If mxisd is enabled (which it is by default), we should reverse-proxy the following endpoint: /_matrix/client/r0/user_directory/search over to mxisd.

By default, mxisd uses Synapse's database as a source. So it may seem like it will be returning the same data in such a case. However, mxisd can also search by 3PIDs.

Another benefit would be for users who enable identity store (LDAP, etc.) - making the identity store's users searchable as well.

Additional integration information is here: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md

As requested by @benparsons, it would be useful if notes like this are shown at the end of playbook execution:

"NOTE: Your setup is on an old Postgres version (postgres:10.7-alpine), while postgres:11.2-alpine is supported. You can upgrade using --tags=upgrade-postgres"

Otherwise, they scroll by and might go unnoticed.

We can probably show these notes whenever they happen, and also append them to some list.

We can then use the matrix-common-after role for iterating over the list and showing them again.

Is it possible for me to turn on report-stats?

I thought it was clear enough that only people who know what they are looking for should setup Matrix Corporal but @x0n:staubsaugertraum.de Had a bad experience after setting it up and not being able to find out why he couldn’t set his avatar.

I just rechecked the github docs. there is no mention of the optional parts being "advanced" and/or "this will fuck up your life because noone will be able to help you". maybe such a warning would suffice

You can assign this to me

When doing the self-check for /.well-known/matrix/client, we rely on Ansible's uri module to automatically parse JSON content for us.

This only happens if the HTTP response contains Content-Type: application/json.

If not, Ansible's uri module doesn't parse JSON for us and the self-check fails.

While it's nice to serve the file with the appropriate Content-Type header, according to the Server Discovery specification, supplying such a response header is not required.

We should fix the self-check, so that it doesn't rely on the header being there.
Success should be determined (by us) if:

• there's an HTTP response code of 200
• the content in the HTTP response can be parsed as JSON (we should do the parsing ourselves)

I'll put small things that I notice doing my audit of this here, which aren't big/important enough to get their own issue.

• self_check_dns.yml: maybe use the dig lookup plugin instead of a command, and if you use a command, use a command and not a shell.
• There are a lot of set_fact tasks, that don't depend on anything that is only available at runtime, moving those into defaults or vars (depending on what they are exactly) would make sense IMO.
• There should not be a default UID/GID for the matrix user (if this is even a user that should exist, having dedicated users for components would also be a possibility). When creating a user using ansible it has the UID/GID in the result and then you can use that.
• The whole letsencrypt business is a bit weird, I really don't like certbot. Have you thought about maybe using dehydrated here? I think it integrates with ansible+containers a lot better than certbot
• setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml: You could generate the ssl cert manually only on hosts which don't provide up to date pyopenssl and do the proper way on other hosts
• periodic nginx restarts could be done with the crontab module instead of templating a cron.d file
• the start tasks thingy could (and should) be replaced with a loop. also, daemon_reload is not needed there. We also don't need daemon_reload in a lot of other cases, that should be handled with a handler and not a task.
• going from yaml truth values to json truth values via "true if var else false" is ugly, you can use the |to_json filter for that
• if the docker_container module of ansible is used for launching the containers, the env file templates are unnecessary, the vars can just be taken from vars directly

You can assign this to me

4bb8d4c

Maybe some cache factor advice and a note about presence

Related: matrix-org/synapse#4276 and your presence issue matrix-org/synapse#3971

https://matrix.org/docs/spec/client_server/r0.4.0.html#get-well-known-matrix-client

Example: https://matrix.org/.well-known/matrix/client

First of all, I want to thank you for making my life easier by creating this ansible playbook. Because I think it's a great idea to have this I want to contribute the following:

Currently, the playbook allows to configure custom postgresql servers. This is great to hear, but I think the playbook should then also enforce the usage of SSL encryption. In my custom version of the playbook I managed to do so by adding the following lines to the homeserver.yml.j2 template:

database:
  # The database engine name
  name: "psycopg2"
  args:
    user: {{ matrix_synapse_database_user|to_json }}
    password: {{ matrix_synapse_database_password|to_json }}
    database: "{{ matrix_synapse_database_database }}"
    host: "{{ matrix_synapse_database_host }}"
    sslcert: "/data/certs/postgres_chat_client/client.crt"
    sslkey: "/data/certs/postgres_chat_client/client.key"
    sslrootcert: "/data/certs/postgres_chat_client/rootCA.crt"
    sslmode: "verify-full"
    cp_min: 5
    cp_max: 10

To make this work you only have to copy the certificates to the correct location and chown it to the matrix user.

