spantaleev · spantaleev · Jul 20, 2022 · Jun 20, 2022 · Jun 23, 2022 · Jun 23, 2022
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
@@ -1058,6 +1058,41 @@ matrix_bot_matrix_registration_bot_systemd_required_services_list: |
 #
 ######################################################################
 
+######################################################################
+#
+# matrix-bot-maubot
+#
+######################################################################
+
+# We don't enable bots by default.
+matrix_bot_maubot_enabled: false
+
+matrix_bot_maubot_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
+
+matrix_bot_maubot_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    ['matrix-' + matrix_homeserver_implementation + '.service']
+    +
+    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
+  }}
+
+matrix_bot_maubot_registration_shared_secret: |-
+  {{
+    {
+      'synapse': matrix_synapse_registration_shared_secret,
+      'dendrite': matrix_dendrite_registration_shared_secret,
+    }[matrix_homeserver_implementation]
+  }}
+
+
+######################################################################
+#
+# /matrix-bot-maubot
+#
+######################################################################
+
 
 ######################################################################
 #

diff --git a/roles/matrix-bot-maubot/defaults/main.yml b/roles/matrix-bot-maubot/defaults/main.yml
@@ -0,0 +1,33 @@
+---
+
+matrix_bot_maubot_enabled: true
+matrix_bot_maubot_container_image_self_build: false
+matrix_bot_maubot_docker_repo: "https://mau.dev/maubot/maubot.git"
+matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/docker-src"
+
+matrix_bot_maubot_version: v0.3.1
+matrix_bot_maubot_docker_image: "dock.mau.dev/maubot/maubot:{{ matrix_bot_maubot_version }}"
+matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}"
+
+matrix_bot_maubot_base_path: "{{ matrix_base_data_path }}/maubot"
+matrix_bot_maubot_data_path: "{{ matrix_bot_maubot_base_path }}/data"
+matrix_bot_maubot_config_path: "{{ matrix_bot_maubot_base_path }}/config"
+
+matrix_bot_maubot_bot_server_public: "https://{{ matrix_server_fqn_matrix }}"
+matrix_bot_maubot_proxy_management_interface: false
+matrix_bot_maubot_expose_management_interface: true
+
+
+matrix_bot_maubot_secret: ''
+matrix_bot_maubot_admin_user: ''
+matrix_bot_maubot_admin_password: ''
+matrix_mau_environment_variables_extension: ''
-matrix_bot_maubot_admin_user: ''
-matrix_bot_maubot_admin_password: ''
-matrix_mau_environment_variables_extension: ''
-matrix_bot_maubot_admin_user: ''
-matrix_bot_maubot_admin_password: ''
-matrix_mau_environment_variables_extension: ''
+
+# A list of extra arguments to pass to the container
+matrix_bot_maubot_container_extra_arguments: []
+
+# List of systemd services that matrix-bot-maubot.service depends on
+matrix_bot_maubot_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-bot-maubot.service wants
+matrix_bot_maubot_systemd_wanted_services_list: []
diff --git a/roles/matrix-bot-maubot/tasks/init.yml b/roles/matrix-bot-maubot/tasks/init.yml
@@ -0,0 +1,5 @@
+---
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-maubot.service'] }}"
+  when: matrix_bot_maubot_enabled|bool
diff --git a/roles/matrix-bot-maubot/tasks/main.yml b/roles/matrix-bot-maubot/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_bot_maubot_enabled|bool"
+  tags:
+    - setup-all
+    - setup-bot-maubot
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_bot_maubot_enabled|bool"
+  tags:
+    - setup-all
+    - setup-bot-maubot
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_bot_maubot_enabled|bool"
+  tags:
+    - setup-all
+    - setup-bot-maubot
diff --git a/roles/matrix-bot-maubot/tasks/setup_install.yml b/roles/matrix-bot-maubot/tasks/setup_install.yml
@@ -0,0 +1,113 @@
+---
+
+- name: Ensure maubot paths exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0755
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_bot_maubot_base_path }}", when: true}
+    - {path: "{{ matrix_bot_maubot_data_path }}", when: true}
+    - {path: "{{ matrix_bot_maubot_docker_src_files_path }}", when: "{{ matrix_bot_maubot_container_image_self_build }}"}
+  when: "item.when|bool"
+
+- name: Ensure maubot configuration file created
+  template:
+    src: "{{ role_path }}/templates/config/config.yaml.j2"
+    dest: "{{ matrix_bot_maubot_data_path }}/config.yaml"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    mode: "u=rwx"
+
+- name: Generate Maubot proxying configuration for matrix-nginx-proxy
+  set_fact:
+    matrix_bot_maubot_matrix_nginx_proxy_configuration: |
+      location ~ ^/(_matrix/maubot/.*) {
+      {% if matrix_nginx_proxy_enabled|default(False) %}
+      	{# Use the embedded DNS resolver in Docker containers to discover the service #}
+      	resolver 127.0.0.11 valid=5s;
+      	set $backend "matrix-maubot:{{ matrix_bot_maubot_port }}/$1";
+      	proxy_pass http://$backend;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      {% else %}
+      	{# Generic configuration for use outside of our container setup #}
+      	proxy_pass http://127.0.0.1:{{ matrix_bot_maubot_port }}/$1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+      {% endif %}
+      }
+  when: matrix_bot_maubot_proxy_management_interface|bool
+
+- name: Register Maubot's proxying configuration with matrix-nginx-proxy
+  set_fact:
+    matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+      {{
+        matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+        +
+        [matrix_bot_maubot_matrix_nginx_proxy_configuration]
+      }}
+  when: matrix_bot_maubot_proxy_management_interface|bool
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+  debug:
+    msg: >-
+      NOTE: You've enabled Maubot but are not using the matrix-nginx-proxy
+      reverse proxy.
