_traefik_tls_certResolver: "default" -matrix_element_call_container_labels_traefik_additional_response_headers: {} -matrix_element_call_container_extra_arguments: {} # JWT Service Configuration 
matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed @@ -5919,16 +5923,6 @@ matrix_element_call_redis_hostname: "localhost" # Default Redis hostname; can b matrix_element_call_redis_port: 6379 # Default Redis port; can be overridden matrix_element_call_redis_password: "" # Redis password; should be set in host_vars if needed -# Additional environment variables for the container -matrix_element_call_environment_variables_additional: {} - -# Additional arguments or configuration options for the Docker container -matrix_element_call_container_extra_arguments: [] - -# Enable or disable metrics collection -matrix_element_call_metrics_enabled: false -matrix_element_call_metrics_port: 2112 - ######################################################################## # # # /matrix-element-call # diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index c9e9aeabaf8..d5a9dbb2fe9 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -10,7 +10,8 @@ matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homes element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" # Docker network configuration -matrix_element_call_container_network: "matrix_element_call_network" +matrix_element_call_container_network: '' +matrix_element_call_container_http_host_bind_port: '' matrix_element_call_container_labels_traefik_additional_response_headers: {} matrix_element_call_container_additional_networks: [] # No additional networks by default 
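Review bot: the group_vars hunk adds `matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in [...] }}"` and a new `_docker_network` line, then keeps the pre-existing `matrix_element_call_container_labels_traefik_enabled: true` and `_docker_network` lines a few lines below, so the same keys appear twice in one YAML mapping; the later `true` wins and the reverse-proxy-type condition is dead code. Remove the old pair. In the defaults hunk, `matrix_element_call_container_network: ''` combined with the unit's unconditional `--network={{ matrix_element_call_container_network }}` renders `--network=`, which `docker create` rejects; keep a non-empty default or validate it, and note that `element_web_config_path` points at `.well-known/matrix/client`, not at an Element Web config.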
@@ -47,15 +48,88 @@ redis_password: "" # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_callcontainer_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}" -matrix_element_call_container_labels_traefik_path_prefix: "/" -matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" -matrix_element_call_container_labels_traefik_entrypoints: "websecure" -matrix_element_call_container_labels_traefik_tls_certResolver: "default" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). +matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_callpath_prefix }}" +matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`){% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_call_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_element_call_container_labels_traefik_priority: 0 +matrix_element_call_container_labels_traefik_entrypoints: web-secure +matrix_element_call_container_labels_traefik_tls: "{{ matrix_element_call_container_labels_traefik_entrypoints != 'web' }}" +matrix_element_call_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom` +matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" +matrix_element_call_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) + }} +matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} # Additional environment variables for the container matrix_element_call_environment_variables_additional: {} +# List of systemd services that matrix-client-element.service depends on +matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect 
reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_element_call_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_element_call_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_element_call_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_callfloc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_callhsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_element_callcontent_permission_policy` +matrix_element_callfloc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_element_call_http_header_strict_transport_security` +matrix_element_callhsts_preload_enabled: false + # Enable or disable metrics collection matrix_element_call_metrics_enabled: false matrix_element_call_metrics_port: 2112 diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index ba3a8704d1a..f036fa2f912 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
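Review bot: several variable names introduced in this defaults hunk are missing the underscore after `matrix_element_call` and will either be undefined at template time or break the role's naming scheme: `matrix_element_callcontainer_network` (referenced by `matrix_element_call_container_labels_traefik_docker_network`) and `matrix_element_callpath_prefix` (referenced by `..._traefik_path_prefix`) are undefined whenever the defaults are used without an override; `matrix_element_callfloc_optout_enabled` and `matrix_element_callhsts_preload_enabled` are defined and referenced with the typo, so they work but do not match the rest of the file; and the comment `See: matrix_element_callcontent_permission_policy` points at a variable that does not exist (the key is `matrix_element_call_http_header_content_permission_policy`). Rename all of them to the `matrix_element_call_` prefix. Two smaller points in the same hunk: the header is emitted as `Permission-Policy` while the comment above the FLoC flag calls it `Permissions-Policy`; the standard header name is `Permissions-Policy`, so browsers ignore the misspelled one and the `interest-cohort=()` opt-out has no effect. The comment on `matrix_element_call_systemd_required_services_list` still says `matrix-client-element.service`; it should read `matrix-element-call.service`.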
@@ -9,7 +9,7 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - loop: + with_items: - path: "{{ matrix_element_call_base_path }}" - path: "{{ matrix_element_call_base_path }}/data" - path: "{{ matrix_element_call_base_path }}/config" diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 0428d056abd..feeeb2c656e 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -6,10 +6,6 @@ traefik.enable=true traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -# Traefik Router and Service configuration for Element Call -traefik.http.routers.element-call-router.rule=Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`) -traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} traefik.http.services.element-call-service.loadbalancer.server.port=8080 {% set middlewares = [] %} 
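Review bot: changing `loop:` back to `with_items:` in install.yml is a step backwards in style rather than a fix; `loop` is the form current Ansible documentation and ansible-lint recommend, and both iterate this list of `path:` dicts identically. Keep `loop:` unless there is a concrete behavioural reason, in which case it belongs in the commit message.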
@@ -24,24 +20,27 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% set middlewares = middlewares + ['element-call-strip-prefix'] %} {% endif %} -# Additional response headers for Element Call -{% if matrix_element_call_container_labels_traefik_additional_response_headers is defined and matrix_element_call_container_labels_traefik_additional_response_headers | length > 0 %} +{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + ['element-call-add-headers'] %} +{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} {% endif %} -# Apply middlewares to the Element Call router +traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} +{% if matrix_element_call_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-element-call.service=matrix-element-call {% if middlewares | length > 0 %} -traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} +traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} {% endif %} - +traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} +{% if matrix_element_call_container_labels_traefik_tls %} +traefik.http.routers.matrix-element-call.tls.certResolver={{ 
matrix_element_call_container_labels_traefik_tls_certResolver }} {% endif %} -# Additional labels (if any) specified by the user -{% if matrix_element_call_container_extra_arguments is defined and matrix_element_call_container_extra_arguments | length > 0 %} -{% for key, value in matrix_element_call_container_extra_arguments.items() %} -{{ key }}={{ value }} -{% endfor %} {% endif %} + +{{ matrix_element_call_container_labels_additional_labels }} diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index b64e3fbe86c..b4bb602d0b8 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -1,7 +1,11 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Element Call Service -After=docker.service -Requires=docker.service +{% for service in matrix_client_element_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no [Service] Type=simple @@ -15,9 +19,15 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ --network={{ matrix_element_call_container_network }} \ - -p {{ matrix_element_call_port }}:8080 \ + {% if matrix_element_call_container_http_host_bind_port %} + -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \ + {% endif %} --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ + {% for arg in matrix_element_call_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_element_call_image }} {% for network in matrix_element_call_container_additional_networks %} From 1167e1ec13ab3f9e64a1ac35eabb0a392551baf4 Mon Sep 17 00:00:00 2001 
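Review bot: the router in this labels hunk points at a backend that is never declared: `traefik.http.routers.matrix-element-call.service=matrix-element-call` names a service `matrix-element-call`, but the only service label in this template (context at the top of the previous hunk) is `traefik.http.services.element-call-service.loadbalancer.server.port=8080`. Traefik will refuse the router because the service does not exist. Either rename the service label to `traefik.http.services.matrix-element-call.loadbalancer.server.port=8080` or set `.service=element-call-service`. Since the headers middleware is renamed to `matrix-element-call-add-headers` here, rename `element-call-slashless-redirect` and `element-call-strip-prefix` (visible in the hunk header context) the same way, so every Traefik object from this role carries one prefix and cannot collide with labels from other containers.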
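Review bot: the `Requires`/`After` loop in the systemd unit iterates `matrix_client_element_systemd_required_services_list`, but the variable this role defines in its defaults (earlier hunk) is `matrix_element_call_systemd_required_services_list`. Rendering the unit fails with an undefined variable unless the element client role happens to be loaded, and even then the dependency list comes from the wrong role. Use `matrix_element_call_systemd_required_services_list`. Adding `--read-only` alongside the existing `--cap-drop=ALL` and unprivileged `--user` is a good hardening step; keep it.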
From: wjbeckett Date: Mon, 30 Sep 2024 11:17:34 +1000 Subject: [PATCH 071/148] fix: changed matrix server name to matrix domain in element-call config. --- roles/custom/matrix-element-call/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 index 7c75144e343..3dc7f0e8a51 100644 --- a/roles/custom/matrix-element-call/templates/config.json.j2 +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -2,7 +2,7 @@ "default_server_config": { "m.homeserver": { "base_url": "{{ matrix_homeserver_url }}", - "server_name": "{{ matrix_server_name }}" + "server_name": "{{ matrix_domain }}" } }, "livekit": { From 9dbee212d81f7584089ae0e77d69e2de52b04ff8 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 11:37:08 +1000 Subject: [PATCH 072/148] fix: removed duplicate keys. --- group_vars/matrix_servers | 7 --- .../matrix-element-call/defaults/main.yml | 1 - .../templates/element-call-labels.j2-new | 47 ------------------- 3 files changed, 55 deletions(-) delete mode 100644 roles/custom/matrix-element-call/templates/element-call-labels.j2-new diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4ba3e6eb201..bf55b9a43f9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -5904,13 +5904,6 @@ matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" - -matrix_element_call_container_labels_traefik_enabled: true -matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" -matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" -matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`)" - # JWT Service Configuration matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index d5a9dbb2fe9..1b72ca0a15d 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -12,7 +12,6 @@ element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well- # Docker network configuration matrix_element_call_container_network: '' matrix_element_call_container_http_host_bind_port: '' -matrix_element_call_container_labels_traefik_additional_response_headers: {} matrix_element_call_container_additional_networks: [] # No additional networks by default # Docker images diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2-new b/roles/custom/matrix-element-call/templates/element-call-labels.j2-new deleted file mode 100644 index 0428d056abd..00000000000 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2-new +++ /dev/null 
@@ -1,47 +0,0 @@ -{% if matrix_element_call_container_labels_traefik_enabled %} -traefik.enable=true - -# Network configuration for Traefik -{% if matrix_element_call_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} -{% endif %} - -# Traefik Router and Service configuration for Element Call -traefik.http.routers.element-call-router.rule=Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`) -traefik.http.routers.element-call-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.element-call-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} -traefik.http.services.element-call-service.loadbalancer.server.port=8080 - -{% set middlewares = [] %} - -# Path prefix handling for Element Call -{% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} - -traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['element-call-strip-prefix'] %} -{% endif %} - -# Additional response headers for Element Call -{% if matrix_element_call_container_labels_traefik_additional_response_headers is defined and matrix_element_call_container_labels_traefik_additional_response_headers | length > 0 %} -{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + 
['element-call-add-headers'] %} -{% endif %} - -# Apply middlewares to the Element Call router -{% if middlewares | length > 0 %} -traefik.http.routers.element-call-router.middlewares={{ middlewares | join(',') }} -{% endif %} - -{% endif %} - -# Additional labels (if any) specified by the user -{% if matrix_element_call_container_extra_arguments is defined and matrix_element_call_container_extra_arguments | length > 0 %} -{% for key, value in matrix_element_call_container_extra_arguments.items() %} -{{ key }}={{ value }} -{% endfor %} -{% endif %} From 93650cf20ea9b72a4ced744380d57132cc417313 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 12:02:45 +1000 Subject: [PATCH 073/148] fix: Type in the element-call main.yml --- roles/custom/matrix-element-call/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 1b72ca0a15d..f1ab2626165 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -50,7 +50,7 @@ matrix_element_call_container_labels_traefik_enabled: true matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_callcontainer_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}" # The path prefix must either be `/` or not end with a slash (e.g. `/element`). -matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_callpath_prefix }}" +matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`){% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_call_container_labels_traefik_path_prefix }}`){% endif %}" matrix_element_call_container_labels_traefik_priority: 0 matrix_element_call_container_labels_traefik_entrypoints: web-secure From f762048a8dcaa691d183fee147f621c031cdd25d Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 12:15:27 +1000 Subject: [PATCH 074/148] fix: added missing labels to main. --- roles/custom/matrix-element-call/defaults/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index f1ab2626165..787acf0a148 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
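Review bot: this fixes one missing-underscore name, but the context line directly above it, `matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_callcontainer_network }}"`, has the same defect and is left unchanged, and `matrix_element_callfloc_optout_enabled` and `matrix_element_callhsts_preload_enabled` further down the same file were introduced with the same pattern. Fix all of them in this commit so the defaults file templates cleanly without group_vars overrides.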
@@ -72,6 +72,18 @@ matrix_element_call_container_labels_traefik_additional_response_headers_auto: | }} matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_element_call_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_element_call_container_extra_arguments: [] + # Additional environment variables for the container matrix_element_call_environment_variables_additional: {} From 6143ad7ffa04d98714eb51acf5675921a1d96b86 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 12:27:04 +1000 Subject: [PATCH 075/148] fix: removed the read-only tag from the element-call systemd file. --- .../templates/systemd/matrix-element-call.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index b4bb602d0b8..6048f9e4d4f 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -19,7 +19,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --read-only \ --network={{ matrix_element_call_container_network }} \ {% if matrix_element_call_container_http_host_bind_port %} -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \ From 31a138a6ba7570b7bb9cd8ebc60c28d284c74302 Mon Sep 17 00:00:00 2001 
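Review bot: the comment block for `matrix_element_call_container_labels_additional_labels` was carried over from the element client role: it names `matrix_client_element_container_labels_additional_labels` (in the description and again in the example) and refers to `../templates/labels.j2`, but this role's variable is `matrix_element_call_container_labels_additional_labels` and its template is `element-call-labels.j2`. Correct the comment so an operator copying the example sets the variable this role actually reads.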
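Review bot: removing `--read-only` drops a meaningful hardening control from a container that otherwise runs with `--cap-drop=ALL` as an unprivileged user (see the context lines). If the image fails to start because it needs a writable location, the usual remedy is to keep `--read-only` and add a `--tmpfs` or explicit `--mount` for just that path rather than making the whole root filesystem writable. The commit message gives no reason for the removal; at minimum record which path the image needs to write so the narrower fix can be applied.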
From: wjbeckett Date: Mon, 30 Sep 2024 12:47:42 +1000 Subject: [PATCH 076/148] fixed traefik router issues. --- .../templates/element-call-labels.j2 | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index feeeb2c656e..5287ab98c8f 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
@@ -22,23 +22,23 @@ traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matri {% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +{% set middlewares = middlewares + ['element-call-add-headers'] %} {% endif %} -traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} +traefik.http.routers.element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.matrix-element-call.service=matrix-element-call +traefik.http.routers.element-call.service=matrix-element-call {% if middlewares | length > 0 %} -traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} +traefik.http.routers.element-call.middlewares={{ middlewares | join(',') }} {% endif %} -traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} +traefik.http.routers.element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} {% if 
matrix_element_call_container_labels_traefik_tls %} -traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.routers.element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} {% endif %} {% endif %} From cb41fb02ae3611ae1211c73e044cb07b35d416e1 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 13:00:10 +1000 Subject: [PATCH 077/148] testing traefik labels again. --- .../custom/matrix-element-call/templates/element-call-labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 5287ab98c8f..2a023b28e1a 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -31,7 +31,7 @@ traefik.http.routers.element-call.rule={{ matrix_element_call_container_labels_t {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} traefik.http.routers.element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.element-call.service=matrix-element-call +traefik.http.routers.element-call.service=element-call {% if middlewares | length > 0 %} traefik.http.routers.element-call.middlewares={{ middlewares | join(',') }} {% endif %} From b907777ae53475ee93aefcd827b08a47e0b44824 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 13:13:29 +1000 Subject: [PATCH 078/148] fixing labels again. --- .../matrix-element-call/defaults/main.yml | 2 +- .../templates/element-call-labels.j2 | 30 +++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 787acf0a148..d2660e7e382 100644 
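Review bot: the router-to-service mismatch is still present after this hunk: the router now references `.service=element-call`, but the service label declared at the top of this template (context of the earlier labels hunk) is still `traefik.http.services.element-call-service.loadbalancer.server.port=8080`, and Traefik requires the names to match exactly. Choose one prefix and apply it to the router, the service and all middlewares in a single commit instead of adjusting one reference at a time; the run of "testing labels again" commits is a symptom of that.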
--- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -87,7 +87,7 @@ matrix_element_call_container_extra_arguments: [] # Additional environment variables for the container matrix_element_call_environment_variables_additional: {} -# List of systemd services that matrix-client-element.service depends on +# List of systemd services that matrix-element-call.service depends on matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" # Specifies the value of the `X-XSS-Protection` header diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 2a023b28e1a..10a84751b4d 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
@@ -6,39 +6,39 @@ traefik.enable=true traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.element-call-service.loadbalancer.server.port=8080 +traefik.http.services.matrix-element-call.loadbalancer.server.port=8080 {% set middlewares = [] %} # Path prefix handling for Element Call {% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.element-call-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['element-call-slashless-redirect'] %} +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.regex=({{ matrix_element_call_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-element-call-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-element-call-slashless-redirect'] %} -traefik.http.middlewares.element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['element-call-strip-prefix'] %} +traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={{ matrix_element_call_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} {% endif %} {% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + 
['element-call-add-headers'] %} +{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} {% endif %} -traefik.http.routers.element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} +traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} +traefik.http.routers.matrix-element-call.priority={{ matrix_element_call_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.element-call.service=element-call +traefik.http.routers.matrix-element-call.service=matrix-element-call {% if middlewares | length > 0 %} -traefik.http.routers.element-call.middlewares={{ middlewares | join(',') }} +traefik.http.routers.matrix-element-call.middlewares={{ middlewares | join(',') }} {% endif %} -traefik.http.routers.element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} +traefik.http.routers.matrix-element-call.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-element-call.tls={{ matrix_element_call_container_labels_traefik_tls | to_json }} {% if matrix_element_call_container_labels_traefik_tls %} -traefik.http.routers.element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} +traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} {% endif %} {% endif %} From 8cb3e33bbfddaa50b7370e65d1668e6e1333b606 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Mon, 30 Sep 2024 22:20:46 +1000 Subject: [PATCH 079/148] separated livekit and jwt to separate roles --- group_vars/matrix_servers | 84 +++++++-- .../matrix-element-call/defaults/main.yml | 26 +-- .../tasks/create_element_json.yml | 22 --- .../matrix-element-call/tasks/install.yml | 2 +- .../tasks/install_docker_containers.yml | 166 ------------------ .../tasks/update_element_web_config.yml | 29 --- .../tasks/update_homeserver_config.yml | 36 ---- .../tasks/update_well_known_client.yml | 24 --- .../tasks/validate_config.yml | 2 +- .../templates/config.json.j2 | 2 +- .../matrix-element-call/templates/env.j2 | 11 -- .../templates/jwt-service-labels.j2 | 13 -- .../templates/livekit-labels.j2 | 13 -- .../matrix-jwt-service/defaults/main.yml | 118 +++++++++++++ .../matrix-jwt-service/tasks/install.yml | 46 +++++ .../custom/matrix-jwt-service/tasks/main.yml | 21 +++ .../matrix-jwt-service/tasks/uninstall.yml | 22 +++ .../tasks/validate_config.yml | 12 ++ .../matrix-jwt-service/templates/env.j2 | 4 + .../matrix-jwt-service/templates/labels.j2 | 46 +++++ .../systemd/matrix-jwt-service.service.j2 | 8 +- roles/custom/matrix-livekit/defaults/main.yml | 119 +++++++++++++ roles/custom/matrix-livekit/tasks/install.yml | 47 +++++ roles/custom/matrix-livekit/tasks/main.yml | 21 +++ .../custom/matrix-livekit/tasks/uninstall.yml | 21 +++ .../matrix-livekit/tasks/validate_config.yml | 13 ++ .../custom/matrix-livekit/templates/labels.j2 | 46 +++++ .../templates/livekit.yaml.j2 | 2 +- .../systemd/matrix-livekit-server.service.j2} | 20 +-- 29 files changed, 632 insertions(+), 364 deletions(-) delete mode 100644 roles/custom/matrix-element-call/tasks/create_element_json.yml delete mode 100644 roles/custom/matrix-element-call/tasks/install_docker_containers.yml delete mode 100644 roles/custom/matrix-element-call/tasks/update_element_web_config.yml delete mode 100644 roles/custom/matrix-element-call/tasks/update_homeserver_config.yml delete mode 100644 
roles/custom/matrix-element-call/tasks/update_well_known_client.yml delete mode 100644 roles/custom/matrix-element-call/templates/env.j2 delete mode 100644 roles/custom/matrix-element-call/templates/jwt-service-labels.j2 delete mode 100644 roles/custom/matrix-element-call/templates/livekit-labels.j2 create mode 100644 roles/custom/matrix-jwt-service/defaults/main.yml create mode 100644 roles/custom/matrix-jwt-service/tasks/install.yml create mode 100644 roles/custom/matrix-jwt-service/tasks/main.yml create mode 100644 roles/custom/matrix-jwt-service/tasks/uninstall.yml create mode 100644 roles/custom/matrix-jwt-service/tasks/validate_config.yml create mode 100644 roles/custom/matrix-jwt-service/templates/env.j2 create mode 100644 roles/custom/matrix-jwt-service/templates/labels.j2 rename roles/custom/{matrix-element-call => matrix-jwt-service}/templates/systemd/matrix-jwt-service.service.j2 (85%) create mode 100644 roles/custom/matrix-livekit/defaults/main.yml create mode 100644 roles/custom/matrix-livekit/tasks/install.yml create mode 100644 roles/custom/matrix-livekit/tasks/main.yml create mode 100644 roles/custom/matrix-livekit/tasks/uninstall.yml create mode 100644 roles/custom/matrix-livekit/tasks/validate_config.yml create mode 100644 roles/custom/matrix-livekit/templates/labels.j2 rename roles/custom/{matrix-element-call => matrix-livekit}/templates/livekit.yaml.j2 (83%) rename roles/custom/{matrix-element-call/templates/systemd/matrix-livekit.service.j2 => matrix-livekit/templates/systemd/matrix-livekit-server.service.j2} (71%) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bf55b9a43f9..1739f54ddad 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -435,9 +435,9 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else []) + - ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_element_call_enabled else []) + ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_jwt_service_enabled else []) + - ([{'name': 'matrix-livekit.service', 'priority': 3000, 'groups': ['matrix', 'livekit']}] if matrix_element_call_enabled else []) + ([{'name': 'matrix-livekit-server.service', 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if matrix_livekit_server_enabled else []) + ([{'name': 'matrix-redis.service', 'priority': 450, 'groups': ['matrix', 'redis']}] if matrix_element_call_enabled else []) + 
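Review bot: this hunk correctly gates the JWT and LiveKit units on their own `_enabled` flags, but the `matrix-redis.service` entry on the following context line is still conditioned on `matrix_element_call_enabled`, even though the same commit removes the `matrix_element_call_redis_*` settings from the element-call block in group_vars (further down). Gate Redis on whichever role actually consumes it; otherwise enabling that role without Element Call leaves it without Redis, and enabling Element Call alone starts a Redis nothing uses.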
@@ -5897,27 +5897,87 @@ matrix_element_call_container_image_force_pull: true matrix_element_call_container_network: "{{ matrix_addons_container_network }}" matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_element_call_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" - # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" -# JWT Service Configuration -matrix_element_call_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed + +######################################################################## +# # +# /matrix-element-call # +# # +######################################################################## + +######################################################################## +# # +# matrix-livekit-server # +# # +######################################################################## + +# Matrix Livekit Server Configuration +matrix_livekit_server_enabled: false # Default is false; should be enabled in host_vars as needed +matrix_livekit_server_version: "latest" # Default version; can be overridden in host_vars +matrix_livekit_server_scheme: "https" +matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different +matrix_livekit_server_path_prefix: "/" +matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" 
+matrix_livekit_server_container_image: "livekit/livekit-server:{{ matrix_livekit_server_version }}" +matrix_livekit_server_container_image_force_pull: true + +# Docker network configuration for Livekit +matrix_livekit_server_container_network: "{{ matrix_addons_container_network }}" +matrix_livekit_server_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" + +# Traefik Configuration for Livekit +matrix_livekit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_livekit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_livekit_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" # LiveKit Service Configuration -matrix_element_call_livekit_service_url: "https://sfu.{{ matrix_domain }}" # Default LiveKit service URL; adjust as needed -matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # LiveKit dev key +matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # LiveKit dev key -# Redis Configuration for Element Call -matrix_element_call_redis_hostname: "localhost" # Default Redis hostname; can be overridden -matrix_element_call_redis_port: 6379 # Default Redis port; can be overridden -matrix_element_call_redis_password: "" # Redis password; should be set in host_vars if needed +######################################################################## +# # +# /matrix-livekit-server # +# # +######################################################################## ######################################################################## # # -# 
/matrix-element-call # +# matrix-jwt-service # # # ######################################################################## + +# Matrix JWT Service Configuration +matrix_jwt_service_enabled: false # Default is false; should be enabled in host_vars as needed +matrix_jwt_service_version: "latest-ci" # Default version; can be overridden in host_vars +matrix_jwt_service_scheme: "https" # Scheme for Element Call (e.g., https) +matrix_jwt_service_hostname: "lk-jwt-service" # Default hostname; should be overridden in host_vars if different +matrix_jwt_service_path_prefix: "/" # Path prefix for Element Call +matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" # Base path for storing Element Call-related files +matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}" +matrix_jwt_service_container_image_name_prefix: ghcr.io/ +matrix_jwt_service_container_image_registry_prefix: ghcr.io/ +matrix_jwt_service_container_image_force_pull: true + +# Docker network configuration for JWT Service +matrix_jwt_service_container_network: "{{ matrix_addons_container_network }}" +matrix_jwt_service_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" + +# Traefik Configuration for JWT Service +matrix_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_jwt_service_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +matrix_jwt_service_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +# JWT Service Configuration +matrix_jwt_service_url: 
"https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed + +######################################################################## +# # +# /matrix-jwt-service # +# # +######################################################################## \ No newline at end of file diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index d2660e7e382..eb7652b1a70 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -4,8 +4,6 @@ matrix_element_call_enabled: false # Base path configuration matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" -matrix_element_call_config_path: "{{ matrix_element_call_base_path }}/config" -matrix_element_call_backend_path: "{{ matrix_element_call_base_path }}/backend" matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" 
@@ -16,24 +14,12 @@ matrix_element_call_container_additional_networks: [] # No additional networks # Docker images matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" -matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" -matrix_livekit_image: "livekit/livekit-server:latest" redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" -matrix_jwt_service_port: "8881" redis_port: "6379" -# LiveKit configuration -matrix_element_call_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # Must be defined in host_vars -matrix_element_call_jwt_secret: "{{ matrix_jwt_secret }}" # Must be defined in host_vars -matrix_element_call_livekit_service_url: "wss://sfu.{{ matrix_domain }}:443" -matrix_element_call_livekit_hostname: "sfu.{{ matrix_domain }}" - -# jwt configuration -matrix_element_call_jwt_hostname: "sfu-jwt.{{ matrix_domain }}" - # Well-known paths and domains (derived from matrix_domain) matrix_element_call_domain: "call.{{ matrix_domain }}" matrix_element_call_well_known_client_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" @@ -47,7 +33,7 @@ redis_password: "" # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true -matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_callcontainer_network }}" +matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}" matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}" # The path prefix must either be `/` or not end with a slash (e.g. `/element`). matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" 
@@ -112,11 +98,11 @@ matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_callfloc_optout_enabled else '' }}" +matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_callhsts_preload_enabled else '' }}" +matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -126,8 +112,8 @@ matrix_element_call_http_header_strict_transport_security: "max-age=31536000; in # - https://amifloced.org/ # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. -# See: `matrix_element_callcontent_permission_policy` -matrix_element_callfloc_optout_enabled: true +# See: `matrix_element_call_content_permission_policy` +matrix_element_call_floc_optout_enabled: true # Controls if HSTS preloading is enabled # 
@@ -139,7 +125,7 @@ matrix_element_callfloc_optout_enabled: true # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_element_call_http_header_strict_transport_security` -matrix_element_callhsts_preload_enabled: false +matrix_element_call_hsts_preload_enabled: false # Enable or disable metrics collection matrix_element_call_metrics_enabled: false diff --git a/roles/custom/matrix-element-call/tasks/create_element_json.yml b/roles/custom/matrix-element-call/tasks/create_element_json.yml deleted file mode 100644 index 7fe68918396..00000000000 --- a/roles/custom/matrix-element-call/tasks/create_element_json.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- ---- -# Create the element.json file to point to Element Call - -- name: Ensure .well-known/element directory exists - ansible.builtin.file: - path: "{{ matrix_element_call_well_known_element_path | dirname }}" - state: directory - mode: 0755 - -- name: Create or update the element.json file with Element Call config - ansible.builtin.copy: - dest: "{{ matrix_element_call_well_known_element_path }}" - content: | - { - "call": { - "widget_url": "{{ matrix_element_call_base_url }}" - } - } - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index f036fa2f912..48719f413bb 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -175,7 +175,7 @@ "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", - "livekit_service_url": "{{ matrix_element_call_jwt_service_url }}" + "livekit_service_url": "{{ matrix_jwt_service_url }}" } ] marker: "# ANSIBLE MANAGED BLOCK - Element Call RTC FOCI" 
diff --git a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml b/roles/custom/matrix-element-call/tasks/install_docker_containers.yml deleted file mode 100644 index a9d55ff85fd..00000000000 --- a/roles/custom/matrix-element-call/tasks/install_docker_containers.yml +++ /dev/null 
@@ -1,166 +0,0 @@ ---- -# Ensure Required Directories Exist -- name: Ensure matrix-element-call paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - loop: - - path: "{{ matrix_element_call_base_path }}" - - path: "{{ matrix_element_call_base_path }}/data" - - path: "{{ matrix_element_call_base_path }}/config" - - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config - -# Ensure Configuration Files are in Place -- name: Ensure Element Call config.json is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/config.json.j2" - dest: "{{ matrix_element_call_base_path }}/config/config.json" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure LiveKit livekit.yaml is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/livekit.yaml.j2" - dest: "{{ matrix_element_call_base_path }}/backend/livekit.yaml" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure Redis redis.conf is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/redis.conf.j2" - dest: "{{ matrix_element_call_base_path }}/backend/redis.conf" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-element-call environment file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_element_call_base_path }}/config/env" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-element-call Docker labels file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/labels" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -# 
Ensure Docker Images are Pulled -- name: Ensure matrix-element-call Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_element_call_image }}" - source: pull - force_source: "{{ matrix_element_call_container_image_force_pull }}" - register: element_call_image_result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: element_call_image_result is not failed - -- name: Ensure jwt-service Docker image is pulled - community.docker.docker_image: - name: "ghcr.io/element-hq/lk-jwt-service:latest-ci" - source: pull - register: jwt_image_result - retries: 3 - delay: 10 - until: jwt_image_result is not failed - -- name: Ensure livekit Docker image is pulled - community.docker.docker_image: - name: "livekit/livekit-server:latest" - source: pull - register: livekit_image_result - retries: 3 - delay: 10 - until: livekit_image_result is not failed - -- name: Ensure redis Docker image is pulled - community.docker.docker_image: - name: "redis:6-alpine" - source: pull - register: redis_image_result - retries: 3 - delay: 10 - until: redis_image_result is not failed - -- name: Debug matrix_element_call_base_path - ansible.builtin.debug: - var: matrix_element_call_base_path - -- name: Debug labels file content - ansible.builtin.debug: - msg: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" - -# Ensure Docker Containers are Running -- name: Run matrix-element-call Docker container - community.docker.docker_container: - name: "matrix-element-call" - image: "{{ matrix_element_call_image }}" - state: started - restart_policy: unless-stopped - env_file: "{{ matrix_element_call_base_path }}/config/env" - labels: "{{ lookup('file', matrix_element_call_base_path ~ '/config/labels') | from_yaml }}" - networks: - - name: "{{ matrix_element_call_container_network }}" - volumes: - - "{{ matrix_element_call_base_path 
}}/config/config.json:/app/config.json" - - "{{ matrix_element_call_base_path }}/data:/data" - -- name: Run jwt-service Docker container - community.docker.docker_container: - name: "matrix-jwt-service" - image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" - state: started - restart_policy: unless-stopped - environment: - LIVEKIT_SECRET: "{{ matrix_element_call_livekit_dev_key }}" # User-specified key - LIVEKIT_URL: "{{ matrix_element_call_livekit_service_url }}" - LIVEKIT_KEY: "devkey" - networks: - - name: "{{ matrix_element_call_container_network }}" - -- name: Run livekit Docker container - community.docker.docker_container: - name: "matrix-livekit" - image: "livekit/livekit-server:latest" - state: started - restart_policy: unless-stopped - command: "--dev --config /etc/livekit.yaml" - volumes: - - "{{ matrix_element_call_base_path }}/backend/livekit.yaml:/etc/livekit.yaml" - network_mode: "host" - -- name: Run redis Docker container - community.docker.docker_container: - name: "matrix-redis" - image: "redis:6-alpine" - state: started - restart_policy: unless-stopped - command: redis-server /etc/redis.conf - volumes: - - "{{ matrix_element_call_base_path }}/backend/redis.conf:/etc/redis.conf" - networks: - - name: "{{ matrix_element_call_container_network }}" - -# Ensure Systemd Services are Set Up -- name: Ensure matrix-element-call systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/element-call.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" - mode: 0644 - -- name: Ensure matrix-element-call systemd service is enabled and started - ansible.builtin.systemd: - name: matrix-element-call - enabled: true - state: started - daemon_reload: true diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml deleted file mode 100644 index 0fa2271726a..00000000000 
--- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# Update Element-Web config.json with Element Call features - -- name: Ensure Element-Web config.json exists - ansible.builtin.file: - path: "{{ matrix_element_web_config_path }}" - state: file - mode: 0644 - -- name: Update Element-Web config.json with Element Call features - ansible.builtin.blockinfile: - path: "{{ matrix_element_web_config_path }}" - block: | - "features": { - "feature_video_rooms": true, - "feature_new_room_decoration_ui": true, - "feature_group_calls": true, - "feature_element_call_video_rooms": true - }, - "element_call": { - "url": "{{ matrix_element_call_base_url }}", - "participant_limit": 8, - "brand": "Element Call", - "use_exclusively": true - } - marker: "# ANSIBLE MANAGED BLOCK - Element Call features" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml b/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml deleted file mode 100644 index 46e4f5a0962..00000000000 --- a/roles/custom/matrix-element-call/tasks/update_homeserver_config.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -# Update the homeserver.yaml file with Element Call config - -- name: Ensure homeserver.yaml exists - ansible.builtin.file: - path: "{{ matrix_homeserver_config_path }}" - state: file - mode: 0644 - -- name: Add listeners section for Element Call to homeserver.yaml - ansible.builtin.blockinfile: - path: "{{ matrix_homeserver_config_path }}" - block: | - listeners: - - port: 8008 - tls: false - type: http - x_forwarded: true - - resources: - - names: [client, federation, openid] - compress: false - marker: "# ANSIBLE MANAGED BLOCK - Element Call listeners" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure serve_server_wellknown is enabled in homeserver.yaml - ansible.builtin.lineinfile: - path: "{{ matrix_homeserver_config_path }}" - line: "serve_server_wellknown: true" - insertafter: EOF - state: present - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml deleted file mode 100644 index b02269f1c5c..00000000000 --- a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- ---- -# Update the .well-known/matrix/client file with Element Call config - -- name: Ensure .well-known directory exists - ansible.builtin.file: - path: "{{ matrix_element_call_well_known_client_path | dirname }}" - state: directory - mode: 0755 - -- name: Update .well-known/matrix/client file with Element Call config - ansible.builtin.blockinfile: - path: "{{ matrix_element_call_well_known_client_path }}" - block: | - "org.matrix.msc4143.rtc_foci": [ - { - "type": "livekit", - "livekit_service_url": "{{ matrix_element_call_jwt_service_url }}" - } - ] - create: yes - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index c0e0ef94067..7760cb94e01 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -14,4 +14,4 @@ - {'name': 'matrix_livekit_image', when: true} - {'name': 'redis_image', when: true} - {'name': 'matrix_element_call_livekit_dev_key', when: true} - - {'name': 'matrix_element_call_livekit_service_url', when: true} + - {'name': 'matrix_jwt_service_url', when: true} diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 index 3dc7f0e8a51..e58648e5070 100644 --- a/roles/custom/matrix-element-call/templates/config.json.j2 +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -6,6 +6,6 @@ } }, "livekit": { - "livekit_service_url": "{{ matrix_element_call_livekit_service_url }}" + "livekit_service_url": "{{ matrix_jwt_service_url }}" } } diff --git a/roles/custom/matrix-element-call/templates/env.j2 b/roles/custom/matrix-element-call/templates/env.j2 deleted file mode 100644 index b5a5d4be4fe..00000000000 
--- a/roles/custom/matrix-element-call/templates/env.j2 +++ /dev/null @@ -1,11 +0,0 @@ -# Environment variables for Element Call -ELEMENT_CALL_SERVER_URL=https://{{ matrix_element_call_domain }} -LIVEKIT_KEY=devkey -LIVEKIT_URL={{ matrix_element_call_livekit_service_url }} -LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }} -JWT_SERVICE_URL={{ matrix_element_call_jwt_service_url }} - -# Optional additional environment variables provided by the user -{% for key, value in matrix_element_call_environment_variables_additional.items() %} -{{ key }}={{ value }} -{% endfor %} diff --git a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 b/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 deleted file mode 100644 index 603ced75824..00000000000 --- a/roles/custom/matrix-element-call/templates/jwt-service-labels.j2 +++ /dev/null @@ -1,13 +0,0 @@ -{% if matrix_element_call_container_labels_traefik_enabled %} -traefik.enable=true - -{% if matrix_element_call_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} -{% endif %} - -# Define the Traefik router rule for JWT Service -traefik.http.routers.jwt-router.rule=Host(`{{ matrix_element_call_jwt_hostname }}`) -traefik.http.routers.jwt-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.jwt-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} -traefik.http.services.jwt-service.loadbalancer.server.port=8881 -{% endif %} diff --git a/roles/custom/matrix-element-call/templates/livekit-labels.j2 b/roles/custom/matrix-element-call/templates/livekit-labels.j2 deleted file mode 100644 index 5fa0c51adc2..00000000000 --- a/roles/custom/matrix-element-call/templates/livekit-labels.j2 +++ /dev/null 
@@ -1,13 +0,0 @@ -{% if matrix_element_call_container_labels_traefik_enabled %} -traefik.enable=true - -{% if matrix_element_call_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_element_call_container_labels_traefik_docker_network }} -{% endif %} - -# Define the Traefik router rule for LiveKit -traefik.http.routers.livekit-router.rule=Host(`{{ matrix_element_call_livekit_hostname }}`) -traefik.http.routers.livekit-router.entrypoints={{ matrix_element_call_container_labels_traefik_entrypoints }} -traefik.http.routers.livekit-router.tls.certresolver={{ matrix_element_call_container_labels_traefik_tls_certResolver }} -traefik.http.services.livekit-service.loadbalancer.server.port=7880 -{% endif %} diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml new file mode 100644 index 00000000000..cf087da877f --- /dev/null +++ b/roles/custom/matrix-jwt-service/defaults/main.yml 
@@ -0,0 +1,118 @@ +--- +# Enable or disable matrix-element-call deployment +matrix_jwt_service_enabled: false + +# Base path configuration +matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" +matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" + +# Docker network configuration +matrix_jwt_service_container_network: '' +matrix_jwt_service_container_http_host_bind_port: '' +matrix_jwt_service_container_additional_networks: [] # No additional networks by default + +# Docker images +matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" + +# Ports +matrix_jwt_service_port: "8881" + +# jwt configuration +matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}" +matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" + +# Traefik Configuration for JWT Service +matrix_jwt_service_container_labels_traefik_enabled: true +matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_jwt_service_container_network }}" +matrix_jwt_service_container_labels_traefik_hostname: "{{ matrix_jwt_service_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). +matrix_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_jwt_service_path_prefix }}" +matrix_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_jwt_service_container_labels_traefik_hostname }}`){% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_jwt_service_container_labels_traefik_priority: 0 +matrix_jwt_service_container_labels_traefik_entrypoints: web-secure +matrix_jwt_service_container_labels_traefik_tls: "{{ matrix_jwt_service_container_labels_traefik_entrypoints != 'web' }}" +matrix_jwt_service_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. 
+# To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom` +matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" +matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) + }} +matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. 
+# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_jwt_service_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_jwt_service_container_extra_arguments: [] + +# Additional environment variables for the container +matrix_jwt_service_environment_variables_additional: {} + +# List of systemd services that matrix-element-call.service depends on +matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_jwt_service_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_jwt_service_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_jwt_service_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_jwt_service_content_permission_policy` +matrix_jwt_service_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_jwt_service_http_header_strict_transport_security` +matrix_jwt_service_hsts_preload_enabled: false \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/install.yml b/roles/custom/matrix-jwt-service/tasks/install.yml new file mode 100644 index 00000000000..9a51bdfd334 --- /dev/null 
+++ b/roles/custom/matrix-jwt-service/tasks/install.yml @@ -0,0 +1,46 @@ +--- +# roles/custom/matrix-jwt-service/tasks/install.yml + +# Ensure Required Directories Exist +- name: Ensure matrix-jwt-service paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_jwt_service_base_path }}" + +- name: Ensure matrix-jwt-service environment file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/env.j2" + dest: "{{ matrix_jwt_service_base_path }}/env" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure JWT Service labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_jwt_service_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# Ensure Docker Images are Pulled +- name: Ensure jwt-service Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_jwt_service_image }}" + source: pull + register: jwt_image_result + retries: 3 + delay: 10 + until: jwt_image_result is not failed + +# Systemd Services for JWT Service +- name: Ensure jwt-service systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" + mode: 0644 \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/main.yml b/roles/custom/matrix-jwt-service/tasks/main.yml new file mode 100644 index 00000000000..ee74a8967b8 --- /dev/null +++ b/roles/custom/matrix-jwt-service/tasks/main.yml 
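Review bot: the image-pull task hard-codes `retries: 3` / `delay: 10` while the Element Call role uses the playbook-wide `devture_playbook_help_container_retries_count` and `devture_playbook_help_container_retries_delay` (see the pull task that survives in `matrix-element-call/tasks/install.yml` later in this series); use the shared variables so operators tune retries in one place. The env file written here carries `LIVEKIT_SECRET`, so `0640` with the matrix user and group is the right mode. Nothing in these install tasks reloads systemd or registers `matrix-jwt-service.service` with the playbook's service manager after the unit file is templated; confirm the unit is added to the managed-services list elsewhere (in this playbook that is normally done from `group_vars/matrix_servers`), otherwise it is never enabled or started.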
@@ -0,0 +1,21 @@ +--- +# Main task file for matrix-element-call + +- tags: + - setup-all + - setup-jwt-service + - install-all + - install-wt-service + block: + - when: matrix_jwt_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_jwt_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-jwt-service + block: + - when: not matrix_jwt_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-jwt-service/tasks/uninstall.yml b/roles/custom/matrix-jwt-service/tasks/uninstall.yml new file mode 100644 index 00000000000..550c82951f3 --- /dev/null +++ b/roles/custom/matrix-jwt-service/tasks/uninstall.yml @@ -0,0 +1,22 @@ +--- +# Uninstall tasks for matrix-jwt-service + + +- name: Stop and remove jwt-service container + community.docker.docker_container: + name: "matrix-jwt-service" + state: absent + +- name: Remove jwt-service systemd service + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" + state: absent + +- name: Remove matrix-jwt-service configuration files + ansible.builtin.file: + path: "{{ matrix_jwt_service_base_path }}" + state: absent + +- name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true diff --git a/roles/custom/matrix-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-jwt-service/tasks/validate_config.yml new file mode 100644 index 00000000000..a0105e940ac --- /dev/null +++ b/roles/custom/matrix-jwt-service/tasks/validate_config.yml 
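Review bot: the tag `install-wt-service` in main.yml is a typo for `install-jwt-service`, so `--tags=install-jwt-service` silently does nothing for this role; the header comment also still reads "Main task file for matrix-element-call". In uninstall.yml the container is removed with `community.docker.docker_container` while the systemd unit may still be active: the units in this series use `Restart=always` (see the LiveKit unit below), so systemd will recreate the container from `ExecStartPre` as soon as the attached `docker start` exits. Stop and disable `matrix-jwt-service.service` with `ansible.builtin.systemd` (tolerating a missing unit) before removing the container and the unit file, as the other playbook roles do.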
@@ -0,0 +1,12 @@ +--- +# Validate configuration for matrix-jwt-service + +- name: Fail if required matrix-jwt-service settings are not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_jwt_service_base_path', when: true} + - {'name': 'matrix_jwt_service_container_network', when: true} + - {'name': 'matrix_jwt_service_image', when: true} diff --git a/roles/custom/matrix-jwt-service/templates/env.j2 b/roles/custom/matrix-jwt-service/templates/env.j2 new file mode 100644 index 00000000000..8034a9b33b5 --- /dev/null +++ b/roles/custom/matrix-jwt-service/templates/env.j2 @@ -0,0 +1,4 @@ +# Environment variables for JWT Service +LIVEKIT_KEY=devkey +LIVEKIT_URL=wss://{{ matrix_livekit_server_hostname }}:443 +LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }} \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 new file mode 100644 index 00000000000..b547e19524e --- /dev/null +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 
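Review bot: validate_config.yml checks three variables, but env.j2 also requires `matrix_element_call_jwt_secret` and `matrix_livekit_server_hostname`, neither of which is validated and both of which belong to other roles. More importantly, the value written as `LIVEKIT_SECRET` must equal the secret LiveKit holds for the `devkey` API key, yet livekit.yaml.j2 in this series fills that slot from a different variable (`matrix_livekit_server_livekit_dev_key`). Unless an operator happens to set both to the same value, every token the JWT service mints is rejected by the SFU. Derive both from a single `matrix_livekit_server_*` secret (or assert their equality here), and consider making the hard-coded `LIVEKIT_KEY=devkey` a variable so the key id is not LiveKit's development default.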
@@ -0,0 +1,46 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +# Network configuration for Traefik +{% if matrix_jwt_service_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080 + +{% set middlewares = [] %} + +# Path prefix handling for JWT +{% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_jwt_service_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-jwt-service-slashless-redirect'] %} + +traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_jwt_service_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %} +{% endif %} + +{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }} +{% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-jwt-service.priority={{ matrix_jwt_service_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-jwt-service.service=matrix-jwt-service +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-jwt-service.middlewares={{ middlewares | join(',') }} +{% 
endif %} +traefik.http.routers.matrix-jwt-service.entrypoints={{ matrix_jwt_service_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-jwt-service.tls={{ matrix_jwt_service_container_labels_traefik_tls | to_json }} +{% if matrix_jwt_service_container_labels_traefik_tls %} +traefik.http.routers.matrix-jwt-service.tls.certResolver={{ matrix_jwt_service_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_jwt_service_container_labels_additional_labels }} diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 similarity index 85% rename from roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 rename to roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 index 7d2ac8fd88e..07c8ef1ed3c 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 @@ -15,13 +15,13 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_element_call_container_network }} \ + --network={{ matrix_jwt_service_container_network }} \ -p {{ matrix_jwt_service_port }}:8080 \ - --env-file={{ matrix_element_call_base_path }}/config/env \ - --label-file={{ matrix_element_call_base_path }}/config/jwt-service-labels \ + --env-file={{ matrix_jwt_service_base_path }}/env \ + --label-file={{ matrix_jwt_service_base_path }}/labels \ {{ matrix_jwt_service_image }} -{% for network in matrix_element_call_container_additional_networks %} +{% for network in matrix_jwt_service_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service {% endfor %} 
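Review bot: labels.j2 opens with `{% if matrix_element_call_container_labels_traefik_enabled %}` instead of `matrix_jwt_service_container_labels_traefik_enabled`, so the JWT service's Traefik labels are governed by the Element Call role's toggle and vanish if that role is disabled independently. In the renamed unit, `-p {{ matrix_jwt_service_port }}:8080` publishes the service on the host unconditionally, which opens a plain-HTTP path that bypasses Traefik's TLS and the response-header middleware assembled above; make it conditional the way the Element Call unit does (`{% if matrix_element_call_container_http_host_bind_port %} -p ... {% endif %}`) and default the bind port to empty, since the Traefik route already reaches the container over `matrix_jwt_service_container_network`.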
diff --git a/roles/custom/matrix-livekit/defaults/main.yml b/roles/custom/matrix-livekit/defaults/main.yml new file mode 100644 index 00000000000..73ee72f6b66 --- /dev/null +++ b/roles/custom/matrix-livekit/defaults/main.yml 
@@ -0,0 +1,119 @@ +--- +# Enable or disable matrix-livekit-server deployment +matrix_livekit_server_enabled: false + +# Base path configuration +matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" +matrix_livekit_server_config_path: "{{ matrix_livekit_server_base_path }}/config" +matrix_livekit_server_backend_path: "{{ matrix_livekit_server_base_path }}/backend" +matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" +element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" + +# Docker network configuration +matrix_livekit_server_container_network: '' +matrix_livekit_server_container_http_host_bind_port: '' +matrix_livekit_server_container_additional_networks: [] # No additional networks by default + +# Docker images +matrix_livekit_server_image: "livekit/livekit-server:latest" + +# LiveKit configuration +matrix_livekit_server_livekit_server_dev_key: "{{ matrix_livekit_server_dev_key }}" # Must be defined in host_vars +matrix_livekit_server_jwt_secret: "{{ matrix_element_call_jwt_secret }}" # Must be defined in host_vars +matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" + +# Traefik Configuration for Element Call +matrix_livekit_server_container_labels_traefik_enabled: true +matrix_livekit_server_container_labels_traefik_docker_network: "{{ matrix_livekit_server_container_network }}" +matrix_livekit_server_container_labels_traefik_hostname: "{{ matrix_livekit_server_domain }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/element`). 
+matrix_livekit_server_container_labels_traefik_path_prefix: "{{ matrix_livekit_server_path_prefix }}" +matrix_livekit_server_container_labels_traefik_rule: "Host(`{{ matrix_livekit_server_container_labels_traefik_hostname }}`){% if matrix_livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_server_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_livekit_server_container_labels_traefik_priority: 0 +matrix_livekit_server_container_labels_traefik_entrypoints: web-secure +matrix_livekit_server_container_labels_traefik_tls: "{{ matrix_livekit_server_container_labels_traefik_entrypoints != 'web' }}" +matrix_livekit_server_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom` +matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" +matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': 
matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) + }} +matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_livekit_server_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_livekit_server_container_extra_arguments: [] + +# Additional environment variables for the container +matrix_livekit_server_environment_variables_additional: {} + +# List of systemd services that matrix-element-call.service depends on +matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_livekit_server_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +matrix_livekit_server_http_header_frame_options: SAMEORIGIN + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_livekit_server_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permission-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy +matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. 
+# See: `matrix_livekit_server_content_permission_policy` +matrix_livekit_server_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_livekit_server_http_header_strict_transport_security` +matrix_livekit_server_hsts_preload_enabled: false \ No newline at end of file diff --git a/roles/custom/matrix-livekit/tasks/install.yml b/roles/custom/matrix-livekit/tasks/install.yml new file mode 100644 index 00000000000..cccb89deb4a --- /dev/null +++ b/roles/custom/matrix-livekit/tasks/install.yml 
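Review bot: several variables in this defaults file do not line up with the templates that consume them, so the role cannot render as written: the key is defined as `matrix_livekit_server_livekit_server_dev_key` (derived from an undefined `matrix_livekit_server_dev_key`) while livekit.yaml.j2 reads `matrix_livekit_server_livekit_dev_key`; the Traefik hostname is `{{ matrix_livekit_server_domain }}` and the path prefix `{{ matrix_livekit_server_path_prefix }}`, neither defined here, although `matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}"` is; and the image is `matrix_livekit_server_image` while the systemd unit runs `{{ matrix_livekit_image }}`. Pick one name per concept and wire the templates to it. `livekit/livekit-server:latest` is a floating tag; pin a version as the rest of the playbook does, because an unreviewed upgrade of an internet-facing SFU should not happen silently on the next playbook run. `matrix_homeserver_config_path` and `element_web_config_path` are unprefixed, hard-code the Synapse layout, and belong to other roles; drop them from this role or prefix them. The same copied comments as in the JWT role apply here (the `matrix_client_element_...` example, "matrix-element-call.service depends on", the nonexistent `matrix_livekit_server_content_permission_policy`), and the `'Permission-Policy'` key in `..._additional_response_headers_auto` should be `Permissions-Policy`, otherwise browsers ignore the header.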
@@ -0,0 +1,47 @@ +--- +# roles/custom/matrix-livekit-server/tasks/install.yml + +# Ensure Required Directories Exist +- name: Ensure matrix-livekit-server paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_livekit_server_base_path }}" + +# Ensure Configuration Files are in Place +- name: Ensure LiveKit livekit.yaml is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/livekit.yaml.j2" + dest: "{{ matrix_livekit_server_base_path }}/livekit.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure LiveKit labels file is in place + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_livekit_server_base_path }}/labels" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +# Ensure Docker Images are Pulled +- name: Ensure livekit Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_livekit_server_image }}" + source: pull + register: livekit_image_result + retries: 3 + delay: 10 + until: livekit_image_result is not failed + +# Systemd Services for LiveKit +- name: Ensure livekit systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-livekit-server.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" + mode: 0644 \ No newline at end of file diff --git a/roles/custom/matrix-livekit/tasks/main.yml b/roles/custom/matrix-livekit/tasks/main.yml new file mode 100644 index 00000000000..255906c75f5 --- /dev/null +++ b/roles/custom/matrix-livekit/tasks/main.yml 
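Review bot: the unit file is written to `matrix-livekit.service`, but the template is `matrix-livekit-server.service.j2`, the container it creates is `matrix-livekit-server`, and uninstall.yml removes `matrix-livekit-server.service`; with this mismatch the uninstall path leaves the unit behind. Use `matrix-livekit-server.service` consistently. The pull task fetches `matrix_livekit_server_image` while the unit runs `matrix_livekit_image`, so the image actually started is not the one pulled and may not be present on the host. As in the JWT role, the retries should use `devture_playbook_help_container_retries_count` / `_delay` rather than the literals `3` / `10`.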
@@ -0,0 +1,21 @@ +--- +# Main task file for matrix-livekit-server + +- tags: + - setup-all + - setup-livekit-server + - install-all + - install-livekit-server + block: + - when: matrix_livekit_server_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_livekit_server_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- tags: + - setup-all + - setup-livekit-server + block: + - when: not matrix_livekit_server_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-livekit/tasks/uninstall.yml b/roles/custom/matrix-livekit/tasks/uninstall.yml new file mode 100644 index 00000000000..371db5c8398 --- /dev/null +++ b/roles/custom/matrix-livekit/tasks/uninstall.yml @@ -0,0 +1,21 @@ +--- +# Uninstall tasks for matrix-livekit-server + +- name: Stop and remove livekit container + community.docker.docker_container: + name: "matrix-livekit-server" + state: absent + +- name: Remove livekit systemd service + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service" + state: absent + +- name: Remove matrix-livekit-server configuration files + ansible.builtin.file: + path: "{{ matrix_livekit_serverbase_path }}" + state: absent + +- name: Reload systemd daemon + ansible.builtin.systemd: + daemon_reload: true diff --git a/roles/custom/matrix-livekit/tasks/validate_config.yml b/roles/custom/matrix-livekit/tasks/validate_config.yml new file mode 100644 index 00000000000..55252431876 --- /dev/null +++ b/roles/custom/matrix-livekit/tasks/validate_config.yml 
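Review bot: uninstall.yml references `matrix_livekit_serverbase_path` (missing underscore), which is undefined and fails the "Remove matrix-livekit-server configuration files" task; this deserves care because the task runs `state: absent` on a directory, so a typo that happened to resolve to a broader path would delete far more than the role's data. As with the JWT role, stop and disable the systemd unit before removing the container, otherwise `Restart=always` recreates it; and the unit name removed here (`matrix-livekit-server.service`) must match the one install.yml writes (`matrix-livekit.service`).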
@@ -0,0 +1,13 @@ +--- +# Validate configuration for matrix-livekit-server + +- name: Fail if required matrix-livekit-server settings are not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_livekit_server_base_path', when: true} + - {'name': 'matrix_livekit_server_container_network', when: true} + - {'name': 'matrix_livekit_server_image', when: true} + - {'name': 'matrix_livekit_image', when: true} diff --git a/roles/custom/matrix-livekit/templates/labels.j2 b/roles/custom/matrix-livekit/templates/labels.j2 new file mode 100644 index 00000000000..c41b7ed013e --- /dev/null +++ b/roles/custom/matrix-livekit/templates/labels.j2 
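Review bot: validate_config.yml requires both `matrix_livekit_server_image` and `matrix_livekit_image`, a symptom of the two image variables in this role; settle on `matrix_livekit_server_image` and drop the other. The check that matters most is missing: the API key secret that livekit.yaml.j2 writes under `keys:` is never validated as non-empty. Add the dev-key variable (whichever name the role settles on) to this list with `when: true` so a missing secret fails the run instead of producing a LiveKit config with an empty key.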
@@ -0,0 +1,46 @@ +{% if matrix_livekit_server_container_labels_traefik_enabled %} +traefik.enable=true + +# Network configuration for Traefik +{% if matrix_livekit_server_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_livekit_server_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-livekit-server.loadbalancer.server.port=7880 + +{% set middlewares = [] %} + +# Path prefix handling for Livekit +{% if matrix_livekit_server_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.regex=({{ matrix_livekit_server_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-livekit-server-slashless-redirect'] %} + +traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes={{ matrix_livekit_server_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %} +{% endif %} + +{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }} +{% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-livekit-server.priority={{ matrix_livekit_server_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.matrix-livekit-server.service=matrix-livekit-server +{% if middlewares | length > 0 %} 
+traefik.http.routers.matrix-livekit-server.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.matrix-livekit-server.entrypoints={{ matrix_livekit_server_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-livekit-server.tls={{ matrix_livekit_server_container_labels_traefik_tls | to_json }} +{% if matrix_livekit_server_container_labels_traefik_tls %} +traefik.http.routers.matrix-livekit-server.tls.certResolver={{ matrix_livekit_server_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_livekit_server_container_labels_additional_labels }} diff --git a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit/templates/livekit.yaml.j2 similarity index 83% rename from roles/custom/matrix-element-call/templates/livekit.yaml.j2 rename to roles/custom/matrix-livekit/templates/livekit.yaml.j2 index 384cf372239..f8e2ad0c2d6 100644 --- a/roles/custom/matrix-element-call/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-livekit/templates/livekit.yaml.j2 @@ -17,4 +17,4 @@ turn: external_tls: true keys: - devkey: "{{ matrix_element_call_livekit_dev_key }}" + devkey: "{{ matrix_livekit_server_livekit_dev_key }}" diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 b/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 similarity index 71% rename from roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 rename to roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 index 4b7f3ea8ac7..0f416c82def 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-livekit.service.j2 +++ b/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 
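Review bot: the Traefik labels route `matrix-livekit-server` to port 7880 through `traefik.docker.network`, but the unit below starts the container with `--network=host`. A host-network container has no address on the named docker network, so Traefik's docker provider cannot reach it that way (Traefik v2 falls back to `host.docker.internal` and then 127.0.0.1, which from inside a bridged Traefik container is Traefik itself; verify against the Traefik version in use). Either run LiveKit on the container network and publish only the RTC/TURN ports on the host, or define the Traefik service explicitly with the host address and drop the `traefik.docker.network` label. The livekit.yaml.j2 rename changes the key to `{{ matrix_livekit_server_livekit_dev_key }}`, which this role's defaults do not define (they define `matrix_livekit_server_livekit_server_dev_key`), so templating fails until the names agree. The browser-hardening headers (`X-Frame-Options`, the `frame-ancestors` CSP, `X-XSS-Protection`) are harmless on a WebSocket/SFU endpoint but do nothing useful there; keeping them is fine, just do not count them as a control.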
@@ -1,33 +1,33 @@ [Unit] -Description=Matrix LiveKit Service +Description=Matrix LiveKit Server After=docker.service Requires=docker.service [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-server 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-server 2>/dev/null || true' ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ - --name=matrix-livekit \ + --name=matrix-livekit-server \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network=host \ - --mount type=bind,src={{ matrix_element_call_backend_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ - --label-file={{ matrix_element_call_base_path }}/config/livekit-labels \ + --mount type=bind,src={{ matrix_livekit_server_base_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ + --label-file={{ matrix_livekit_server_base_path }}/labels \ {{ matrix_livekit_image }} \ --dev --config /etc/livekit.yaml -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-server -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ 
devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-server 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-server 2>/dev/null || true' Restart=always RestartSec=30 -SyslogIdentifier=matrix-livekit +SyslogIdentifier=matrix-livekit-server [Install] WantedBy=multi-user.target From e952ba1c3a0c4db903a1b595c5ce1804ae2db636 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 22:35:59 +1000 Subject: [PATCH 080/148] removed duplicate tasks. --- .../matrix-element-call/tasks/install.yml | 69 +------------------ .../matrix-element-call/tasks/uninstall.yml | 20 ------ .../tasks/validate_config.yml | 4 -- .../systemd/matrix-element-call.service.j2 | 2 +- 4 files changed, 3 insertions(+), 92 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 48719f413bb..cd0612fce32 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
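Review bot: the container is started with `--dev --config /etc/livekit.yaml`; `--dev` is LiveKit's development mode (debug logging, the `/debug/pprof` endpoint, and development defaults for keys) and should not ship in a production unit; pass only `--config`. The unit also runs `{{ matrix_livekit_image }}` while the defaults and pull task use `matrix_livekit_server_image`, and hard-codes `After=docker.service` / `Requires=docker.service` instead of iterating `matrix_livekit_server_systemd_required_services_list`, which the defaults define for exactly this purpose (the docker service name is configurable through `devture_systemd_docker_base_docker_service_name`). `--cap-drop=ALL` together with `--user` is the right posture; keep it when the networking is reworked.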
@@ -11,24 +11,13 @@ group: "{{ matrix_user_groupname }}" with_items: - path: "{{ matrix_element_call_base_path }}" - - path: "{{ matrix_element_call_base_path }}/data" - - path: "{{ matrix_element_call_base_path }}/config" - - path: "{{ matrix_element_call_base_path }}/backend" # For LiveKit and Redis config - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element" # Directory for element.json # Ensure Configuration Files are in Place - name: Ensure Element Call config.json is in place ansible.builtin.template: src: "{{ role_path }}/templates/config.json.j2" - dest: "{{ matrix_element_call_base_path }}/config/config.json" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure LiveKit livekit.yaml is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/livekit.yaml.j2" - dest: "{{ matrix_element_call_base_path }}/backend/livekit.yaml" + dest: "{{ matrix_element_call_base_path }}/config.json" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" 
@@ -41,34 +30,10 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure matrix-element-call environment file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_element_call_base_path }}/config/env" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/element-call-labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/element-call-labels" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure LiveKit labels file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/livekit-labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/livekit-labels" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure JWT Service labels file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/jwt-service-labels.j2" - dest: "{{ matrix_element_call_base_path }}/config/jwt-service-labels" + dest: "{{ matrix_element_call_base_path }}/element-call-labels" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" 
@@ -84,24 +49,6 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: element_call_image_result is not failed -- name: Ensure jwt-service Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jwt_service_image }}" - source: pull - register: jwt_image_result - retries: 3 - delay: 10 - until: jwt_image_result is not failed - -- name: Ensure livekit Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_livekit_image }}" - source: pull - register: livekit_image_result - retries: 3 - delay: 10 - until: livekit_image_result is not failed - - name: Ensure redis Docker image is pulled community.docker.docker_image: name: "{{ redis_image }}" @@ -119,18 +66,6 @@ dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" mode: 0644 -- name: Ensure jwt-service systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" - mode: 0644 - -- name: Ensure livekit systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-livekit.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" - mode: 0644 - - name: Ensure redis systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml index d9a77415fb5..d137136c24c 100644 --- a/roles/custom/matrix-element-call/tasks/uninstall.yml +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml 
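Review bot: removing the `config` and `backend` directories from the paths list is the right cleanup now that LiveKit and the JWT service have their own roles, but the Redis pieces that stay in this role (the `redis_image` pull and the `matrix-redis.service` template still visible here) need checking for references to those removed directories; the later commit "fixed config file placement", which touches `matrix-redis.service.j2`, suggests at least one was missed, so grep the role for `/config/` and `/backend/` before merging. The surviving Element Call pull task correctly uses `devture_playbook_help_container_retries_delay`; the other pull tasks in this series should follow it.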
@@ -6,16 +6,6 @@ name: "matrix-element-call" state: absent -- name: Stop and remove jwt-service container - community.docker.docker_container: - name: "matrix-jwt-service" - state: absent - -- name: Stop and remove livekit container - community.docker.docker_container: - name: "matrix-livekit" - state: absent - - name: Stop and remove redis container community.docker.docker_container: name: "matrix-redis" @@ -26,16 +16,6 @@ path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" state: absent -- name: Remove jwt-service systemd service - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" - state: absent - -- name: Remove livekit systemd service - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" - state: absent - - name: Remove redis systemd service ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 7760cb94e01..5c00dcc9224 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -10,8 +10,4 @@ - {'name': 'matrix_element_call_base_path', when: true} - {'name': 'matrix_element_call_container_network', when: true} - {'name': 'matrix_element_call_image', when: true} - - {'name': 'matrix_jwt_service_image', when: true} - - {'name': 'matrix_livekit_image', when: true} - {'name': 'redis_image', when: true} - - {'name': 'matrix_element_call_livekit_dev_key', when: true} - - {'name': 'matrix_jwt_service_url', when: true} diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 6048f9e4d4f..b9e2c315b4f 100644 
--- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% if matrix_element_call_container_http_host_bind_port %} -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \ {% endif %} - --label-file={{ matrix_element_call_base_path }}/config/element-call-labels \ + --label-file={{ matrix_element_call_base_path }}/element-call-labels \ {% for arg in matrix_element_call_container_extra_arguments %} {{ arg }} \ {% endfor %} From 3de399025f550973b04baeb6b66d062a16e1b884 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 22:41:36 +1000 Subject: [PATCH 081/148] hard coded redis port. --- roles/custom/matrix-element-call/templates/redis.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/redis.conf.j2 b/roles/custom/matrix-element-call/templates/redis.conf.j2 index 9935720964a..32a39f7be80 100644 --- a/roles/custom/matrix-element-call/templates/redis.conf.j2 +++ b/roles/custom/matrix-element-call/templates/redis.conf.j2 @@ -1,5 +1,5 @@ bind 0.0.0.0 protected-mode yes -port {{ matrix_element_call_redis_port }} +port 6379 timeout 0 tcp-keepalive 300 From 58a9642e8c33fe87da03bd4db911d5569e22523b Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 22:45:56 +1000 Subject: [PATCH 082/148] fixed config file placement. --- .../templates/systemd/matrix-redis.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 index 5cccced1664..f65b0c76604 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 
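Review bot: hard-coding `port 6379` in redis.conf.j2 leaves `redis_port: "6379"` in `defaults/main.yml` (still there until PATCH 090 deletes it) as a dead variable; either reference it (`port {{ redis_port }}`) or remove it in the same commit. The surrounding lines are the larger concern: `bind 0.0.0.0` together with the empty `redis_password` default means any container on `matrix_element_call_container_network` can issue commands unauthenticated, and `protected-mode yes` does not help here, because Redis only enforces protected mode when no explicit `bind` address is configured and no password is set. Set `requirepass` from a generated secret, or keep the container on a network that only the consumer of this Redis can reach.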
+++ b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 @@ -16,7 +16,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_element_call_container_network }} \ - --mount type=bind,src={{ matrix_element_call_backend_path }}/redis.conf,dst=/etc/redis.conf,ro \ + --mount type=bind,src={{ matrix_element_call_base_path }}/redis.conf,dst=/etc/redis.conf,ro \ {{ redis_image }} \ redis-server /etc/redis.conf From 71dff50a65ccd00a328f1f6f068889bb2d6bc205 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 22:53:21 +1000 Subject: [PATCH 083/148] fixed livekit service name --- roles/custom/matrix-livekit/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit/tasks/install.yml b/roles/custom/matrix-livekit/tasks/install.yml index cccb89deb4a..8e859565b07 100644 --- a/roles/custom/matrix-livekit/tasks/install.yml +++ b/roles/custom/matrix-livekit/tasks/install.yml @@ -43,5 +43,5 @@ - name: Ensure livekit systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-livekit-server.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit.service" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service" mode: 0644 \ No newline at end of file From 8cb7deff15e585571f69dfc3e7de63ce96b9c9c8 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Mon, 30 Sep 2024 23:04:10 +1000 Subject: [PATCH 084/148] cleaned up old services again --- roles/custom/matrix-livekit/defaults/main.yml | 4 ---- .../templates/systemd/matrix-livekit-server.service.j2 | 1 + 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/custom/matrix-livekit/defaults/main.yml b/roles/custom/matrix-livekit/defaults/main.yml index 73ee72f6b66..2a549df767d 100644 --- a/roles/custom/matrix-livekit/defaults/main.yml 
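Review bot: the corrected mount source `{{ matrix_element_call_base_path }}/redis.conf` still does not match where install.yml writes the file: the `Ensure Redis redis.conf is in place` task (visible in the removal hunk of PATCH 090) templates it to `{{ matrix_element_call_base_path }}/backend/redis.conf`, and `--mount type=bind` does not create a missing source, so `docker create` will fail. Pick one path and use it in both the task and the unit. On the PATCH 083 rename, `matrix-livekit-server.service` now matches the `devture_systemd_service_manager_services_list_auto` entry, but the `No newline at end of file` marker shows install.yml lost its trailing newline; restore it.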
+++ b/roles/custom/matrix-livekit/defaults/main.yml @@ -4,10 +4,6 @@ matrix_livekit_server_enabled: false # Base path configuration matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" -matrix_livekit_server_config_path: "{{ matrix_livekit_server_base_path }}/config" -matrix_livekit_server_backend_path: "{{ matrix_livekit_server_base_path }}/backend" -matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" -element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" # Docker network configuration matrix_livekit_server_container_network: '' diff --git a/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 index 0f416c82def..b28739ac439 100644 --- a/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 +++ b/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix LiveKit Server After=docker.service From 97f93ebd76d984e80c398161335d036f40e1e280 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Tue, 1 Oct 2024 09:31:42 +1000 Subject: [PATCH 085/148] renamed the livekit role and added livekit-server and jwt-service roles to the setup file. --- .../{matrix-livekit => matrix-livekit-server}/defaults/main.yml | 0 .../{matrix-livekit => matrix-livekit-server}/tasks/install.yml | 0 .../{matrix-livekit => matrix-livekit-server}/tasks/main.yml | 0 .../tasks/uninstall.yml | 0 .../tasks/validate_config.yml | 0 .../templates/labels.j2 | 0 .../templates/livekit.yaml.j2 | 0 .../templates/systemd/matrix-livekit-server.service.j2 | 0 setup.yml | 2 ++ 9 files changed, 2 insertions(+) rename roles/custom/{matrix-livekit => matrix-livekit-server}/defaults/main.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/tasks/install.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/tasks/main.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/tasks/uninstall.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/tasks/validate_config.yml (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/templates/labels.j2 (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/templates/livekit.yaml.j2 (100%) rename roles/custom/{matrix-livekit => matrix-livekit-server}/templates/systemd/matrix-livekit-server.service.j2 (100%) diff --git a/roles/custom/matrix-livekit/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml similarity index 100% rename from roles/custom/matrix-livekit/defaults/main.yml rename to roles/custom/matrix-livekit-server/defaults/main.yml diff --git a/roles/custom/matrix-livekit/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml similarity index 100% rename from roles/custom/matrix-livekit/tasks/install.yml rename to roles/custom/matrix-livekit-server/tasks/install.yml 
diff --git a/roles/custom/matrix-livekit/tasks/main.yml b/roles/custom/matrix-livekit-server/tasks/main.yml similarity index 100% rename from roles/custom/matrix-livekit/tasks/main.yml rename to roles/custom/matrix-livekit-server/tasks/main.yml diff --git a/roles/custom/matrix-livekit/tasks/uninstall.yml b/roles/custom/matrix-livekit-server/tasks/uninstall.yml similarity index 100% rename from roles/custom/matrix-livekit/tasks/uninstall.yml rename to roles/custom/matrix-livekit-server/tasks/uninstall.yml diff --git a/roles/custom/matrix-livekit/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml similarity index 100% rename from roles/custom/matrix-livekit/tasks/validate_config.yml rename to roles/custom/matrix-livekit-server/tasks/validate_config.yml diff --git a/roles/custom/matrix-livekit/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 similarity index 100% rename from roles/custom/matrix-livekit/templates/labels.j2 rename to roles/custom/matrix-livekit-server/templates/labels.j2 diff --git a/roles/custom/matrix-livekit/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 similarity index 100% rename from roles/custom/matrix-livekit/templates/livekit.yaml.j2 rename to roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 diff --git a/roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 similarity index 100% rename from roles/custom/matrix-livekit/templates/systemd/matrix-livekit-server.service.j2 rename to roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 diff --git a/setup.yml b/setup.yml index cbc3e1673b3..8055b46bacf 100644 --- a/setup.yml +++ b/setup.yml 
@@ -131,6 +131,8 @@ - custom/matrix-media-repo - custom/matrix-pantalaimon - custom/matrix-element-call + - custom/matrix-livekit-server + - custom/matrix-jwt-service - role: galaxy/postgres_backup From b7b8ed573b9a56034785e17f232c707524fe4f16 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 09:48:44 +1000 Subject: [PATCH 086/148] typo in livekit-server validate. --- roles/custom/matrix-livekit-server/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index 55252431876..7fdfa051118 100644 --- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -10,4 +10,4 @@ - {'name': 'matrix_livekit_server_base_path', when: true} - {'name': 'matrix_livekit_server_container_network', when: true} - {'name': 'matrix_livekit_server_image', when: true} - - {'name': 'matrix_livekit_image', when: true} + - {'name': 'matrix_livekit_server_image', when: true} From 812b57cfaa81d19b959bc13919abcba4c88b5336 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 09:54:02 +1000 Subject: [PATCH 087/148] resolved missing key. --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1739f54ddad..c9769701121 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
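Review bot: the validate_config change makes `matrix_livekit_server_image` appear twice in the required-variable list (the line above already has it), so this commit only adds a duplicate entry; drop one of them. What the list is still missing is the secret: `matrix_livekit_server_livekit_dev_key` (wired from `matrix_livekit_server_dev_key` in group_vars in the next commit) is what the JWT service signs LiveKit tokens with, and the element-call role used to validate its equivalent (`matrix_element_call_livekit_dev_key`, dropped in the validate_config hunk earlier in this series); add it here so a deployment without a configured secret fails at validation instead of starting with an empty key.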
@@ -5937,7 +5937,7 @@ matrix_livekit_server_container_labels_traefik_entrypoints: "{{ devture_traefik_ matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" # LiveKit Service Configuration -matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_dev_key }}" # LiveKit dev key +matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # LiveKit dev key ######################################################################## # # From fd2f505b34092a8f0267023b9f6ac9c41308f1f9 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 10:00:30 +1000 Subject: [PATCH 088/148] Fixed typo in livekit server hostname --- roles/custom/matrix-livekit-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 2a549df767d..5b8edc5c279 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
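Review bot: `matrix_livekit_server_dev_key` is referenced here but defined nowhere in this series, so the role depends on an operator-supplied variable whose name suggests a development value. Name it for what it is, the LiveKit API secret (for example `matrix_livekit_server_api_secret`), and document in the role's defaults that it must be generated per deployment rather than copied from an example.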
@@ -21,7 +21,7 @@ matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" # Traefik Configuration for Element Call matrix_livekit_server_container_labels_traefik_enabled: true matrix_livekit_server_container_labels_traefik_docker_network: "{{ matrix_livekit_server_container_network }}" -matrix_livekit_server_container_labels_traefik_hostname: "{{ matrix_livekit_server_domain }}" +matrix_livekit_server_container_labels_traefik_hostname: "{{ matrix_livekit_server_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/element`). matrix_livekit_server_container_labels_traefik_path_prefix: "{{ matrix_livekit_server_path_prefix }}" matrix_livekit_server_container_labels_traefik_rule: "Host(`{{ matrix_livekit_server_container_labels_traefik_hostname }}`){% if matrix_livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_server_container_labels_traefik_path_prefix }}`){% endif %}" From 7cdec5f2513c5c31d018c41468065f766fdbea57 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 10:17:34 +1000 Subject: [PATCH 089/148] fixed type in livekit image --- .../templates/systemd/matrix-livekit-server.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 index b28739ac439..30505a2dc3e 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 
@@ -19,7 +19,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --network=host \ --mount type=bind,src={{ matrix_livekit_server_base_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ --label-file={{ matrix_livekit_server_base_path }}/labels \ - {{ matrix_livekit_image }} \ + {{ matrix_livekit_server_image }} \ --dev --config /etc/livekit.yaml ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-server From d5aabc85be569354dc99f967ba3c397e371880ac Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 10:41:30 +1000 Subject: [PATCH 090/148] removed redis images in favor of the inbuilt keyDB --- group_vars/matrix_servers | 2 -- .../matrix-element-call/defaults/main.yml | 7 ---- .../matrix-element-call/tasks/install.yml | 26 +-------------- .../matrix-element-call/tasks/uninstall.yml | 10 ------ .../tasks/validate_config.yml | 1 - .../templates/redis.conf.j2 | 5 --- .../templates/systemd/matrix-redis.service.j2 | 32 ------------------- 7 files changed, 1 insertion(+), 82 deletions(-) delete mode 100644 roles/custom/matrix-element-call/templates/redis.conf.j2 delete mode 100644 roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c9769701121..6728825fa84 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
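Review bot: beyond the image-name fix, the `docker create` in this hunk starts livekit-server with `--dev` and `--network=host`. `--dev` is LiveKit's development mode (debug logging and, per the CLI help, the built-in `devkey`/`secret` API key pair) and should not be the default for a unit that terminates real calls; the keys belong in `livekit.yaml`, which is already mounted. Host networking is defensible for the WebRTC UDP port range, but it also exposes the HTTP/WebSocket API on every host interface rather than only behind Traefik, so the role should document which ports the SFU opens and either restrict the API bind address in `livekit.yaml` or state that the host firewall has to do it.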
@@ -439,8 +439,6 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-livekit-server.service', 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if matrix_livekit_server_enabled else []) + - ([{'name': 'matrix-redis.service', 'priority': 450, 'groups': ['matrix', 'redis']}] if matrix_element_call_enabled else []) - + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else []) + ([{'name': 'matrix-sliding-sync.service', 'priority': 1500, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else []) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index eb7652b1a70..393863ad5e6 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -14,11 +14,9 @@ matrix_element_call_container_additional_networks: [] # No additional networks # Docker images matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" -redis_image: "redis:6-alpine" # Ports matrix_element_call_port: "8093" -redis_port: "6379" # Well-known paths and domains (derived from matrix_domain) matrix_element_call_domain: "call.{{ matrix_domain }}" @@ -26,11 +24,6 @@ matrix_element_call_well_known_client_path: "{{ matrix_base_data_path }}/static- matrix_element_call_well_known_element_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element/element.json" matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" -# Redis Configuration for Element Call -redis_hostname: "localhost" -#redis_port: 6379 -redis_password: "" - # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}" 
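Review bot: the defaults hunk keeps `matrix_element_call_image: "ghcr.io/element-hq/element-call:latest"`; a floating `latest` tag means every playbook run can silently pull a different build, and there is nothing to roll back to. Split it into a `matrix_element_call_version` plus an image template, the way `matrix_jwt_service_version` / `matrix_jwt_service_container_image` are done later in this series, and pin the default to a release tag.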
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index cd0612fce32..266a9407bb7 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -22,14 +22,6 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure Redis redis.conf is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/redis.conf.j2" - dest: "{{ matrix_element_call_base_path }}/backend/redis.conf" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/element-call-labels.j2" @@ -49,29 +41,13 @@ delay: "{{ devture_playbook_help_container_retries_delay }}" until: element_call_image_result is not failed -- name: Ensure redis Docker image is pulled - community.docker.docker_image: - name: "{{ redis_image }}" - source: pull - register: redis_image_result - retries: 3 - delay: 10 - until: redis_image_result is not failed - -# Systemd Services for Element Call, JWT Service, LiveKit, and Redis - +# Systemd Services for Element Call - name: Ensure matrix-element-call systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" mode: 0644 -- name: Ensure redis systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - mode: 0644 - # Update homeserver.yaml for Element Call - name: Add listeners section for Element Call to homeserver.yaml ansible.builtin.blockinfile: 
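Review bot: the tail of this hunk shows the role editing `homeserver.yaml` with `blockinfile`. If, as elsewhere in this playbook, that file is templated by the Synapse role, the inserted listeners block is lost on the next run that re-templates it, and the edit sidesteps whatever validation the owning role applies; pass the listener configuration through the homeserver role's own variables instead of patching its output. The same applies to the `.well-known` and Element Web config edits this role performs.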
diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml index d137136c24c..184f88ac2b5 100644 --- a/roles/custom/matrix-element-call/tasks/uninstall.yml +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml @@ -6,21 +6,11 @@ name: "matrix-element-call" state: absent -- name: Stop and remove redis container - community.docker.docker_container: - name: "matrix-redis" - state: absent - - name: Remove matrix-element-call systemd service ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" state: absent -- name: Remove redis systemd service - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-redis.service" - state: absent - - name: Remove matrix-element-call configuration files ansible.builtin.file: path: "{{ matrix_element_call_base_path }}" diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 5c00dcc9224..084e510d6cc 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -10,4 +10,3 @@ - {'name': 'matrix_element_call_base_path', when: true} - {'name': 'matrix_element_call_container_network', when: true} - {'name': 'matrix_element_call_image', when: true} - - {'name': 'redis_image', when: true} diff --git a/roles/custom/matrix-element-call/templates/redis.conf.j2 b/roles/custom/matrix-element-call/templates/redis.conf.j2 deleted file mode 100644 index 32a39f7be80..00000000000 --- a/roles/custom/matrix-element-call/templates/redis.conf.j2 +++ /dev/null @@ -1,5 +0,0 @@ -bind 0.0.0.0 -protected-mode yes -port 6379 -timeout 0 -tcp-keepalive 300 
diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 deleted file mode 100644 index f65b0c76604..00000000000 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-redis.service.j2 +++ /dev/null @@ -1,32 +0,0 @@ -[Unit] -Description=Matrix Redis Service -After=docker.service -Requires=docker.service - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-redis 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-redis 2>/dev/null || true' - -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-redis \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_element_call_container_network }} \ - --mount type=bind,src={{ matrix_element_call_base_path }}/redis.conf,dst=/etc/redis.conf,ro \ - {{ redis_image }} \ - redis-server /etc/redis.conf - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-redis - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-redis 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-redis 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-redis - -[Install] -WantedBy=multi-user.target From f98a505df82526e8acc4460eea45a41fd9293382 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Tue, 1 Oct 2024 11:00:56 +1000 Subject: [PATCH 091/148] changed jwt-service port label. --- roles/custom/matrix-jwt-service/templates/labels.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index b547e19524e..62e2755ce6c 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 @@ -6,7 +6,7 @@ traefik.enable=true traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080 +traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8881 {% set middlewares = [] %} From d53c2428b8cfb9da1a7e668802716fc4f2caaf6c Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 12:29:35 +1000 Subject: [PATCH 092/148] updated jwt hostname. --- group_vars/matrix_servers | 4 ++-- roles/custom/matrix-jwt-service/defaults/main.yml | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6728825fa84..ef138b1fea9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
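Review bot: `traefik.http.services.matrix-jwt-service.loadbalancer.server.port` has to be the port the process listens on inside the container, which the unit's `-p ...:8080` mapping shows is 8080; 8881 is the host-published port, and Traefik reaches the container over the Docker network, not through the host mapping. PATCH 094 reverts this, so the two commits cancel out and should be squashed rather than left in history.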
@@ -5953,9 +5953,9 @@ matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # matrix_jwt_service_enabled: false # Default is false; should be enabled in host_vars as needed matrix_jwt_service_version: "latest-ci" # Default version; can be overridden in host_vars matrix_jwt_service_scheme: "https" # Scheme for Element Call (e.g., https) -matrix_jwt_service_hostname: "lk-jwt-service" # Default hostname; should be overridden in host_vars if different +matrix_jwt_service_hostname: "{{ matrix_jwt_service_hostname }}" # Default hostname; should be overridden in host_vars if different matrix_jwt_service_path_prefix: "/" # Path prefix for Element Call -matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" # Base path for storing Element Call-related files +matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/matrix-jwt-service" # Base path for storing Element Call-related files matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}" matrix_jwt_service_container_image_name_prefix: ghcr.io/ matrix_jwt_service_container_image_registry_prefix: ghcr.io/ diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index cf087da877f..eef19f621a9 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml @@ -4,11 +4,10 @@ matrix_jwt_service_enabled: false # Base path configuration matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" -matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" # Docker network configuration matrix_jwt_service_container_network: '' -matrix_jwt_service_container_http_host_bind_port: '' +matrix_jwt_service_container_http_host_bind_port: '8881' matrix_jwt_service_container_additional_networks: [] # No additional networks by default # Docker images 
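Review bot: `matrix_jwt_service_hostname: "{{ matrix_jwt_service_hostname }}"` defines a variable in terms of itself, which Ansible rejects as a recursive loop (PATCH 093 fixes it; squash the two). Two more points in the same hunk: `matrix_jwt_service_version: "latest-ci"` pins to a moving CI tag rather than a release, and `matrix_jwt_service_base_path` is now `{{ matrix_base_data_path }}/matrix-jwt-service` in group_vars while the role's `defaults/main.yml` still says `{{ matrix_base_data_path }}/jwt-service`; the group_vars value wins, but the stale default will mislead anyone reading the role on its own.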
@@ -115,4 +114,4 @@ matrix_jwt_service_floc_optout_enabled: true # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_jwt_service_http_header_strict_transport_security` -matrix_jwt_service_hsts_preload_enabled: false \ No newline at end of file +matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file From dbbaae4fbebd1bdd06d20d7ddf6325aa347918a2 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 12:34:25 +1000 Subject: [PATCH 093/148] stopping the recursive loop --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ef138b1fea9..97c5e3b4106 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5953,7 +5953,7 @@ matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # matrix_jwt_service_enabled: false # Default is false; should be enabled in host_vars as needed matrix_jwt_service_version: "latest-ci" # Default version; can be overridden in host_vars matrix_jwt_service_scheme: "https" # Scheme for Element Call (e.g., https) -matrix_jwt_service_hostname: "{{ matrix_jwt_service_hostname }}" # Default hostname; should be overridden in host_vars if different +matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different matrix_jwt_service_path_prefix: "/" # Path prefix for Element Call matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/matrix-jwt-service" # Base path for storing Element Call-related files matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}" From 9864996aad36de6350c66095a4bb224ba022648b Mon Sep 17 00:00:00 2001 
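Review bot: defaulting `matrix_jwt_service_hsts_preload_enabled` to `true` opts every deployment into HSTS preloading, which the comment directly above describes as an opt-in and links to hstspreload.org for; once a domain is submitted, browsers keep it on the list for a long time, so a default of `true` takes that decision away from the operator. Keep the default at `false` and let hosts enable it explicitly.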
From: wjbeckett Date: Tue, 1 Oct 2024 12:46:37 +1000 Subject: [PATCH 094/148] adjusted jwt service ports for traefik --- roles/custom/matrix-jwt-service/defaults/main.yml | 2 +- roles/custom/matrix-jwt-service/templates/labels.j2 | 2 +- .../templates/systemd/matrix-jwt-service.service.j2 | 4 +++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index eef19f621a9..3496e55db78 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml @@ -7,7 +7,7 @@ matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" # Docker network configuration matrix_jwt_service_container_network: '' -matrix_jwt_service_container_http_host_bind_port: '8881' +matrix_jwt_service_container_http_host_bind_port: '' matrix_jwt_service_container_additional_networks: [] # No additional networks by default # Docker images diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index 62e2755ce6c..b547e19524e 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 @@ -6,7 +6,7 @@ traefik.enable=true traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8881 +traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080 {% set middlewares = [] %} diff --git a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 index 07c8ef1ed3c..bdf36635a73 100644 --- a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 
@@ -16,7 +16,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_jwt_service_container_network }} \ - -p {{ matrix_jwt_service_port }}:8080 \ + {% if matrix_jwt_service_container_http_host_bind_port %} + -p {{ matrix_jwt_service_container_http_host_bind_port }}:8080 \ + {% endif %} --env-file={{ matrix_jwt_service_base_path }}/env \ --label-file={{ matrix_jwt_service_base_path }}/labels \ {{ matrix_jwt_service_image }} From 5507fb3bab5fb89733f82715dfac67ff1457f99a Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 13:08:21 +1000 Subject: [PATCH 095/148] added element-call config.json to systemd file --- .../templates/systemd/matrix-element-call.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index b9e2c315b4f..791c62ddcd4 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -20,6 +20,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_element_call_container_network }} \ + --mount type=bind,src={{ matrix_element_call_base_path }}/config.json,dst=/app/config.json,ro \ {% if matrix_element_call_container_http_host_bind_port %} -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \ {% endif %} From e421852af5a0d571c9ef74e8c3cade58111d67ad Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 13:09:00 +1000 Subject: [PATCH 096/148] updated jwt bind port --- roles/custom/matrix-jwt-service/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
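Review bot: the `{% if %}` / `{% endif %}` lines in this hunk are indented by four spaces, but the unit template has no `#jinja2: lstrip_blocks: "True"` header (PATCH 084 added one to the livekit unit), so the indentation is rendered into the unit file. Harmless to systemd, but put the tags at column 0 or add the header so the unit renders cleanly and consistently with the other templates.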
diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index 3496e55db78..eef19f621a9 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml @@ -7,7 +7,7 @@ matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" # Docker network configuration matrix_jwt_service_container_network: '' -matrix_jwt_service_container_http_host_bind_port: '' +matrix_jwt_service_container_http_host_bind_port: '8881' matrix_jwt_service_container_additional_networks: [] # No additional networks by default # Docker images From 4acb025130278f2a8426b41f2ec4920f9d409ed4 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 13:35:53 +1000 Subject: [PATCH 097/148] testing livekit configuration --- roles/custom/matrix-jwt-service/templates/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-jwt-service/templates/env.j2 b/roles/custom/matrix-jwt-service/templates/env.j2 index 8034a9b33b5..4bb12aaf540 100644 --- a/roles/custom/matrix-jwt-service/templates/env.j2 +++ b/roles/custom/matrix-jwt-service/templates/env.j2 @@ -1,4 +1,4 @@ # Environment variables for JWT Service LIVEKIT_KEY=devkey LIVEKIT_URL=wss://{{ matrix_livekit_server_hostname }}:443 -LIVEKIT_SECRET={{ matrix_element_call_jwt_secret }} \ No newline at end of file +LIVEKIT_SECRET={{ matrix_livekit_server_dev_key }} \ No newline at end of file From 46109565e1235be5203df505d4a1455acd8be4a3 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 16:33:48 +1000 Subject: [PATCH 098/148] updated headers for each of the call services. --- .../custom/matrix-element-call/defaults/main.yml | 16 ++++++++-------- .../custom/matrix-jwt-service/defaults/main.yml | 14 +++++++------- .../matrix-livekit-server/defaults/main.yml | 16 ++++++++-------- .../templates/livekit.yaml.j2 | 2 +- 4 files changed, 24 insertions(+), 24 deletions(-) 
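Review bot: in the defaults hunk, `matrix_jwt_service_container_http_host_bind_port: '8881'` reverts the `''` set two commits earlier, and with the guarded `-p` in the unit this publishes the JWT service as plain HTTP on host port 8881 on all interfaces, next to the TLS-terminating Traefik route that the labels already provide. If the port is needed for local testing, default it to `127.0.0.1:8881` so only loopback is exposed, or keep the default empty and document the variable for users who deliberately bypass Traefik.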
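Review bot: in the env.j2 hunk, `LIVEKIT_SECRET` now comes from `matrix_livekit_server_dev_key` while `LIVEKIT_KEY=devkey` stays hardcoded, so the key id and the variable name both bake development naming into every deployment; the secret must also match the entry LiveKit has for the `devkey` key id in its own keys configuration, otherwise every token the JWT service mints is rejected. Make both the key id and the secret proper role variables that a validate_config check requires to be set, and since this env file carries the token-signing secret, render it with a restrictive mode (0640, owned by the matrix user) rather than the template module's default.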
diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 393863ad5e6..e627032715a 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -75,27 +75,27 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_element_call_http_header_xss_protection: "1; mode=block" +#matrix_element_call_http_header_xss_protection: "1; mode=block" # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -matrix_element_call_http_header_frame_options: SAMEORIGIN +#matrix_element_call_http_header_frame_options: SAMEORIGIN # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -matrix_element_call_http_header_content_type_options: nosniff +#matrix_element_call_http_header_content_type_options: nosniff # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' +#matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}" +#matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}" +#matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -106,7 +106,7 @@ matrix_element_call_http_header_strict_transport_security: "max-age=31536000; in # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_element_call_content_permission_policy` -matrix_element_call_floc_optout_enabled: true +#matrix_element_call_floc_optout_enabled: true # Controls if HSTS preloading is enabled # @@ -118,7 +118,7 @@ matrix_element_call_floc_optout_enabled: true # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_element_call_http_header_strict_transport_security` -matrix_element_call_hsts_preload_enabled: false +matrix_element_call_hsts_preload_enabled: true # Enable or disable metrics collection matrix_element_call_metrics_enabled: false diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index eef19f621a9..2d5fd90137e 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml 
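Review bot: in the defaults hunks, commenting out `matrix_element_call_http_header_xss_protection` and the other `matrix_element_call_http_header_*` values does not disable the headers; it removes variables that `matrix_element_call_container_labels_traefik_additional_response_headers_auto` in the same file still dereferences, so rendering fails with an undefined variable (the two follow-up commits that comment out ever more of the chain are a symptom of that). The existing `... if matrix_element_call_http_header_xss_protection else {}` guards already skip empty values, so set a header to `''` to drop it. Separately, `matrix_element_call_hsts_preload_enabled: true` is flipped in the same hunk while the `Strict-Transport-Security` value that consumes it is commented out, so it has no effect here, and `preload` should stay `false` by default: it tells browsers the domain is HSTS-preloaded, which is an opt-in the operator submits to hstspreload.org and cannot easily undo.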
@@ -71,27 +71,27 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_jwt_service_http_header_xss_protection: "1; mode=block" +#matrix_jwt_service_http_header_xss_protection: "1; mode=block" # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -matrix_jwt_service_http_header_frame_options: SAMEORIGIN +#matrix_jwt_service_http_header_frame_options: SAMEORIGIN # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -matrix_jwt_service_http_header_content_type_options: nosniff +#matrix_jwt_service_http_header_content_type_options: nosniff # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self' +#matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}" +#matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}" +#matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -102,7 +102,7 @@ matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; inc # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_jwt_service_content_permission_policy` -matrix_jwt_service_floc_optout_enabled: true +#matrix_jwt_service_floc_optout_enabled: true # Controls if HSTS preloading is enabled # diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 5b8edc5c279..662bc4e817c 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
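Review bot: the defaults hunks for matrix-jwt-service have the same problem as the matrix-element-call ones in this patch: `matrix_jwt_service_container_labels_traefik_additional_response_headers_auto` still references the `matrix_jwt_service_http_header_*` variables commented out here, so the role fails to render; set them to `''` instead. Note also that `matrix_jwt_service_hsts_preload_enabled` is left unchanged in this file while the element-call and livekit-server roles flip theirs to `true`, so the three call roles end up with different HSTS behaviour for no stated reason.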
@@ -69,27 +69,27 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_livekit_server_http_header_xss_protection: "1; mode=block" +#matrix_livekit_server_http_header_xss_protection: "1; mode=block" # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -matrix_livekit_server_http_header_frame_options: SAMEORIGIN +#matrix_livekit_server_http_header_frame_options: SAMEORIGIN # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -matrix_livekit_server_http_header_content_type_options: nosniff +#matrix_livekit_server_http_header_content_type_options: nosniff # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self' +#matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}" +#matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}" +#matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -100,7 +100,7 @@ matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_livekit_server_content_permission_policy` -matrix_livekit_server_floc_optout_enabled: true +#matrix_livekit_server_floc_optout_enabled: true # Controls if HSTS preloading is enabled # @@ -112,4 +112,4 @@ matrix_livekit_server_floc_optout_enabled: true # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_livekit_server_http_header_strict_transport_security` -matrix_livekit_server_hsts_preload_enabled: false \ No newline at end of file +matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 index f8e2ad0c2d6..492a12214b0 100644 --- a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 @@ -5,7 +5,7 @@ rtc: tcp_port: 7881 port_range_start: 50100 port_range_end: 50200 - use_external_ip: false + use_external_ip: true turn: enabled: false From 9691577b2239e894f9c8c1ae52f38b3c29802b80 Mon Sep 17 00:00:00 2001 
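Review bot: the matrix-livekit-server defaults hunks repeat the undefined-variable problem from the other two roles (`matrix_livekit_server_container_labels_traefik_additional_response_headers_auto` still references the commented-out `matrix_livekit_server_http_header_*` values) and flip `matrix_livekit_server_hsts_preload_enabled` to `true`; set the headers to `''` and leave preload `false`. The file also keeps ending in `\ No newline at end of file` across revisions; add the trailing newline.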
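Review bot: in the livekit.yaml.j2 hunk, `use_external_ip: true` makes LiveKit discover its public address via STUN and advertise it in ICE candidates, which a deployment behind NAT needs, but it only helps if `tcp_port: 7881` and the UDP range `50100` to `50200` shown in the context are actually reachable from outside: the container must publish those ports (or use host networking) and the firewall/NAT must forward them, none of which is visible in this series. With `turn: enabled: false` in the same file, clients that cannot reach those ports directly have no relay fallback, so either document the required port forwarding alongside this change or plan for a TURN server.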
From: wjbeckett Date: Tue, 1 Oct 2024 16:45:07 +1000 Subject: [PATCH 099/148] removed additional headers --- .../matrix-element-call/defaults/main.yml | 26 +++++++++---------- .../matrix-jwt-service/defaults/main.yml | 26 +++++++++---------- .../matrix-livekit-server/defaults/main.yml | 26 +++++++++---------- 3 files changed, 39 insertions(+), 39 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index e627032715a..d445e7ab42e 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml
@@ -38,18 +38,18 @@ matrix_element_call_container_labels_traefik_tls_certResolver: default # noqa v # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom` -matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" -matrix_element_call_container_labels_traefik_additional_response_headers_auto: | - {{ - {} - | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) - | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) - | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) - | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) - | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) - | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) - }} -matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} +#matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" 
+#matrix_element_call_container_labels_traefik_additional_response_headers_auto: | +# {{ +# {} +# | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) +# | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) +# | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) +# | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) +# | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) +# | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) +# }} +#matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. @@ -118,7 +118,7 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_element_call_http_header_strict_transport_security` -matrix_element_call_hsts_preload_enabled: true +#matrix_element_call_hsts_preload_enabled: true # Enable or disable metrics collection matrix_element_call_metrics_enabled: false diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index 2d5fd90137e..e688556f343 100644 
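Review bot: in the first defaults hunk, commenting out `matrix_element_call_container_labels_traefik_additional_response_headers` (and its `_auto`/`_custom` parts) moves the undefined-variable failure one step along rather than fixing it: the role's labels template still calls `.keys()` on that variable (it is the `{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %}` block touched in the next commit), so rendering now fails there instead. If the intent is no extra headers, leave the variable defined and make it empty (`{}`), or set the individual `matrix_element_call_http_header_*` values to `''`; the `hsts_preload_enabled` line commented out in the second hunk then does not need to change at all.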
--- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml 
@@ -34,18 +34,18 @@ matrix_jwt_service_container_labels_traefik_tls_certResolver: default # noqa va # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom` -matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" -matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | - {{ - {} - | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) - | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) - | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) - | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) - | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) - | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) - }} -matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} +#matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" 
+#matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | +# {{ +# {} +# | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) +# | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) +# | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) +# | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) +## | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) +# | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) +# }} +#matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. @@ -114,4 +114,4 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_jwt_service_http_header_strict_transport_security` -matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file +#matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 662bc4e817c..b392aefe6b8 100644 
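Review bot: in the first defaults hunk, the `## | combine ({'Permission-Policy': ...` line carries a double `#` where every other line has one, which suggests the Permission-Policy entry was already commented out before this sweep; when the block is uncommented again that line is easy to miss and the header would silently disappear from the jwt-service role only. Beyond that, the hunk has the same issue as the element-call one: the labels template still dereferences `matrix_jwt_service_container_labels_traefik_additional_response_headers`, so commenting out the definition breaks rendering; prefer an empty dict or `''` header values.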
--- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -32,18 +32,18 @@ matrix_livekit_server_container_labels_traefik_tls_certResolver: default # noqa # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom` -matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" -matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | - {{ - {} - | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) - | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) - | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) - | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) - | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) - | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) - }} -matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} +#matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | 
combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" +#matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | +# {{ +# {} +# | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) +# | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) +# | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) +# | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) +# | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) +# | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) +# }} +#matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. @@ -112,4 +112,4 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_livekit_server_http_header_strict_transport_security` -matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file +#matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file 
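Review bot: the matrix-livekit-server defaults hunks have the same dependency problem as the other two roles in this patch (the labels template still reads `matrix_livekit_server_container_labels_traefik_additional_response_headers`, so commenting out its definition fails the render) and again end the file with `\ No newline at end of file`; define the variable as `{}` or drop individual headers via `''`, and add the trailing newline.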
From 6c8923ae2879948fbdaa794bdb5992aee1a13e3c Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 16:51:06 +1000 Subject: [PATCH 100/148] removed headers. --- .../templates/element-call-labels.j2 | 12 ++++++------ roles/custom/matrix-jwt-service/templates/labels.j2 | 12 ++++++------ .../custom/matrix-livekit-server/templates/labels.j2 | 12 ++++++------ 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 10a84751b4d..28d7d714af6 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={ {% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} {% endif %} -{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} -{% endif %} +#{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +#{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} +#traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +#{% endfor %} +#{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} +#{% endif %} traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} 
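Review bot: in the element-call-labels.j2 hunk, prefixing the lines with `#` does not disable them: the `#` is only text in the rendered label file, while the `{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %}` and `{% for ... %}` statements inside are still evaluated by Jinja, so the undefined-variable error from the previous commit remains (and if the variable were defined, Docker's `--label-file` would simply skip the `#` lines, silently dropping the headers middleware). To disable a block of Jinja logic, wrap it in a `{# ... #}` comment or delete it; better still, leave the block as it was and make the variable an empty dict, which the `| length > 0` guard already handles.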
diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index b547e19524e..939c8d4d3fc 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 @@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ {% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %} {% endif %} -{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} -{% endif %} +#{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +#{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} +#traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +#{% endfor %} +#{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} +#{% endif %} traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }} {% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %} diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index c41b7ed013e..141045f2fc5 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 
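Review bot: the labels.j2 hunk for matrix-jwt-service has the same defect as the element-call template in this patch: the `#` prefix hides the rendered `traefik.http.middlewares.matrix-jwt-service-add-headers...` labels but leaves the `{% if ... %}`/`{% for ... %}` statements live, so the undefined `matrix_jwt_service_container_labels_traefik_additional_response_headers` still breaks rendering. Use `{# ... #}` or revert the hunk and define the variable as `{}`.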
@@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes {% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %} {% endif %} -{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} -{% endif %} +#{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +#{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} +#traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +#{% endfor %} +#{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} +#{% endif %} traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }} {% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %} From 2b4fdea70fd8572cc1074bd5f7eaff84ed1247de Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 17:04:11 +1000 Subject: [PATCH 101/148] added header flags back in. --- .../matrix-element-call/defaults/main.yml | 40 +++++++++---------- .../templates/element-call-labels.j2 | 12 +++--- .../matrix-jwt-service/defaults/main.yml | 40 +++++++++---------- .../matrix-jwt-service/templates/labels.j2 | 12 +++--- .../matrix-livekit-server/defaults/main.yml | 40 +++++++++---------- .../matrix-livekit-server/templates/labels.j2 | 12 +++--- 6 files changed, 78 insertions(+), 78 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index d445e7ab42e..0a227a1bcca 100644 
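Review bot: same issue in the matrix-livekit-server labels.j2 hunk: `#{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %}` is still executed by Jinja, so this neither removes the headers middleware nor avoids the undefined-variable failure; comment the block with `{# ... #}` or keep it and supply an empty dict.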
--- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
@@ -38,18 +38,18 @@ matrix_element_call_container_labels_traefik_tls_certResolver: default # noqa v # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_element_call_container_labels_traefik_additional_response_headers_custom` -#matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" -#matrix_element_call_container_labels_traefik_additional_response_headers_auto: | -# {{ -# {} -# | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) -# | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) -# | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) -# | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) -# | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) -# | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) -# }} -#matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} +matrix_element_call_container_labels_traefik_additional_response_headers: "{{ matrix_element_call_container_labels_traefik_additional_response_headers_auto | combine(matrix_element_call_container_labels_traefik_additional_response_headers_custom) }}" 
+matrix_element_call_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_element_call_http_header_xss_protection} if matrix_element_call_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_element_call_http_header_frame_options} if matrix_element_call_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_element_call_http_header_content_type_options} if matrix_element_call_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_element_call_http_header_content_security_policy} if matrix_element_call_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_element_call_http_header_content_permission_policy} if matrix_element_call_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_element_call_http_header_strict_transport_security} if matrix_element_call_http_header_strict_transport_security and matrix_element_call_container_labels_traefik_tls else {}) + }} +matrix_element_call_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. 
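Review bot: the `matrix_element_call_container_labels_traefik_additional_response_headers_auto` expression re-enabled in this hunk always reduces to `{}`, because the @@ -75 hunk of the same file replaces every `matrix_element_call_http_header_*` default with `''`, so the `else {}` branch is taken for all six headers and the `matrix-element-call-add-headers` middleware in element-call-labels.j2 is never attached. Compared with the commented-out defaults, the net effect is that `Strict-Transport-Security: max-age=31536000; includeSubDomains` and `X-Content-Type-Options: nosniff` are dropped, and `matrix_element_call_floc_optout_enabled` / `matrix_element_call_hsts_preload_enabled` become dead switches. If the reason is that Element Web embeds Element Call in an iframe (the `element_call.url` setting added to config.json later in this series suggests so), keep HSTS and `nosniff` and empty only `X-Frame-Options`, or set `Content-Security-Policy` to a `frame-ancestors` list naming the Element Web origin. Two nits in the same region: the dict key `'Permission-Policy'` does not match the `Permissions-Policy` header named in the comment (the real header is `Permissions-Policy`), and the `+ {% endif %}` line in the element-call-labels.j2 hunk carries a leading space that the jwt-service and livekit-server versions of the same hunk do not.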
@@ -75,27 +75,27 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -#matrix_element_call_http_header_xss_protection: "1; mode=block" +matrix_element_call_http_header_xss_protection: '' # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -#matrix_element_call_http_header_frame_options: SAMEORIGIN +matrix_element_call_http_header_frame_options: '' # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -#matrix_element_call_http_header_content_type_options: nosniff +matrix_element_call_http_header_content_type_options: '' # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -#matrix_element_call_http_header_content_security_policy: frame-ancestors 'self' +matrix_element_call_http_header_content_security_policy: '' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -#matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}" +matrix_element_call_http_header_content_permission_policy: '' # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -#matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}" +matrix_element_call_http_header_strict_transport_security: '' # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -106,7 +106,7 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_element_call_content_permission_policy` -#matrix_element_call_floc_optout_enabled: true +matrix_element_call_floc_optout_enabled: false # Controls if HSTS preloading is enabled # @@ -118,7 +118,7 @@ matrix_element_call_systemd_required_services_list: "{{ [devture_systemd_docker_ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_element_call_http_header_strict_transport_security` -#matrix_element_call_hsts_preload_enabled: true +matrix_element_call_hsts_preload_enabled: false # Enable or disable metrics collection matrix_element_call_metrics_enabled: false diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 28d7d714af6..cfc5c72f74d 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 
@@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={ {% set middlewares = middlewares + ['matrix-element-call-strip-prefix'] %} {% endif %} -#{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -#{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} -#traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -#{% endfor %} -#{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} -#{% endif %} +{% if matrix_element_call_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_element_call_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} + {% endif %} traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index e688556f343..97d58a273aa 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml 
@@ -34,18 +34,18 @@ matrix_jwt_service_container_labels_traefik_tls_certResolver: default # noqa va # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom` -#matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" -#matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | -# {{ -# {} -# | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) -# | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) -# | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) -# | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) -## | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) -# | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) -# }} -#matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} +matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" 
+matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) + }} +matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. 
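Review bot: this jwt-service hunk has the same problem as the element-call one: with every `matrix_jwt_service_http_header_*` default set to `''` in the @@ -71 hunk below, the `_auto` dict is empty and no headers middleware is emitted, so the role loses HSTS and `nosniff` rather than gaining them. A token-issuing endpoint is exactly where HSTS should stay on, so I'd keep the `max-age=31536000; includeSubDomains` default here even if the framing headers are relaxed elsewhere. There is also an inconsistency across the three roles: `matrix_jwt_service_hsts_preload_enabled` stays `true` here (and `matrix_livekit_server_hsts_preload_enabled` likewise), while `matrix_element_call_hsts_preload_enabled` is flipped to `false`; pick one, and note that with `_http_header_strict_transport_security: ''` the flag has no effect in either case. Minor: the file still ends without a trailing newline.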
@@ -71,27 +71,27 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -#matrix_jwt_service_http_header_xss_protection: "1; mode=block" +matrix_jwt_service_http_header_xss_protection: '' # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -#matrix_jwt_service_http_header_frame_options: SAMEORIGIN +matrix_jwt_service_http_header_frame_options: '' # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -#matrix_jwt_service_http_header_content_type_options: nosniff +matrix_jwt_service_http_header_content_type_options: '' # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -#matrix_jwt_service_http_header_content_security_policy: frame-ancestors 'self' +matrix_jwt_service_http_header_content_security_policy: '' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -#matrix_jwt_service_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_jwt_service_floc_optout_enabled else '' }}" +matrix_jwt_service_http_header_content_permission_policy: '' # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -#matrix_jwt_service_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_jwt_service_hsts_preload_enabled else '' }}" +matrix_jwt_service_http_header_strict_transport_security: '' # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -102,7 +102,7 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_jwt_service_content_permission_policy` -#matrix_jwt_service_floc_optout_enabled: true +matrix_jwt_service_floc_optout_enabled: false # Controls if HSTS preloading is enabled # @@ -114,4 +114,4 @@ matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_b # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_jwt_service_http_header_strict_transport_security` -#matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file +matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index 939c8d4d3fc..b547e19524e 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 
@@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ {% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %} {% endif %} -#{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -#{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} -#traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -#{% endfor %} -#{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} -#{% endif %} +{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} +{% endif %} traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }} {% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %} diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index b392aefe6b8..8175af0ea8b 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -32,18 +32,18 @@ matrix_livekit_server_container_labels_traefik_tls_certResolver: default # noqa # Controls which additional headers to attach to all HTTP responses. # To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom` -#matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" -#matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | -# {{ -# {} -# | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) -# | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) -# | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) -# | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) -# | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) -# | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) -# }} -#matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} +matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | 
combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" +matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) + }} +matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. 
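Review bot: same comment as for element-call and jwt-service applies to this hunk and the @@ -69 to @@ -112 hunks below: uncommenting the `_auto` expression while blanking every `matrix_livekit_server_http_header_*` default produces an empty header set, so nothing is gained and HSTS is lost. Framing headers are largely irrelevant for a signalling endpoint, but HSTS still applies to it. One stale reference in the @@ -100 hunk's context: `# See: matrix_livekit_server_content_permission_policy` names a variable that does not exist; the variable defined in this file is `matrix_livekit_server_http_header_content_permission_policy` (the element-call and jwt-service files carry the same mismatch).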
@@ -69,27 +69,27 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -#matrix_livekit_server_http_header_xss_protection: "1; mode=block" +matrix_livekit_server_http_header_xss_protection: '' # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -#matrix_livekit_server_http_header_frame_options: SAMEORIGIN +matrix_livekit_server_http_header_frame_options: '' # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -#matrix_livekit_server_http_header_content_type_options: nosniff +matrix_livekit_server_http_header_content_type_options: '' # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -#matrix_livekit_server_http_header_content_security_policy: frame-ancestors 'self' +matrix_livekit_server_http_header_content_security_policy: '' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -#matrix_livekit_server_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_livekit_server_floc_optout_enabled else '' }}" +matrix_livekit_server_http_header_content_permission_policy: '' # Specifies the value of the `Strict-Transport-Security` header. 
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -#matrix_livekit_server_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_livekit_server_hsts_preload_enabled else '' }}" +matrix_livekit_server_http_header_strict_transport_security: '' # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # @@ -100,7 +100,7 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `matrix_livekit_server_content_permission_policy` -#matrix_livekit_server_floc_optout_enabled: true +matrix_livekit_server_floc_optout_enabled: false # Controls if HSTS preloading is enabled # @@ -112,4 +112,4 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `matrix_livekit_server_http_header_strict_transport_security` -#matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file +matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index 141045f2fc5..c41b7ed013e 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 
@@ -20,12 +20,12 @@ traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes {% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %} {% endif %} -#{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -#{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} -#traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -#{% endfor %} -#{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} -#{% endif %} +{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} +{% endif %} traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }} {% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %} From a6e3203398fbb6c28a98127ca59ed8ad112ca68c Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 22:20:50 +1000 Subject: [PATCH 102/148] updated docs, broke the well-known and element client modifications out to separate tasks. --- docs/configuring-playbook-element-call.md | 14 ++----- .../matrix-element-call/defaults/main.yml | 2 +- .../matrix-element-call/tasks/install.yml | 40 ++++--------------- .../tasks/update_element_web_config.yml | 27 +++++++++++++ .../tasks/update_well_known_client.yml | 21 ++++++++++ 5 files changed, 60 insertions(+), 44 deletions(-) create mode 100644 roles/custom/matrix-element-call/tasks/update_element_web_config.yml create mode 100644 roles/custom/matrix-element-call/tasks/update_well_known_client.yml 
diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index bd36357ab5e..188b06d5e51 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -28,21 +28,15 @@ Ensure that the following DNS names have a public IP/FQDN: Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml +# Enable dependent services +keydb_enabled: true matrix_element_call_enabled: true +matrix_livekit_server_enabled: true +matrix_jwt_service_enabled: true # Set a secure key for LiveKit authentication matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' ``` -## External databases - -If your setup utilizes an external database, you may need to adjust the default configuration for Redis used by Element Call. Modify the defaults in group_vars/matrix_servers.yml or host_vars to suit your setup: - -```yaml -matrix_element_call_redis_hostname: 'localhost' -matrix_element_call_redis_port: 6379 -matrix_element_call_redis_password: '' -``` - ## Installing After potentially adjusting DNS records and configuring the playbook, run the installation command again: ```yaml diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 0a227a1bcca..02c91073475 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -5,7 +5,7 @@ matrix_element_call_enabled: false # Base path configuration matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" -element_web_config_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" +element_web_config_path: "{{ matrix_base_data_path }}/client-element/config.json" # Docker network configuration matrix_element_call_container_network: '' 
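Review bot: in the docs hunk, the sample `matrix_element_call_livekit_dev_key: 'your-secure-livekit-key'` reads like a value to copy; say explicitly that it must be a long, user-generated random secret, since it is the key used for LiveKit authentication, and `dev_key` in the name suggests a development default that should not reach production. The hunk also adds `keydb_enabled: true` with no explanation, right after removing the "External databases" section that was the only place the Redis dependency was described; one sentence on what KeyDB is used for (and whether `matrix_element_call_redis_*` still exist) would help. In the defaults hunk, `element_web_config_path` (and `matrix_homeserver_config_path` in the context line) are role defaults without the `matrix_element_call_` prefix, so they leak into the global variable namespace and can collide with other roles; rename them along the lines of `matrix_element_call_element_web_config_path`.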
diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 266a9407bb7..2c7aebf3850 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -79,20 +79,10 @@ when: matrix_element_call_enabled | bool # Update the well-known client file for Element Call (adding RTC FOCI) -- name: Update the existing well-known client file for Element Call (RTC FOCI) - ansible.builtin.blockinfile: - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" - block: | - "org.matrix.msc4143.rtc_foci": [ - { - "type": "livekit", - "livekit_service_url": "{{ matrix_jwt_service_url }}" - } - ] - marker: "# ANSIBLE MANAGED BLOCK - Element Call RTC FOCI" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" +- name: Update the well-known client file for Element Call + ansible.builtin.include_tasks: update_well_known_client.yml + when: matrix_element_call_enabled | bool + # Create .well-known/element/element.json for Element Call - name: Create the well-known element.json file @@ -105,22 +95,6 @@ # Update Element Web config.json with Element Call settings - name: Update Element Web config.json - ansible.builtin.blockinfile: - path: "{{ element_web_config_path }}" - block: | - "features": { - "feature_video_rooms": true, - "feature_new_room_decoration_ui": true, - "feature_group_calls": true, - "feature_element_call_video_rooms": true - }, - "element_call": { - "url": "https://{{ matrix_element_call_domain }}", - "participant_limit": 8, - "brand": "Element Call", - "use_exclusively": true - } - marker: "# ANSIBLE MANAGED BLOCK - Element Call settings" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + ansible.builtin.include_tasks: "tasks/update_element_web_config.yml" + when: matrix_element_call_enabled | bool + 
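Review bot: the two `include_tasks` paths in this hunk are inconsistent: `update_well_known_client.yml` (bare) versus `"tasks/update_element_web_config.yml"`; the next commit changes the first to the `tasks/` form, so this revision does not run as committed. If install.yml is only reached when the role is enabled, the `when: matrix_element_call_enabled | bool` on each include is redundant. Both added blocks also end with a `+ ` line of trailing whitespace.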
diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml new file mode 100644 index 00000000000..3025b432e58 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml @@ -0,0 +1,27 @@ +- name: Update Element Web config.json settings + vars: + additional_settings: | + { + "features": { + "feature_video_rooms": true, + "feature_new_room_decoration_ui": true, + "feature_group_calls": true, + "feature_element_call_video_rooms": true + }, + "element_call": { + "url": "https://{{ matrix_element_call_domain }}", + "participant_limit": 8, + "brand": "Element Call", + "use_exclusively": true + } + } + set_fact: + updated_element_web_config: "{{ (element_web_config_content.content | b64decode | from_json) | combine(additional_settings | from_json, recursive=True) }}" + +- name: Write updated Element Web config.json + copy: + content: "{{ updated_element_web_config | to_nice_json }}" + dest: "{{ element_web_config_path }}" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml new file mode 100644 index 00000000000..96d568c4c47 --- /dev/null +++ b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml 
@@ -0,0 +1,21 @@ +--- +- name: Read the existing well-known client file + ansible.builtin.slurp: + path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" + register: client_file_content + +- name: Load the existing JSON content + ansible.builtin.set_fact: + client_json: "{{ client_file_content['content'] | b64decode | from_json }}" + +- name: Update the existing well-known client file for Element Call (RTC FOCI) + ansible.builtin.set_fact: + updated_client_json: "{{ client_json | combine({'org.matrix.msc4143.rtc_foci': [{'type': 'livekit', 'livekit_service_url': matrix_jwt_service_url}]}, recursive=True) }}" + +- name: Write the updated well-known client file + ansible.builtin.copy: + content: "{{ updated_client_json | to_nice_json }}" + dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" + mode: '0644' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" From f684719b2a732d846aa5f6d145aed6d8a45596c3 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Tue, 1 Oct 2024 22:30:09 +1000 Subject: [PATCH 103/148] fixed error with element client update task --- .../matrix-element-call/tasks/install.yml | 3 +- .../tasks/update_element_web_config.yml | 55 +++++++++++-------- 2 files changed, 35 insertions(+), 23 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 2c7aebf3850..dd401e89c90 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -80,7 +80,7 @@ # Update the well-known client file for Element Call (adding RTC FOCI) - name: Update the well-known client file for Element Call - ansible.builtin.include_tasks: update_well_known_client.yml + ansible.builtin.include_tasks: "tasks/update_well_known_client.yml" when: matrix_element_call_enabled | bool 
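Review bot: update_element_web_config.yml (the @@ -0,0 +1,27 hunk) references `element_web_config_content.content`, but nothing in that file or in install.yml registers `element_web_config_content`, so the first `set_fact` fails on an undefined variable; the following commit adds the missing `slurp`. In update_well_known_client.yml (this hunk), two things to call out: `slurp` hard-fails if `.well-known/matrix/client` does not exist yet, so the task needs a `stat` guard or a documented ordering dependency on whatever generates that file; and the task rewrites a file it does not own, so if the role that renders it runs again later, the `org.matrix.msc4143.rtc_foci` key is silently lost. Feeding the key into that role's configuration instead of post-editing the file would be more robust. Also, `combine(..., recursive=True)` replaces list values rather than merging them, so any existing `rtc_foci` entries are overwritten by the single LiveKit entry; fine if intended, but worth a comment. Style: the patch-102 version of update_element_web_config.yml uses bare `set_fact` / `copy` while the rest of the role uses `ansible.builtin.` FQCNs.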
@@ -98,3 +98,4 @@ ansible.builtin.include_tasks: "tasks/update_element_web_config.yml" when: matrix_element_call_enabled | bool + diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml index 3025b432e58..6dd318c24dc 100644 --- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml 
@@ -1,27 +1,38 @@ +- name: Load Element Web config.json content + ansible.builtin.slurp: + src: "{{ element_web_config_path }}" + register: element_web_config_content_raw + ignore_errors: no + +- name: Parse Element Web config.json content + ansible.builtin.set_fact: + element_web_config_content: "{{ element_web_config_content_raw['content'] | b64decode | from_json }}" + when: element_web_config_content_raw is defined and element_web_config_content_raw['content'] is defined + - name: Update Element Web config.json settings - vars: - additional_settings: | - { - "features": { - "feature_video_rooms": true, - "feature_new_room_decoration_ui": true, - "feature_group_calls": true, - "feature_element_call_video_rooms": true - }, - "element_call": { - "url": "https://{{ matrix_element_call_domain }}", - "participant_limit": 8, - "brand": "Element Call", - "use_exclusively": true - } - } - set_fact: - updated_element_web_config: "{{ (element_web_config_content.content | b64decode | from_json) | combine(additional_settings | from_json, recursive=True) }}" - -- name: Write updated Element Web config.json - copy: - content: "{{ updated_element_web_config | to_nice_json }}" + ansible.builtin.set_fact: + element_web_config_content: + "{{ element_web_config_content | combine({ + 'features': { + 'feature_video_rooms': true, + 'feature_new_room_decoration_ui': true, + 'feature_group_calls': true, + 'feature_element_call_video_rooms': true + }, + 'element_call': { + 'url': 'https://{{ matrix_element_call_domain }}', + 'participant_limit': 8, + 'brand': 'Element Call', + 'use_exclusively': true + } + }, recursive=True) }}" + when: element_web_config_content is defined + +- name: Write updated Element Web config.json back to disk + ansible.builtin.copy: + content: "{{ element_web_config_content | to_nice_json }}" dest: "{{ element_web_config_path }}" mode: '0644' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" + when: element_web_config_content is defined 
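Review bot: in the `combine` dict, `'url': 'https://{{ matrix_element_call_domain }}'` nests `{{ }}` inside an already-open Jinja expression; inside a string literal the braces are not evaluated there, so the stored fact holds the literal text and relies on Ansible re-templating it on later use, which is fragile. Use concatenation instead: `'url': 'https://' ~ matrix_element_call_domain`. `ignore_errors: no` on the slurp is the default and can be dropped; and since the slurp is allowed to fail the play, the three `when: element_web_config_content is defined` guards never trigger, so either drop them or make the slurp conditional on a `stat` of the file. The same file-ownership concern as for the well-known file applies: `client-element/config.json` is rendered by another role, so this rewrite is undone whenever that role re-renders it, and the `features` / `element_call` settings belong in that role's configuration rather than in a post-edit.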
From 1e6698cb994b360b06b4d101bad4412cace6f3cc Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Wed, 2 Oct 2024 13:27:02 +1000 Subject: [PATCH 104/148] updated documentation for the new roles. --- docs/configuring-playbook-jwt-service.md | 45 +++++++++++++++++ docs/configuring-playbook-livekit-server.md | 56 +++++++++++++++++++++ docs/configuring-playbook.md | 4 ++ 3 files changed, 105 insertions(+) create mode 100644 docs/configuring-playbook-jwt-service.md create mode 100644 docs/configuring-playbook-livekit-server.md diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md new file mode 100644 index 00000000000..7910c09202e --- /dev/null +++ b/docs/configuring-playbook-jwt-service.md
@@ -0,0 +1,45 @@ +# Setting up JWT Service (optional) + +The playbook can install and configure [JWT Service](https://github.com/element-hq/lk-jwt-service) for you. + +LK-JWT-Service is currently used for a single reason: generate JWT tokens with a given identity for a given room, so that users can use them to authenticate against LiveKit SFU. + +See the project's [documentation](https://github.com/element-hq/lk-jwt-service/) to learn more. + +## Decide on a domain and path + +By default, JWT Service is configured to be served on the Matrix domain (`sfu-jwt.DOMAIN`, controlled by the `matrix_jwt-service_hostname` variable). + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +If you'd like to run JWT Service on another hostname or path, use the `matrix_jwt-service_hostname` variable. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +Ensure that the following DNS names have a public IP/FQDN: +- `sfu-jwt.DOMAIN` + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_jwt_service_enabled: true +# Set a secure key for LiveKit authentication +matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +``` + +## Installing +After potentially adjusting DNS records and configuring the playbook, run the installation command again: +```yaml +ansible-playbook -i inventory setup.yml +``` + +## Usage +Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the element web client to point to your JWT service URL (e.g., `https://sfu-jwt.DOMAIN`). + +## Additional Information + +Refer to the JWT-Service documentation for more details on configuring and using JWT Service. \ No newline at end of file 
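Review bot: the variable this doc tells readers to override, `matrix_jwt-service_hostname` (twice under "Decide on a domain and path"), cannot exist: hyphens are not valid in Ansible variable names, and the role defaults in this series define `matrix_jwt_service_hostname`. The configuration example has the same problem with `matrix_element_call_livekit_dev_key`, whereas `livekit.yaml.j2` reads `matrix_livekit_server_livekit_dev_key`, so following the doc leaves the shared key unset. Two smaller points: the install command is fenced as ```yaml but is a shell command (use ```sh), and since the comment calls this the key for LiveKit authentication, say that it must be a long random value rather than leaving only the `'your-secure-livekit-key'` placeholder.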
diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md new file mode 100644 index 00000000000..dd1b4b229e0 --- /dev/null +++ b/docs/configuring-playbook-livekit-server.md 
@@ -0,0 +1,56 @@ +# Setting up Livekit (optional) + +The playbook can install and configure [Livekit](https://github.com/livekit/livekit) for you. + +LiveKit is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video audio data capabilities in your applications. + +See the project's [documentation](https://github.com/livekit/livekit) to learn more. + +## Decide on a domain and path + +By default, Livekit is configured to be served on the Matrix domain (`sfu.DOMAIN`, controlled by the `matrix_livekit_server_hostname` variable). + +This makes it easy to set it up, **without** having to adjust your DNS records manually. + +If you'd like to run Livekit on another hostname or path, use the `matrix_livekit_server_hostname` variable. + +## Adjusting DNS records + +If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. + +Ensure that the following DNS names have a public IP/FQDN: +- `sfu.DOMAIN` + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_livekit_server_enabled: true +# Set a secure key for LiveKit authentication +matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +``` + +## Installing +After potentially adjusting DNS records and configuring the playbook, run the installation command again: +```yaml +ansible-playbook -i inventory setup.yml +``` + +## Usage +Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls. + +## Required Firewall and Port Forwarding Rules + +To ensure the services function correctly, the following firewall rules and port forwarding settings are required: + +LiveKit: + + • Forward UDP ports 50100:50200 to the Docker instance running LiveKit. 
+ • Forward TCP port 7881 to the Docker instance running LiveKit. + +Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services. + +## Additional Information + +Refer to the Livekit documentation for more details on configuring and using Livekit. \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index fb0704e0851..fc75ceaa6df 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -234,3 +234,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md) (optional) - [Setting up the Element Call server](configuring-playbook-element-call.md) (optional) + +- [Setting up the JWT Service](configuring-playbook-jwt-service.md) (optional) + +- [Setting up the Livekit server](configuring-playbook-livekit-server.md) (optional) From a03f5985a536e461653bfc30dc6ccc8372180d25 Mon Sep 17 00:00:00 2001 
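Review bot: the livekit doc repeats the wrong secret variable (`matrix_element_call_livekit_dev_key` instead of the `matrix_livekit_server_livekit_dev_key` read by `livekit.yaml.j2`) and the ```yaml fence around the `ansible-playbook` command. In "Required Firewall and Port Forwarding Rules", the `•` bullets should be `-` items like the DNS list above, `50100:50200` should be written as a range (`50100-50200`), and the doc should say what each port carries and that nothing beyond these needs to be exposed, since this section is what operators will copy into their firewall rules. In the configuring-playbook.md hunk, the two new entries are separated by blank `+` lines while the existing entries are adjacent; drop the blank lines so the list stays contiguous.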
From: wjbeckett Date: Thu, 3 Oct 2024 12:38:34 +1000 Subject: [PATCH 105/148] removed trailing whitespaces --- docs/configuring-playbook-livekit-server.md | 2 +- group_vars/matrix_servers | 3 +-- roles/custom/matrix-element-call/defaults/main.yml | 2 +- roles/custom/matrix-element-call/tasks/install.yml | 4 +--- roles/custom/matrix-element-call/tasks/main.yml | 2 +- roles/custom/matrix-element-call/tasks/uninstall.yml | 2 +- .../matrix-element-call/tasks/update_element_web_config.yml | 5 +++-- .../matrix-element-call/tasks/update_well_known_client.yml | 2 +- roles/custom/matrix-element-call/tasks/validate_config.yml | 2 +- roles/custom/matrix-element-call/templates/config.json.j2 | 2 +- .../matrix-element-call/templates/element-call-labels.j2 | 2 +- .../templates/systemd/matrix-element-call.service.j2 | 2 +- .../matrix-element-call/templates/well_known_element.json.j2 | 2 +- roles/custom/matrix-jwt-service/defaults/main.yml | 2 +- roles/custom/matrix-jwt-service/tasks/main.yml | 2 +- roles/custom/matrix-jwt-service/tasks/uninstall.yml | 2 +- roles/custom/matrix-jwt-service/tasks/validate_config.yml | 2 +- roles/custom/matrix-jwt-service/templates/labels.j2 | 2 +- .../templates/systemd/matrix-jwt-service.service.j2 | 3 ++- roles/custom/matrix-livekit-server/tasks/main.yml | 2 +- roles/custom/matrix-livekit-server/tasks/uninstall.yml | 2 +- roles/custom/matrix-livekit-server/tasks/validate_config.yml | 2 +- roles/custom/matrix-livekit-server/templates/labels.j2 | 2 +- roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 | 2 +- .../templates/systemd/matrix-livekit-server.service.j2 | 2 +- 25 files changed, 28 insertions(+), 29 deletions(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index dd1b4b229e0..309d9ecf30f 100644 --- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md 
@@ -38,7 +38,7 @@ ansible-playbook -i inventory setup.yml ``` ## Usage -Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls. +Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls. ## Required Firewall and Port Forwarding Rules diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 97c5e3b4106..3df71e737c5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5901,7 +5901,6 @@ matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" - ######################################################################## # # # /matrix-element-call # @@ -5919,7 +5918,7 @@ matrix_livekit_server_enabled: false # Default is false; should be enabled in h matrix_livekit_server_version: "latest" # Default version; can be overridden in host_vars matrix_livekit_server_scheme: "https" matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different -matrix_livekit_server_path_prefix: "/" +matrix_livekit_server_path_prefix: "/" matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" matrix_livekit_server_container_image: "livekit/livekit-server:{{ matrix_livekit_server_version }}" matrix_livekit_server_container_image_force_pull: true diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 02c91073475..5675531795d 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
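Review bot: in the group_vars hunk, the unchanged context shows `matrix_livekit_server_version: "latest"` together with `matrix_livekit_server_container_image_force_pull: true`, so every playbook run pulls whatever upstream currently tags as latest and a compromised or broken upstream tag lands on the server unattended. Pin a specific release (and ideally a digest) so upgrades are deliberate and reproducible.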
@@ -122,4 +122,4 @@ matrix_element_call_hsts_preload_enabled: false # Enable or disable metrics collection matrix_element_call_metrics_enabled: false -matrix_element_call_metrics_port: 2112 +matrix_element_call_metrics_port: 2112 \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index dd401e89c90..ca6b5903b03 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -96,6 +96,4 @@ # Update Element Web config.json with Element Call settings - name: Update Element Web config.json ansible.builtin.include_tasks: "tasks/update_element_web_config.yml" - when: matrix_element_call_enabled | bool - - + when: matrix_element_call_enabled | bool \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/main.yml b/roles/custom/matrix-element-call/tasks/main.yml index ad50c2d9660..183c0c6ed5b 100644 --- a/roles/custom/matrix-element-call/tasks/main.yml +++ b/roles/custom/matrix-element-call/tasks/main.yml @@ -18,4 +18,4 @@ - setup-element-call block: - when: not matrix_element_call_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/uninstall.yml b/roles/custom/matrix-element-call/tasks/uninstall.yml index 184f88ac2b5..c93837b6390 100644 --- a/roles/custom/matrix-element-call/tasks/uninstall.yml +++ b/roles/custom/matrix-element-call/tasks/uninstall.yml @@ -18,4 +18,4 @@ - name: Reload systemd daemon ansible.builtin.systemd: - daemon_reload: true + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml index 6dd318c24dc..d4471e7e440 100644 
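Review bot: this commit is meant to strip trailing whitespace, but from the defaults/main.yml hunk onward every hunk also deletes the file's final newline (`\ No newline at end of file`), which is a regression: yamllint and POSIX text tools expect a terminating newline, and the next edit to each file will show a spurious last-line change. Only the install.yml hunk (dropping the two stray blank lines) does what the subject says; re-add the trailing newline in the others.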
--- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml @@ -1,8 +1,9 @@ +--- - name: Load Element Web config.json content ansible.builtin.slurp: src: "{{ element_web_config_path }}" register: element_web_config_content_raw - ignore_errors: no + ignore_errors: false - name: Parse Element Web config.json content ansible.builtin.set_fact: @@ -35,4 +36,4 @@ mode: '0644' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: element_web_config_content is defined + when: element_web_config_content is defined \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml index 96d568c4c47..bcf3f726b3f 100644 --- a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml +++ b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml @@ -18,4 +18,4 @@ dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" mode: '0644' owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 084e510d6cc..3b6712727cc 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -9,4 +9,4 @@ with_items: - {'name': 'matrix_element_call_base_path', when: true} - {'name': 'matrix_element_call_container_network', when: true} - - {'name': 'matrix_element_call_image', when: true} + - {'name': 'matrix_element_call_image', when: true} \ No newline at end of file 
diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 index e58648e5070..e10fc4f6116 100644 --- a/roles/custom/matrix-element-call/templates/config.json.j2 +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -8,4 +8,4 @@ "livekit": { "livekit_service_url": "{{ matrix_jwt_service_url }}" } -} +} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index cfc5c72f74d..685a56294c5 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -43,4 +43,4 @@ traefik.http.routers.matrix-element-call.tls.certResolver={{ matrix_element_call {% endif %} -{{ matrix_element_call_container_labels_additional_labels }} +{{ matrix_element_call_container_labels_additional_labels }} \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index 791c62ddcd4..dcb3fa7c203 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 @@ -43,4 +43,4 @@ RestartSec=30 SyslogIdentifier=matrix-element-call [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 index eae63cf8349..01146e656e2 100644 --- a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 +++ b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 
@@ -2,4 +2,4 @@ "call": { "widget_url": "https://{{ matrix_element_call_domain }}" } -} +} \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml index 97d58a273aa..ee95afefd7a 100644 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-jwt-service/defaults/main.yml @@ -16,7 +16,7 @@ matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" # Ports matrix_jwt_service_port: "8881" -# jwt configuration +# jwt configuration matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}" matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" diff --git a/roles/custom/matrix-jwt-service/tasks/main.yml b/roles/custom/matrix-jwt-service/tasks/main.yml index ee74a8967b8..8fbe41d58c9 100644 --- a/roles/custom/matrix-jwt-service/tasks/main.yml +++ b/roles/custom/matrix-jwt-service/tasks/main.yml @@ -18,4 +18,4 @@ - setup-jwt-service block: - when: not matrix_jwt_service_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/uninstall.yml b/roles/custom/matrix-jwt-service/tasks/uninstall.yml index 550c82951f3..7338d5b95a6 100644 --- a/roles/custom/matrix-jwt-service/tasks/uninstall.yml +++ b/roles/custom/matrix-jwt-service/tasks/uninstall.yml @@ -19,4 +19,4 @@ - name: Reload systemd daemon ansible.builtin.systemd: - daemon_reload: true + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-jwt-service/tasks/validate_config.yml index a0105e940ac..38e39ad60cb 100644 --- a/roles/custom/matrix-jwt-service/tasks/validate_config.yml +++ b/roles/custom/matrix-jwt-service/tasks/validate_config.yml 
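Review bot: in the matrix-jwt-service defaults hunk, `matrix_jwt_service_hostname` and `matrix_jwt_service_url` are each hard-coded to `sfu-jwt.{{ matrix_domain }}` independently, so an operator who overrides the hostname (as the docs suggest) still gets Element Call pointed at the default through `"livekit_service_url": "{{ matrix_jwt_service_url }}"` in config.json.j2. Derive the URL from the hostname, e.g. `matrix_jwt_service_url: "https://{{ matrix_jwt_service_hostname }}"`. The context also shows the image pinned to `lk-jwt-service:latest-ci`, a moving CI tag; pin a release tag or digest for the same reason as the LiveKit image.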
@@ -9,4 +9,4 @@ with_items: - {'name': 'matrix_jwt_service_base_path', when: true} - {'name': 'matrix_jwt_service_container_network', when: true} - - {'name': 'matrix_jwt_service_image', when: true} + - {'name': 'matrix_jwt_service_image', when: true} \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 index b547e19524e..6db7722363e 100644 --- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-jwt-service/templates/labels.j2 @@ -43,4 +43,4 @@ traefik.http.routers.matrix-jwt-service.tls.certResolver={{ matrix_jwt_service_c {% endif %} -{{ matrix_jwt_service_container_labels_additional_labels }} +{{ matrix_jwt_service_container_labels_additional_labels }} \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 index bdf36635a73..b940e75a291 100644 --- a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix JWT Service After=docker.service @@ -36,4 +37,4 @@ RestartSec=30 SyslogIdentifier=matrix-jwt-service [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/tasks/main.yml b/roles/custom/matrix-livekit-server/tasks/main.yml index 255906c75f5..1884596b82a 100644 --- a/roles/custom/matrix-livekit-server/tasks/main.yml +++ b/roles/custom/matrix-livekit-server/tasks/main.yml @@ -18,4 +18,4 @@ - setup-livekit-server block: - when: not matrix_livekit_server_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file 
diff --git a/roles/custom/matrix-livekit-server/tasks/uninstall.yml b/roles/custom/matrix-livekit-server/tasks/uninstall.yml index 371db5c8398..0709dca1299 100644 --- a/roles/custom/matrix-livekit-server/tasks/uninstall.yml +++ b/roles/custom/matrix-livekit-server/tasks/uninstall.yml @@ -18,4 +18,4 @@ - name: Reload systemd daemon ansible.builtin.systemd: - daemon_reload: true + daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index 7fdfa051118..ddf750b9b1a 100644 --- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -10,4 +10,4 @@ - {'name': 'matrix_livekit_server_base_path', when: true} - {'name': 'matrix_livekit_server_container_network', when: true} - {'name': 'matrix_livekit_server_image', when: true} - - {'name': 'matrix_livekit_server_image', when: true} + - {'name': 'matrix_livekit_server_image', when: true} \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index c41b7ed013e..77a3ce426c1 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 @@ -43,4 +43,4 @@ traefik.http.routers.matrix-livekit-server.tls.certResolver={{ matrix_livekit_se {% endif %} -{{ matrix_livekit_server_container_labels_additional_labels }} +{{ matrix_livekit_server_container_labels_additional_labels }} \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 index 492a12214b0..77ac841a83b 100644 --- a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 
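Review bot: the validate_config.yml hunk keeps a duplicated `{'name': 'matrix_livekit_server_image', when: true}` entry (the image is now checked twice) and, more importantly, never checks the LiveKit key: `livekit.yaml.j2` in this series renders `devkey: "{{ matrix_livekit_server_livekit_dev_key }}"`, so an unset value deploys an SFU whose only API key is empty. Replace the duplicate with an entry for the key variable.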
@@ -17,4 +17,4 @@ turn: external_tls: true keys: - devkey: "{{ matrix_livekit_server_livekit_dev_key }}" + devkey: "{{ matrix_livekit_server_livekit_dev_key }}" \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 index 30505a2dc3e..ddaa3518112 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 @@ -31,4 +31,4 @@ RestartSec=30 SyslogIdentifier=matrix-livekit-server [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file From 1906d61c39eae8b8be44722a857b7a90d494bb4f Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Thu, 3 Oct 2024 13:25:40 +1000 Subject: [PATCH 106/148] updated traefik label to be in line with the latest change from devture_traefik_ to traefik_ --- group_vars/matrix_servers | 12 ++++++------ .../templates/element-call-labels.j2 | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 62d3b34074f..d4f0cc07f83 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
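Review bot: the livekit.yaml.j2 hunk hard-codes the API key id `devkey` while only the secret comes from a variable; the id is something the JWT service must agree on as well (its env.j2 is touched by the later rename in PATCH 113), so expose it as a role variable next to the secret and feed both templates from the same place, and pick a name that does not read as a development default in a production config.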
@@ -5898,8 +5898,8 @@ matrix_element_call_container_additional_networks: "{{ [matrix_playbook_reverse_ # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_element_call_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -matrix_element_call_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +matrix_element_call_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_element_call_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" ######################################################################## # # @@ -5930,8 +5930,8 @@ matrix_livekit_server_container_additional_networks: "{{ [matrix_playbook_revers # Traefik Configuration for Livekit matrix_livekit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_livekit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_livekit_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +matrix_livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" # LiveKit Service Configuration matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # LiveKit dev key 
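Review bot: in the second group_vars hunk, the context lines `matrix_livekit_container_labels_traefik_enabled` and `matrix_livekit_container_labels_traefik_docker_network` sit next to the renamed `matrix_livekit_server_container_labels_traefik_*` variables; unless the role's defaults use the shorter prefix, the enabled/network values are never read by the labels template. Rename them to the `matrix_livekit_server_` prefix in this same commit, since it already touches these lines.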
@@ -5967,8 +5967,8 @@ matrix_jwt_service_container_additional_networks: "{{ [matrix_playbook_reverse_p # Traefik Configuration for JWT Service matrix_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_jwt_service_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -matrix_jwt_service_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +matrix_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" # JWT Service Configuration matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/element-call-labels.j2 index 685a56294c5..014add79aed 100644 --- a/roles/custom/matrix-element-call/templates/element-call-labels.j2 +++ b/roles/custom/matrix-element-call/templates/element-call-labels.j2 @@ -25,7 +25,7 @@ traefik.http.middlewares.matrix-element-call-strip-prefix.stripprefix.prefixes={ traefik.http.middlewares.matrix-element-call-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} {% set middlewares = middlewares + ['matrix-element-call-add-headers'] %} - {% endif %} +{% endif %} traefik.http.routers.matrix-element-call.rule={{ matrix_element_call_container_labels_traefik_rule }} {% if matrix_element_call_container_labels_traefik_priority | int > 0 %} From e18b28136cb8055574cc2f1367c7d6a784afb770 Mon Sep 17 00:00:00 2001 
From: wjbeckett Date: Thu, 3 Oct 2024 15:28:56 +1000 Subject: [PATCH 107/148] Updated Element call docs with dependent services and fixed typo. --- docs/configuring-playbook-element-call.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 188b06d5e51..6a6b5a496e4 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -25,6 +25,9 @@ Ensure that the following DNS names have a public IP/FQDN: ## Adjusting the playbook configuration +NOTE: Element call is dependent on two other services for it to function as intended. In orter to utilise Element Call you need to also enable the [JWT Service](configuring-playbook-jwt-service.md) and [Livekit Server](configuring-playbook-livekit-server.md). + + Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml @@ -34,7 +37,7 @@ matrix_element_call_enabled: true matrix_livekit_server_enabled: true matrix_jwt_service_enabled: true # Set a secure key for LiveKit authentication -matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +matrix_livekit_server_dev_key: 'your-secure-livekit-key' ``` ## Installing From fa2a913d39fb5f89dfc2f1017a266878aa5825b0 Mon Sep 17 00:00:00 2001 From: wjbeckett Date: Thu, 3 Oct 2024 16:20:54 +1000 Subject: [PATCH 108/148] fixing issue with element call domain not being expanded when writing the element web config.json. --- .../tasks/update_element_web_config.yml | 53 ++++++++++--------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml index d4471e7e440..2dead411ece 100644 --- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml +++ b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml 
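Review bot: the added NOTE has a typo ("In orter to" should be "In order to") and writes "Element call" where the rest of the doc uses "Element Call". The rename to `matrix_livekit_server_dev_key` fixes only this file; configuring-playbook-jwt-service.md and configuring-playbook-livekit-server.md (added in PATCH 104) still tell readers to set `matrix_element_call_livekit_dev_key`, so update them in the same commit.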
@@ -1,39 +1,40 @@ ---- -- name: Load Element Web config.json content +- name: Read Element Web config.json ansible.builtin.slurp: src: "{{ element_web_config_path }}" - register: element_web_config_content_raw - ignore_errors: false + register: element_web_config_content -- name: Parse Element Web config.json content +- name: Load JSON data from config.json ansible.builtin.set_fact: - element_web_config_content: "{{ element_web_config_content_raw['content'] | b64decode | from_json }}" - when: element_web_config_content_raw is defined and element_web_config_content_raw['content'] is defined + element_web_config: "{{ element_web_config_content['content'] | b64decode | from_json }}" -- name: Update Element Web config.json settings +- name: Update Element Call configuration in config.json ansible.builtin.set_fact: - element_web_config_content: - "{{ element_web_config_content | combine({ - 'features': { - 'feature_video_rooms': true, - 'feature_new_room_decoration_ui': true, - 'feature_group_calls': true, - 'feature_element_call_video_rooms': true - }, - 'element_call': { - 'url': 'https://{{ matrix_element_call_domain }}', - 'participant_limit': 8, - 'brand': 'Element Call', - 'use_exclusively': true + updated_element_call_config: > + {{ + { + "element_call": { + "url": "https://{{ matrix_element_call_domain }}", + "participant_limit": 8, + "brand": "Element Call", + "use_exclusively": true + }, + "features": { + "feature_video_rooms": true, + "feature_new_room_decoration_ui": true, + "feature_group_calls": true, + "feature_element_call_video_rooms": true + } } - }, recursive=True) }}" - when: element_web_config_content is defined + }} + +- name: Merge updated Element Call configuration with existing config.json + ansible.builtin.set_fact: + element_web_config: "{{ element_web_config | combine(updated_element_call_config, recursive=True) }}" -- name: Write updated Element Web config.json back to disk +- name: Write updated Element Web config.json ansible.builtin.copy: 
- content: "{{ element_web_config_content | to_nice_json }}" + content: "{{ element_web_config | to_nice_json }}" dest: "{{ element_web_config_path }}" mode: '0644' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: element_web_config_content is defined \ No newline at end of file From 10df1451015e48739fc7589012aa6c10de9bb472 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 15:57:31 +0200 Subject: [PATCH 109/148] Update roles/custom/matrix-livekit-server/tasks/install.yml Co-authored-by: Suguru Hirahara --- roles/custom/matrix-livekit-server/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml index 8e859565b07..b24c4a23b12 100644 --- a/roles/custom/matrix-livekit-server/tasks/install.yml +++ b/roles/custom/matrix-livekit-server/tasks/install.yml @@ -30,7 +30,7 @@ group: "{{ matrix_user_groupname }}" # Ensure Docker Images are Pulled -- name: Ensure livekit Docker image is pulled +- name: Ensure LiveKit Docker image is pulled community.docker.docker_image: name: "{{ matrix_livekit_server_image }}" source: pull From b691f39d392c42b8286896a4c04d78f0f5a9e711 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 15:57:44 +0200 Subject: [PATCH 110/148] Update roles/custom/matrix-livekit-server/tasks/install.yml Co-authored-by: Suguru Hirahara --- roles/custom/matrix-livekit-server/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml index b24c4a23b12..8f348b4722f 100644 --- a/roles/custom/matrix-livekit-server/tasks/install.yml +++ b/roles/custom/matrix-livekit-server/tasks/install.yml 
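Review bot: the rewrite still nests `{{ matrix_element_call_domain }}` inside the outer `{{ ... }}` of `updated_element_call_config`, so the domain is expanded only if Ansible re-templates the stored fact when it is later consumed; that is the same construct the commit message says was broken. Use concatenation inside the expression (`"url": "https://" ~ matrix_element_call_domain`) so expansion happens at the first pass. Dropping the leading `---` is also a yamllint regression, and with the `ignore_errors`/`when` guards removed a missing config.json now fails the play at the slurp step; that is probably the right behaviour, but say so in the task name or add a `stat` check with an explicit failure message.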
@@ -40,7 +40,7 @@ until: livekit_image_result is not failed # Systemd Services for LiveKit -- name: Ensure livekit systemd service is installed +- name: Ensure LiveKit systemd service is installed ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-livekit-server.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service" From 85c0ffa9e1d84e3d85083634db00b22a785db9c7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 15:57:51 +0200 Subject: [PATCH 111/148] Update roles/custom/matrix-livekit-server/tasks/uninstall.yml Co-authored-by: Suguru Hirahara --- roles/custom/matrix-livekit-server/tasks/uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/tasks/uninstall.yml b/roles/custom/matrix-livekit-server/tasks/uninstall.yml index 0709dca1299..692545cdb64 100644 --- a/roles/custom/matrix-livekit-server/tasks/uninstall.yml +++ b/roles/custom/matrix-livekit-server/tasks/uninstall.yml @@ -6,7 +6,7 @@ name: "matrix-livekit-server" state: absent -- name: Remove livekit systemd service +- name: Remove LiveKit systemd service ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service" state: absent From 82127830b39995cb74fff5393fd3b945d65aefdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 15:58:01 +0200 Subject: [PATCH 112/148] Update roles/custom/matrix-livekit-server/tasks/uninstall.yml Co-authored-by: Suguru Hirahara --- roles/custom/matrix-livekit-server/tasks/uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/tasks/uninstall.yml b/roles/custom/matrix-livekit-server/tasks/uninstall.yml index 692545cdb64..fdedf475a5d 100644 --- a/roles/custom/matrix-livekit-server/tasks/uninstall.yml +++ b/roles/custom/matrix-livekit-server/tasks/uninstall.yml 
@@ -1,7 +1,7 @@ --- # Uninstall tasks for matrix-livekit-server -- name: Stop and remove livekit container +- name: Stop and remove LiveKit container community.docker.docker_container: name: "matrix-livekit-server" state: absent From 1838a541aef4fba960ffdedd47010311ea58b31f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:15:54 +0200 Subject: [PATCH 113/148] Variables rename (matrix_livekit_server_ -> livekit_server_) to prepare for role extraction --- docs/configuring-playbook-element-call.md | 6 +- docs/configuring-playbook-livekit-server.md | 8 +- group_vars/matrix_servers | 30 +++---- .../matrix-jwt-service/templates/env.j2 | 4 +- .../matrix-livekit-server/defaults/main.yml | 84 +++++++++---------- .../matrix-livekit-server/tasks/install.yml | 10 +-- .../matrix-livekit-server/tasks/main.yml | 8 +- .../tasks/validate_config.yml | 8 +- .../matrix-livekit-server/templates/labels.j2 | 32 +++---- .../templates/livekit.yaml.j2 | 2 +- .../systemd/matrix-livekit-server.service.j2 | 8 +- 11 files changed, 100 insertions(+), 100 deletions(-) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 6a6b5a496e4..d94357f554f 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -34,10 +34,10 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. # Enable dependent services keydb_enabled: true matrix_element_call_enabled: true -matrix_livekit_server_enabled: true +livekit_server_enabled: true matrix_jwt_service_enabled: true # Set a secure key for LiveKit authentication -matrix_livekit_server_dev_key: 'your-secure-livekit-key' +livekit_server_dev_key: 'your-secure-livekit-key' ``` ## Installing 
@@ -68,4 +68,4 @@ Ensure these ports are open and forwarded appropriately to allow traffic to flow ## Additional Information -Refer to the Element Call documentation for more details on configuring and using Element Call. \ No newline at end of file +Refer to the Element Call documentation for more details on configuring and using Element Call. diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index 309d9ecf30f..91a75f80c1e 100644 --- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md @@ -8,11 +8,11 @@ See the project's [documentation](https://github.com/livekit/livekit) to learn m ## Decide on a domain and path -By default, Livekit is configured to be served on the Matrix domain (`sfu.DOMAIN`, controlled by the `matrix_livekit_server_hostname` variable). +By default, Livekit is configured to be served on the Matrix domain (`sfu.DOMAIN`, controlled by the `livekit_server_hostname` variable). This makes it easy to set it up, **without** having to adjust your DNS records manually. -If you'd like to run Livekit on another hostname or path, use the `matrix_livekit_server_hostname` variable. +If you'd like to run Livekit on another hostname or path, use the `livekit_server_hostname` variable. ## Adjusting DNS records @@ -26,7 +26,7 @@ Ensure that the following DNS names have a public IP/FQDN: Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml -matrix_livekit_server_enabled: true +livekit_server_enabled: true # Set a secure key for LiveKit authentication matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' ``` 
@@ -53,4 +53,4 @@ Ensure these ports are open and forwarded appropriately to allow traffic to flow ## Additional Information -Refer to the Livekit documentation for more details on configuring and using Livekit. \ No newline at end of file +Refer to the Livekit documentation for more details on configuring and using Livekit. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f60b2a04195..6b5b6d53cb9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -442,7 +442,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_jwt_service_enabled else []) + - ([{'name': 'matrix-livekit-server.service', 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if matrix_livekit_server_enabled else []) + ([{'name': 'matrix-livekit-server.service', 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if livekit_server_enabled else []) + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else []) + 
@@ -6063,27 +6063,27 @@ matrix_element_call_container_labels_traefik_tls_certResolver: "{{ traefik_certR ######################################################################## # Matrix Livekit Server Configuration -matrix_livekit_server_enabled: false # Default is false; should be enabled in host_vars as needed -matrix_livekit_server_version: "latest" # Default version; can be overridden in host_vars -matrix_livekit_server_scheme: "https" -matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different -matrix_livekit_server_path_prefix: "/" -matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" -matrix_livekit_server_container_image: "livekit/livekit-server:{{ matrix_livekit_server_version }}" -matrix_livekit_server_container_image_force_pull: true +livekit_server_enabled: false # Default is false; should be enabled in host_vars as needed +livekit_server_version: "latest" # Default version; can be overridden in host_vars +livekit_server_scheme: "https" +livekit_server_hostname: "sfu.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different +livekit_server_path_prefix: "/" +livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" +livekit_server_container_image: "livekit/livekit-server:{{ livekit_server_version }}" +livekit_server_container_image_force_pull: true # Docker network configuration for Livekit -matrix_livekit_server_container_network: "{{ matrix_addons_container_network }}" -matrix_livekit_server_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" +livekit_server_container_network: "{{ matrix_addons_container_network }}" +livekit_server_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if 
(livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" # Traefik Configuration for Livekit matrix_livekit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_livekit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" -matrix_livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" +livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" # LiveKit Service Configuration -matrix_livekit_server_livekit_dev_key: "{{ matrix_livekit_server_dev_key }}" # LiveKit dev key +livekit_server_livekit_dev_key: "{{ livekit_server_dev_key }}" # LiveKit dev key ######################################################################## # # @@ -6126,4 +6126,4 @@ matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT ser # # # /matrix-jwt-service # # # -######################################################################## \ No newline at end of file +######################################################################## diff --git a/roles/custom/matrix-jwt-service/templates/env.j2 b/roles/custom/matrix-jwt-service/templates/env.j2 index 4bb12aaf540..7135bb0875e 100644 --- a/roles/custom/matrix-jwt-service/templates/env.j2 +++ b/roles/custom/matrix-jwt-service/templates/env.j2 @@ -1,4 +1,4 @@ # Environment variables for JWT Service LIVEKIT_KEY=devkey -LIVEKIT_URL=wss://{{ matrix_livekit_server_hostname }}:443 -LIVEKIT_SECRET={{ matrix_livekit_server_dev_key }} \ No newline at end of file +LIVEKIT_URL=wss://{{ livekit_server_hostname }}:443 +LIVEKIT_SECRET={{ livekit_server_dev_key }} 
diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 8175af0ea8b..c20f7247fc3 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -1,49 +1,49 @@ --- # Enable or disable matrix-livekit-server deployment -matrix_livekit_server_enabled: false +livekit_server_enabled: false # Base path configuration -matrix_livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" +livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" # Docker network configuration -matrix_livekit_server_container_network: '' -matrix_livekit_server_container_http_host_bind_port: '' -matrix_livekit_server_container_additional_networks: [] # No additional networks by default +livekit_server_container_network: '' +livekit_server_container_http_host_bind_port: '' +livekit_server_container_additional_networks: [] # No additional networks by default # Docker images -matrix_livekit_server_image: "livekit/livekit-server:latest" +livekit_server_image: "livekit/livekit-server:latest" # LiveKit configuration -matrix_livekit_server_livekit_server_dev_key: "{{ matrix_livekit_server_dev_key }}" # Must be defined in host_vars -matrix_livekit_server_jwt_secret: "{{ matrix_element_call_jwt_secret }}" # Must be defined in host_vars -matrix_livekit_server_hostname: "sfu.{{ matrix_domain }}" +livekit_server_livekit_server_dev_key: "{{ livekit_server_dev_key }}" # Must be defined in host_vars +livekit_server_jwt_secret: "{{ matrix_element_call_jwt_secret }}" # Must be defined in host_vars +livekit_server_hostname: "sfu.{{ matrix_domain }}" # Traefik Configuration for Element Call -matrix_livekit_server_container_labels_traefik_enabled: true -matrix_livekit_server_container_labels_traefik_docker_network: "{{ matrix_livekit_server_container_network }}" -matrix_livekit_server_container_labels_traefik_hostname: "{{ matrix_livekit_server_hostname }}" +livekit_server_container_labels_traefik_enabled: true +livekit_server_container_labels_traefik_docker_network: "{{ livekit_server_container_network }}" +livekit_server_container_labels_traefik_hostname: "{{ livekit_server_hostname }}" # The path prefix must either be `/` or 
not end with a slash (e.g. `/element`). -matrix_livekit_server_container_labels_traefik_path_prefix: "{{ matrix_livekit_server_path_prefix }}" -matrix_livekit_server_container_labels_traefik_rule: "Host(`{{ matrix_livekit_server_container_labels_traefik_hostname }}`){% if matrix_livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_server_container_labels_traefik_path_prefix }}`){% endif %}" -matrix_livekit_server_container_labels_traefik_priority: 0 -matrix_livekit_server_container_labels_traefik_entrypoints: web-secure -matrix_livekit_server_container_labels_traefik_tls: "{{ matrix_livekit_server_container_labels_traefik_entrypoints != 'web' }}" -matrix_livekit_server_container_labels_traefik_tls_certResolver: default # noqa var-naming +livekit_server_container_labels_traefik_path_prefix: "{{ livekit_server_path_prefix }}" +livekit_server_container_labels_traefik_rule: "Host(`{{ livekit_server_container_labels_traefik_hostname }}`){% if livekit_server_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ livekit_server_container_labels_traefik_path_prefix }}`){% endif %}" +livekit_server_container_labels_traefik_priority: 0 +livekit_server_container_labels_traefik_entrypoints: web-secure +livekit_server_container_labels_traefik_tls: "{{ livekit_server_container_labels_traefik_entrypoints != 'web' }}" +livekit_server_container_labels_traefik_tls_certResolver: default # noqa var-naming # Controls which additional headers to attach to all HTTP responses. 
-# To add your own headers, use `matrix_livekit_server_container_labels_traefik_additional_response_headers_custom` -matrix_livekit_server_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_server_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_server_container_labels_traefik_additional_response_headers_custom) }}" -matrix_livekit_server_container_labels_traefik_additional_response_headers_auto: | +# To add your own headers, use `livekit_server_container_labels_traefik_additional_response_headers_custom` +livekit_server_container_labels_traefik_additional_response_headers: "{{ livekit_server_container_labels_traefik_additional_response_headers_auto | combine(livekit_server_container_labels_traefik_additional_response_headers_custom) }}" +livekit_server_container_labels_traefik_additional_response_headers_auto: | {{ {} - | combine ({'X-XSS-Protection': matrix_livekit_server_http_header_xss_protection} if matrix_livekit_server_http_header_xss_protection else {}) - | combine ({'X-Frame-Options': matrix_livekit_server_http_header_frame_options} if matrix_livekit_server_http_header_frame_options else {}) - | combine ({'X-Content-Type-Options': matrix_livekit_server_http_header_content_type_options} if matrix_livekit_server_http_header_content_type_options else {}) - | combine ({'Content-Security-Policy': matrix_livekit_server_http_header_content_security_policy} if matrix_livekit_server_http_header_content_security_policy else {}) - | combine ({'Permission-Policy': matrix_livekit_server_http_header_content_permission_policy} if matrix_livekit_server_http_header_content_permission_policy else {}) - | combine ({'Strict-Transport-Security': matrix_livekit_server_http_header_strict_transport_security} if matrix_livekit_server_http_header_strict_transport_security and matrix_livekit_server_container_labels_traefik_tls else {}) + | combine ({'X-XSS-Protection': livekit_server_http_header_xss_protection} if 
livekit_server_http_header_xss_protection else {}) + | combine ({'X-Frame-Options': livekit_server_http_header_frame_options} if livekit_server_http_header_frame_options else {}) + | combine ({'X-Content-Type-Options': livekit_server_http_header_content_type_options} if livekit_server_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': livekit_server_http_header_content_security_policy} if livekit_server_http_header_content_security_policy else {}) + | combine ({'Permission-Policy': livekit_server_http_header_content_permission_policy} if livekit_server_http_header_content_permission_policy else {}) + | combine ({'Strict-Transport-Security': livekit_server_http_header_strict_transport_security} if livekit_server_http_header_strict_transport_security and livekit_server_container_labels_traefik_tls else {}) }} -matrix_livekit_server_container_labels_traefik_additional_response_headers_custom: {} +livekit_server_container_labels_traefik_additional_response_headers_custom: {} # matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. 
@@ -52,16 +52,16 @@ matrix_livekit_server_container_labels_traefik_additional_response_headers_custo # matrix_client_element_container_labels_additional_labels: | # my.label=1 # another.label="here" -matrix_livekit_server_container_labels_additional_labels: '' +livekit_server_container_labels_additional_labels: '' # A list of extra arguments to pass to the container -matrix_livekit_server_container_extra_arguments: [] +livekit_server_container_extra_arguments: [] # Additional environment variables for the container -matrix_livekit_server_environment_variables_additional: {} +livekit_server_environment_variables_additional: {} # List of systemd services that matrix-element-call.service depends on -matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +livekit_server_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" # Specifies the value of the `X-XSS-Protection` header # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. 
@@ -69,27 +69,27 @@ matrix_livekit_server_systemd_required_services_list: "{{ [devture_systemd_docke # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_livekit_server_http_header_xss_protection: '' +livekit_server_http_header_xss_protection: '' # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -matrix_livekit_server_http_header_frame_options: '' +livekit_server_http_header_frame_options: '' # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -matrix_livekit_server_http_header_content_type_options: '' +livekit_server_http_header_content_type_options: '' # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -matrix_livekit_server_http_header_content_security_policy: '' +livekit_server_http_header_content_security_policy: '' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_livekit_server_http_header_content_permission_policy: '' +livekit_server_http_header_content_permission_policy: '' # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_livekit_server_http_header_strict_transport_security: '' +livekit_server_http_header_strict_transport_security: '' # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # 
@@ -99,8 +99,8 @@ matrix_livekit_server_http_header_strict_transport_security: '' # - https://amifloced.org/ # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. -# See: `matrix_livekit_server_content_permission_policy` -matrix_livekit_server_floc_optout_enabled: false +# See: `livekit_server_content_permission_policy` +livekit_server_floc_optout_enabled: false # Controls if HSTS preloading is enabled # @@ -111,5 +111,5 @@ matrix_livekit_server_floc_optout_enabled: false # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in -# See: `matrix_livekit_server_http_header_strict_transport_security` -matrix_livekit_server_hsts_preload_enabled: true \ No newline at end of file +# See: `livekit_server_http_header_strict_transport_security` +livekit_server_hsts_preload_enabled: true diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml index 8f348b4722f..35aec98c2a1 100644 --- a/roles/custom/matrix-livekit-server/tasks/install.yml +++ b/roles/custom/matrix-livekit-server/tasks/install.yml @@ -10,13 +10,13 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - path: "{{ matrix_livekit_server_base_path }}" + - path: "{{ livekit_server_base_path }}" # Ensure Configuration Files are in Place - name: Ensure LiveKit livekit.yaml is in place ansible.builtin.template: src: "{{ role_path }}/templates/livekit.yaml.j2" - dest: "{{ matrix_livekit_server_base_path }}/livekit.yaml" + dest: "{{ livekit_server_base_path }}/livekit.yaml" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" 
@@ -24,7 +24,7 @@ - name: Ensure LiveKit labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/labels.j2" - dest: "{{ matrix_livekit_server_base_path }}/labels" + dest: "{{ livekit_server_base_path }}/labels" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" @@ -32,7 +32,7 @@ # Ensure Docker Images are Pulled - name: Ensure LiveKit Docker image is pulled community.docker.docker_image: - name: "{{ matrix_livekit_server_image }}" + name: "{{ livekit_server_image }}" source: pull register: livekit_image_result retries: 3 @@ -44,4 +44,4 @@ ansible.builtin.template: src: "{{ role_path }}/templates/systemd/matrix-livekit-server.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service" - mode: 0644 \ No newline at end of file + mode: 0644 diff --git a/roles/custom/matrix-livekit-server/tasks/main.yml b/roles/custom/matrix-livekit-server/tasks/main.yml index 1884596b82a..349d63be692 100644 --- a/roles/custom/matrix-livekit-server/tasks/main.yml +++ b/roles/custom/matrix-livekit-server/tasks/main.yml @@ -7,15 +7,15 @@ - install-all - install-livekit-server block: - - when: matrix_livekit_server_enabled | bool + - when: livekit_server_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - when: matrix_livekit_server_enabled | bool + - when: livekit_server_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: - setup-all - setup-livekit-server block: - - when: not matrix_livekit_server_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file + - when: not livekit_server_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index ddf750b9b1a..0694efed8d9 100644 
--- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -7,7 +7,7 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: - - {'name': 'matrix_livekit_server_base_path', when: true} - - {'name': 'matrix_livekit_server_container_network', when: true} - - {'name': 'matrix_livekit_server_image', when: true} - - {'name': 'matrix_livekit_server_image', when: true} \ No newline at end of file + - {'name': 'livekit_server_base_path', when: true} + - {'name': 'livekit_server_container_network', when: true} + - {'name': 'livekit_server_image', when: true} + - {'name': 'livekit_server_image', when: true} diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index 77a3ce426c1..2200c41ac7d 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 @@ -1,9 +1,9 @@ -{% if matrix_livekit_server_container_labels_traefik_enabled %} +{% if livekit_server_container_labels_traefik_enabled %} traefik.enable=true # Network configuration for Traefik -{% if matrix_livekit_server_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_livekit_server_container_labels_traefik_docker_network }} +{% if livekit_server_container_labels_traefik_docker_network %} +traefik.docker.network={{ livekit_server_container_labels_traefik_docker_network }} {% endif %} traefik.http.services.matrix-livekit-server.loadbalancer.server.port=7880 
@@ -11,36 +11,36 @@ traefik.http.services.matrix-livekit-server.loadbalancer.server.port=7880 {% set middlewares = [] %} # Path prefix handling for Livekit -{% if matrix_livekit_server_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.regex=({{ matrix_livekit_server_container_labels_traefik_path_prefix | quote }})$ +{% if livekit_server_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$ traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.replacement=${1}/ {% set middlewares = middlewares + ['matrix-livekit-server-slashless-redirect'] %} -traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes={{ matrix_livekit_server_container_labels_traefik_path_prefix }} +traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes={{ livekit_server_container_labels_traefik_path_prefix }} {% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %} {% endif %} -{% if matrix_livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -{% for name, value in matrix_livekit_server_container_labels_traefik_additional_response_headers.items() %} +{% if livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in livekit_server_container_labels_traefik_additional_response_headers.items() %} traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} {% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} {% endif %} -traefik.http.routers.matrix-livekit-server.rule={{ matrix_livekit_server_container_labels_traefik_rule }} -{% if matrix_livekit_server_container_labels_traefik_priority | int > 0 %} 
-traefik.http.routers.matrix-livekit-server.priority={{ matrix_livekit_server_container_labels_traefik_priority }} +traefik.http.routers.matrix-livekit-server.rule={{ livekit_server_container_labels_traefik_rule }} +{% if livekit_server_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-livekit-server.priority={{ livekit_server_container_labels_traefik_priority }} {% endif %} traefik.http.routers.matrix-livekit-server.service=matrix-livekit-server {% if middlewares | length > 0 %} traefik.http.routers.matrix-livekit-server.middlewares={{ middlewares | join(',') }} {% endif %} -traefik.http.routers.matrix-livekit-server.entrypoints={{ matrix_livekit_server_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-livekit-server.tls={{ matrix_livekit_server_container_labels_traefik_tls | to_json }} -{% if matrix_livekit_server_container_labels_traefik_tls %} -traefik.http.routers.matrix-livekit-server.tls.certResolver={{ matrix_livekit_server_container_labels_traefik_tls_certResolver }} +traefik.http.routers.matrix-livekit-server.entrypoints={{ livekit_server_container_labels_traefik_entrypoints }} +traefik.http.routers.matrix-livekit-server.tls={{ livekit_server_container_labels_traefik_tls | to_json }} +{% if livekit_server_container_labels_traefik_tls %} +traefik.http.routers.matrix-livekit-server.tls.certResolver={{ livekit_server_container_labels_traefik_tls_certResolver }} {% endif %} {% endif %} -{{ matrix_livekit_server_container_labels_additional_labels }} \ No newline at end of file +{{ livekit_server_container_labels_additional_labels }} diff --git a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 index 77ac841a83b..04fcb117043 100644 --- a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 
@@ -17,4 +17,4 @@ turn: external_tls: true keys: - devkey: "{{ matrix_livekit_server_livekit_dev_key }}" \ No newline at end of file + devkey: "{{ livekit_server_livekit_dev_key }}" diff --git a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 index ddaa3518112..98c19e4dc86 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 @@ -17,9 +17,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network=host \ - --mount type=bind,src={{ matrix_livekit_server_base_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ - --label-file={{ matrix_livekit_server_base_path }}/labels \ - {{ matrix_livekit_server_image }} \ + --mount type=bind,src={{ livekit_server_base_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ + --label-file={{ livekit_server_base_path }}/labels \ + {{ livekit_server_image }} \ --dev --config /etc/livekit.yaml ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-server @@ -31,4 +31,4 @@ RestartSec=30 SyslogIdentifier=matrix-livekit-server [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target From 88d4668450c9eea6bf53432dd20fcd3c5424b2b2 Mon Sep 17 00:00:00 2001 
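Review bot: In the `group_vars/matrix_servers` hunk at `@@ -6063`, `matrix_livekit_container_labels_traefik_enabled` and `matrix_livekit_container_labels_traefik_docker_network` were not renamed (they did not even carry the `matrix_livekit_server_` prefix before), while the new `livekit_server_container_additional_networks` line already references `livekit_server_container_labels_traefik_enabled`. Since `defaults/main.yml` hard-codes `livekit_server_container_labels_traefik_enabled: true`, the reverse-proxy-type check in group_vars never reaches the role; rename both to `livekit_server_container_labels_traefik_enabled` and `livekit_server_container_labels_traefik_docker_network`.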
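Review bot: The dev key variable names do not line up across the `defaults/main.yml`, `group_vars` and `livekit.yaml.j2` hunks: the template renders `{{ livekit_server_livekit_dev_key }}`, which `group_vars` defines, but `defaults/main.yml` defines `livekit_server_livekit_server_dev_key` instead, so a stand-alone run of the role (the role extraction this rename prepares for) has no default for the variable the template actually uses. Pick one name, give it an empty default in `defaults/main.yml`, and add it to `validate_config.yml`; the `# Must be defined in host_vars` comments are not enforced by anything. The same applies to `livekit_server_path_prefix`, consumed by `livekit_server_container_labels_traefik_path_prefix` in defaults but only defined in `group_vars`, and to `livekit_server_jwt_secret: "{{ matrix_element_call_jwt_secret }}"`, which keeps the role coupled to the Element Call role.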
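Review bot: In the `docs/configuring-playbook-livekit-server.md` hunk at `@@ -26,7`, the example still sets `matrix_element_call_livekit_dev_key`, whereas the Element Call doc and `group_vars` use `livekit_server_dev_key`; a reader following the LiveKit doc alone ends up with `livekit_server_dev_key` undefined. Replace the line with `livekit_server_dev_key: 'your-secure-livekit-key'`.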
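Review bot: In `roles/custom/matrix-jwt-service/templates/env.j2`, `LIVEKIT_KEY=devkey` is hard-coded and `LIVEKIT_SECRET` reads `livekit_server_dev_key` directly from the other role, so the JWT service role cannot be extracted on its own either. Give the JWT role its own defaults (suggested names: `matrix_jwt_service_livekit_key` and `matrix_jwt_service_livekit_secret`) that `group_vars` wires to the LiveKit values, and derive the key name from the same variable that feeds the `keys:` entry in `livekit.yaml.j2`, so the two files cannot drift apart.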
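Review bot: The `matrix-livekit-server.service.j2` hunk keeps `--network=host` together with `--dev`. With host networking, `livekit_server_container_network`, `livekit_server_container_additional_networks` and the `traefik.docker.network` label in `labels.j2` have no effect on how Traefik reaches the container, so either document that or bind the port explicitly via `livekit_server_container_http_host_bind_port`, which the defaults declare but nothing in these hunks uses. `--dev` is LiveKit's development mode (debug logging among other things); if it is only there so the `devkey` entry is picked up, the `keys:` block in `livekit.yaml` already does that, so confirm it is intended for production units or make it a variable.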
From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:16:43 +0200 Subject: [PATCH 114/148] Variable rename (livekit_server_image -> livekit_server_container_image) for consistency with other roles --- roles/custom/matrix-livekit-server/defaults/main.yml | 2 +- roles/custom/matrix-livekit-server/tasks/install.yml | 2 +- roles/custom/matrix-livekit-server/tasks/validate_config.yml | 4 ++-- .../templates/systemd/matrix-livekit-server.service.j2 | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index c20f7247fc3..a71c955cc18 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml @@ -11,7 +11,7 @@ livekit_server_container_http_host_bind_port: '' livekit_server_container_additional_networks: [] # No additional networks by default # Docker images -livekit_server_image: "livekit/livekit-server:latest" +livekit_server_container_image: "livekit/livekit-server:latest" # LiveKit configuration livekit_server_livekit_server_dev_key: "{{ livekit_server_dev_key }}" # Must be defined in host_vars diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml index 35aec98c2a1..30c2e87cdb4 100644 --- a/roles/custom/matrix-livekit-server/tasks/install.yml +++ b/roles/custom/matrix-livekit-server/tasks/install.yml @@ -32,7 +32,7 @@ # Ensure Docker Images are Pulled - name: Ensure LiveKit Docker image is pulled community.docker.docker_image: - name: "{{ livekit_server_image }}" + name: "{{ livekit_server_container_image }}" source: pull register: livekit_image_result retries: 3 diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index 0694efed8d9..6340ed26ac0 100644 --- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml 
+++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -9,5 +9,5 @@ with_items: - {'name': 'livekit_server_base_path', when: true} - {'name': 'livekit_server_container_network', when: true} - - {'name': 'livekit_server_image', when: true} - - {'name': 'livekit_server_image', when: true} + - {'name': 'livekit_server_container_image', when: true} + - {'name': 'livekit_server_container_image', when: true} diff --git a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 index 98c19e4dc86..e078a898fb5 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 @@ -19,7 +19,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --network=host \ --mount type=bind,src={{ livekit_server_base_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ --label-file={{ livekit_server_base_path }}/labels \ - {{ livekit_server_image }} \ + {{ livekit_server_container_image }} \ --dev --config /etc/livekit.yaml ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-server From 925ebfbd4bc2302ca282ef2f576a738781a6157a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:21:42 +0200 Subject: [PATCH 115/148] Update docs/configuring-playbook-element-call.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-element-call.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 6a6b5a496e4..4754722be5f 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md 
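Review bot: in the validate_config.yml hunk of PATCH 114, `livekit_server_container_image` is listed twice (it was already duplicated before the rename), so one entry is dead; the second slot was presumably meant for the dev key, which is the one required-but-unvalidated setting in this role: defaults/main.yml sets `livekit_server_livekit_server_dev_key: "{{ livekit_server_dev_key }}"` with a comment that it must be defined in host_vars, yet nothing fails the run when it is missing or empty. Suggest replacing the duplicate with an entry for the dev-key variable. Separately, the defaults hunk keeps `livekit_server_container_image: "livekit/livekit-server:latest"`; pinning a version tag makes deployments reproducible.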
@@ -19,9 +19,9 @@ If you'd like to run Element Call on another hostname or path, use the `matrix_e If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. Ensure that the following DNS names have a public IP/FQDN: -- `call.DOMAIN` -- `sfu.DOMAIN` -- `sfu-jwt.DOMAIN` +- `call.example.com` +- `sfu.example.com` +- `sfu-jwt.example.com` ## Adjusting the playbook configuration From 55da5c3213ce9581654b128d0ff66a7b6a1d38ad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:21:55 +0200 Subject: [PATCH 116/148] Update docs/configuring-playbook-element-call.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-element-call.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 4754722be5f..c600b3fb991 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -36,6 +36,7 @@ keydb_enabled: true matrix_element_call_enabled: true matrix_livekit_server_enabled: true matrix_jwt_service_enabled: true + # Set a secure key for LiveKit authentication matrix_livekit_server_dev_key: 'your-secure-livekit-key' ``` From 25a8cb3b4a3a43f592a894a2170da5d9c164cd34 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:22:17 +0200 Subject: [PATCH 117/148] Update docs/configuring-playbook-element-call.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-element-call.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index c600b3fb991..4ec65d0ec3e 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md 
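Review bot: in the PATCH 116 hunk, the documented variable `matrix_livekit_server_dev_key` does not match what the role consumes: defaults/main.yml (PATCH 114) reads `livekit_server_dev_key`, so a user who follows this doc verbatim ends up with the key undefined. Suggest using the role's variable name here and, since this value is the LiveKit API secret, replacing the literal `'your-secure-livekit-key'` example with an instruction to generate a long random value.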
@@ -42,10 +42,8 @@ matrix_livekit_server_dev_key: 'your-secure-livekit-key' ``` ## Installing -After potentially adjusting DNS records and configuring the playbook, run the installation command again: -```yaml -ansible-playbook -i inventory setup.yml -``` + +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all` ## Usage Once installed, Element Call integrates seamlessly with Matrix clients like Element Web. When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your JWT service URL (e.g., `https://sfu-jwt.DOMAIN`). From 32ea60fdc5547d931b0797ce9e04b570b0c71255 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:22:44 +0200 Subject: [PATCH 118/148] Update docs/configuring-playbook-element-call.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-element-call.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 4ec65d0ec3e..6ed90320df2 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md 
@@ -46,9 +46,10 @@ matrix_livekit_server_dev_key: 'your-secure-livekit-key' After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all` ## Usage -Once installed, Element Call integrates seamlessly with Matrix clients like Element Web. When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your JWT service URL (e.g., `https://sfu-jwt.DOMAIN`). -Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.DOMAIN`). +Once installed, Element Call integrates seamlessly with Matrix clients like Element Web. When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your JWT service URL (e.g., `https://sfu-jwt.example.com`). + +Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.example.com`). ## Required Firewall and Port Forwarding Rules From ccb29beb303a56f3b52ed48d3631859ca5d36eaa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:22:56 +0200 Subject: [PATCH 119/148] Update docs/configuring-playbook-jwt-service.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-jwt-service.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md index 7910c09202e..f64a86d4912 100644 --- a/docs/configuring-playbook-jwt-service.md +++ b/docs/configuring-playbook-jwt-service.md 
@@ -27,6 +27,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_jwt_service_enabled: true + # Set a secure key for LiveKit authentication matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' ``` From eb048da8a1e374aca5f1dc04c46a3245933b22c4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:23:06 +0200 Subject: [PATCH 120/148] Update docs/configuring-playbook-jwt-service.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-jwt-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md index f64a86d4912..664b4d4923f 100644 --- a/docs/configuring-playbook-jwt-service.md +++ b/docs/configuring-playbook-jwt-service.md @@ -23,7 +23,7 @@ Ensure that the following DNS names have a public IP/FQDN: ## Adjusting the playbook configuration -Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: +Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: ```yaml matrix_jwt_service_enabled: true From df6ef106d1cf9e062ec38fed60374c4724ad0630 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:23:18 +0200 Subject: [PATCH 121/148] Update docs/configuring-playbook-jwt-service.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-jwt-service.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md index 664b4d4923f..5b84ffb16a2 100644 --- a/docs/configuring-playbook-jwt-service.md +++ b/docs/configuring-playbook-jwt-service.md 
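Review bot: in the PATCH 119 hunk, the JWT-service doc names the key `matrix_element_call_livekit_dev_key`, while the Element Call doc (PATCH 116) uses `matrix_livekit_server_dev_key` and the role default (PATCH 114) reads `livekit_server_dev_key`; three names for one secret across the docs guarantees misconfiguration. Suggest settling on the role's variable name in all three docs.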
@@ -39,7 +39,8 @@ ansible-playbook -i inventory setup.yml ``` ## Usage -Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the element web client to point to your JWT service URL (e.g., `https://sfu-jwt.DOMAIN`). + +Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the element web client to point to your JWT service URL (e.g., `https://sfu-jwt.example.com`). ## Additional Information From ec41c1aba5746e23b2696e6968e8744478d7e889 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:23:28 +0200 Subject: [PATCH 122/148] Update docs/configuring-playbook-jwt-service.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-jwt-service.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md index 5b84ffb16a2..85f142da571 100644 --- a/docs/configuring-playbook-jwt-service.md +++ b/docs/configuring-playbook-jwt-service.md @@ -33,10 +33,8 @@ matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' ``` ## Installing -After potentially adjusting DNS records and configuring the playbook, run the installation command again: -```yaml -ansible-playbook -i inventory setup.yml -``` + +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all` ## Usage From 66cc36466c0e72bff5ecc5452ab7d4ebd8244889 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:23:36 +0200 Subject: [PATCH 123/148] Update docs/configuring-playbook-livekit-server.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-livekit-server.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index 309d9ecf30f..5656abc51c6 100644 --- a/docs/configuring-playbook-livekit-server.md 
+++ b/docs/configuring-playbook-livekit-server.md @@ -32,10 +32,8 @@ matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' ``` ## Installing -After potentially adjusting DNS records and configuring the playbook, run the installation command again: -```yaml -ansible-playbook -i inventory setup.yml -``` + +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the [installation](installing.md) command: `just install-all` or `just setup-all` ## Usage Once installed, and in conjunction with Element Call and JWT Service, Livekit will become the WebRTC backend for all Element client calls. From 378392227563f90b664754d283b03fddbedd15f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:23:47 +0200 Subject: [PATCH 124/148] Update docs/configuring-playbook-livekit-server.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-livekit-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index 5656abc51c6..2b533bbca96 100644 --- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md @@ -27,9 +27,9 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_livekit_server_enabled: true + # Set a secure key for LiveKit authentication matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' -``` ## Installing From 83bb546c643d3d7a4c9f6271084d221a0de98a1f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:23:55 +0200 Subject: [PATCH 125/148] Update docs/configuring-playbook-livekit-server.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-livekit-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index 2b533bbca96..c3abbdc4f69 100644 
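Review bot: in the PATCH 124 hunk, the line `-```` removes the closing fence of the YAML code block with no replacement, so everything after it (`## Installing` onward) renders inside the code block. The intended change was presumably only to add the blank line and the comment; the closing fence should be kept.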
--- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md @@ -1,4 +1,4 @@ -# Setting up Livekit (optional) +# Setting up LiveKit (optional) The playbook can install and configure [Livekit](https://github.com/livekit/livekit) for you. From 0f23e36e12a652965552424b5547cdd7e04035d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:24:05 +0200 Subject: [PATCH 126/148] Update docs/configuring-playbook-livekit-server.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-livekit-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index c3abbdc4f69..7882aae8e6b 100644 --- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md @@ -1,6 +1,6 @@ # Setting up LiveKit (optional) -The playbook can install and configure [Livekit](https://github.com/livekit/livekit) for you. +The playbook can install and configure [LiveKit](https://github.com/livekit/livekit) for you. LiveKit is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video audio data capabilities in your applications. From 164be875b0e3305191135784e1183b94143ff7c1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:24:15 +0200 Subject: [PATCH 127/148] Update docs/configuring-playbook-livekit-server.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-livekit-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index 7882aae8e6b..fa5264954b1 100644 --- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md 
@@ -8,7 +8,7 @@ See the project's [documentation](https://github.com/livekit/livekit) to learn m ## Decide on a domain and path -By default, Livekit is configured to be served on the Matrix domain (`sfu.DOMAIN`, controlled by the `matrix_livekit_server_hostname` variable). +By default, LiveKit is configured to be served on the Matrix domain (`sfu.example.com`, controlled by the `matrix_livekit_server_hostname` variable). This makes it easy to set it up, **without** having to adjust your DNS records manually. From c321ca160ecbeec8f3ed9a96802aa436510779f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:24:26 +0200 Subject: [PATCH 128/148] Update docs/configuring-playbook-livekit-server.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-livekit-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index fa5264954b1..561d8f7fe60 100644 --- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md @@ -19,7 +19,7 @@ If you'd like to run Livekit on another hostname or path, use the `matrix_liveki If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. Ensure that the following DNS names have a public IP/FQDN: -- `sfu.DOMAIN` +- `sfu.example.com` ## Adjusting the playbook configuration From c07b0939022dcbc8667d37d987ca7a5137bf7cea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:24:34 +0200 Subject: [PATCH 129/148] Update docs/configuring-playbook-livekit-server.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-livekit-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index 561d8f7fe60..34008ffa34b 100644 --- a/docs/configuring-playbook-livekit-server.md 
+++ b/docs/configuring-playbook-livekit-server.md @@ -23,7 +23,7 @@ Ensure that the following DNS names have a public IP/FQDN: ## Adjusting the playbook configuration -Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: +Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: ```yaml matrix_livekit_server_enabled: true From fa4ebd2a64af5900eda1399cefe5f6b9b9b7334a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:37:01 +0200 Subject: [PATCH 130/148] Cleanups --- group_vars/matrix_servers | 14 ++++---------- .../custom/matrix-livekit-server/defaults/main.yml | 5 ++++- .../tasks/validate_config.yml | 1 + 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8fc11fbe4d5..0b1707b7fc7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -6064,14 +6064,10 @@ matrix_element_call_container_labels_traefik_tls_certResolver: "{{ traefik_certR livekit_server_enabled: "{{ matrix_element_call_enabled }}" -livekit_server_scheme: "https" -livekit_server_hostname: "sfu.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different -livekit_server_path_prefix: "/" -livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" -livekit_server_container_image: "livekit/livekit-server:{{ livekit_server_version }}" -livekit_server_container_image_force_pull: true - -# Docker network configuration for Livekit +livekit_server_hostname: "sfu.{{ matrix_domain }}" + +livekit_server_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" + livekit_server_container_network: "{{ matrix_addons_container_network }}" livekit_server_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" @@ -6081,8 +6077,6 @@ matrix_livekit_container_labels_traefik_docker_network: "{{ matrix_playbook_reve livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" -# LiveKit Service Configuration -livekit_server_livekit_dev_key: "{{ livekit_server_dev_key }}" # LiveKit dev key ######################################################################## # # diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 17a894e2e88..b080f1022a4 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -10,6 +10,9 @@ livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" # renovate: datasource=docker depName=livekit/livekit-server livekit_server_version: v1.8.0 +livekit_server_hostname: "" +livekit_server_path_prefix: "/" + # Docker network configuration livekit_server_container_network: '' livekit_server_container_http_host_bind_port: '' @@ -23,7 +26,7 @@ livekit_server_container_repo: "https://github.com/livekit/livekit.git" livekit_server_container_repo_version: "{{ 'main' if livekit_server_version == 'latest' else livekit_server_version }}" livekit_server_container_src_files_path: "{{ livekit_server_base_path }}/container-src" -livekit_server_container_image: "livekit/livekit-server:latest" +livekit_server_container_image: "{{ livekit_server_container_image_name_prefix }}livekit/livekit-server:{{ livekit_server_version }}" livekit_server_container_image_name_prefix: "{{ 'localhost/' if livekit_server_container_image_self_build else 'docker.io/' }}" livekit_server_container_image_force_pull: "{{ livekit_server_container_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index 6340ed26ac0..9d55b373358 100644 --- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -7,6 +7,7 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: + - {'name': 'livekit_server_hostname', when: true} - {'name': 'livekit_server_base_path', when: true} - {'name': 'livekit_server_container_network', when: true} - {'name': 'livekit_server_container_image', when: true} From 783d4a23f82cfb65143991f9266c89dd4034d87d Mon Sep 17 00:00:00 2001 
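Review bot: in the group_vars/matrix_servers hunk of PATCH 130, the removed line `livekit_server_livekit_dev_key: "{{ livekit_server_dev_key }}"` was the only visible definition of the variable that templates/livekit.yaml.j2 still renders (`devkey: "{{ livekit_server_livekit_dev_key }}"`, PATCH 113); defaults/main.yml defines the differently spelled `livekit_server_livekit_server_dev_key`, so after this patch the template references an undefined variable and the install fails at templating. Either keep the definition or rename the template reference in the same commit. The added `livekit_server_hostname` entry in validate_config.yml is a good addition.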
From: Slavi Pantaleev Date: Thu, 21 Nov 2024 16:54:45 +0200 Subject: [PATCH 131/148] Add livekit_server_identifier --- docs/configuring-playbook-element-call.md | 2 +- group_vars/matrix_servers | 12 ++++--- .../matrix-livekit-server/defaults/main.yml | 19 ++++------ .../matrix-livekit-server/tasks/install.yml | 19 ++++------ .../matrix-livekit-server/tasks/main.yml | 1 - .../matrix-livekit-server/tasks/uninstall.yml | 36 ++++++++++--------- .../tasks/validate_config.yml | 7 ++-- .../templates/livekit.yaml.j2 | 2 +- ...r.service.j2 => livekit-server.service.j2} | 0 9 files changed, 46 insertions(+), 52 deletions(-) rename roles/custom/matrix-livekit-server/templates/systemd/{matrix-livekit-server.service.j2 => livekit-server.service.j2} (100%) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 19ce11d6b6c..663a0703879 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -34,7 +34,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. matrix_element_call_enabled: true # Set a secure key for LiveKit authentication -livekit_server_dev_key: 'your-secure-livekit-key' +livekit_server_config_keys_devkey: 'your-secure-livekit-key' ``` ## Installing diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0b1707b7fc7..b1948b0a672 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -442,7 +442,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_jwt_service_enabled else []) + - ([{'name': 'matrix-livekit-server.service', 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if livekit_server_enabled else []) + ([{'name': (livekit_server_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if livekit_server_enabled else []) + ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration', 'matrix-registration']}] if matrix_registration_enabled else []) + @@ -6064,6 +6064,10 @@ matrix_element_call_container_labels_traefik_tls_certResolver: "{{ traefik_certR livekit_server_enabled: "{{ matrix_element_call_enabled }}" +livekit_server_identifier: matrix-livekit-server + +livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" + livekit_server_hostname: "sfu.{{ matrix_domain }}" livekit_server_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" 
@@ -6071,13 +6075,11 @@ livekit_server_container_image_self_build: "{{ matrix_architecture not in ['arm6 livekit_server_container_network: "{{ matrix_addons_container_network }}" livekit_server_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" -# Traefik Configuration for Livekit -matrix_livekit_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" -matrix_livekit_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +livekit_server_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +livekit_server_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" - ######################################################################## # # # /livekit-server # diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index b080f1022a4..bd918011f90 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -4,18 +4,17 @@ livekit_server_enabled: false -# Base path configuration -livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" +livekit_server_identifier: livekit-server + +livekit_server_base_path: "/{{ livekit_server_identifier }}" # renovate: datasource=docker depName=livekit/livekit-server livekit_server_version: v1.8.0 livekit_server_hostname: "" -livekit_server_path_prefix: "/" +livekit_server_path_prefix: / -# Docker network configuration -livekit_server_container_network: '' -livekit_server_container_http_host_bind_port: '' +livekit_server_container_network: "{{ livekit_server_identifier }}" livekit_server_container_additional_networks: "{{ livekit_server_container_additional_networks_auto + livekit_server_container_additional_networks_custom }}" livekit_server_container_additional_networks_auto: [] @@ -30,12 +29,6 @@ livekit_server_container_image: "{{ livekit_server_container_image_name_prefix } livekit_server_container_image_name_prefix: "{{ 'localhost/' if livekit_server_container_image_self_build else 'docker.io/' }}" livekit_server_container_image_force_pull: "{{ livekit_server_container_image.endswith(':latest') }}" -# LiveKit configuration -livekit_server_livekit_server_dev_key: "{{ livekit_server_dev_key }}" # Must be defined in host_vars -livekit_server_jwt_secret: "{{ matrix_element_call_jwt_secret }}" # Must be defined in host_vars -livekit_server_hostname: "sfu.{{ matrix_domain }}" - -# Traefik Configuration for Element Call livekit_server_container_labels_traefik_enabled: true livekit_server_container_labels_traefik_docker_network: "{{ livekit_server_container_network }}" livekit_server_container_labels_traefik_hostname: "{{ livekit_server_hostname }}" @@ -130,3 +123,5 @@ livekit_server_floc_optout_enabled: false # - https://hstspreload.org/#opt-in # See: `livekit_server_http_header_strict_transport_security` livekit_server_hsts_preload_enabled: true + +livekit_server_config_keys_devkey: "" 
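Review bot: in the defaults/main.yml hunk, `livekit_server_container_labels_traefik_docker_network: "{{ livekit_server_container_network }}"` assumes the container is attached to that Docker network, but the unit file in this series starts it with `--network=host` (PATCH 113/114); a host-networked container has no address on a Docker network, so Traefik cannot reach it through that label. Worth confirming that the unit file is moved off host networking, or that the labels point Traefik at the host-bound port instead.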
diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml index 30c2e87cdb4..70b2b39a129 100644 --- a/roles/custom/matrix-livekit-server/tasks/install.yml +++ b/roles/custom/matrix-livekit-server/tasks/install.yml @@ -1,8 +1,6 @@ --- -# roles/custom/matrix-livekit-server/tasks/install.yml -# Ensure Required Directories Exist -- name: Ensure matrix-livekit-server paths exist +- name: Ensure LiveKit Server paths exist ansible.builtin.file: path: "{{ item.path }}" state: directory @@ -12,8 +10,7 @@ with_items: - path: "{{ livekit_server_base_path }}" -# Ensure Configuration Files are in Place -- name: Ensure LiveKit livekit.yaml is in place +- name: Ensure LiveKit Server livekit.yaml is in place ansible.builtin.template: src: "{{ role_path }}/templates/livekit.yaml.j2" dest: "{{ livekit_server_base_path }}/livekit.yaml" @@ -21,7 +18,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure LiveKit labels file is in place +- name: Ensure LiveKit Server labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/labels.j2" dest: "{{ livekit_server_base_path }}/labels" @@ -29,8 +26,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -# Ensure Docker Images are Pulled -- name: Ensure LiveKit Docker image is pulled +- name: Ensure LiveKit Server container image is pulled community.docker.docker_image: name: "{{ livekit_server_container_image }}" source: pull 
@@ -39,9 +35,8 @@ delay: 10 until: livekit_image_result is not failed -# Systemd Services for LiveKit -- name: Ensure LiveKit systemd service is installed +- name: Ensure LiveKit Server systemd service is installed ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-livekit-server.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service" + src: "{{ role_path }}/templates/systemd/livekit-server.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service" mode: 0644 diff --git a/roles/custom/matrix-livekit-server/tasks/main.yml b/roles/custom/matrix-livekit-server/tasks/main.yml index 349d63be692..2929a2917e8 100644 --- a/roles/custom/matrix-livekit-server/tasks/main.yml +++ b/roles/custom/matrix-livekit-server/tasks/main.yml @@ -1,5 +1,4 @@ --- -# Main task file for matrix-livekit-server - tags: - setup-all diff --git a/roles/custom/matrix-livekit-server/tasks/uninstall.yml b/roles/custom/matrix-livekit-server/tasks/uninstall.yml index fdedf475a5d..141fe0c21a2 100644 --- a/roles/custom/matrix-livekit-server/tasks/uninstall.yml +++ b/roles/custom/matrix-livekit-server/tasks/uninstall.yml 
@@ -1,21 +1,25 @@ --- -# Uninstall tasks for matrix-livekit-server -- name: Stop and remove LiveKit container - community.docker.docker_container: - name: "matrix-livekit-server" - state: absent +- name: Check existence of LiveKit Server service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service" + register: livekit_server_service_stat -- name: Remove LiveKit systemd service - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-server.service" - state: absent +- when: livekit_server_service_stat.stat.exists | bool + block: + - name: Ensure LiveKit Server is stopped + ansible.builtin.service: + name: "{{ livekit_server_identifier }}" + state: stopped + enabled: false + daemon_reload: true -- name: Remove matrix-livekit-server configuration files - ansible.builtin.file: - path: "{{ matrix_livekit_serverbase_path }}" - state: absent + - name: Ensure LiveKit Server systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ livekit_server_identifier }}.service" + state: absent -- name: Reload systemd daemon - ansible.builtin.systemd: - daemon_reload: true \ No newline at end of file + - name: Ensure LiveKit Server paths don't exist + ansible.builtin.file: + path: "{{ livekit_server_base_path }}" + state: absent diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index 9d55b373358..54532668e55 100644 --- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml 
@@ -1,14 +1,13 @@ --- -# Validate configuration for matrix-livekit-server -- name: Fail if required matrix-livekit-server settings are not defined +- name: Fail if required LiveKit Server settings are not defined ansible.builtin.fail: msg: > You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] == ''" + when: "item.when | bool and vars[item.name] | length == 0" with_items: - {'name': 'livekit_server_hostname', when: true} - {'name': 'livekit_server_base_path', when: true} - {'name': 'livekit_server_container_network', when: true} - {'name': 'livekit_server_container_image', when: true} - - {'name': 'livekit_server_container_image', when: true} + - {'name': 'livekit_server_config_keys_devkey', when: true} diff --git a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 index 04fcb117043..f6b2f716f82 100644 --- a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 +++ b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 @@ -17,4 +17,4 @@ turn: external_tls: true keys: - devkey: "{{ livekit_server_livekit_dev_key }}" + devkey: {{ livekit_server_config_keys_devkey | to_json }} diff --git a/roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 similarity index 100% rename from roles/custom/matrix-livekit-server/templates/systemd/matrix-livekit-server.service.j2 rename to roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 From 721fb39aa28ae275c4924a15fde62438b215a1ac Mon Sep 17 00:00:00 2001 
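Review bot: in the validate_config.yml hunk, the new check `vars[item.name] | length == 0` for `livekit_server_config_keys_devkey` only rejects an empty value, so the placeholder `'your-secure-livekit-key'` that the docs hunk in this same patch tells users to set passes validation and becomes the live LiveKit API secret. Suggest the docs show generating a random value and, optionally, that validation also fail on the documented placeholder. Rendering the key with `| to_json` in livekit.yaml.j2 is the right fix for quoting.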
From: Slavi Pantaleev Date: Thu, 21 Nov 2024 17:28:06 +0200 Subject: [PATCH 132/148] More progress on the LiveKit role --- group_vars/matrix_servers | 3 ++ .../matrix-livekit-server/defaults/main.yml | 24 ++++++++++++- .../matrix-livekit-server/tasks/install.yml | 27 +++++++------- .../tasks/validate_config.yml | 7 ++-- .../templates/config.yaml.j2 | 21 +++++++++++ .../matrix-livekit-server/templates/labels.j2 | 3 +- .../templates/livekit.yaml.j2 | 20 ----------- .../systemd/livekit-server.service.j2 | 36 ++++++++++--------- 8 files changed, 86 insertions(+), 55 deletions(-) create mode 100644 roles/custom/matrix-livekit-server/templates/config.yaml.j2 delete mode 100644 roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b1948b0a672..d88305467f5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -6066,6 +6066,9 @@ livekit_server_enabled: "{{ matrix_element_call_enabled }}" livekit_server_identifier: matrix-livekit-server +livekit_server_uid: "{{ matrix_user_uid }}" +livekit_server_gid: "{{ matrix_user_gid }}" + livekit_server_base_path: "{{ matrix_base_data_path }}/livekit-server" livekit_server_hostname: "sfu.{{ matrix_domain }}" diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index bd918011f90..3350ecdd3f3 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml @@ -6,7 +6,11 @@ livekit_server_enabled: false livekit_server_identifier: livekit-server +livekit_server_uid: '' +livekit_server_gid: '' + livekit_server_base_path: "/{{ livekit_server_identifier }}" +livekit_server_config_path: "{{ livekit_server_base_path }}/config" # renovate: datasource=docker depName=livekit/livekit-server livekit_server_version: v1.8.0 
@@ -124,4 +128,22 @@ livekit_server_floc_optout_enabled: false # See: `livekit_server_http_header_strict_transport_security` livekit_server_hsts_preload_enabled: true -livekit_server_config_keys_devkey: "" +# Controls the `port` configuration property. +livekit_server_config_port: 7880 + +# Controls the `rtc.tcp_port` configuration property +livekit_server_config_rtc_tcp_port: 7881 + +# Controls the `rtc.port_range_start` configuration property +livekit_server_config_rtc_port_range_start: 50100 + +# Controls the `rtc.port_range_end` configuration property +livekit_server_config_rtc_port_range_end: 50200 + +# Controls the `rtc.use_external_ip` configuration property +livekit_server_config_rtc_use_external_ip: true + +# Controls the `keys` configuration property. +livekit_server_config_keys: "{{ livekit_server_config_keys_auto | combine(livekit_server_config_keys_custom, recursive=True) }}" +livekit_server_config_keys_auto: {} +livekit_server_config_keys_custom: {} diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml index 70b2b39a129..934897d9f21 100644 --- a/roles/custom/matrix-livekit-server/tasks/install.yml +++ b/roles/custom/matrix-livekit-server/tasks/install.yml 
@@ -5,34 +5,37 @@ path: "{{ item.path }}" state: directory mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ livekit_server_uid }}" + group: "{{ livekit_server_gid }}" with_items: - - path: "{{ livekit_server_base_path }}" + - {path: "{{ livekit_server_base_path }}", when: true} + - {path: "{{ livekit_server_config_path }}", when: true} + - {path: "{{ livekit_server_container_src_files_path }}", when: "{{ livekit_server_container_image_self_build }}"} + when: "item.when | bool" -- name: Ensure LiveKit Server livekit.yaml is in place +- name: Ensure LiveKit Server configuration is in place ansible.builtin.template: - src: "{{ role_path }}/templates/livekit.yaml.j2" - dest: "{{ livekit_server_base_path }}/livekit.yaml" + src: "{{ role_path }}/templates/config.yaml.j2" + dest: "{{ livekit_server_config_path }}/config.yaml" mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ livekit_server_uid }}" + group: "{{ livekit_server_gid }}" - name: Ensure LiveKit Server labels file is in place ansible.builtin.template: src: "{{ role_path }}/templates/labels.j2" dest: "{{ livekit_server_base_path }}/labels" mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + owner: "{{ livekit_server_uid }}" + group: "{{ livekit_server_gid }}" - name: Ensure LiveKit Server container image is pulled community.docker.docker_image: name: "{{ livekit_server_container_image }}" source: pull register: livekit_image_result - retries: 3 - delay: 10 + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" until: livekit_image_result is not failed - name: Ensure LiveKit Server systemd service is installed diff --git a/roles/custom/matrix-livekit-server/tasks/validate_config.yml b/roles/custom/matrix-livekit-server/tasks/validate_config.yml index 54532668e55..1b7139d105a 100644 
--- a/roles/custom/matrix-livekit-server/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-server/tasks/validate_config.yml @@ -7,7 +7,6 @@ when: "item.when | bool and vars[item.name] | length == 0" with_items: - {'name': 'livekit_server_hostname', when: true} - - {'name': 'livekit_server_base_path', when: true} - - {'name': 'livekit_server_container_network', when: true} - - {'name': 'livekit_server_container_image', when: true} - - {'name': 'livekit_server_config_keys_devkey', when: true} + - {'name': 'livekit_server_identifier', when: true} + - {'name': 'livekit_server_uid', when: true} + - {'name': 'livekit_server_gid', when: true} diff --git a/roles/custom/matrix-livekit-server/templates/config.yaml.j2 b/roles/custom/matrix-livekit-server/templates/config.yaml.j2 new file mode 100644 index 00000000000..560dba32d14 --- /dev/null +++ b/roles/custom/matrix-livekit-server/templates/config.yaml.j2 @@ -0,0 +1,21 @@ +port: {{ livekit_server_config_port | int | to_json }} + +bind_addresses: + - "0.0.0.0" + +rtc: + tcp_port: {{ livekit_server_config_rtc_tcp_port | int | to_json }} + port_range_start: {{ livekit_server_config_rtc_port_range_start | int | to_json }} + port_range_end: {{ livekit_server_config_rtc_port_range_end | int | to_json }} + use_external_ip: {{ livekit_server_config_rtc_use_external_ip | to_json }} + +turn: + enabled: false + domain: localhost + cert_file: "" + key_file: "" + tls_port: 5349 + udp_port: 443 + external_tls: true + +keys: {{ livekit_server_config_keys | to_json }} diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index 2200c41ac7d..d1aad01216c 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 
@@ -6,11 +6,10 @@ traefik.enable=true traefik.docker.network={{ livekit_server_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-livekit-server.loadbalancer.server.port=7880 +traefik.http.services.matrix-livekit-server.loadbalancer.server.port={{ livekit_server_config_port }} {% set middlewares = [] %} -# Path prefix handling for Livekit {% if livekit_server_container_labels_traefik_path_prefix != '/' %} traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$ traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.replacement=${1}/ diff --git a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 b/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 deleted file mode 100644 index f6b2f716f82..00000000000 --- a/roles/custom/matrix-livekit-server/templates/livekit.yaml.j2 +++ /dev/null @@ -1,20 +0,0 @@ -port: 7880 -bind_addresses: - - "0.0.0.0" -rtc: - tcp_port: 7881 - port_range_start: 50100 - port_range_end: 50200 - use_external_ip: true - -turn: - enabled: false - domain: localhost - cert_file: "" - key_file: "" - tls_port: 5349 - udp_port: 443 - external_tls: true - -keys: - devkey: {{ livekit_server_config_keys_devkey | to_json }} diff --git a/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 index e078a898fb5..9cf263a8cf3 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 
@@ -1,34 +1,38 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix LiveKit Server +Description=LiveKit Server After=docker.service Requires=docker.service [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-server 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-server 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ livekit_server_identifier }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ livekit_server_identifier }} 2>/dev/null || true' ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-livekit-server \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network=host \ - --mount type=bind,src={{ livekit_server_base_path }}/livekit.yaml,dst=/etc/livekit.yaml,ro \ + --rm \ + --name={{ livekit_server_identifier }} \ + --log-driver=none \ + --user={{ livekit_server_uid }}:{{ livekit_server_gid }} \ + --cap-drop=ALL \ + --network={{ livekit_server_container_network }} \ + --mount type=bind,src={{ livekit_server_config_path }}/config.yaml,dst=/livekit-config.yaml,ro \ --label-file={{ livekit_server_base_path }}/labels \ - {{ livekit_server_container_image }} \ - --dev --config /etc/livekit.yaml + {{ livekit_server_container_image }} \ + --dev --config /livekit-config.yaml -ExecStart={{ 
devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-server +{% for network in livekit_server_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ livekit_server_identifier }} +{% endfor %} -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-server 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-server 2>/dev/null || true' +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ livekit_server_identifier }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ livekit_server_identifier }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ livekit_server_identifier }} 2>/dev/null || true' Restart=always RestartSec=30 -SyslogIdentifier=matrix-livekit-server +SyslogIdentifier={{ livekit_server_identifier }} [Install] WantedBy=multi-user.target From 3e86adac0d76123c5558cc627b58ca9e8fbc7cca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 18:00:43 +0200 Subject: [PATCH 133/148] Fix port exposure for LiveKit Server --- .../custom/matrix-livekit-server/defaults/main.yml | 13 +++++++++++++ .../templates/systemd/livekit-server.service.j2 | 6 ++++++ 2 files changed, 19 insertions(+) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 3350ecdd3f3..9d131468342 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml 
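Review bot: the `tasks/validate_config.yml` hunk of this commit drops the `livekit_server_config_keys_devkey` requirement without adding one for its replacement, `livekit_server_config_keys`, whose defaults in the same commit are `livekit_server_config_keys_auto: {}` and `livekit_server_config_keys_custom: {}`; because the loop's `vars[item.name] | length == 0` test already works on mappings, adding `- {'name': 'livekit_server_config_keys', when: true}` to `with_items` would stop `config.yaml.j2` from rendering `keys: {}` and the container from being created with an empty key set.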
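Review bot: in the `templates/systemd/livekit-server.service.j2` hunk, the container command line keeps `--dev --config /livekit-config.yaml`; livekit-server's own CLI help describes `--dev` as a development mode (debug log level, console log formatter, `/debug/pprof`) and marks it insecure for production, which sits oddly in a role that now takes `livekit_server_uid`/`livekit_server_gid`, a configurable `livekit_server_container_network` and additional networks. Suggest exposing it as a boolean variable that defaults to off, and letting the `config.yaml` logging settings be the only thing that controls verbosity.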
+++ b/roles/custom/matrix-livekit-server/defaults/main.yml @@ -24,6 +24,19 @@ livekit_server_container_additional_networks: "{{ livekit_server_container_addit livekit_server_container_additional_networks_auto: [] livekit_server_container_additional_networks_custom: [] +# Controls whether the LiveKit Server container exposes its RCT TCP port (`livekit_server_config_rtc_tcp_port`) +# +# Takes an ":" or "" value (e.g. "127.0.0.1:5349"), or empty string to not expose. +livekit_server_container_rtc_tcp_host_bind_port: "{{ livekit_server_config_rtc_tcp_port if livekit_server_container_network != 'host' else '' }}" + +# Controls whether the LiveKit Server container exposes its RTC UDP port range and which interface to do it on. +# +# Takes an interface "" (e.g. "127.0.0.1"), or empty string to listen on all interfaces. +# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening. +# +# The UDP port-range itself is specified using `livekit_server_config_rtc_port_range_start` and `livekit_server_config_rtc_port_range_end`. +livekit_server_container_rtc_range_listen_interface: "{{ '' if livekit_server_container_network != 'host' else 'none' }}" + livekit_server_container_image_self_build: false livekit_server_container_repo: "https://github.com/livekit/livekit.git" livekit_server_container_repo_version: "{{ 'main' if livekit_server_version == 'latest' else livekit_server_version }}" diff --git a/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 index 9cf263a8cf3..cb56801ffc6 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 
@@ -17,6 +17,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ livekit_server_uid }}:{{ livekit_server_gid }} \ --cap-drop=ALL \ --network={{ livekit_server_container_network }} \ + {% if livekit_server_container_rtc_tcp_host_bind_port != '' %} + -p {{ livekit_server_container_rtc_tcp_host_bind_port }}:{{ livekit_server_config_rtc_tcp_port }} \ + {% endif %} + {% if livekit_server_container_rtc_range_listen_interface is not in [none, 'none'] %} + -p {{ livekit_server_container_rtc_range_listen_interface }}{{ ':' if livekit_server_container_rtc_range_listen_interface else '' }}{{ livekit_server_config_rtc_port_range_start }}-{{ livekit_server_config_rtc_port_range_end }}:{{ livekit_server_config_rtc_port_range_start }}-{{ livekit_server_config_rtc_port_range_end }}/udp \ + {% endif %} --mount type=bind,src={{ livekit_server_config_path }}/config.yaml,dst=/livekit-config.yaml,ro \ --label-file={{ livekit_server_base_path }}/labels \ {{ livekit_server_container_image }} \ From 8b84eb639096e9bf5be51e9ed5c337cedcb89d44 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 18:04:53 +0200 Subject: [PATCH 134/148] Default LiveKit Server to a smaller RTC range for faster startup on non-host networks --- roles/custom/matrix-livekit-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 9d131468342..5789566dd39 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
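Review bot: in the `defaults/main.yml` hunk of the port-exposure commit, the comment above `livekit_server_container_rtc_tcp_host_bind_port` says "RCT TCP port" (should be RTC), and its description `Takes an ":" or "" value (e.g. "127.0.0.1:5349")` reads as if the `ip:port` / `port` placeholders dropped out of the text. It would also help to state plainly that the defaults on a non-host network (a bare port for TCP, an empty interface for the UDP range) publish the RTC TCP port and the whole UDP range on all host interfaces; that is the intent for an SFU, but it is not obvious from the variable names.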
@@ -151,7 +151,7 @@ livekit_server_config_rtc_tcp_port: 7881 livekit_server_config_rtc_port_range_start: 50100 # Controls the `rtc.port_range_end` configuration property -livekit_server_config_rtc_port_range_end: 50200 +livekit_server_config_rtc_port_range_end: 50120 # Controls the `rtc.use_external_ip` configuration property livekit_server_config_rtc_use_external_ip: true From be7271760e465c898572746a764b1db373266431 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 18:13:07 +0200 Subject: [PATCH 135/148] Make LiveKit Server logging config configurable --- .../matrix-livekit-server/defaults/main.yml | 16 ++++++++++++++++ .../templates/config.yaml.j2 | 6 ++++++ 2 files changed, 22 insertions(+) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 5789566dd39..38a630a5ae6 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml @@ -160,3 +160,19 @@ livekit_server_config_rtc_use_external_ip: true livekit_server_config_keys: "{{ livekit_server_config_keys_auto | combine(livekit_server_config_keys_custom, recursive=True) }}" livekit_server_config_keys_auto: {} livekit_server_config_keys_custom: {} + +# Controls the `logging.level` configuration property. +# Known values: debug, info, warn, error +livekit_server_config_logging_level: info + +# Controls the `logging.pion_level` configuration property +livekit_server_config_logging_pion_level: error + +# Controls the `logging.json` configuration property. +# When set to true, emits json fields. +livekit_server_config_logging_json: false + +# Controls the `logging.sample` configuration property. +# For production setups, enables sampling algorithm. +# See: https://github.com/uber-go/zap/blob/master/FAQ.md#why-sample-application-logs +livekit_server_config_logging_sample: false 
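Review bot: the `defaults/main.yml` hunk narrows `livekit_server_config_rtc_port_range_end` to 50120, leaving 21 UDP ports (50100-50120) for media; the commit message gives the startup-time reason but not the cost, namely that when each participant is handed its own port from this range it also bounds how many concurrent media connections the server can accept. The comment on `livekit_server_config_rtc_port_range_start`/`_end` should tell operators to widen the range (or use host networking) as the deployment grows.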
diff --git a/roles/custom/matrix-livekit-server/templates/config.yaml.j2 b/roles/custom/matrix-livekit-server/templates/config.yaml.j2 index 560dba32d14..a9317735c97 100644 --- a/roles/custom/matrix-livekit-server/templates/config.yaml.j2 +++ b/roles/custom/matrix-livekit-server/templates/config.yaml.j2 @@ -19,3 +19,9 @@ turn: external_tls: true keys: {{ livekit_server_config_keys | to_json }} + +logging: + level: {{ livekit_server_config_logging_level | to_json }} + pion_level: {{ livekit_server_config_logging_pion_level | to_json }} + json: {{ livekit_server_config_logging_json | to_json }} + sample: {{ livekit_server_config_logging_sample | to_json }} From f0466d5a996d609abeacd7edc3c682c0073d165a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 18:19:36 +0200 Subject: [PATCH 136/148] Make LiveKit Server configuration extensible --- .../matrix-livekit-server/defaults/main.yml | 31 ++++++++++++++++++- .../matrix-livekit-server/tasks/install.yml | 8 ++--- 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index 38a630a5ae6..cd11a67321f 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
@@ -141,6 +141,33 @@ livekit_server_floc_optout_enabled: false # See: `livekit_server_http_header_strict_transport_security` livekit_server_hsts_preload_enabled: true +# Holds the final LiveKit Server configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `livekit_server_configuration_yaml` or `livekit_server_configuration_extension_yaml`. +livekit_server_configuration: "{{ livekit_server_configuration_yaml | from_yaml | combine(livekit_server_configuration_extension, recursive=True) }}" + +# Default LiveKit Server configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `livekit_server_configuration_extension_yaml`) +# or completely replace this variable with your own template. +livekit_server_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +livekit_server_configuration_extension_yaml: | + # Your custom YAML configuration for baibot goes here. + # This configuration extends the default starting configuration (`livekit_server_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `livekit_server_configuration_yaml`. + # + # Example configuration extension follows: + # + # logging: + # level: debug + +livekit_server_configuration_extension: "{{ livekit_server_configuration_extension_yaml | from_yaml if livekit_server_configuration_extension_yaml | from_yaml is mapping else {} }}" + # Controls the `port` configuration property. livekit_server_config_port: 7880 
@@ -153,7 +180,9 @@ livekit_server_config_rtc_port_range_start: 50100 # Controls the `rtc.port_range_end` configuration property livekit_server_config_rtc_port_range_end: 50120 -# Controls the `rtc.use_external_ip` configuration property +# Controls the `rtc.use_external_ip` configuration property. +# When set to true, attempts to discover the host's public IP via STUN. +# This is useful for cloud environments such as AWS & Google where hosts have an internal IP that maps to an external one. livekit_server_config_rtc_use_external_ip: true # Controls the `keys` configuration property. diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml index 934897d9f21..7f6217969cd 100644 --- a/roles/custom/matrix-livekit-server/tasks/install.yml +++ b/roles/custom/matrix-livekit-server/tasks/install.yml @@ -13,15 +13,15 @@ - {path: "{{ livekit_server_container_src_files_path }}", when: "{{ livekit_server_container_image_self_build }}"} when: "item.when | bool" -- name: Ensure LiveKit Server configuration is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/config.yaml.j2" +- name: Ensure LiveKit Server configuration installed + ansible.builtin.copy: + content: "{{ livekit_server_configuration | to_nice_yaml(indent=2, width=999999) }}" dest: "{{ livekit_server_config_path }}/config.yaml" mode: 0640 owner: "{{ livekit_server_uid }}" group: "{{ livekit_server_gid }}" -- name: Ensure LiveKit Server labels file is in place +- name: Ensure LiveKit Server labels file installed ansible.builtin.template: src: "{{ role_path }}/templates/labels.j2" dest: "{{ livekit_server_base_path }}/labels" From 394fdca0660714f09406f6c9b8649f2495318614 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Thu, 21 Nov 2024 18:54:29 +0200 Subject: [PATCH 137/148] Relocate org.matrix.msc4143.rtc_foci setup to /.well-known/matrix/client to matrix-static-files instead of ugly patching --- group_vars/matrix_servers | 8 +++++++ .../matrix-element-call/tasks/install.yml | 8 +------ .../tasks/update_well_known_client.yml | 21 ------------------- .../matrix-livekit-server/defaults/main.yml | 1 + .../matrix-livekit-server/vars/main.yml | 1 + .../matrix-static-files/defaults/main.yml | 10 +++++++++ .../public/.well-known/matrix/client.j2 | 3 +++ 7 files changed, 24 insertions(+), 28 deletions(-) delete mode 100644 roles/custom/matrix-element-call/tasks/update_well_known_client.yml create mode 100644 roles/custom/matrix-livekit-server/vars/main.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d88305467f5..dad4e29d450 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5912,6 +5912,14 @@ matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "{{ # See: https://github.com/etkecc/synapse-admin/pull/126 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: "{{ matrix_synapse_admin_configuration if matrix_homeserver_implementation == 'synapse' else {} }}" +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_element_call_enabled }}" +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: |- + {{ + ( + [{'type': 'livekit', 'livekit_service_url': matrix_jwt_service_url}] if matrix_jwt_service_enabled else [] + ) + }} + matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}" matrix_static_files_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index ca6b5903b03..f11d002e315 100644 
--- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -78,12 +78,6 @@ group: "{{ matrix_user_groupname }}" when: matrix_element_call_enabled | bool -# Update the well-known client file for Element Call (adding RTC FOCI) -- name: Update the well-known client file for Element Call - ansible.builtin.include_tasks: "tasks/update_well_known_client.yml" - when: matrix_element_call_enabled | bool - - # Create .well-known/element/element.json for Element Call - name: Create the well-known element.json file ansible.builtin.template: @@ -96,4 +90,4 @@ # Update Element Web config.json with Element Call settings - name: Update Element Web config.json ansible.builtin.include_tasks: "tasks/update_element_web_config.yml" - when: matrix_element_call_enabled | bool \ No newline at end of file + when: matrix_element_call_enabled | bool diff --git a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml b/roles/custom/matrix-element-call/tasks/update_well_known_client.yml deleted file mode 100644 index bcf3f726b3f..00000000000 --- a/roles/custom/matrix-element-call/tasks/update_well_known_client.yml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -- name: Read the existing well-known client file - ansible.builtin.slurp: - path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" - register: client_file_content - -- name: Load the existing JSON content - ansible.builtin.set_fact: - client_json: "{{ client_file_content['content'] | b64decode | from_json }}" - -- name: Update the existing well-known client file for Element Call (RTC FOCI) - ansible.builtin.set_fact: - updated_client_json: "{{ client_json | combine({'org.matrix.msc4143.rtc_foci': [{'type': 'livekit', 'livekit_service_url': matrix_jwt_service_url}]}, recursive=True) }}" - -- name: Write the updated well-known client file - ansible.builtin.copy: - content: "{{ updated_client_json | to_nice_json }}" - dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index cd11a67321f..c52e9173629 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml @@ -15,6 +15,7 @@ livekit_server_config_path: "{{ livekit_server_base_path }}/config" # renovate: datasource=docker depName=livekit/livekit-server livekit_server_version: v1.8.0 +livekit_server_scheme: https livekit_server_hostname: "" livekit_server_path_prefix: / diff --git a/roles/custom/matrix-livekit-server/vars/main.yml b/roles/custom/matrix-livekit-server/vars/main.yml new file mode 100644 index 00000000000..e2f8c0ee75c --- /dev/null +++ b/roles/custom/matrix-livekit-server/vars/main.yml @@ -0,0 +1 @@ +livekit_server_public_url: "{{ livekit_server_scheme }}://{{ livekit_server_hostname }}{{ livekit_server_path_prefix }}" 
diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 7e3abf2f5f5..06a3af62464 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -203,6 +203,16 @@ matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin: "{{ matri matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: {} matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_custom: {} +# Controls whether `org.matrix.msc4143.rtc_foci`-related entries should be added to the client well-known. +# By default, if there are entries in `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci`, we show them (by enabling this). +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci | default({}) | dict2items | length > 0 }}" + +# Controls the org.matrix.msc4143.rtc_foci property in the /.well-known/matrix/client file. +# See `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled` +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto | combine(matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_custom, recursive=True) }}" +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: {} +matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_custom: {} + # Default /.well-known/matrix/client configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # 
diff --git a/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 b/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 index 86882893a25..600e8f4c7bb 100644 --- a/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 +++ b/roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2 @@ -57,4 +57,7 @@ {% if matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_enabled %}, "cc.etke.synapse-admin": {{ matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin | to_json }} {% endif %} + {% if matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled %}, + "org.matrix.msc4143.rtc_foci": {{ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci | to_json }} + {% endif %} } From 7a6fcaa4020fbaf5f2db13edf1e9a9dbeac6b449 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 18:59:11 +0200 Subject: [PATCH 138/148] Fix typo --- roles/custom/matrix-livekit-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index c52e9173629..a0976d70a8c 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml @@ -154,7 +154,7 @@ livekit_server_configuration: "{{ livekit_server_configuration_yaml | from_yaml livekit_server_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" livekit_server_configuration_extension_yaml: | - # Your custom YAML configuration for baibot goes here. + # Your custom YAML configuration for LiveKit Server goes here. # This configuration extends the default starting configuration (`livekit_server_configuration_yaml`). # # You can override individual variables from the default configuration, or introduce new ones. 
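Review bot: in the `roles/custom/matrix-static-files/defaults/main.yml` hunk of the rtc_foci commit, `matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci` is built with `_auto | combine(_custom, recursive=True)` and the `_enabled` default uses `| default({}) | dict2items`, i.e. the property is treated as a mapping, but the `_auto` value set in `group_vars/matrix_servers` (and the value the deleted `update_well_known_client.yml` used to write) is a list, `[{'type': 'livekit', 'livekit_service_url': matrix_jwt_service_url}]`; `combine` rejects non-dictionary operands, so rendering `client.j2` with Element Call enabled will fail. Make the defaults `_auto: []` and `_custom: []`, join them with `+`, and test `_enabled` with `| default([]) | length > 0`.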
From 3f52cec25c971ece0082a39d75e1c81c8733302b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 19:17:30 +0200 Subject: [PATCH 139/148] Relocate Element Web features & element_call configuration to Element role, instead of ugly patching from the Element Call role --- group_vars/matrix_servers | 8 +++ .../matrix-client-element/defaults/main.yml | 61 +++++++++++++++++++ .../templates/config.json.j2 | 4 +- .../matrix-element-call/defaults/main.yml | 14 ++--- .../matrix-element-call/tasks/install.yml | 5 -- .../tasks/update_element_web_config.yml | 40 ------------ .../templates/well_known_element.json.j2 | 4 +- .../custom/matrix-element-call/vars/main.yml | 4 +- 8 files changed, 80 insertions(+), 60 deletions(-) delete mode 100644 roles/custom/matrix-element-call/tasks/update_element_web_config.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index dad4e29d450..614ccea80b3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -4498,6 +4498,14 @@ matrix_client_element_enable_presence_by_hs_url: |- matrix_client_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" +matrix_client_element_features_feature_video_rooms: "{{ matrix_element_call_enabled }}" +matrix_client_element_features_feature_group_calls: "{{ matrix_element_call_enabled }}" +matrix_client_element_features_feature_element_call_video_rooms: "{{ matrix_element_call_enabled }}" +matrix_client_element_features_feature_oidc_native_flow: "{{ matrix_authentication_service_enabled }}" + +matrix_client_element_element_call_enabled: "{{ matrix_element_call_enabled }}" +matrix_client_element_element_call_url: "{{ matrix_element_call_public_url if matrix_element_call_enabled else '' }}" + ###################################################################### # # /matrix-client-element 
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 4cea592b2c7..50f62fb2209 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -180,6 +180,67 @@ matrix_client_element_branding_auth_header_logo_url: "{{ matrix_client_element_w # URL to Wallpaper, shown in background of welcome page matrix_client_element_branding_welcome_background_url: ~ # noqa var-naming +# Controls the `features` section of the Element Web configuration. +matrix_client_element_features: "{{ matrix_client_element_features_default | combine(matrix_client_element_features_auto, recursive=True) | combine(matrix_client_element_features_custom, recursive=True) }}" +matrix_client_element_features_default: |- + {{ + {} + + | combine( + {'feature_video_rooms': true} if matrix_client_element_features_feature_video_rooms else {} + ) + | combine( + {'feature_group_calls': true} if matrix_client_element_features_feature_group_calls else {} + ) + | combine( + {'feature_element_call_video_rooms': true} if matrix_client_element_features_feature_element_call_video_rooms else {} + ) + | combine( + {'feature_oidc_native_flow': true} if matrix_client_element_features_feature_oidc_native_flow else {} + ) + }} + +matrix_client_element_features_auto: {} +matrix_client_element_features_custom: {} + +matrix_client_element_features_feature_video_rooms: false +matrix_client_element_features_feature_group_calls: false +matrix_client_element_features_feature_element_call_video_rooms: false +matrix_client_element_features_feature_oidc_native_flow: false + +matrix_client_element_element_call_enabled: false +matrix_client_element_element_call: "{{ matrix_client_element_element_call_default | combine(matrix_client_element_element_call_auto, recursive=True) | combine(matrix_client_element_element_call_custom, recursive=True) }}" +matrix_client_element_element_call_default: |- + {{ + {} + | combine( + {'url': matrix_client_element_element_call_url} if matrix_client_element_element_call_url else {} + ) + | combine( + {'participant_limit': matrix_client_element_element_call_participant_limit} if matrix_client_element_element_call_participant_limit else {} 
+ ) + | combine( + {'brand': matrix_client_element_element_call_brand} if matrix_client_element_element_call_brand else {} + ) + | combine( + {'use_exclusively': matrix_client_element_element_call_use_exclusively} if matrix_client_element_element_call_use_exclusively else {} + ) + }} +matrix_client_element_element_call_auto: {} +matrix_client_element_element_call_custom: {} + +# Controls the `element_call.url` setting in the Element Web configuration. +matrix_client_element_element_call_url: '' + +# Controls the `element_call.participant_limit` setting in the Element Web configuration. +matrix_client_element_element_call_participant_limit: 8 + +# Controls the `element_call.brand` setting in the Element Web configuration. +matrix_client_element_element_call_brand: "Element Call" + +# Controls the `element_call.use_exclusively` setting in the Element Web configuration. +matrix_client_element_element_call_use_exclusively: true + matrix_client_element_page_template_welcome_path: "{{ role_path }}/templates/welcome.html.j2" # By default, there's no Element Web homepage (when logged in). If you wish to have one, diff --git a/roles/custom/matrix-client-element/templates/config.json.j2 b/roles/custom/matrix-client-element/templates/config.json.j2 index e45e680655c..8dba3e2dfb9 100644 --- a/roles/custom/matrix-client-element/templates/config.json.j2 +++ b/roles/custom/matrix-client-element/templates/config.json.j2 @@ -44,5 +44,7 @@ "auth_footer_links": {{ matrix_client_element_branding_auth_footer_links | to_json }}, "auth_header_logo_url": {{ matrix_client_element_branding_auth_header_logo_url | to_json }}, "welcome_background_url": {{ matrix_client_element_branding_welcome_background_url | to_json }} - } + }, + "features": {{ matrix_client_element_features | to_json }}, + "element_call": {{ (matrix_client_element_element_call if matrix_client_element_element_call_enabled else {}) | to_json }} } 
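Review bot: the `if <var> else {}` guards in `matrix_client_element_element_call_default` test truthiness, so an operator who sets `matrix_client_element_element_call_use_exclusively: false` or `matrix_client_element_element_call_participant_limit: 0` gets the key silently dropped from config.json, and Element Web falls back to its own default instead of the operator's explicit value. Consider `if matrix_client_element_element_call_use_exclusively is not none` (or always emitting the key) so `false` and `0` survive; only the `url` and `brand` guards actually need to skip empty strings.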
diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 5675531795d..c65c6d078fa 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -2,10 +2,12 @@ # Enable or disable matrix-element-call deployment matrix_element_call_enabled: false +matrix_element_call_scheme: https +matrix_element_call_hostname: "call.{{ matrix_domain }}" + # Base path configuration matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" -element_web_config_path: "{{ matrix_base_data_path }}/client-element/config.json" # Docker network configuration matrix_element_call_container_network: '' 
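Review bot: `matrix_element_call_scheme: https` is hard-coded in the role defaults here, while the hunk removes the last hard-coded `https://` base URL in favour of `matrix_element_call_hostname`; a deployment with TLS handled differently would advertise an unreachable `https://` URL. Suggest deriving it the way `matrix_static_files_scheme` is derived in `group_vars/matrix_servers`, i.e. `matrix_element_call_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"`, or at least a comment stating that the role default assumes TLS termination.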
@@ -18,16 +20,10 @@ matrix_element_call_image: "ghcr.io/element-hq/element-call:latest" # Ports matrix_element_call_port: "8093" -# Well-known paths and domains (derived from matrix_domain) -matrix_element_call_domain: "call.{{ matrix_domain }}" -matrix_element_call_well_known_client_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/matrix/client" -matrix_element_call_well_known_element_path: "{{ matrix_base_data_path }}/static-files/public/.well-known/element/element.json" -matrix_element_call_base_url: "https://{{ matrix_element_call_domain }}" - # Traefik Configuration for Element Call matrix_element_call_container_labels_traefik_enabled: true matrix_element_call_container_labels_traefik_docker_network: "{{ matrix_element_call_container_network }}" -matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_domain }}" +matrix_element_call_container_labels_traefik_hostname: "{{ matrix_element_call_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/element`). matrix_element_call_container_labels_traefik_path_prefix: "{{ matrix_element_call_path_prefix }}" matrix_element_call_container_labels_traefik_rule: "Host(`{{ matrix_element_call_container_labels_traefik_hostname }}`){% if matrix_element_call_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_element_call_container_labels_traefik_path_prefix }}`){% endif %}" @@ -122,4 +118,4 @@ matrix_element_call_hsts_preload_enabled: false # Enable or disable metrics collection matrix_element_call_metrics_enabled: false -matrix_element_call_metrics_port: 2112 \ No newline at end of file +matrix_element_call_metrics_port: 2112 diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index f11d002e315..f35f2a67028 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
@@ -86,8 +86,3 @@ mode: '0644' owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - -# Update Element Web config.json with Element Call settings -- name: Update Element Web config.json - ansible.builtin.include_tasks: "tasks/update_element_web_config.yml" - when: matrix_element_call_enabled | bool diff --git a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml b/roles/custom/matrix-element-call/tasks/update_element_web_config.yml deleted file mode 100644 index 2dead411ece..00000000000 --- a/roles/custom/matrix-element-call/tasks/update_element_web_config.yml +++ /dev/null @@ -1,40 +0,0 @@ -- name: Read Element Web config.json - ansible.builtin.slurp: - src: "{{ element_web_config_path }}" - register: element_web_config_content - -- name: Load JSON data from config.json - ansible.builtin.set_fact: - element_web_config: "{{ element_web_config_content['content'] | b64decode | from_json }}" - -- name: Update Element Call configuration in config.json - ansible.builtin.set_fact: - updated_element_call_config: > - {{ - { - "element_call": { - "url": "https://{{ matrix_element_call_domain }}", - "participant_limit": 8, - "brand": "Element Call", - "use_exclusively": true - }, - "features": { - "feature_video_rooms": true, - "feature_new_room_decoration_ui": true, - "feature_group_calls": true, - "feature_element_call_video_rooms": true - } - } - }} - -- name: Merge updated Element Call configuration with existing config.json - ansible.builtin.set_fact: - element_web_config: "{{ element_web_config | combine(updated_element_call_config, recursive=True) }}" - -- name: Write updated Element Web config.json - ansible.builtin.copy: - content: "{{ element_web_config | to_nice_json }}" - dest: "{{ element_web_config_path }}" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" 
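Review bot: deleting `update_element_web_config.yml` is the right call, since slurping and rewriting `config.json` from another role raced with the Element Web role's own template and hard-coded the settings. One behaviour change to flag: the removed block set `"feature_new_room_decoration_ui": true`, and the new `matrix_client_element_features_default` in this patch has no corresponding flag, so deployments that relied on it lose that feature unless they add it through `matrix_client_element_features_custom`. Either add a `matrix_client_element_features_feature_new_room_decoration_ui` variable or mention the drop in the commit message.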
diff --git a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 index 01146e656e2..f7a7838b2a5 100644 --- a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 +++ b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 @@ -1,5 +1,5 @@ { "call": { - "widget_url": "https://{{ matrix_element_call_domain }}" + "widget_url": "https://{{ matrix_element_call_hostname }}" } -} \ No newline at end of file +} diff --git a/roles/custom/matrix-element-call/vars/main.yml b/roles/custom/matrix-element-call/vars/main.yml index 1f224472a19..cb65e277cb1 100644 --- a/roles/custom/matrix-element-call/vars/main.yml +++ b/roles/custom/matrix-element-call/vars/main.yml @@ -1,5 +1,3 @@ --- -# roles/custom/matrix-element-call/vars/main.yml -# Variables specific to matrix-element-call, like service configurations, can go here. -# Any environment-specific values can be overridden here. \ No newline at end of file +matrix_element_call_public_url: "{{ matrix_element_call_scheme }}://{{ matrix_element_call_hostname }}" From 252ca52f60d79b16345802cb2980dfd8e0258881 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 19:32:15 +0200 Subject: [PATCH 140/148] Relocate /.well-known/element/element.json setup to matrix-static-files, instead of ugly patching from the Element Call role --- group_vars/matrix_servers | 10 ++-- .../matrix-element-call/tasks/install.yml | 9 ---- .../templates/well_known_element.json.j2 | 5 -- .../matrix-static-files/defaults/main.yml | 51 +++++++++++++++++++ .../matrix-static-files/tasks/install.yml | 24 ++++++--- .../.well-known/element/element.json.j2 | 7 +++ 6 files changed, 83 insertions(+), 23 deletions(-) delete mode 100644 roles/custom/matrix-element-call/templates/well_known_element.json.j2 create mode 100644 roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2 
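Review bot: `well_known_element.json.j2` still hard-codes the scheme (`"widget_url": "https://{{ matrix_element_call_hostname }}"`) even though this same patch introduces `matrix_element_call_public_url` in `vars/main.yml`, built from `matrix_element_call_scheme` and `matrix_element_call_hostname`. Use `"widget_url": {{ matrix_element_call_public_url | to_json }}` so the advertised widget URL cannot diverge from the URL Traefik actually serves, and so the value is JSON-encoded rather than interpolated raw into the document.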
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 614ccea80b3..48609fc02dc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5930,6 +5930,8 @@ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}" +matrix_static_files_file_element_element_json_property_call_widget_url: "{{ matrix_element_call_public_url if matrix_element_call_enabled else '' }}" + matrix_static_files_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" matrix_static_files_self_check_hostname_matrix: "{{ matrix_server_fqn_matrix }}" @@ -6044,10 +6046,12 @@ traefik_certs_dumper_ssl_dir_path: "{{ traefik_ssl_dir_path if traefik_enabled e # # ######################################################################## -# Matrix Element Call Configuration -matrix_element_call_enabled: false # Default is false; should be enabled in host_vars as needed +matrix_element_call_enabled: false + +matrix_element_call_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + matrix_element_call_version: "latest" # Default version; can be overridden in host_vars -matrix_element_call_scheme: "https" # Scheme for Element Call (e.g., https) + matrix_element_call_hostname: "call.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different matrix_element_call_path_prefix: "/" # Path prefix for Element Call matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" # Base path for storing Element Call-related files diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index f35f2a67028..23b1879a74d 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml 
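Review bot: the context lines of the `group_vars/matrix_servers` hunk still carry `matrix_element_call_version: "latest"` and trailing `# ... can be overridden in host_vars` comments that the surrounding file does not use. A floating `latest` tag means any routine re-run of the playbook can pull an arbitrary new Element Call build without an explicit change in the inventory; pin a concrete version here (operators can still override it) and drop the inline comments for consistency. The move of `matrix_element_call_scheme` to `"{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"` is good and should be mirrored in the role defaults.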
@@ -77,12 +77,3 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" when: matrix_element_call_enabled | bool - -# Create .well-known/element/element.json for Element Call -- name: Create the well-known element.json file - ansible.builtin.template: - src: "{{ role_path }}/templates/well_known_element.json.j2" - dest: "{{ matrix_base_data_path }}/static-files/public/.well-known/element/element.json" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" diff --git a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 b/roles/custom/matrix-element-call/templates/well_known_element.json.j2 deleted file mode 100644 index f7a7838b2a5..00000000000 --- a/roles/custom/matrix-element-call/templates/well_known_element.json.j2 +++ /dev/null @@ -1,5 +0,0 @@ -{ - "call": { - "widget_url": "https://{{ matrix_element_call_hostname }}" - } -} diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 06a3af62464..a107d36af51 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -15,6 +15,7 @@ matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config" matrix_static_files_public_path: "{{ matrix_static_files_base_path }}/public" matrix_static_files_public_well_known_path: "{{ matrix_static_files_public_path }}/.well-known" matrix_static_files_public_well_known_matrix_path: "{{ matrix_static_files_public_well_known_path }}/matrix" +matrix_static_files_public_well_known_element_path: "{{ matrix_static_files_public_well_known_path }}/element" # List of systemd services that matrix-static-files.service depends on matrix_static_files_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" 
@@ -360,6 +361,56 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f ######################################################################## +######################################################################## +# # +# Related to /.well-known/element/element.json # +# # +######################################################################## + +# Controls whether a `/.well-known/element/element.json` file is generated and used at all. +matrix_static_files_file_element_element_json_enabled: true + +# Controls the call.widget_url property in the /.well-known/element/element.json file +matrix_static_files_file_element_element_json_property_call_widget_url: '' + +# Default /.well-known/element/element.json configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_static_files_file_matrix_support_configuration_extension_json`) +# or completely replace this variable with your own template. +matrix_static_files_file_element_element_json_configuration_json: "{{ lookup('template', 'templates/public/.well-known/element/element.json.j2') }}" + +# Your custom JSON configuration for /.well-known/element/element.json should go to `matrix_static_files_file_element_element_json_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_static_files_file_matrix_support_configuration_extension_json`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_static_files_file_matrix_support_configuration_json`. 
+# +# Example configuration extension follows: +# +# matrix_static_files_file_element_element_json_configuration_extension_json: | +# { +# "call": { +# "url": "value" +# } +# } +matrix_static_files_file_element_element_json_configuration_extension_json: '{}' + +matrix_static_files_file_element_element_json_configuration_extension: "{{ matrix_static_files_file_element_element_json_configuration_extension_json | from_json if matrix_static_files_file_element_element_json_configuration_extension_json | from_json is mapping else {} }}" + +# Holds the final /.well-known/matrix/support configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_static_files_file_element_element_json_configuration_json` or `matrix_static_files_file_element_element_json_configuration_extension_json`. +matrix_static_files_file_element_element_json_configuration: "{{ matrix_static_files_file_element_element_json_configuration_json | combine(matrix_static_files_file_element_element_json_configuration_extension, recursive=True) }}" + +######################################################################## +# # +# /Related to /.well-known/element/element.json # +# # +######################################################################## + + ######################################################################## # # # Related to index.html # diff --git a/roles/custom/matrix-static-files/tasks/install.yml b/roles/custom/matrix-static-files/tasks/install.yml index 3cbd9d4c630..b70079434d7 100644 --- a/roles/custom/matrix-static-files/tasks/install.yml +++ b/roles/custom/matrix-static-files/tasks/install.yml 
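Review bot: `matrix_static_files_file_element_element_json_configuration` applies `combine` directly to `matrix_static_files_file_element_element_json_configuration_json`, which is the string returned by `lookup('template', ...)`, whereas the extension variable just above is parsed with `| from_json` first; `combine` needs mappings on both sides, so this should read `matrix_static_files_file_element_element_json_configuration_json | from_json | combine(...)`. The copied comments in this block also still name the `/.well-known/matrix/support` variables (`matrix_static_files_file_matrix_support_configuration_extension_json`, `matrix_static_files_file_matrix_support_configuration_json`, and "Holds the final /.well-known/matrix/support configuration"), and the example extension sets `"call": { "url": "value" }` while the template emits `call.widget_url`; please point them at the `_element_element_json_` names and `widget_url`.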
@@ -2,17 +2,19 @@ - name: Ensure matrix-static-files paths exist ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_static_files_base_path }}" - - "{{ matrix_static_files_config_path }}" - - "{{ matrix_static_files_public_path }}" - - "{{ matrix_static_files_public_well_known_path }}" - - "{{ matrix_static_files_public_well_known_matrix_path }}" + - {path: "{{ matrix_static_files_base_path }}", when: true} + - {path: "{{ matrix_static_files_config_path }}", when: true} + - {path: "{{ matrix_static_files_public_path }}", when: true} + - {path: "{{ matrix_static_files_public_well_known_path }}", when: true} + - {path: "{{ matrix_static_files_public_well_known_matrix_path }}", when: true} + - {path: "{{ matrix_static_files_public_well_known_element_path }}", when: true} + when: "item.when | bool" - name: Ensure matrix-static-files is configured ansible.builtin.template: @@ -52,6 +54,10 @@ dest: "{{ matrix_static_files_public_well_known_matrix_path }}/support" when: "{{ matrix_static_files_file_matrix_support_enabled }}" + - content: "{{ matrix_static_files_file_element_element_json_configuration | to_nice_json }}" + dest: "{{ matrix_static_files_public_well_known_element_path }}/element.json" + when: "{{ matrix_static_files_file_element_element_json_enabled }}" + # This one will not be deleted if `matrix_static_files_file_index_html_enabled` flips to `false`. # See the comment for `matrix_static_files_file_index_html_enabled` to learn why. - content: "{{ matrix_static_files_file_index_html_template }}" 
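Review bot: the `with_items` refactor in `tasks/install.yml` gives every entry `when: true` and then filters on `item.when | bool`, so the new per-item condition is never false and only adds noise. Either drop it and keep the plain path list, or make the new entry conditional, e.g. `- {path: "{{ matrix_static_files_public_well_known_element_path }}", when: "{{ matrix_static_files_file_element_element_json_enabled }}"}`, which would also avoid creating an empty `element/` directory on hosts that have the file disabled (the cleanup task added later in this patch removes only `element.json`, not the directory).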
@@ -70,6 +76,12 @@ state: absent when: "not matrix_static_files_file_matrix_support_enabled | bool" +- name: Ensure /.well-known/element/element.json file deleted if not enabled + ansible.builtin.file: + path: "{{ matrix_static_files_public_well_known_element_path }}/element.json" + state: absent + when: "not matrix_static_files_file_element_element_json_enabled | bool" + - name: Ensure matrix-static-files container image is pulled community.docker.docker_image: name: "{{ matrix_static_files_container_image }}" diff --git a/roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2 b/roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2 new file mode 100644 index 00000000000..68d13f09823 --- /dev/null +++ b/roles/custom/matrix-static-files/templates/public/.well-known/element/element.json.j2 @@ -0,0 +1,7 @@ +{ + {% if matrix_static_files_file_element_element_json_property_call_widget_url %} + "call": { + "widget_url": {{ matrix_static_files_file_element_element_json_property_call_widget_url | to_json }} + } + {% endif %} +} From 69d702643f850354ba0afe35596f8e8c53967399 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 19:36:55 +0200 Subject: [PATCH 141/148] Remove homeserver.yaml patching from Element Call role --- .../matrix-element-call/defaults/main.yml | 1 - .../matrix-element-call/tasks/install.yml | 30 ------------------- 2 files changed, 31 deletions(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index c65c6d078fa..dd8bb98cb69 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml 
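Review bot: `matrix_static_files_file_element_element_json_enabled` defaults to `true` while `matrix_static_files_file_element_element_json_property_call_widget_url` defaults to `''`, and the new `element.json.j2` wraps the only property in `{% if ... %}`, so every deployment without Element Call publishes an empty `{}` at `/.well-known/element/element.json`. That is harmless but probably not intended; consider defaulting `_enabled` to `"{{ matrix_static_files_file_element_element_json_property_call_widget_url != '' }}"` (or tying it to `matrix_element_call_enabled` in `group_vars`) so the file exists only when it carries something, and the deletion task then cleans it up on disable.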
@@ -7,7 +7,6 @@ matrix_element_call_hostname: "call.{{ matrix_domain }}" # Base path configuration matrix_element_call_base_path: "{{ matrix_base_data_path }}/element-call" -matrix_homeserver_config_path: "{{ matrix_base_data_path }}/synapse/config/homeserver.yaml" # Docker network configuration matrix_element_call_container_network: '' diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index 23b1879a74d..bc2238ae7a6 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -47,33 +47,3 @@ src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service" mode: 0644 - -# Update homeserver.yaml for Element Call -- name: Add listeners section for Element Call to homeserver.yaml - ansible.builtin.blockinfile: - path: "{{ matrix_homeserver_config_path }}" - block: | - listeners: - - port: 8008 - tls: false - type: http - x_forwarded: true - resources: - - names: [client, federation, openid] - compress: false - marker: "# ANSIBLE MANAGED BLOCK - Element Call listeners" - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_element_call_enabled | bool - -- name: Ensure serve_server_wellknown is enabled in homeserver.yaml - ansible.builtin.lineinfile: - path: "{{ matrix_homeserver_config_path }}" - line: "serve_server_wellknown: true" - insertafter: EOF - state: present - mode: '0644' - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_element_call_enabled | bool From 006920882c54408e77b70cbd2719602fe63bab69 Mon Sep 17 00:00:00 2001 
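Review bot: removing the `blockinfile`/`lineinfile` edits of `homeserver.yaml` is the right fix and the commit message should say why: the deleted block appended a second top-level `listeners:` key (with an `openid` resource) and unconditionally appended `serve_server_wellknown: true` to a file the Synapse role generates, so the edits were either clobbered on the next run or produced a duplicate key that YAML loaders handle inconsistently; listener and well-known settings belong to the homeserver role's own variables. Dropping `matrix_homeserver_config_path` from the defaults also removes a Synapse-specific path from a role that should not assume which homeserver is deployed.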
From: Slavi Pantaleev Date: Thu, 21 Nov 2024 19:38:23 +0200 Subject: [PATCH 142/148] Rename file (element-call-labels -> labels) --- roles/custom/matrix-element-call/tasks/install.yml | 4 ++-- .../templates/{element-call-labels.j2 => labels.j2} | 0 .../templates/systemd/matrix-element-call.service.j2 | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) rename roles/custom/matrix-element-call/templates/{element-call-labels.j2 => labels.j2} (100%) diff --git a/roles/custom/matrix-element-call/tasks/install.yml b/roles/custom/matrix-element-call/tasks/install.yml index bc2238ae7a6..21f1808fccb 100644 --- a/roles/custom/matrix-element-call/tasks/install.yml +++ b/roles/custom/matrix-element-call/tasks/install.yml @@ -24,8 +24,8 @@ - name: Ensure matrix-element-call Docker labels file is in place ansible.builtin.template: - src: "{{ role_path }}/templates/element-call-labels.j2" - dest: "{{ matrix_element_call_base_path }}/element-call-labels" + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_element_call_base_path }}/labels" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" diff --git a/roles/custom/matrix-element-call/templates/element-call-labels.j2 b/roles/custom/matrix-element-call/templates/labels.j2 similarity index 100% rename from roles/custom/matrix-element-call/templates/element-call-labels.j2 rename to roles/custom/matrix-element-call/templates/labels.j2 diff --git a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 index dcb3fa7c203..a22ff17f11c 100644 --- a/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 +++ b/roles/custom/matrix-element-call/templates/systemd/matrix-element-call.service.j2 
@@ -24,7 +24,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% if matrix_element_call_container_http_host_bind_port %} -p {{ matrix_element_call_container_http_host_bind_port }}:8080 \ {% endif %} - --label-file={{ matrix_element_call_base_path }}/element-call-labels \ + --label-file={{ matrix_element_call_base_path }}/labels \ {% for arg in matrix_element_call_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -43,4 +43,4 @@ RestartSec=30 SyslogIdentifier=matrix-element-call [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target From c57d0d192d281e6bcfa921ad737d157a86f7359f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Nov 2024 19:45:07 +0200 Subject: [PATCH 143/148] Eliminate remaining matrix references from LiveKit Server role --- .../matrix-livekit-server/defaults/main.yml | 11 +++--- .../matrix-livekit-server/templates/labels.j2 | 36 ++++++++++--------- 2 files changed, 27 insertions(+), 20 deletions(-) diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index a0976d70a8c..f8ed88fcd8b 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml 
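Review bot: in the unchanged context of the unit hunk, `-p {{ matrix_element_call_container_http_host_bind_port }}:8080` hands the variable straight to Docker, so a bare port value publishes the container on all interfaces and bypasses the Traefik-only exposure the labels set up; the variable's documentation should state that a `127.0.0.1:PORT` value is expected when Traefik fronts the service, or the template should prepend the loopback address itself. The rename itself is consistent: `dest: "{{ matrix_element_call_base_path }}/labels"` in `tasks/install.yml` matches `--label-file={{ matrix_element_call_base_path }}/labels` in the unit, and the 0640 mode on the labels file is appropriate.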
@@ -73,11 +73,11 @@ livekit_server_container_labels_traefik_additional_response_headers_auto: | }} livekit_server_container_labels_traefik_additional_response_headers_custom: {} -# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# livekit_server_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # # Example: -# matrix_client_element_container_labels_additional_labels: | +# livekit_server_container_labels_additional_labels: | # my.label=1 # another.label="here" livekit_server_container_labels_additional_labels: '' @@ -88,8 +88,11 @@ livekit_server_container_extra_arguments: [] # Additional environment variables for the container livekit_server_environment_variables_additional: {} -# List of systemd services that matrix-element-call.service depends on -livekit_server_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +# List of systemd services that LiveKit Server service depends on +livekit_server_systemd_required_services_list: "{{ livekit_server_systemd_required_services_list_default + livekit_server_systemd_required_services_list_auto + livekit_server_systemd_required_services_list_custom }}" +livekit_server_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +livekit_server_systemd_required_services_list_auto: [] +livekit_server_systemd_required_services_list_custom: [] # Specifies the value of the `X-XSS-Protection` header # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. 
diff --git a/roles/custom/matrix-livekit-server/templates/labels.j2 b/roles/custom/matrix-livekit-server/templates/labels.j2 index d1aad01216c..fb93ebea811 100644 --- a/roles/custom/matrix-livekit-server/templates/labels.j2 +++ b/roles/custom/matrix-livekit-server/templates/labels.j2 
@@ -1,43 +1,47 @@ {% if livekit_server_container_labels_traefik_enabled %} traefik.enable=true -# Network configuration for Traefik {% if livekit_server_container_labels_traefik_docker_network %} traefik.docker.network={{ livekit_server_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-livekit-server.loadbalancer.server.port={{ livekit_server_config_port }} +traefik.http.services.{{ livekit_server_identifier }}.loadbalancer.server.port={{ livekit_server_config_port }} {% set middlewares = [] %} {% if livekit_server_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.matrix-livekit-server-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['matrix-livekit-server-slashless-redirect'] %} +traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.regex=({{ livekit_server_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.{{ livekit_server_identifier }}-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + [livekit_server_identifier + '-server-slashless-redirect'] %} -traefik.http.middlewares.matrix-livekit-server-strip-prefix.stripprefix.prefixes={{ livekit_server_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['matrix-livekit-server-strip-prefix'] %} +traefik.http.middlewares.{{ livekit_server_identifier }}-strip-prefix.stripprefix.prefixes={{ livekit_server_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + [livekit_server_identifier + '-strip-prefix'] %} {% endif %} {% if livekit_server_container_labels_traefik_additional_response_headers.keys() | length > 0 %} {% for name, value in livekit_server_container_labels_traefik_additional_response_headers.items() %} 
-traefik.http.middlewares.matrix-livekit-server-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +traefik.http.middlewares.{{ livekit_server_identifier }}-add-headers.headers.customresponseheaders.{{ name }}={{ value }} {% endfor %} -{% set middlewares = middlewares + ['matrix-livekit-server-add-headers'] %} +{% set middlewares = middlewares + [livekit_server_identifier + '-add-headers'] %} {% endif %} -traefik.http.routers.matrix-livekit-server.rule={{ livekit_server_container_labels_traefik_rule }} +traefik.http.routers.{{ livekit_server_identifier }}.rule={{ livekit_server_container_labels_traefik_rule }} + {% if livekit_server_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-livekit-server.priority={{ livekit_server_container_labels_traefik_priority }} +traefik.http.routers.{{ livekit_server_identifier }}.priority={{ livekit_server_container_labels_traefik_priority }} {% endif %} -traefik.http.routers.matrix-livekit-server.service=matrix-livekit-server + +traefik.http.routers.{{ livekit_server_identifier }}.service={{ livekit_server_identifier }} + {% if middlewares | length > 0 %} -traefik.http.routers.matrix-livekit-server.middlewares={{ middlewares | join(',') }} +traefik.http.routers.{{ livekit_server_identifier }}.middlewares={{ middlewares | join(',') }} {% endif %} -traefik.http.routers.matrix-livekit-server.entrypoints={{ livekit_server_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-livekit-server.tls={{ livekit_server_container_labels_traefik_tls | to_json }} + +traefik.http.routers.{{ livekit_server_identifier }}.entrypoints={{ livekit_server_container_labels_traefik_entrypoints }} + +traefik.http.routers.{{ livekit_server_identifier }}.tls={{ livekit_server_container_labels_traefik_tls | to_json }} {% if livekit_server_container_labels_traefik_tls %} -traefik.http.routers.matrix-livekit-server.tls.certResolver={{ livekit_server_container_labels_traefik_tls_certResolver }} 
+traefik.http.routers.{{ livekit_server_identifier }}.tls.certResolver={{ livekit_server_container_labels_traefik_tls_certResolver }} {% endif %} {% endif %} From 5642755273614e1bdd1f8cf89750874c5ecf3fd7 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 23 Nov 2024 16:40:50 +0200 Subject: [PATCH 144/148] Rework LiveKit JWT Service role --- docs/configuring-playbook-element-call.md | 9 +- docs/configuring-playbook-jwt-service.md | 21 ++-- docs/configuring-playbook.md | 2 +- group_vars/matrix_servers | 64 ++++++---- .../templates/config.json.j2 | 4 +- .../matrix-jwt-service/defaults/main.yml | 117 ------------------ .../matrix-jwt-service/tasks/install.yml | 46 ------- .../matrix-jwt-service/tasks/uninstall.yml | 22 ---- .../tasks/validate_config.yml | 12 -- .../matrix-jwt-service/templates/env.j2 | 4 - .../matrix-jwt-service/templates/labels.j2 | 46 ------- .../defaults/main.yml | 81 ++++++++++++ .../tasks/install.yml | 69 +++++++++++ .../tasks/main.yml | 13 +- .../tasks/uninstall.yml | 25 ++++ .../tasks/validate_config.yml | 13 ++ .../templates/env.j2 | 7 ++ .../templates/labels.j2 | 48 +++++++ .../matrix-livekit-jwt-service.service.j2} | 38 +++--- .../matrix-livekit-jwt-service/vars/main.yml | 3 + .../matrix-livekit-server/defaults/main.yml | 2 +- .../matrix-livekit-server/tasks/install.yml | 38 +++++- .../systemd/livekit-server.service.j2 | 6 +- .../matrix-livekit-server/vars/main.yml | 2 + setup.yml | 2 +- 25 files changed, 369 insertions(+), 325 deletions(-) delete mode 100644 roles/custom/matrix-jwt-service/defaults/main.yml delete mode 100644 roles/custom/matrix-jwt-service/tasks/install.yml delete mode 100644 roles/custom/matrix-jwt-service/tasks/uninstall.yml delete mode 100644 roles/custom/matrix-jwt-service/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-jwt-service/templates/env.j2 delete mode 100644 roles/custom/matrix-jwt-service/templates/labels.j2 create mode 100644 roles/custom/matrix-livekit-jwt-service/defaults/main.yml create mode 100644 roles/custom/matrix-livekit-jwt-service/tasks/install.yml rename roles/custom/{matrix-jwt-service => matrix-livekit-jwt-service}/tasks/main.yml (57%) create mode 100644 
roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml create mode 100644 roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml create mode 100644 roles/custom/matrix-livekit-jwt-service/templates/env.j2 create mode 100644 roles/custom/matrix-livekit-jwt-service/templates/labels.j2 rename roles/custom/{matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 => matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2} (52%) create mode 100644 roles/custom/matrix-livekit-jwt-service/vars/main.yml diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 663a0703879..d9f2e3a449a 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -25,16 +25,13 @@ Ensure that the following DNS names have a public IP/FQDN: ## Adjusting the playbook configuration -NOTE: Element call is dependent on two other services for it to function as intended. In orter to utilise Element Call you need to also enable the [JWT Service](configuring-playbook-jwt-service.md) and [Livekit Server](configuring-playbook-livekit-server.md). +NOTE: Enabling Element Call will automatically enable the [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) and Livekit Server services. Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml matrix_element_call_enabled: true - -# Set a secure key for LiveKit authentication -livekit_server_config_keys_devkey: 'your-secure-livekit-key' ``` ## Installing 
@@ -43,7 +40,7 @@ After configuring the playbook and potentially [adjusting your DNS records](#adj ## Usage -Once installed, Element Call integrates seamlessly with Matrix clients like Element Web. When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your JWT service URL (e.g., `https://sfu-jwt.example.com`). +Once installed, Element Call integrates seamlessly with Matrix clients like [Element Web](configuring-playbook-client-element-web.md). When the Element Call service is installed, the `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc4143.rtc_foci` section is added to point to your LiveKit JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`). Additionally, the `/.well-known/element/element.json` file is created to help Element clients discover the Element Call URL (e.g., `https://call.example.com`). @@ -53,7 +50,7 @@ To ensure the services function correctly, the following firewall rules and port LiveKit: - • Forward UDP ports 50100:50200 to the Docker instance running LiveKit. + • Forward UDP ports 50100:50120 to the Docker instance running LiveKit. • Forward TCP port 7881 to the Docker instance running LiveKit. Element Call: diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md index 85f142da571..b8c06a0cc59 100644 --- a/docs/configuring-playbook-jwt-service.md +++ b/docs/configuring-playbook-jwt-service.md @@ -1,6 +1,6 @@ # Setting up JWT Service (optional) -The playbook can install and configure [JWT Service](https://github.com/element-hq/lk-jwt-service) for you. +The playbook can install and configure [LiveKit JWT Service](https://github.com/element-hq/lk-jwt-service) for you. LK-JWT-Service is currently used for a single reason: generate JWT tokens with a given identity for a given room, so that users can use them to authenticate against LiveKit SFU. 
@@ -8,28 +8,23 @@ See the project's [documentation](https://github.com/element-hq/lk-jwt-service/) ## Decide on a domain and path -By default, JWT Service is configured to be served on the Matrix domain (`sfu-jwt.DOMAIN`, controlled by the `matrix_jwt-service_hostname` variable). +By default, JWT Service is configured to be served: -This makes it easy to set it up, **without** having to adjust your DNS records manually. +- on the Matrix domain (`matrix.example.com`), configurable via `matrix_livekit_jwt_service_hostname` +- under a `/lk-jwt-service` path prefix, configurable via `matrix_livekit_jwt_service_path_prefix` -If you'd like to run JWT Service on another hostname or path, use the `matrix_jwt-service_hostname` variable. +This makes it easy to set it up, **without** having to adjust your DNS records manually. ## Adjusting DNS records If you've changed the default hostname, **you may need to adjust your DNS** records accordingly to point to the correct server. -Ensure that the following DNS names have a public IP/FQDN: -- `sfu-jwt.DOMAIN` - ## Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: ```yaml -matrix_jwt_service_enabled: true - -# Set a secure key for LiveKit authentication -matrix_element_call_livekit_dev_key: 'your-secure-livekit-key' +matrix_livekit_jwt_service_enabled: true ``` ## Installing 
@@ -38,8 +33,8 @@ After configuring the playbook and potentially [adjusting your DNS records](#adj ## Usage -Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the element web client to point to your JWT service URL (e.g., `https://sfu-jwt.example.com`). +Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the Element web client to point to your JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`). ## Additional Information -Refer to the JWT-Service documentation for more details on configuring and using JWT Service. \ No newline at end of file +Refer to the LiveKit JWT-Service documentation for more details on configuring and using JWT Service. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 632f09568ac..72eef2fb0fc 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -214,7 +214,7 @@ Various services that don't fit any other categories. - [Setting up the Element Call server](configuring-playbook-element-call.md) (optional) -- [Setting up the JWT Service](configuring-playbook-jwt-service.md) (optional) +- [Setting up the LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (optional) - [Setting up the Livekit server](configuring-playbook-livekit-server.md) (optional) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 35009746a4b..fd6279e8918 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -442,7 +442,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-element-call.service', 'priority': 4000, 'groups': ['matrix', 'element-call']}] if matrix_element_call_enabled else []) + - ([{'name': 'matrix-jwt-service.service', 'priority': 3000, 'groups': ['matrix', 'jwt-service']}] if matrix_jwt_service_enabled else []) + ([{'name': 'matrix-livekit-jwt-service.service', 'priority': 3500, 'groups': ['matrix', 'livekit-jwt-service']}] if matrix_livekit_jwt_service_enabled else []) + ([{'name': (livekit_server_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'livekit-server']}] if livekit_server_enabled else []) + @@ -5959,7 +5959,7 @@ matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enab matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: |- {{ ( - [{'type': 'livekit', 'livekit_service_url': matrix_jwt_service_url}] if matrix_jwt_service_enabled else [] + [{'type': 'livekit', 'livekit_service_url': matrix_livekit_jwt_service_public_url}] if matrix_livekit_jwt_service_enabled else [] ) }} 
@@ -6138,45 +6138,61 @@ livekit_server_container_labels_traefik_docker_network: "{{ matrix_playbook_reve livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" +livekit_server_config_keys_auto: |- + {{ + {} + | combine( + {matrix_livekit_jwt_service_environment_variable_livekit_key: matrix_livekit_jwt_service_environment_variable_livekit_secret} + if matrix_livekit_jwt_service_enabled else {} + ) + }} + ######################################################################## # # # /livekit-server # # # ######################################################################## + ######################################################################## # # -# matrix-jwt-service # +# matrix-livekit-jwt-service # # # ######################################################################## -matrix_jwt_service_enabled: "{{ matrix_element_call_enabled }}" +matrix_livekit_jwt_service_enabled: "{{ matrix_element_call_enabled and livekit_server_enabled }}" + +matrix_livekit_jwt_service_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" + +matrix_livekit_jwt_service_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service" + +matrix_livekit_jwt_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_livekit_jwt_service_container_network: "{{ matrix_addons_container_network }}" + +matrix_livekit_jwt_service_container_additional_networks_auto: | + {{ + ( + ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_livekit_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else []) + + + ([livekit_server_container_network] if livekit_server_enabled and (matrix_livekit_jwt_service_environment_variable_livekit_url == livekit_server_websocket_container_url and 
livekit_server_container_network != matrix_livekit_jwt_service_container_network) else []) + ) | unique + }} -matrix_jwt_service_version: "latest-ci" # Default version; can be overridden in host_vars -matrix_jwt_service_scheme: "https" # Scheme for Element Call (e.g., https) -matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}" # Default hostname; should be overridden in host_vars if different -matrix_jwt_service_path_prefix: "/" # Path prefix for Element Call -matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/matrix-jwt-service" # Base path for storing Element Call-related files -matrix_jwt_service_container_image: "ghcr.io/element-hq/lk-jwt-service:{{ matrix_jwt_service_version }}" -matrix_jwt_service_container_image_name_prefix: ghcr.io/ -matrix_jwt_service_container_image_registry_prefix: ghcr.io/ -matrix_jwt_service_container_image_force_pull: true +matrix_livekit_jwt_service_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_livekit_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" -# Docker network configuration for JWT Service -matrix_jwt_service_container_network: "{{ matrix_addons_container_network }}" -matrix_jwt_service_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_jwt_service_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}" +matrix_livekit_jwt_service_environment_variable_livekit_url: "{{ livekit_server_websocket_container_url }}" -# Traefik Configuration for JWT Service -matrix_jwt_service_container_labels_traefik_enabled: "{{ 
matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" -matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_jwt_service_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" -matrix_jwt_service_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" +matrix_livekit_jwt_service_environment_variable_livekit_key: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.key', rounds=655555) | to_uuid }}" -# JWT Service Configuration -matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" # Default JWT service URL; adjust as needed +matrix_livekit_jwt_service_environment_variable_livekit_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'lk.secret', rounds=655555) | to_uuid }}" ######################################################################## # # -# /matrix-jwt-service # +# /matrix-livekit-jwt-service # # # ######################################################################## diff --git a/roles/custom/matrix-element-call/templates/config.json.j2 b/roles/custom/matrix-element-call/templates/config.json.j2 index e10fc4f6116..4ad4e2b5170 100644 --- a/roles/custom/matrix-element-call/templates/config.json.j2 +++ b/roles/custom/matrix-element-call/templates/config.json.j2 @@ -6,6 +6,6 @@ } }, "livekit": { - "livekit_service_url": "{{ matrix_jwt_service_url }}" + "livekit_service_url": "{{ matrix_livekit_jwt_service_public_url }}" } -} \ No newline at end of file +} diff --git a/roles/custom/matrix-jwt-service/defaults/main.yml b/roles/custom/matrix-jwt-service/defaults/main.yml deleted file mode 100644 index ee95afefd7a..00000000000 --- a/roles/custom/matrix-jwt-service/defaults/main.yml +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -# Enable or disable matrix-element-call deployment -matrix_jwt_service_enabled: false - -# Base path configuration -matrix_jwt_service_base_path: "{{ matrix_base_data_path }}/jwt-service" - -# Docker network configuration -matrix_jwt_service_container_network: '' -matrix_jwt_service_container_http_host_bind_port: '8881' -matrix_jwt_service_container_additional_networks: [] # No additional networks by default - -# Docker images -matrix_jwt_service_image: "ghcr.io/element-hq/lk-jwt-service:latest-ci" - -# Ports -matrix_jwt_service_port: "8881" - -# jwt configuration -matrix_jwt_service_hostname: "sfu-jwt.{{ matrix_domain }}" -matrix_jwt_service_url: "https://sfu-jwt.{{ matrix_domain }}" - -# Traefik Configuration for JWT Service -matrix_jwt_service_container_labels_traefik_enabled: true -matrix_jwt_service_container_labels_traefik_docker_network: "{{ matrix_jwt_service_container_network }}" -matrix_jwt_service_container_labels_traefik_hostname: "{{ matrix_jwt_service_hostname }}" -# The path prefix must either be `/` or not end with a slash (e.g. `/element`). -matrix_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_jwt_service_path_prefix }}" -matrix_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_jwt_service_container_labels_traefik_hostname }}`){% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}" -matrix_jwt_service_container_labels_traefik_priority: 0 -matrix_jwt_service_container_labels_traefik_entrypoints: web-secure -matrix_jwt_service_container_labels_traefik_tls: "{{ matrix_jwt_service_container_labels_traefik_entrypoints != 'web' }}" -matrix_jwt_service_container_labels_traefik_tls_certResolver: default # noqa var-naming - -# Controls which additional headers to attach to all HTTP responses. 
-# To add your own headers, use `matrix_jwt_service_container_labels_traefik_additional_response_headers_custom` -matrix_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" -matrix_jwt_service_container_labels_traefik_additional_response_headers_auto: | - {{ - {} - | combine ({'X-XSS-Protection': matrix_jwt_service_http_header_xss_protection} if matrix_jwt_service_http_header_xss_protection else {}) - | combine ({'X-Frame-Options': matrix_jwt_service_http_header_frame_options} if matrix_jwt_service_http_header_frame_options else {}) - | combine ({'X-Content-Type-Options': matrix_jwt_service_http_header_content_type_options} if matrix_jwt_service_http_header_content_type_options else {}) - | combine ({'Content-Security-Policy': matrix_jwt_service_http_header_content_security_policy} if matrix_jwt_service_http_header_content_security_policy else {}) - | combine ({'Permission-Policy': matrix_jwt_service_http_header_content_permission_policy} if matrix_jwt_service_http_header_content_permission_policy else {}) - | combine ({'Strict-Transport-Security': matrix_jwt_service_http_header_strict_transport_security} if matrix_jwt_service_http_header_strict_transport_security and matrix_jwt_service_container_labels_traefik_tls else {}) - }} -matrix_jwt_service_container_labels_traefik_additional_response_headers_custom: {} - -# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. -# See `../templates/labels.j2` for details. 
-# -# Example: -# matrix_client_element_container_labels_additional_labels: | -# my.label=1 -# another.label="here" -matrix_jwt_service_container_labels_additional_labels: '' - -# A list of extra arguments to pass to the container -matrix_jwt_service_container_extra_arguments: [] - -# Additional environment variables for the container -matrix_jwt_service_environment_variables_additional: {} - -# List of systemd services that matrix-element-call.service depends on -matrix_jwt_service_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" - -# Specifies the value of the `X-XSS-Protection` header -# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. -# -# Learn more about it is here: -# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection -# - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_jwt_service_http_header_xss_protection: '' - -# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. -# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -matrix_jwt_service_http_header_frame_options: '' - -# Specifies the value of the `X-Content-Type-Options` header. -# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -matrix_jwt_service_http_header_content_type_options: '' - -# Specifies the value of the `Content-Security-Policy` header. -# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -matrix_jwt_service_http_header_content_security_policy: '' - -# Specifies the value of the `Permission-Policy` header. -# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy -matrix_jwt_service_http_header_content_permission_policy: '' - -# Specifies the value of the `Strict-Transport-Security` header. 
-# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -matrix_jwt_service_http_header_strict_transport_security: '' - -# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses -# -# Learn more about what it is here: -# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea -# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network -# - https://amifloced.org/ -# -# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. -# See: `matrix_jwt_service_content_permission_policy` -matrix_jwt_service_floc_optout_enabled: false - -# Controls if HSTS preloading is enabled -# -# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and -# indicates a willingness to be "preloaded" into browsers: -# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` -# For more information visit: -# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security -# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -# - https://hstspreload.org/#opt-in -# See: `matrix_jwt_service_http_header_strict_transport_security` -matrix_jwt_service_hsts_preload_enabled: true \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/install.yml b/roles/custom/matrix-jwt-service/tasks/install.yml deleted file mode 100644 index 9a51bdfd334..00000000000 --- a/roles/custom/matrix-jwt-service/tasks/install.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -# roles/custom/matrix-jwt-service/tasks/install.yml - -# Ensure Required Directories Exist -- name: Ensure matrix-jwt-service paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - path: "{{ matrix_jwt_service_base_path }}" - -- name: Ensure matrix-jwt-service environment file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/env.j2" - dest: "{{ matrix_jwt_service_base_path }}/env" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure JWT Service labels file is in place - ansible.builtin.template: - src: "{{ role_path }}/templates/labels.j2" - dest: "{{ matrix_jwt_service_base_path }}/labels" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -# Ensure Docker Images are Pulled -- name: Ensure jwt-service Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_jwt_service_image }}" - source: pull - register: jwt_image_result - retries: 3 - delay: 10 - until: jwt_image_result is not failed - -# Systemd Services for JWT Service -- name: Ensure jwt-service systemd service is installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-jwt-service.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" - mode: 0644 \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/uninstall.yml b/roles/custom/matrix-jwt-service/tasks/uninstall.yml deleted file mode 100644 index 7338d5b95a6..00000000000 --- a/roles/custom/matrix-jwt-service/tasks/uninstall.yml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -# Uninstall tasks for matrix-jwt-service - - -- name: Stop and remove jwt-service container - community.docker.docker_container: - name: "matrix-jwt-service" - state: absent - -- name: Remove jwt-service systemd service - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jwt-service.service" - state: absent - -- name: Remove matrix-jwt-service configuration files - ansible.builtin.file: - path: "{{ matrix_jwt_service_base_path }}" - state: absent - -- name: Reload systemd daemon - ansible.builtin.systemd: - daemon_reload: true \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-jwt-service/tasks/validate_config.yml deleted file mode 100644 index 38e39ad60cb..00000000000 --- a/roles/custom/matrix-jwt-service/tasks/validate_config.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -# Validate configuration for matrix-jwt-service - -- name: Fail if required matrix-jwt-service settings are not defined - ansible.builtin.fail: - msg: > - You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] == ''" - with_items: - - {'name': 'matrix_jwt_service_base_path', when: true} - - {'name': 'matrix_jwt_service_container_network', when: true} - - {'name': 'matrix_jwt_service_image', when: true} \ No newline at end of file diff --git a/roles/custom/matrix-jwt-service/templates/env.j2 b/roles/custom/matrix-jwt-service/templates/env.j2 deleted file mode 100644 index 7135bb0875e..00000000000 --- a/roles/custom/matrix-jwt-service/templates/env.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# Environment variables for JWT Service -LIVEKIT_KEY=devkey -LIVEKIT_URL=wss://{{ livekit_server_hostname }}:443 -LIVEKIT_SECRET={{ livekit_server_dev_key }} diff --git a/roles/custom/matrix-jwt-service/templates/labels.j2 b/roles/custom/matrix-jwt-service/templates/labels.j2 deleted file mode 100644 index 6db7722363e..00000000000 
--- a/roles/custom/matrix-jwt-service/templates/labels.j2 +++ /dev/null 
@@ -1,46 +0,0 @@ -{% if matrix_element_call_container_labels_traefik_enabled %} -traefik.enable=true - -# Network configuration for Traefik -{% if matrix_jwt_service_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_jwt_service_container_labels_traefik_docker_network }} -{% endif %} - -traefik.http.services.matrix-jwt-service.loadbalancer.server.port=8080 - -{% set middlewares = [] %} - -# Path prefix handling for JWT -{% if matrix_jwt_service_container_labels_traefik_path_prefix != '/' %} -traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_jwt_service_container_labels_traefik_path_prefix | quote }})$ -traefik.http.middlewares.matrix-jwt-service-slashless-redirect.redirectregex.replacement=${1}/ -{% set middlewares = middlewares + ['matrix-jwt-service-slashless-redirect'] %} - -traefik.http.middlewares.matrix-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_jwt_service_container_labels_traefik_path_prefix }} -{% set middlewares = middlewares + ['matrix-jwt-service-strip-prefix'] %} -{% endif %} - -{% if matrix_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} -{% for name, value in matrix_jwt_service_container_labels_traefik_additional_response_headers.items() %} -traefik.http.middlewares.matrix-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} -{% endfor %} -{% set middlewares = middlewares + ['matrix-jwt-service-add-headers'] %} -{% endif %} - -traefik.http.routers.matrix-jwt-service.rule={{ matrix_jwt_service_container_labels_traefik_rule }} -{% if matrix_jwt_service_container_labels_traefik_priority | int > 0 %} -traefik.http.routers.matrix-jwt-service.priority={{ matrix_jwt_service_container_labels_traefik_priority }} -{% endif %} -traefik.http.routers.matrix-jwt-service.service=matrix-jwt-service -{% if middlewares | length > 0 %} -traefik.http.routers.matrix-jwt-service.middlewares={{ middlewares | join(',') }} -{% 
endif %} -traefik.http.routers.matrix-jwt-service.entrypoints={{ matrix_jwt_service_container_labels_traefik_entrypoints }} -traefik.http.routers.matrix-jwt-service.tls={{ matrix_jwt_service_container_labels_traefik_tls | to_json }} -{% if matrix_jwt_service_container_labels_traefik_tls %} -traefik.http.routers.matrix-jwt-service.tls.certResolver={{ matrix_jwt_service_container_labels_traefik_tls_certResolver }} -{% endif %} - -{% endif %} - -{{ matrix_jwt_service_container_labels_additional_labels }} \ No newline at end of file diff --git a/roles/custom/matrix-livekit-jwt-service/defaults/main.yml b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml new file mode 100644 index 00000000000..85970872900 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml 
@@ -0,0 +1,81 @@ +--- + +# Project source code URL: https://github.com/element-hq/lk-jwt-service + +matrix_livekit_jwt_service_enabled: false + +matrix_livekit_jwt_service_scheme: https +matrix_livekit_jwt_service_hostname: "" +matrix_livekit_jwt_service_path_prefix: "/lk-jwt-service" + +matrix_livekit_jwt_service_base_path: "{{ matrix_base_data_path }}/livekit-jwt-service" + +matrix_livekit_jwt_service_container_network: '' + +matrix_livekit_jwt_service_container_http_host_bind_port: '' + +matrix_livekit_jwt_service_container_additional_networks: "{{ (matrix_livekit_jwt_service_container_additional_networks_auto + matrix_livekit_jwt_service_container_additional_networks_custom) | unique }}" +matrix_livekit_jwt_service_container_additional_networks_auto: [] +matrix_livekit_jwt_service_container_additional_networks_custom: [] + +# renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service +matrix_livekit_jwt_service_version: latest-ci + +matrix_livekit_jwt_service_container_image_self_build: false +matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git" +matrix_livekit_jwt_service_container_repo_version: "{{ 'main' if matrix_livekit_jwt_service_version in ['latest', 'latest-ci'] else livekit_server_version }}" +matrix_livekit_jwt_service_container_src_files_path: "{{ matrix_livekit_jwt_service_base_path }}/container-src" + +matrix_livekit_jwt_service_container_image: "{{ matrix_livekit_jwt_service_container_image_name_prefix }}element-hq/lk-jwt-service:{{ matrix_livekit_jwt_service_version }}" +matrix_livekit_jwt_service_container_image_name_prefix: "{{ 'localhost/' if matrix_livekit_jwt_service_container_image_self_build else 'ghcr.io/' }}" +matrix_livekit_jwt_service_container_image_force_pull: "{{ matrix_livekit_jwt_service_container_image.endswith(':latest') }}" + +matrix_livekit_jwt_service_container_labels_traefik_enabled: true +matrix_livekit_jwt_service_container_labels_traefik_docker_network: "{{ 
matrix_livekit_jwt_service_container_network }}" +matrix_livekit_jwt_service_container_labels_traefik_hostname: "{{ matrix_livekit_jwt_service_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/lk-jwt-service`). +matrix_livekit_jwt_service_container_labels_traefik_path_prefix: "{{ matrix_livekit_jwt_service_path_prefix }}" +matrix_livekit_jwt_service_container_labels_traefik_rule: "Host(`{{ matrix_livekit_jwt_service_container_labels_traefik_hostname }}`){% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_livekit_jwt_service_container_labels_traefik_priority: 0 +matrix_livekit_jwt_service_container_labels_traefik_entrypoints: web-secure +matrix_livekit_jwt_service_container_labels_traefik_tls: "{{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints != 'web' }}" +matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP responses. +# To add your own headers, use `matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom` +matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers: "{{ matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom) }}" +matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_auto: {} +matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. 
+# +# Example: +# matrix_client_element_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_livekit_jwt_service_container_labels_additional_labels: '' + +# A list of extra arguments to pass to the container +matrix_livekit_jwt_service_container_extra_arguments: [] + +# Controls the LK_JWT_PORT environment variable +matrix_livekit_jwt_service_environment_variable_lk_jwt_port: 8080 + +# Controls the LIVEKIT_KEY environment variable +matrix_livekit_jwt_service_environment_variable_livekit_key: "" + +# Controls the LIVEKIT_URL environment variable +matrix_livekit_jwt_service_environment_variable_livekit_url: "" + +# Controls the LIVEKIT_SECRET environment variable +matrix_livekit_jwt_service_environment_variable_livekit_secret: "" + +# Additional environment variables for the container +matrix_livekit_jwt_service_environment_variables_additional: {} + +# List of systemd services that LiveKit JWT Service service depends on +matrix_livekit_jwt_service_systemd_required_services_list: "{{ matrix_livekit_jwt_service_systemd_required_services_list_default + matrix_livekit_jwt_service_systemd_required_services_list_auto + matrix_livekit_jwt_service_systemd_required_services_list_custom }}" +matrix_livekit_jwt_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +matrix_livekit_jwt_service_systemd_required_services_list_auto: [] +matrix_livekit_jwt_service_systemd_required_services_list_custom: [] diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/install.yml b/roles/custom/matrix-livekit-jwt-service/tasks/install.yml new file mode 100644 index 00000000000..1900ac6f3da --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/tasks/install.yml 
@@ -0,0 +1,69 @@ +--- + +- name: Ensure LiveKit JWT Service paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - path: "{{ matrix_livekit_jwt_service_base_path }}" + +- name: Ensure LiveKit JWT Service support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_livekit_jwt_service_base_path }}/{{ item }}" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - env + - labels + +- name: Ensure LiveKit JWT Service container image is pulled + community.docker.docker_image: + name: "{{ matrix_livekit_jwt_service_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_livekit_jwt_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_container_image_force_pull }}" + when: "not matrix_livekit_jwt_service_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- when: "matrix_livekit_jwt_service_container_image_self_build | bool" + block: + - name: Ensure LiveKit JWT Service repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_livekit_jwt_service_container_repo }}" + version: "{{ matrix_livekit_jwt_service_container_repo_version }}" + dest: "{{ matrix_livekit_jwt_service_container_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_livekit_jwt_service_git_pull_results + + - name: Ensure LiveKit JWT Service container image is built + 
community.docker.docker_image: + name: "{{ matrix_livekit_jwt_service_container_image }}" + source: build + force_source: "{{ matrix_livekit_jwt_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_livekit_jwt_service_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_livekit_jwt_service_container_src_files_path }}" + pull: true + +- name: Ensure LiveKit JWT Service container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_livekit_jwt_service_container_network }}" + driver: bridge + +- name: Ensure LiveKit JWT Service systemd service is installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-livekit-jwt-service.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service" + mode: 0644 diff --git a/roles/custom/matrix-jwt-service/tasks/main.yml b/roles/custom/matrix-livekit-jwt-service/tasks/main.yml similarity index 57% rename from roles/custom/matrix-jwt-service/tasks/main.yml rename to roles/custom/matrix-livekit-jwt-service/tasks/main.yml index 8fbe41d58c9..7713acc1d68 100644 --- a/roles/custom/matrix-jwt-service/tasks/main.yml +++ b/roles/custom/matrix-livekit-jwt-service/tasks/main.yml 
@@ -1,21 +1,20 @@ --- -# Main task file for matrix-element-call - tags: - setup-all - setup-jwt-service - install-all - - install-wt-service + - install-livekit-jwt-service block: - - when: matrix_jwt_service_enabled | bool + - when: matrix_livekit_jwt_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - when: matrix_jwt_service_enabled | bool + - when: matrix_livekit_jwt_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" - tags: - setup-all - - setup-jwt-service + - setup-livekit-jwt-service block: - - when: not matrix_jwt_service_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" \ No newline at end of file + - when: not matrix_livekit_jwt_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml b/roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml new file mode 100644 index 00000000000..b898af8d6d4 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/tasks/uninstall.yml 
@@ -0,0 +1,25 @@ +--- + +- name: Check existence of LiveKit JWT Service systemd service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service" + register: matrix_livekit_jwt_service_service_stat + +- when: matrix_livekit_jwt_service_service_stat.stat.exists | bool + block: + - name: Ensure LiveKit JWT Service systemd service is stopped + ansible.builtin.service: + name: matrix-livekit-jwt-service + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure LiveKit JWT Service systemd service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-livekit-jwt-service.service" + state: absent + + - name: Ensure LiveKit JWT Service paths don't exist + ansible.builtin.file: + path: "{{ matrix_livekit_jwt_service_base_path }}" + state: absent diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml new file mode 100644 index 00000000000..5d393d629c9 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml @@ -0,0 +1,13 @@ +--- + +- name: Fail if required LiveKit JWT Service settings are not defined + ansible.builtin.fail: + msg: > + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] | length == 0" + with_items: + - {'name': 'matrix_livekit_jwt_service_hostname', when: true} + - {'name': 'matrix_livekit_jwt_service_container_network', when: true} + - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_key', when: true} + - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_url', when: true} + - {'name': 'matrix_livekit_jwt_service_environment_variable_livekit_secret', when: true} 
diff --git a/roles/custom/matrix-livekit-jwt-service/templates/env.j2 b/roles/custom/matrix-livekit-jwt-service/templates/env.j2 new file mode 100644 index 00000000000..d8613b453ab --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/templates/env.j2 @@ -0,0 +1,7 @@ +LK_JWT_PORT={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port | int | to_json }} + +LIVEKIT_KEY={{ matrix_livekit_jwt_service_environment_variable_livekit_key }} +LIVEKIT_URL={{ matrix_livekit_jwt_service_environment_variable_livekit_url }} +LIVEKIT_SECRET={{ matrix_livekit_jwt_service_environment_variable_livekit_secret }} + +{{ matrix_livekit_jwt_service_environment_variables_additional }} diff --git a/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 b/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 new file mode 100644 index 00000000000..91b615a7a53 --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 
@@ -0,0 +1,48 @@ +{% if matrix_element_call_container_labels_traefik_enabled %} +traefik.enable=true + +traefik.docker.network={{ matrix_livekit_jwt_service_container_labels_traefik_docker_network }} + +traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }} + +{% set middlewares = [] %} + +{% if matrix_livekit_jwt_service_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.regex=({{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-livekit-jwt-service-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-livekit-jwt-service-slashless-redirect'] %} + +traefik.http.middlewares.matrix-livekit-jwt-service-strip-prefix.stripprefix.prefixes={{ matrix_livekit_jwt_service_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-livekit-jwt-service-strip-prefix'] %} +{% endif %} + +{% if matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_livekit_jwt_service_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.matrix-livekit-jwt-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + ['matrix-livekit-jwt-service-add-headers'] %} +{% endif %} + +traefik.http.routers.matrix-livekit-jwt-service.rule={{ matrix_livekit_jwt_service_container_labels_traefik_rule }} + +{% if matrix_livekit_jwt_service_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.matrix-livekit-jwt-service.priority={{ matrix_livekit_jwt_service_container_labels_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-livekit-jwt-service.service=matrix-livekit-jwt-service + +{% if middlewares | length > 0 %} 
+traefik.http.routers.matrix-livekit-jwt-service.middlewares={{ middlewares | join(',') }} +{% endif %} + +traefik.http.routers.matrix-livekit-jwt-service.entrypoints={{ matrix_livekit_jwt_service_container_labels_traefik_entrypoints }} + +traefik.http.routers.matrix-livekit-jwt-service.tls={{ matrix_livekit_jwt_service_container_labels_traefik_tls | to_json }} + +{% if matrix_livekit_jwt_service_container_labels_traefik_tls %} +traefik.http.routers.matrix-livekit-jwt-service.tls.certResolver={{ matrix_livekit_jwt_service_container_labels_traefik_tls_certResolver }} +{% endif %} + +{% endif %} + +{{ matrix_livekit_jwt_service_container_labels_additional_labels }} diff --git a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 b/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2 similarity index 52% rename from roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 rename to roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2 index b940e75a291..0c2127a1773 100644 --- a/roles/custom/matrix-jwt-service/templates/systemd/matrix-jwt-service.service.j2 +++ b/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2 
@@ -1,40 +1,42 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix JWT Service -After=docker.service -Requires=docker.service +Description=Matrix LiveKit JWT Service +{% for service in matrix_livekit_jwt_service_systemd_required_services_list %} +After={{ service }} +Requires={{ service }} +{% endfor %} [Service] Type=simple Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-livekit-jwt-service 2>/dev/null || true' ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --rm \ - --name=matrix-jwt-service \ + --name=matrix-livekit-jwt-service \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_jwt_service_container_network }} \ - {% if matrix_jwt_service_container_http_host_bind_port %} - -p {{ matrix_jwt_service_container_http_host_bind_port }}:8080 \ + --network={{ matrix_livekit_jwt_service_container_network }} \ + {% if matrix_livekit_jwt_service_container_http_host_bind_port %} + -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_environment_variable_lk_jwt_port }} \ {% endif %} - --env-file={{ matrix_jwt_service_base_path 
}}/env \ - --label-file={{ matrix_jwt_service_base_path }}/labels \ - {{ matrix_jwt_service_image }} + --env-file={{ matrix_livekit_jwt_service_base_path }}/env \ + --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \ + {{ matrix_livekit_jwt_service_container_image }} -{% for network in matrix_jwt_service_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-jwt-service +{% for network in matrix_livekit_jwt_service_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-livekit-jwt-service {% endfor %} -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-jwt-service +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-livekit-jwt-service -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-jwt-service 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-livekit-jwt-service 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-jwt-service 2>/dev/null || true' Restart=always RestartSec=30 -SyslogIdentifier=matrix-jwt-service +SyslogIdentifier=matrix-livekit-jwt-service [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target diff --git a/roles/custom/matrix-livekit-jwt-service/vars/main.yml b/roles/custom/matrix-livekit-jwt-service/vars/main.yml new file mode 100644 index 00000000000..c2d7ce3e74d --- /dev/null +++ b/roles/custom/matrix-livekit-jwt-service/vars/main.yml 
@@ -0,0 +1,3 @@ +--- + +matrix_livekit_jwt_service_public_url: "{{ matrix_livekit_jwt_service_scheme }}://{{ matrix_livekit_jwt_service_hostname }}" diff --git a/roles/custom/matrix-livekit-server/defaults/main.yml b/roles/custom/matrix-livekit-server/defaults/main.yml index f8ed88fcd8b..5c0d8bf4260 100644 --- a/roles/custom/matrix-livekit-server/defaults/main.yml +++ b/roles/custom/matrix-livekit-server/defaults/main.yml @@ -12,7 +12,7 @@ livekit_server_gid: '' livekit_server_base_path: "/{{ livekit_server_identifier }}" livekit_server_config_path: "{{ livekit_server_base_path }}/config" -# renovate: datasource=docker depName=livekit/livekit-server +# renovate: datasource=docker depName=docker.io/livekit/livekit-server livekit_server_version: v1.8.0 livekit_server_scheme: https diff --git a/roles/custom/matrix-livekit-server/tasks/install.yml b/roles/custom/matrix-livekit-server/tasks/install.yml index 7f6217969cd..cec65bb6413 100644 --- a/roles/custom/matrix-livekit-server/tasks/install.yml +++ b/roles/custom/matrix-livekit-server/tasks/install.yml 
@@ -32,11 +32,43 @@ - name: Ensure LiveKit Server container image is pulled community.docker.docker_image: name: "{{ livekit_server_container_image }}" - source: pull - register: livekit_image_result + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ livekit_server_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_container_image_force_pull }}" + when: "not livekit_server_container_image_self_build | bool" + register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" - until: livekit_image_result is not failed + until: result is not failed + +- when: "livekit_server_container_image_self_build | bool" + block: + - name: Ensure LiveKit Server repository is present on self-build + ansible.builtin.git: + repo: "{{ livekit_server_container_repo }}" + version: "{{ livekit_server_container_repo_version }}" + dest: "{{ livekit_server_container_src_files_path }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: livekit_server_git_pull_results + + - name: Ensure LiveKit Server container image is built + community.docker.docker_image: + name: "{{ livekit_server_container_image }}" + source: build + force_source: "{{ livekit_server_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else livekit_server_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ livekit_server_container_src_files_path }}" + pull: true + +- name: Ensure LiveKit Server container network is created + community.general.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ livekit_server_container_network 
}}" + driver: bridge - name: Ensure LiveKit Server systemd service is installed ansible.builtin.template: diff --git a/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 index cb56801ffc6..6ff03d660b1 100644 --- a/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 +++ b/roles/custom/matrix-livekit-server/templates/systemd/livekit-server.service.j2 @@ -1,8 +1,10 @@ #jinja2: lstrip_blocks: "True" [Unit] Description=LiveKit Server -After=docker.service -Requires=docker.service +{% for service in livekit_server_systemd_required_services_list %} +After={{ service }} +Requires={{ service }} +{% endfor %} [Service] Type=simple diff --git a/roles/custom/matrix-livekit-server/vars/main.yml b/roles/custom/matrix-livekit-server/vars/main.yml index e2f8c0ee75c..87f0be0dd7c 100644 --- a/roles/custom/matrix-livekit-server/vars/main.yml +++ b/roles/custom/matrix-livekit-server/vars/main.yml @@ -1 +1,3 @@ livekit_server_public_url: "{{ livekit_server_scheme }}://{{ livekit_server_hostname }}{{ livekit_server_path_prefix }}" + +livekit_server_websocket_container_url: "ws://{{ livekit_server_identifier }}:{{ livekit_server_config_port}}" diff --git a/setup.yml b/setup.yml index 2cb9a41a3aa..86b9dfa7f37 100644 --- a/setup.yml +++ b/setup.yml @@ -135,7 +135,7 @@ - custom/matrix-pantalaimon - custom/matrix-element-call - custom/matrix-livekit-server - - custom/matrix-jwt-service + - custom/matrix-livekit-jwt-service - role: galaxy/postgres_backup From 74fbacbd9f161e568c82de86dd07698bc1ede13c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Nov 2024 17:42:54 +0200 Subject: [PATCH 145/148] Update docs/configuring-playbook-element-call.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-element-call.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index d9f2e3a449a..6321c45d7c9 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -50,8 +50,8 @@ To ensure the services function correctly, the following firewall rules and port LiveKit: - • Forward UDP ports 50100:50120 to the Docker instance running LiveKit. - • Forward TCP port 7881 to the Docker instance running LiveKit. +- Forward UDP ports 50100:50120 to the Docker instance running LiveKit. +- Forward TCP port 7881 to the Docker instance running LiveKit. Element Call: From bb403e1aee1106d19af57f1f78c24fadd51172f6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Nov 2024 17:43:15 +0200 Subject: [PATCH 146/148] Update docs/configuring-playbook-jwt-service.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-jwt-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jwt-service.md b/docs/configuring-playbook-jwt-service.md index b8c06a0cc59..961f72c78f5 100644 --- a/docs/configuring-playbook-jwt-service.md +++ b/docs/configuring-playbook-jwt-service.md @@ -33,7 +33,7 @@ After configuring the playbook and potentially [adjusting your DNS records](#adj ## Usage -Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the Element web client to point to your JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`). +Once installed, a new `org.matrix.msc4143.rtc_foci` section is added to the Element Web client to point to your JWT service URL (e.g., `https://matrix.example.com/lk-jwt-service`). ## Additional Information From 9a8a56943187b24ecf721e8f0aeeda578cbc9a48 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Sat, 23 Nov 2024 17:43:29 +0200 Subject: [PATCH 147/148] Update docs/configuring-playbook-element-call.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-element-call.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-element-call.md b/docs/configuring-playbook-element-call.md index 6321c45d7c9..53350df90f5 100644 --- a/docs/configuring-playbook-element-call.md +++ b/docs/configuring-playbook-element-call.md @@ -55,7 +55,7 @@ LiveKit: Element Call: - • Forward TCP port 443 to the server running Traefik (for Element Call). +- Forward TCP port 443 to the server running Traefik (for Element Call). Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services. From 0b9389fd6492d0c26c5ed16ba17d51d36c378016 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Nov 2024 17:43:52 +0200 Subject: [PATCH 148/148] Update docs/configuring-playbook-livekit-server.md Co-authored-by: Suguru Hirahara --- docs/configuring-playbook-livekit-server.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-livekit-server.md b/docs/configuring-playbook-livekit-server.md index 3e406fb8b8a..48aa4c36fd5 100644 --- a/docs/configuring-playbook-livekit-server.md +++ b/docs/configuring-playbook-livekit-server.md @@ -45,8 +45,8 @@ To ensure the services function correctly, the following firewall rules and port LiveKit: - • Forward UDP ports 50100:50200 to the Docker instance running LiveKit. - • Forward TCP port 7881 to the Docker instance running LiveKit. +- Forward UDP ports 50100:50200 to the Docker instance running LiveKit. +- Forward TCP port 7881 to the Docker instance running LiveKit. Ensure these ports are open and forwarded appropriately to allow traffic to flow correctly between the services.
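Review bot: In the `roles/custom/matrix-livekit-jwt-service/defaults/main.yml` hunk, `matrix_livekit_jwt_service_container_repo_version` falls back to `livekit_server_version` when the version is not `latest`/`latest-ci`, so a self-build of this role would check out the LiveKit Server tag (e.g. `v1.8.0`) in the `lk-jwt-service` repository rather than its own version; the fallback should be `matrix_livekit_jwt_service_version`. In the same hunk, `matrix_livekit_jwt_service_container_image_force_pull` only tests `endswith(':latest')`, while the default version is `latest-ci`, which is also a mutable tag, so updates will never be force-pulled; either include `latest-ci` in that check or pin a release tag. The comment block above `matrix_livekit_jwt_service_container_labels_additional_labels` still names `matrix_client_element_container_labels_additional_labels` (copy-paste from the Element role) and should reference this role's variable.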
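Review bot: In the `roles/custom/matrix-livekit-jwt-service/tasks/main.yml` hunk the first block keeps the old `setup-jwt-service` tag (only `install-wt-service` was renamed to `install-livekit-jwt-service`), while the uninstall block is renamed to `setup-livekit-jwt-service`; running `--tags=setup-livekit-jwt-service` would therefore execute uninstall checks but skip validation and install. Rename the tag in the first block so both blocks use `setup-livekit-jwt-service`.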
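Review bot: In the `roles/custom/matrix-livekit-jwt-service/templates/env.j2` hunk, `{{ matrix_livekit_jwt_service_environment_variables_additional }}` is emitted as raw text, but `defaults/main.yml` initialises that variable to `{}` (a dict), so the rendered env file ends with a literal `{}` line; default it to `''` and document it as a multiline `KEY=value` string, which is how the template consumes it. The `mode: 0640` the install task applies to this file is the right choice, since it carries `LIVEKIT_SECRET`.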
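Review bot: In the `roles/custom/matrix-livekit-jwt-service/templates/labels.j2` hunk the outer guard is `{% if matrix_element_call_container_labels_traefik_enabled %}`, i.e. the Element Call role's variable; the rest of the template uses `matrix_livekit_jwt_service_container_labels_traefik_*`. As written, Traefik exposure of the JWT service is toggled by another role's setting and templating fails with an undefined-variable error when that role is not loaded. Change it to `matrix_livekit_jwt_service_container_labels_traefik_enabled`.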
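Review bot: In the `matrix-livekit-jwt-service.service.j2` hunk the second `ExecStop` line is unchanged context and still runs `rm matrix-jwt-service`, while the container is now created as `matrix-livekit-jwt-service`; the stopped container is never removed on `systemctl stop` (the `ExecStartPre` cleanup masks this on restart). Rename it to match the other lines. The hardening flags carried over (`--cap-drop=ALL`, `--user={{ matrix_user_uid }}:{{ matrix_user_gid }}`, `--log-driver=none`) are appropriate for a service that holds the LiveKit signing secret.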
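Review bot: In the `roles/custom/matrix-livekit-jwt-service/vars/main.yml` hunk, `matrix_livekit_jwt_service_public_url` is built from scheme and hostname only and drops `matrix_livekit_jwt_service_path_prefix` (default `/lk-jwt-service`), whereas `livekit_server_public_url` in `matrix-livekit-server/vars/main.yml` includes its path prefix. Anything that advertises this URL to clients (the docs in this series show `https://matrix.example.com/lk-jwt-service`) would point at the wrong path; append `{{ matrix_livekit_jwt_service_path_prefix }}` the same way.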
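Review bot: In the `roles/custom/matrix-livekit-server/tasks/install.yml` hunk the new self-build block and network task reference `livekit_server_container_image_self_build`, `livekit_server_container_image_force_pull`, `livekit_server_container_repo`, `livekit_server_container_repo_version`, `livekit_server_container_src_files_path` and `livekit_server_container_network`, but the `matrix-livekit-server/defaults/main.yml` hunk in this patch only changes the renovate comment. Confirm these variables are defined in that role's defaults, otherwise the role fails with undefined-variable errors on the `when:` conditions.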
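Review bot: In the `roles/custom/matrix-livekit-server/vars/main.yml` hunk, `{{ livekit_server_config_port}}` is missing the space before the closing braces; it renders, but the rest of the playbook writes `{{ var }}` consistently, so please adjust for style.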
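Review bot: In the `docs/configuring-playbook-livekit-server.md` hunk of PATCH 148 the LiveKit UDP range is `50100:50200`, while the equivalent bullet in `docs/configuring-playbook-element-call.md` (PATCH 145) says `50100:50120`; both describe the same forwarding for the LiveKit container, so one of them is wrong and an operator following the narrower range would have calls fail once the lower ports are in use. Align both documents with the port range actually configured in the LiveKit role.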