Btw: The documentation states that database servers running on the docker host are not supported, but I managed to configure my postgres database on the host with the role geerlingguy.postgresql quite fine. Yes, you will have to allow the postgres database to bind to the outside IP and also allow connections to that ip, but that can issue can be fixed by adding correct firewall rules and a sane pg_hba.conf:

---
---
- hosts: database
  become: true
  vars:
    ansible_ssh_private_key_file: "{{playbook_dir}}/ssh_keys/ansible_rsa"
    ansible_user: "ansible"
    check_free_diskspace_min_available: 5
    apt_update_cache: True
    apt_restart_after_dist_upgrade: True
    setup_additional_groups:
      - name: "postgres"
        requires_root_password: True
    setup_additional_users:
      - name: "postgres"
        group: "postgres"
        is_sudo: False
  roles:
    - role: check-free-space
    - role: user-setup
    - role: force-reconnect

- hosts: database
  become: true
  vars:
    ansible_ssh_private_key_file: "{{playbook_dir}}/ssh_keys/ansible_rsa"
    ansible_user: "ansible"
  tasks:
    - name: "ensure /etc/ansible exists"
      file:
        path: /etc/ansible
        state: directory
    - name: "ensure /etc/ansible/certs exists"
      file:
        path: /etc/ansible/certs
        state: directory
    - name: "copy postgres_chat certs"
      copy:
        src: "{{playbook_dir}}/files/certs/database/{{inventory_hostname}}/postgres_chat"
        dest: "/etc/ansible/certs"
        mode: 0700
        owner: postgres
        group: postgres

    - name: Ensure files in /etc/ansible/certs/postgres_chat 0400
      command: find /etc/ansible/certs/postgres_chat -type f -exec chmod 0400 {} \;

    - name: Allow incoming access to the postgres port 5432 for docker servers and the database ip
      ufw:
        rule: allow
        direction: in
        src: "{{ item }}"
        to_port: 5432
      with_items:
        - <ip>
        - 172.17.0.0/16
        - 172.18.0.0/16

- hosts: database
  become: true
  vars:
    ansible_ssh_private_key_file: "{{playbook_dir}}/ssh_keys/ansible_rsa"
    ansible_user: "ansible"
    check_free_diskspace_min_available: 5
    apt_update_cache: True

    postgresql_user: postgres
    postgresql_group: postgres

    postgresql_locales:
      - 'en_US.UTF-8'
        
    postgresql_users:
      - name: matrix
        password: "<password>"
        state: present

  roles:
    - role: geerlingguy.postgresql

# now that the basic setup is done setup everything for matrix
- hosts: database
  become: true
  vars:
    ansible_ssh_private_key_file: "{{playbook_dir}}/ssh_keys/ansible_rsa"
    ansible_user: "ansible"
    check_free_diskspace_min_available: 5
    apt_update_cache: True

    postgresql_user: postgres
    postgresql_group: postgres

    postgresql_locales:
      - 'en_US.UTF-8'

    postgresql_global_config_options:
      - option: unix_socket_directories
        value: '{{ postgresql_unix_socket_directories | join(",") }}'
      - option: "ssl"
        value: "on"
      - option: "ssl_ca_file"
        value: "/etc/ansible/certs/postgres_chat/rootCA.crt"
      - option: "ssl_cert_file"
        value: "/etc/ansible/certs/postgres_chat/server.crt"
      - option: "ssl_key_file"
        value: "/etc/ansible/certs/postgres_chat/server.key"
      - option: listen_addresses
        value: "*"
        
    postgresql_hba_entries:
      - { type: local, database: all, user: postgres, auth_method: peer }
      - { type: local, database: homeserver, user: matrix, auth_method: md5 }
      - { type: hostssl, database: homeserver, address: "<outside_ip>", user: matrix, auth_method: md5, auth_options: "clientcert=1" }
     # for docker
      - { type: hostssl, database: homeserver, address: "172.17.0.0/16", user: matrix, auth_method: md5, auth_options: "clientcert=1" }
      - { type: hostssl, database: homeserver, address: "172.18.0.0/16", user: matrix, auth_method: md5, auth_options: "clientcert=1" }