+      Please make sure that you're proxying the `/_matrix/maubot`
+      URL endpoint to the matrix-maubot container.
+  when: "matrix_bot_maubot_enabled|bool and matrix_bot_maubot_proxy_management_interface|bool and matrix_nginx_proxy_enabled is not defined"
+
+
+- name: Ensure maubot image is pulled
+  docker_image:
+    name: "{{ matrix_bot_maubot_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_bot_maubot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_maubot_docker_image_force_pull }}"
+  when: "not matrix_bot_maubot_container_image_self_build|bool"
+  register: result
+  retries: "{{ matrix_container_retries_count }}"
+  delay: "{{ matrix_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure maubot repository is present on self-build
+  git:
+    repo: "{{ matrix_bot_maubot_docker_repo }}"
+    dest: "{{ matrix_bot_maubot_docker_src_files_path }}"
+    force: "yes"
+  become: true
+  become_user: "{{ matrix_user_username }}"
+  register: matrix_bot_maubot_git_pull_results
+  when: "matrix_bot_maubot_container_image_self_build|bool"
+
+- name: Ensure maubot image is built
+  docker_image:
+    name: "{{ matrix_bot_maubot_docker_image }}"
+    source: build
+    force_source: "{{ matrix_bot_maubot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_bot_maubot_docker_src_files_path }}"
+      pull: true
+  when: "matrix_bot_maubot_container_image_self_build|bool"
+
+- name: Ensure matrix-bot-maubot.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-bot-maubot.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-bot-maubot.service"
+    mode: 0644
+  register: matrix_bot_maubot_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-bot-maubot.service installation
+  service:
+    daemon_reload: true
+  when: "matrix_bot_maubot_systemd_service_result.changed|bool"
+
+- name: Ensure matrix-bot-maubot.service restarted, if necessary
+  service:
+    name: "matrix-bot-maubot.service"
+    state: restarted
diff --git a/roles/matrix-bot-maubot/tasks/setup_uninstall.yml b/roles/matrix-bot-maubot/tasks/setup_uninstall.yml
@@ -0,0 +1,36 @@
+---
+
+- name: Check existence of matrix-maubot service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-maubot.service"
+  register: matrix_bot_maubot_service_stat
+
+- name: Ensure matrix-maubot is stopped
+  service:
+    name: matrix-maubot
+    state: stopped
+    enabled: false
+    daemon_reload: true
+  register: stopping_result
+  when: "matrix_bot_maubot_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-maubot.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-maubot.service"
+    state: absent
+  when: "matrix_bot_maubot_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-maubot.service removal
+  service:
+    daemon_reload: true
+  when: "matrix_bot_maubot_service_stat.stat.exists|bool"
+
+- name: Ensure Matrix maubot paths don't exist
+  file:
+    path: "{{ matrix_bot_maubot_base_path }}"
+    state: absent
+
+- name: Ensure maubot Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_bot_maubot_docker_image }}"
+    state: absent
diff --git a/roles/matrix-bot-maubot/tasks/validate_config.yml b/roles/matrix-bot-maubot/tasks/validate_config.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Fail if required settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - matrix_bot_maubot_secret
+    - matrix_bot_maubot_admins
diff --git a/roles/matrix-bot-maubot/templates/config/config.yaml.j2 b/roles/matrix-bot-maubot/templates/config/config.yaml.j2
@@ -0,0 +1,123 @@
+# The full URI to the database. SQLite and Postgres are fully supported.