    postgresql_databases:
      - name: homeserver
        lc_collate: 'en_US.UTF-8'
        lc_ctype: 'en_US.UTF-8'
        encoding: 'UTF-8'
        owner: 'matrix'
        state: present

    postgresql_users:
      - name: matrix
        password: "<password>"
        state: present
        #encrypted: # defaults to not set
        #priv: # defaults to not set
        #role_attr_flags: # defaults to not set
        #db: # defaults to not set
        #login_host: # defaults to 'localhost'
        #login_password: # defaults to not set
        #login_user: # defaults to '{{ postgresql_user }}'
        #login_unix_socket: # defaults to 1st of postgresql_unix_socket_directories
        #port: # defaults to not set

  roles:
    - role: geerlingguy.postgresql

Matrix-docker-ansible-deploy version: latest as of today
Docker version: 18.09.1
Ubuntu: 18.04

Install works great and have matrix/riot running fine. On system shutdown however, there's a 2-3minute delay on shutdown that was not there before the install (uninstalling via the instructions in the doc dir eliminates the issue).

Console shows the delay is during shutdown of the various matrix services. Systemd messages show pauses of up to 1 minute 30 seconds on each of the 6 containers. Message looks like this:

[ *** ] (1 of 6) A stop job is running for Matrix Coturn server (30s / 1:30)

This occurs when shutting down the system with /sbin/shutdown.

If I first stop the matrix services via 'sudo systemctl stop matrix*' then run '/sbin/shutdown -r 0' to restart the server, it goes down quickly. But if I don't stop the matrix services first, I see the delay during shutdown.

Note when stopping the services manually via 'sudo systemctl stop matrix*', the services go down quickly. Running a 'docker ps' confirms they all are down. Not sure why it's so slow during shutdown.

Spent some time tweaking settings in the matrix service files under /etc/systemd/system but nothing really helps outside of specifying a low TimeoutStopSec to reduce the delay but that's not ideal.

I do see a lot of these dockerd errors while these stop attempts are happening:

Jan 13 15:05:43 myserver dockerd[1889]: time="2019-01-13T15:05:43.593913457-08:00" level=error msg="failed to get event" error="rpc error: code
 = Unavailable desc = transport is closing" module=libcontainerd namespace=moby
Jan 13 15:05:43 myserver dockerd[1889]: time="2019-01-13T15:05:43.593929085-08:00" level=error msg="failed to get event" error="rpc error: code
 = Unavailable desc = transport is closing" module=libcontainerd namespace=moby
Jan 13 15:05:43 myserver systemd[1]: Stopping Matrix Riot web server...
Jan 13 15:05:43 myserver dockerd[1889]: time="2019-01-13T15:05:43.593945298-08:00" level=error msg="failed to get event" error="rpc error: code
 = Unavailable desc = transport is closing" module=libcontainerd namespace=moby
Jan 13 15:05:43 myserver dockerd[1889]: time="2019-01-13T15:05:43.593961409-08:00" level=error msg="failed to get event" error="rpc error: code
 = Unavailable desc = transport is closing" module=libcontainerd namespace=moby

Any help or pointers would be appreciated.

journalctl -f -u matrix-synapse etc

Hello!

I configured ansible as described in Readme file. When I run ansible-playbook -i inventory/hosts setup.yml --tags=setup-main I always get the error:

TASK [matrix-server : Determine domains to obtain certificates for (Matrix)] ***********************************************************************************************
fatal: [matrix.mobilap.ru]: FAILED! => {"failed": true, "msg": "the field 'args' has an invalid value, which appears to include a variable that is undefined. The error was: matrix.{{ hostname_identity }}: {{ host_specific_hostname_identity }}: 'host_specific_hostname_identity' is undefined\n\nThe error appears to have been in '/Volumes/ST1000/projects/WVV2/matrix-docker-ansible-deploy/roles/matrix-server/tasks/setup_ssl.yml': line 3, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Determine domains to obtain certificates for (Matrix)\n  ^ here\n"}

PLAY RECAP *****************************************************************************************************************************************************************
matrix.mobilap.ru          : ok=11   changed=0    unreachable=0    failed=1  

I double checked that my vars.yml is correct and it contains host_specific_hostname_identity variable

Just upgraded to Riot Web 1.0.1, but now I get lots of "missing translation en" messages in interface on browsers where previous release Riot Web was opened (see image here: https://ibb.co/YWMyvq7). New browsers open with correctly translated interface. Tried to clean browser's cache, but without any success.
Found a pull request on vector-im/riot-web about correct caching implementation on self-hosted solutions: element-hq/element-web@f9551dd
I'm not good at nginx configuration, so I could not provide a pull request for this issue.