+# Other DBMSes supported by SQLAlchemy may or may not work.
+# Format examples:
+#   SQLite:   sqlite:///filename.db
+#   Postgres: postgresql://username:password@hostname/dbname
+database: sqlite:////data/maubot.db
+
+# Separate database URL for the crypto database. "default" means use the same database as above.
+crypto_database: default
+
+# Additional arguments for asyncpg.create_pool() or sqlite3.connect()
+# https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+# https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+# For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
+database_opts:
+    min_size: 1
+    max_size: 10
+plugin_directories:
+    # The directory where uploaded new plugins should be stored.
+    upload: /data/plugins
+    # The directories from which plugins should be loaded.
+    # Duplicate plugin IDs will be moved to the trash.
+    load:
+    - /data/plugins
+    trash: /data/trash
+
+# Configuration for storing plugin databases
+plugin_databases:
+    # The directory where SQLite plugin databases should be stored.
+    sqlite: /data/dbs
+    # The connection URL for plugin databases. If null, all plugins will get SQLite databases.
+    # If set, plugins using the new asyncpg interface will get a Postgres connection instead.
+    # Plugins using the legacy SQLAlchemy interface will always get a SQLite connection.
+    #
+    # To use the same connection pool as the default database, set to "default"
+    # (the default database above must be postgres to do this).
+    #
+    # When enabled, maubot will create separate Postgres schemas in the database for each plugin.
+    # To view schemas in psql, use `\dn`. To view enter and interact with a specific schema,
+    # use `SET search_path = name` (where `name` is the name found with `\dn`) and then use normal
+    # SQL queries/psql commands.
+    postgres:
+    # Maximum number of connections per plugin instance.
+    postgres_max_conns_per_plugin: 3
+    # Overrides for the default database_opts when using a non-"default" postgres connection string.
+    postgres_opts: {}
+
+server:
+    # The IP and port to listen to.
+    hostname: 0.0.0.0
+    port: 29316
+    # Public base URL where the server is visible.
+    public_url: {{ matrix_bot_maubot_bot_server_public }}
+    # The base management API path.
+    base_path: /_matrix/maubot/v1
+    # The base path for the UI.
+    ui_base_path: /_matrix/maubot
+    # The base path for plugin endpoints. The instance ID will be appended directly.
+    plugin_base_path: /_matrix/maubot/plugin/
+    # Override path from where to load UI resources.
+    # Set to false to using pkg_resources to find the path.
+    override_resource_path: /opt/maubot/frontend
+    # The base appservice API path. Use / for legacy appservice API and /_matrix/app/v1 for v1.
+    appservice_base_path: /_matrix/app/v1
+    # The shared secret to sign API access tokens.
+    # Set to "generate" to generate and save a new token at startup.
+    unshared_secret: {{ matrix_bot_maubot_secret|to_json }}
+
+# Known homeservers. This is required for the `mbc auth` command and also allows
+# more convenient access from the management UI. This is not required to create
+# clients in the management UI, since you can also just type the homeserver URL
+# into the box there.
+homeservers:
+  {{  matrix_domain }}:
+    # Client-server API URL
+        url: {{ matrix_server_fqn_matrix }}
+    # registration_shared_secret from synapse config
+    # You can leave this empty if you don't have access to the homeserver.
+    # When this is empty, `mbc auth --register` won't work, but `mbc auth` (login) will.
+        secret: {{ matrix_bot_maubot_registration_shared_secret|to_json }}
+
+# List of administrator users. Plaintext passwords will be bcrypted on startup. Set empty password
+# to prevent normal login. Root is a special user that can't have a password and will always exist.
+admins: {{ matrix_bot_maubot_admins | combine( {"root": ""} ) }}
+
+api_features:
+    login: true
+    plugin: true
+    plugin_upload: true
+    instance: true
+    instance_database: true
+    client: true
+    client_proxy: true
+    client_auth: true
+    dev_open: true
+    log: true
+
+# Python logging configuration.
+#
+# See section 16.7.2 of the Python documentation for more info:
+# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
+logging:
+    version: 1
+    formatters:
+        colored:
+            (): maubot.lib.color_log.ColorFormatter
+            format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
+        normal:
+            format: '[%(asctime)s] [%(levelname)s@%(name)s] %(message)s'
+    handlers:
+        console:
+            class: logging.StreamHandler
+            formatter: colored
+    loggers:
+        maubot:
+            level: DEBUG
+        mau:
+            level: DEBUG
+        aiohttp:
+            level: INFO
+    root:
+        level: DEBUG
+        handlers: [console]