We have a way to import the media store files from a previous installation.
We also have a way to import an SQLite database.

.. but we have no easy/automated way to import people's existing Postgres database.

@spantaleev What would you suggest as a final solution to use Keycloak/SSO together with a Matrix ?

We see several auth options on the link
https://github.com/spantaleev/matrix-docker-ansible-deploy

• (optional, default) an mxisd Matrix Identity server
• (optional, advanced) the matrix-synapse-rest-auth REST authentication password provider module

Another words do we to deploy mxisd or we need matrix-synapse-rest-auth ?

Originally posted by @eorlovsky in #93 (comment)

Sometimes people would run the playbook (--tags=setup-all) when changing configuration or simply updating.. and then they'd manage the services manually (systemctl restart matrix-...)..

Doing this, instead of using --tags=start means they would still use the old systemd service files.

systemctl should warn that the service file had changed, but maybe that gets ignored sometimes.

It'd be better if we automatically do a daemon-reload as soon as we update a service file (handlers may also work, but they're unreliable).

https://github.com/turt2live/matrix-monitor-bot

Running a self-check like shown below...

ansible-playbook -i inventory/hosts setup.yml --tags=self-check

... fails with message:

TASK [matrix-base : Check DNS SRV record for _matrix._tcp on mathminds.io.] ********************************************************************************************************************************************************************
fatal: [matrix.mathminds.io]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'dig'. Error was a <class 'ansible.errors.AnsibleError'>, original message: The dig lookup requires the python 'dnspython' library and it is not installed"}

Notice that from command line I can find the DNS record:

$ dig +short _matrix._tcp.mathminds.io srv
10 0 8448 matrix.mathminds.io.

https://github.com/turt2live/matrix-media-repo

Is it possible for the self-check to know whether you are running the latest Synapse version or are on the latest commit of matrix-docker-ansible-deploy?

It could probably at least tell you the version you are running

https://github.com/matrix-org/synapse/blob/67dbe4c89944cf5957f806ad63f60880e2242b23/contrib/grafana/README.md

Currently, the Let's Encrypt SSL certificates aren't optional. Therefore the role can't be used on a server that's behind a firewall. That would however be desirable for a test deployment, which doesn't have to be publicly reachable (and maybe shouldn't be).

Also, some people might want to use different certificates.

Hello,

Trying to get the reverse-proxy for .well-known to work on centos 7 I get the following error from nxinx:

2019/02/08 11:36:35 [error] 18043#0: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 1.2.3.4, server: www.e.org, request: "GET /.well-known/matrix/client HTTP/2.0", upstream: "https://a.b.c.d:443//client", host: "e.org"

I've dug around a little but not been able to find anything really useful. Is this something you've seen before?

(p.s.: sorry, had not confirmed the service was running. since matrix.e.org/.well-known/matrix/server doesn't return a file, something must not have worked with the install, despite ansible reporting everything as fine. best delete this I should think.)

The docker binary is just a rest client that is talking to the docker daemon, which means that you aren't supervising the services but just the docker binary. I'm not sure what the reason for this is, but it means you can't use this playbook on alpinelinux, voidlinux, gentoo and possibly more.

I have multiple suggestions on how to solve this:

• Switch to a different container stack, that doesn't rely on a background daemon to run containers (podman.io for example), which interacts more nicely with supervision suites, and add support for more supervisors
• Don't supervise the docker binary but let the docker daemon manage the containers completely (which it will anyway, it's just a matter of not wrapping it in systemd)

I strongly prefer option 1 for my usecases, but since podman isn't available to most users, that probably won't be possible.

We’ve also discovered that jemalloc works very well at improving RAM usage on Python 2 under Linux (we haven’t tried it on Python 3 yet) by providing a more fragmentation-resistent malloc implementation; if you are having problems with your Synapse RAM spiking up we recommend giving it a go. All of the Matrix.org server is using it now.

from https://matrix.org/blog/2018/09/15/this-week-in-matrix-2018-09-14/

Sorry I've no experience with this type of record so there may be an obvious solution to this problem.
But so far as I've been able to try, Cloudflare makes it impossible to create a plain "_matrix._tcp" value for an SRV records.

You have to make it "_matrix._tcp.domain.com"

You enter "_matrix._tcp" in "Service"
TCP in protocol
then you HAVE TO add a "Name" which can be "@", your domain or anything.

in doubt I've created both needed records with both Name filled with "<domain.com>" and "matrix.<domain.com>"

As a consequence I believe I've the self-check ansible command failing with:

TASK [matrix-base : Fail if DNS SRV record incorrect (Ansible dig lookup)] ************************************************************
fatal: [matrix.mychinaroots.com]: FAILED! => {"msg": "The conditional check 'lookup_dig_srv is defined and (lookup_dig_srv.target != dns_srv_record_check.expected_target or lookup_dig_srv.port != dns_srv_record_check.expected_port)' failed. The error was: error while e$aluating conditional (lookup_dig_srv is defined and (lookup_dig_srv.target != dns_srv_record_check.expected_target or lookup_dig_srv.p$rt != dns_srv_record_check.expected_port)): 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'target'\n\nThe err$r appears to have been in '/root/project/matrix-docker-ansible-deploy/roles/matrix-base/tasks/self_check_dns_srv.yml': line 40, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Fail if $NS SRV record incorrect (Ansible dig lookup)\n  ^ here\n"}

Looking at the content of ./roles/matrix-base/tasks/self_check_dns.yml
it must be the comparison with service_and_protocol value that fails.

And quite unnervingly I can't even know whether my setup is ok or not due my lack of SRV record understanding.

Using https://neo.lain.haus/fed-tester/ with <mydomain.com> returns a valid result though, all be it with a Warning WARN: Self-signed cert found for ...IP blabla which is weird. As I though I understood Let's Encrypt WAS used to cerate a cert.

Could you please submit the roles to https://galaxy.ansible.com/ so that they can be added to other playbooks more easily? :)

On Fedora 28+, the python2 package for firewalld was removed: https://bugzilla.redhat.com/show_bug.cgi?id=1575428 so you need to use the python3-firewalld package and therefore use python3.

To make this happen, we need to overwrite ansible_python_interpreter (according to https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#list-of-behavioral-inventory-parameters):
ansible_python_interpreter: "/usr/bin/python3"

Just like we did for mxisd, we can do the same for matrix-corporal configuration .

.. except that we need to generate JSON. Which begs the question: if matrix-corporal uses JSON (that we generate), wouldn't it better if the default configuration and its extension/override are also JSON?

I happen to have set the .well-known folder on an Nginx server directive that redirect to another server. (
So the --tags=self-check task chokes on the Check .well-known on the identity hostname task because it doesn't follow redirect.

- name: Check .well-known on the identity hostname
  uri:
    url: "{{ well_known_url_identity }}"
    follow_redirects: false
    return_content: true
  register: result_well_known_identity
  ignore_errors: true

simply making follow_redirects: true makes the whole of self-check works with my setup.

People that want to put the media store elsewhere would currently be made to believe that redefining matrix_synapse_media_store_path would help (default is: matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store").

While matrix_synapse_media_store_path is used in certain parts of the configuration (when ensuring paths are created, etc.), it's not actually used by Synapse directly. Synapse currently receives a mount to the storage directory and tries to find a ./media-store directory inside it.

For legacy purposes (media store on s3fs), which may still apply now with Goofys (needs to be verified), we could not directly mount matrix_synapse_media_store_path into the Synapse container. We had to mount some parent directory (the storage directory) and access the media store through there.

Things we can do to fix this confusion:

• check whether our workaround is still required (now that we're using Goofys and not s3fs).. If not, we can mount matrix_synapse_media_store_path directly in the Synapse container and avoid all this confusion

• whether we can mount the media store in a smarter way. Perhaps mounting -v {{ matrix_synapse_media_store_path|dirname }}:/matrix-media-store-parent and then using media_store_path: "/matrix-media-store-parent/media-store" in homeserver.yaml.j2

• whether we should define some configuration sanity-check tasks, which would fail: when not matrix_synapse_media_store_path.startswith(matrix_synapse_storage_path)

• if all else fails, whether we should define some configuration variables (like matrix_synapse_media_store_path) as "private" and discourage them from being touched

You can assign this to me

It seems the playbook tries to install v0.17.7 of the docker image, which cannot be found, as the latest release seems to be v0.17.6 (https://github.com/AVENTER-UG/docker-matrix-riot/releases).

This change in roles/matrix-server/defaults/main.yml does the job :

-matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.7"
+matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.6"

As proposed by @anadahz, we should make the homepage at matrix.DOMAIN show something useful or redirect somewhere else, instead of being a 404 page.

Redirecting to riot.DOMAIN is one option, but also an option that would fail if matrix_riot_web_enabled: false.

It would probably be ideal if we have our own simple HTML page there, which contains an introduction to Matrix and possibly a link to this playbook.

If you install --tags=setup-all and then try to import a Postgres database, it would fail.

It happens because we try to detect the local Postgres version first, before doing the import. And Postgres hasn't been started to populate the PG_VERSION file.

I followed the install documentation and successfully run the role with the tags setup-all and start by issuing the following commands:

ansible-playbook -v -i inventory/hosts setup.yml --tags=setup-all
ansible-playbook -v -i inventory/hosts setup.yml --tags=start

However when I run the role with the register-user tag I get the error : Error: No such container: matrix-synapse.

Following verbose output:

ansible-playbook -vvvv -i inventory/hosts setup.yml --extra-vars='username=user password=password admin=yes' --tags=register-user

TASK [matrix-server : Register user] **********************************************************************************************************************************
task path: /home/user/matrix-docker-ansible-deploy/roles/matrix-server/tasks/register_user.yml:23
fatal: [matrix.domain.tld]: FAILED! => {                                            
    "changed": true,                                                                
    "cmd": "/usr/local/bin/matrix-synapse-register-user user password 1",           
    "delta": "0:00:00.103034",                                                      
    "end": "2018-10-13 13:24:39.089012",                                            
    "invocation": {                                                                 
        "module_args": {                                                            
            "_raw_params": "/usr/local/bin/matrix-synapse-register-user user password 1", 
            "_uses_shell": true,                                                    
            "argv": null,                                                           
            "chdir": null,                                                          
            "creates": null,                                                        
            "executable": null,                                                     
            "removes": null,                                                        
            "stdin": null,                                                          
            "warn": true                                                            
        }                                                                           
    },                                                                              
    "msg": "non-zero return code",                                                  
    "rc": 1,                                                                        
    "start": "2018-10-13 13:24:38.985978",                                          
    "stderr": "Error: No such container: matrix-synapse",                           
    "stderr_lines": [                                                               
        "Error: No such container: matrix-synapse"                                  
    ],                                                                              
    "stdout": "",                                                                   
    "stdout_lines": []                                                              
}                                                                                   
                                                                                    
PLAY RECAP **********************************************************************************************************************************
matrix.domain.tld        : ok=2    changed=0    unreachable=0    failed=1           

Any ideas to help debug and solve this issue are greatly appreciated.

The documentation states that you can set matrix_synapse_federation_domain_whitelist to [] to disable federation:

However, if you actually do so, invalid YAML gets generated into homeserver.yaml:

federation_domain_whitelist:
[]

This means that matrix-synapse fails to start:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/local/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/local/lib/python3.6/site-packages/synapse/app/homeserver.py", line 576, in <module>
    main()
  File "/usr/local/lib/python3.6/site-packages/synapse/app/homeserver.py", line 571, in main
    hs = setup(sys.argv[1:])
  File "/usr/local/lib/python3.6/site-packages/synapse/app/homeserver.py", line 312, in setup
    config_options,
  File "/usr/local/lib/python3.6/site-packages/synapse/config/_base.py", line 356, in load_or_generate_config
    generate_keys=generate_keys,
  File "/usr/local/lib/python3.6/site-packages/synapse/config/_base.py", line 374, in read_config_files
    yaml_config = self.read_config_file(config_file)
  File "/usr/local/lib/python3.6/site-packages/synapse/config/_base.py", line 140, in read_config_file
    return yaml.load(file_stream)
  File "/usr/local/lib/python3.6/site-packages/yaml/__init__.py", line 72, in load
    return loader.get_single_data()
  File "/usr/local/lib/python3.6/site-packages/yaml/constructor.py", line 35, in get_single_data
    node = self.get_single_node()
  File "/usr/local/lib/python3.6/site-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/local/lib/python3.6/site-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/local/lib/python3.6/site-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/site-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/local/lib/python3.6/site-packages/yaml/composer.py", line 64, in compose_node
    if self.check_event(AliasEvent):
  File "/usr/local/lib/python3.6/site-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/local/lib/python3.6/site-packages/yaml/parser.py", line 449, in parse_block_mapping_value
    if not self.check_token(KeyToken, ValueToken, BlockEndToken):
  File "/usr/local/lib/python3.6/site-packages/yaml/scanner.py", line 116, in check_token
    self.fetch_more_tokens()
  File "/usr/local/lib/python3.6/site-packages/yaml/scanner.py", line 159, in fetch_more_tokens
    self.stale_possible_simple_keys()
  File "/usr/local/lib/python3.6/site-packages/yaml/scanner.py", line 289, in stale_possible_simple_keys
    "could not find expected ':'", self.get_mark())
yaml.scanner.ScannerError: while scanning a simple key
  in "/data/homeserver.yaml", line 123, column 1
could not find expected ':'
  in "/data/homeserver.yaml", line 128, column 1
Traceback (most recent call last):
  File "/start.py", line 66, in <module>
    subprocess.check_output(args + ["--generate-keys"])
  File "/usr/local/lib/python3.6/subprocess.py", line 356, in check_output
    **kwargs).stdout
  File "/usr/local/lib/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['python', '-m', 'synapse.app.homeserver', '--config-path', '/data/homeserver.yaml', '--generate-keys']' returned non-zero exit status 1.

Not sure if any other files do, also not sure which one you want otherwise I would have PR'd

Might be nice to add an editorconfig file https://editorconfig.org

Hello!

First of all, I'd like to thank you for your work!

Would you please help me to find out where things go wrong.

The first task I'd like to solve is to make a Matrix-Keycloak connection. I suppose there is a module mxisd that could help me with that.

Got synapse installed. Can successfully connect via Riot mobile client and via web-based client as well:
https://matrix.perfsys.io
https://riot.perfsys.io
So I assume that Server Delegation via a DNS SRV record (https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/howto-server-delegation.md) was made in the right way.
But I can't get JSON file neither visiting https://perfsys.io/.well-known/matrix/server nor https://perfsys.io/.well-known/matrix/client, I get "Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP" instead.

Got mxisd enabled. But self-check (ansible-playbook -i inventory/hosts setup.yml --tags=self-check) returns:

TASK [matrix-mxisd : Check mxisd Identity Service]
fatal: [matrix.perfsys.io -> 127.0.0.1]: FAILED! => {"changed": false, "connection": "close", "content": "\n\n <title>404 - No Such Resource</title>\n \n

No Such Resource

\n

Sorry. No luck finding that resource.

\n \n\n", "content_length": "167", "content_type": "text/html; charset=utf-8", "date": "Thu, 07 Feb 2019 15:22:37 GMT", "msg": "Status code was 404 and not [200]: HTTP Error 404: Not Found", "redirected": false, "server": "nginx", "status": 404, "url": "https://matrix.perfsys.io/_matrix/identity/api/v1"}

So is it Reverse Proxying or incompatible SSL issue?
Thanks in advance for your help

[..]/tasks/import/import_media_store.yml for example has a mix of both formats which hurts readability IMO

I need to use my ldap directory as provider for passwords. During my tests (only with matrix-synapse), I used these lines in homeserver.yaml and it worked ok:

password_providers:
    - module: "ldap_auth_provider.LdapAuthProvider"
      …

Is there a way to:

• either specifiy these settings in host_vars.yml
• or connect to matrix-synapse afterwards to change these?

Thanks!

Just like we did for mxisd, we can do the same for riot-web.

.. except that we need to generate JSON. Which begs the question: if riot-web uses JSON (that we generate), wouldn't it better if the default configuration and its extension/override are also JSON?

I keep checking https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-ssl-certificates.md for the info but it's actually in https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/howto-server-delegation.md#server-delegation-via-a-well-known-file