🛠 Overhaul of the sans-nuage Matrix stack

the tchatons.org domain is registered :star_struck:

1 Like

So, according to ljf's plan:
the two Matrix servers are YunoHost VMs?
In that case, would it make sense to create the bridges server first? That way we move that service off the current Matrix server.

That can be a start.

But I don't see how it works there: do we then tell our sans-nuage Matrix server to go and fetch the bridges from the new one we will have set up?

Yes, that's it. We can contact a person who is on another server.
For example, we will contact the bots at @whatsappbot:bridge.sans-nuage.fr

I've dived back into the guide for installing a Matrix instance with Ansible.

Here are the most important pages to read to get started:

I've started drawing up a list of the components we will have to configure if we create the server dedicated to the bridges:

The bridges we are interested in:

1 Like

2 posts were split into a new topic: Bot Discourse → Matrix

https://forum.chatons.org/t/un-serveur-matrix-ouvert-par-cooptation-pour-les-chatons/7553

We just need to follow this doc and tweak a few records on our DNS server
https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/howto-srv-server-delegation.md
Except that our DNS server is not registered with Traefik https://doc.traefik.io/traefik/https/acme/#providers
OVH is supported though, and since that is where I registered the domain, it is doable.

But actually I don't see the point; we can stay with a .well-known file https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation

On the other hand, we may need to look into the worker story to anticipate scaling the server.
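The SRV-versus-.well-known choice discussed in this post is really a question of how every other homeserver resolves our server name, and therefore which hostname our federation certificate must be valid for. The following Python is an added example for this thread, not code from the playbook, from Synapse or from the poster: it walks the resolution order of the Matrix server-server specification ("Resolving server names") with the HTTPS and DNS lookups injected as callables so it runs offline. The example.com zone, its .well-known bodies and the single SRV record are constructed for the demonstration.

```python
"""Matrix federation server-name resolution (spec section 'Resolving server
names'), with the DNS and HTTPS lookups injected so it runs offline.
Added example for this thread; not code from the playbook or from Synapse."""
import ipaddress
import json
import re
from typing import Callable, Dict, Optional, Tuple

SrvLookup = Callable[[str], Optional[Tuple[str, int]]]   # SRV name -> (target, port)
WellKnownFetch = Callable[[str], Optional[str]]           # host -> body of /.well-known/matrix/server

_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)


def split_server_name(name: str) -> Optional[Tuple[str, Optional[int], bool]]:
    """Return (host, port or None, is_ip_literal), or None if `name` is malformed."""
    host, port = name, None
    if name.startswith("["):                         # [2001:db8::1]:8448
        end = name.find("]")
        if end < 0:
            return None
        host, rest = name[1:end], name[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:] if rest else None
    elif name.count(":") == 1:
        host, port = name.split(":")
    elif ":" in name:                                # unbracketed IPv6 is not allowed
        return None
    if port is not None:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            return None
        port = int(port)
    try:
        ipaddress.ip_address(host)
        return host, port, True
    except ValueError:
        return (host, port, False) if _HOST_RE.match(host) else None


def parse_server_well_known(body: Optional[str]) -> Optional[str]:
    """Return a syntactically valid `m.server` from a well-known body, else None.
    Any parse error or malformed value means 'behave as if no well-known existed'."""
    if body is None:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    value = doc.get("m.server") if isinstance(doc, dict) else None
    if not isinstance(value, str) or split_server_name(value) is None:
        return None
    return value


def _result(connect_host: str, port: int, host_header: str) -> Dict[str, object]:
    # The certificate served on connect_host:port must be valid for the name sent
    # in the Host header (port stripped), not merely for connect_host.
    return {"connect_host": connect_host, "port": port,
            "host_header": host_header, "tls_name": split_server_name(host_header)[0]}


def resolve(server_name: str, fetch_well_known: WellKnownFetch, srv: SrvLookup) -> Dict[str, object]:
    """Decide where to connect and which Host/TLS name to use for `server_name`."""
    parsed = split_server_name(server_name)
    if parsed is None:
        raise ValueError(f"malformed server name: {server_name!r}")
    host, port, is_ip = parsed
    if is_ip or port is not None:                     # steps 1-2: no delegation possible
        return _result(host, port or 8448, server_name)
    target = host
    delegated = parse_server_well_known(fetch_well_known(host))
    if delegated is not None:                         # step 3: .well-known delegation
        d_host, d_port, d_ip = split_server_name(delegated)
        if d_ip or d_port is not None:                # steps 3.1-3.2: explicit IP or port
            return _result(d_host, d_port or 8448, delegated)
        target = d_host
    for prefix in ("_matrix-fed._tcp.", "_matrix._tcp."):  # steps 3.3-3.4 / 4-5 (second is deprecated)
        record = srv(prefix + target)
        if record is not None:
            return _result(record[0], record[1], target)
    return _result(target, 8448, target)               # steps 3.5 / 6: default port

# Constructed sample lookups (hypothetical example.com zone, no network access).
SAMPLE_WELL_KNOWN = {
    "example.com": '{"m.server": "matrix.example.com"}',   # delegation, no SRV needed
    "srv.example": '{"m.server": "fed.srv.example"}',      # delegation plus SRV on the delegated name
    "bad.example": '{"m.server": "not a host name"}',      # malformed: must be ignored
}
SAMPLE_SRV = {"_matrix-fed._tcp.fed.srv.example": ("edge.srv.example", 443)}

if __name__ == "__main__":
    for name in ("example.com", "srv.example", "bad.example", "example.com:443"):
        print(name, "->", resolve(name, SAMPLE_WELL_KNOWN.get, SAMPLE_SRV.get))
```

The field to watch when a federation test fails is `tls_name`: with .well-known delegation the certificate on the delegated host must be valid for the delegated name, and the bare domain must additionally serve the well-known file over valid HTTPS, whereas with SRV delegation the certificate must still be valid for the server name, never for the SRV target.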

@sepp @totor the minutes of the kick-off meeting with the chatons
https://pad.sans-nuage.fr/p/arn_slash_2025-2026

There was nobody really well versed in Synapse, but one person with quite a bit of experience of moderation with the Draupnir bot.

1 Like

Noted,
I'll see about discussing it at this month's FFDN meeting.

1 Like

A nice Matrix infrastructure diagram
https://lacontrevoie.fr/blog/2025/nouveau-service-visioconference-et-messagerie-instantanee/

Here is the vars.yml configuration file as it stands.

For reference, here is the source: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/examples/vars.yml

Note from 6 April: replace Synapse Admin with Ketesa (https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-ketesa.md)

---
# This variable acknowledges that you've reviewed breaking changes up to this version.
# The playbook will fail if this is outdated, guiding you through what changed.
# See the changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md

matrix_playbook_migration_validated_version: v2026.04.03.0

# The bare domain name which represents your Matrix identity.
# Matrix user IDs for your server will be of the form (`@alice:example.com`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.example.com", see `matrix_server_fqn_matrix`).
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
matrix_domain: example.com

#
# SERVER CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-synapse.md
#

# The Matrix homeserver software to install.
# See:
#  - `roles/custom/matrix-base/defaults/main.yml` for valid options
#  - the `docs/configuring-playbook-IMPLEMENTATION_NAME.md` documentation page, if one is available for your implementation choice
#
# By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
#
# Note that the homeserver implementation of a server will not be able to be changed without data loss.
matrix_homeserver_implementation: synapse

# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred. You can create one with a command like `pwgen -s 64 1`.
matrix_homeserver_generic_secret_key: 'to be defined later'

# To have Synapse gracefully handle thousands of users, worker support should be enabled. It factors out some homeserver tasks and spreads the load of incoming client and server-to-server traffic between multiple processes.
matrix_synapse_workers_enabled: true
matrix_synapse_workers_preset: one-of-each

# /!\ I AM NOT ON TOP OF THE DNS PART /!\

# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
# It will retrieve SSL certificates for you on-demand and forward requests to all other components.
# For alternatives, see `docs/configuring-playbook-own-webserver.md`.
# matrix_playbook_reverse_proxy_type: playbook-managed-traefik

# /!\ I AM NOT ON TOP OF THE DNS PART /!\

# To make your server only federate with servers of your choosing, add the following configuration.
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-federation.md
# NOTE: the two settings below come from two alternative examples on that page. With federation
# completely disabled (`matrix_homeserver_federation_enabled: false`) the whitelist has no effect,
# so keep one or the other before deploying.

matrix_synapse_federation_domain_whitelist:
- example.com
- example.net
# To completely disable federation, isolating your server from the rest of the Matrix network, add the following configuration.
matrix_homeserver_federation_enabled: false

# You can limit heavy room joins on constrained hosts.
# See: docs/configuring-playbook-synapse.md#limit-joining-heavy-rooms-on-constrained-hosts
matrix_synapse_limit_remote_rooms_enabled: true
matrix_synapse_limit_remote_rooms_complexity: 1.0
matrix_synapse_limit_remote_rooms_admins_can_join: false

# Error message returned when a user attempts to join a too-complex room.
matrix_synapse_limit_remote_rooms_complexity_error: "Our server does not allow joining rooms that are too large. Please contact the association at ■■■■■■■■■■■■■■■.net to find out more."

# Controls the maximum file size upload limit
matrix_synapse_max_upload_size_mb: 10

# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 100 }}"

# Controls whether local media should be removed under certain conditions, typically for the purpose of saving space.
# should be empty to disable
matrix_synapse_media_retention_local_media_lifetime: "90d"

# Controls whether remote media cache (media that is downloaded from other homeservers)
# should be removed under certain conditions, typically for the purpose of saving space.
# should be empty to disable
matrix_synapse_media_retention_remote_media_lifetime: "90d"

# Controls message retention policies
matrix_synapse_retention_enabled: true
# "A single var to control them all" - applied to all retention period vars, applied only if a value is set, e.g. : "1d", "1w", "1m", "1y"
matrix_synapse_retention_period: "2y"

# Users who register on this homeserver will automatically be joined to these rooms.
# Rooms are to be specified using addresses (e.g. `#address:example.com`)
# Quoted: a plain YAML scalar cannot start with `#`, so an unquoted `[#arn:...]` fails to parse.
matrix_synapse_auto_join_rooms: ["#arn:sans-nuage.fr"]

# Controls whether container networks will be created with IPv6 support.
#
# If you also have IPv6 support on your server/network and AAAA DNS records pointing to the server,
# enabling this will effectively give you full public IPv6 connectivity (powered by NAT66).
#
# We recommend leaving this enabled even if you don't currently have IPv6 connectivity on your server/network.
# This way, once you eventually get IPv6 connectivity, you won't have to change anything (besides DNS records).
#
# Flipping this setting later on requires manual work (stopping services, deleting and recreating all container networks).
#
# In the future, this setting will likely default to `true`, so if you really want IPv6 disabled, explicitly set this to `false`.
#
# People managing Docker themselves and running an older Docker version will need additional configuration.
#
# Learn more in `docs/configuring-ipv6.md`.
devture_systemd_docker_base_ipv6_enabled: true

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service) using this superuser account.
#
# Changing this value subsequently requires manual work.
# The value used here must be shorter than 100 characters.
postgres_connection_password: ''

#
# ELEMENT CLIENT CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-client-element-web.md
#

# Set the country code for phone number inputs. You can change the country code (default: GB) to use when showing phone number inputs.
matrix_client_element_default_country_code: "FR"

# You can change the look of Element Web by pulling themes provided by the aaronraimist/element-themes (https://github.com/aaronraimist/element-themes) project or defining your own themes manually.
matrix_client_element_themes_enabled: true

# By tweaking the matrix_client_element_hostname and matrix_client_element_path_prefix variables, you can easily make the service available at a different hostname and/or path than the default one.
# Switch to the domain used for Matrix services (`matrix.example.com`),
# so we won't need to add additional DNS records for Element Web.
matrix_client_element_hostname: "{{ matrix_server_fqn_matrix }}"
# Expose under the /element subpath
matrix_client_element_path_prefix: /element

#
# MATRIX AUTHENTICATION SERVICE (MAS) CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-matrix-authentication-service.md
#

# Matrix Authentication Service is an implementation of MSC3861: Next-generation auth for Matrix, based on OAuth 2.0/OIDC and still work in progress.
# To enable Matrix Authentication Service, add the following configuration.
matrix_authentication_service_enabled: true
# Generate this encryption secret with: `openssl rand -hex 32`
matrix_authentication_service_config_secrets_encryption: 'to be defined later'

# By tweaking the matrix_authentication_service_hostname and matrix_authentication_service_path_prefix variables, you can easily make the service available at a different hostname and/or path than the default one.
# Change the default hostname and path prefix
matrix_authentication_service_hostname: auth.example.com
matrix_authentication_service_path_prefix: /

#
# DOUBLE PUPPETING CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-appservice-double-puppet.md
#

# Appservice Double Puppet service is a homeserver appservice through which bridges (and potentially other services) can impersonate any user on the homeserver.
# This is useful for performing double-puppeting via the appservice method. The service is an implementation of this approach.

# To enable the Appservice Double Puppet service, add the following configuration.
matrix_appservice_double_puppet_enabled: true

#
# KETESA CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-ketesa.md
#

# Ketesa is a fully-featured admin interface for Matrix homeservers — manage users, rooms, media, sessions, and more from one clean, responsive web UI.

# To enable Ketesa, add the following configuration.
matrix_ketesa_enabled: true
matrix_ketesa_path_prefix: /ketesa

# /!\ I AM NOT ON TOP OF THE LDAP PART /!\

#
# LDAP AUTHENTICATION MODULE CONFIGURATION
#

# This is a password auth provider module for Synapse, the Matrix homeserver implementation. This module allows users to log in to Synapse with their username and password from an LDAP server.

matrix_synapse_ext_password_provider_ldap_enabled: true
matrix_synapse_ext_password_provider_ldap_uri:
  - "ldap://ldap-01.example.com:389"
  - "ldap://ldap-02.example.com:389"
matrix_synapse_ext_password_provider_ldap_start_tls: true
matrix_synapse_ext_password_provider_ldap_base: "ou=users,dc=example,dc=com"
matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail"
matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
matrix_synapse_ext_password_provider_ldap_bind_dn: ""
matrix_synapse_ext_password_provider_ldap_bind_password: ""
matrix_synapse_ext_password_provider_ldap_filter: ""

# /!\ I AM NOT ON TOP OF THE LDAP PART /!\

#
# GENERAL BRIDGE CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-mautrix-bridges.md
#

# To configure a user as an administrator for all bridges, add the following configuration.
matrix_admin: "@alice:{{ matrix_domain }}"
# Encryption (End-to-Bridge Encryption, E2BE) support is off by default. If you would like to enable encryption, add the following configuration.
matrix_bridges_encryption_enabled: true
matrix_bridges_encryption_default: true
# Alternatively, for a specific bridge:
# matrix_mautrix_SERVICENAME_bridge_encryption_enabled: true
# matrix_mautrix_SERVICENAME_bridge_encryption_default: true

# Relay mode is off by default. Check the table in the official documentation for bridges which support relay mode.
# For all bridges with relay mode support:
matrix_bridges_relay_enabled: true

# To set a bridge bot's username, add the following configuration.
# Template from the docs, kept commented out: replace SERVICENAME with a real bridge name (e.g. telegram) before enabling it.
# matrix_mautrix_SERVICENAME_appservice_bot_username: "BOTNAME"

#
# TELEGRAM BRIDGE CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-mautrix-telegram.md
#

# To enable the bridge, add the following configuration.
matrix_mautrix_telegram_enabled: true
matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID
matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH

#
# WHATSAPP BRIDGE CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-mautrix-whatsapp.md
#

# To enable the bridge, add the following configuration
matrix_mautrix_whatsapp_enabled: true

#
# SIGNAL BRIDGE CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-mautrix-signal.md
#

# To enable the bridge, add the following configuration.
matrix_mautrix_signal_enabled: true

#
# IRC BRIDGE CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-appservice-irc.md
#

# To enable the bridge, add the following configuration.
matrix_appservice_irc_enabled: true

# /!\ I DO NOT HAVE THE IRC CONNECTION DETAILS /!\

matrix_appservice_irc_ircService_servers:
  irc.example.com:
    name: "ExampleNet"
    port: 6697
    ssl: true
    sasl: false
    allowExpiredCerts: false
    sendConnectionMessages: true
    botConfig:
      enabled: true
      nick: "MatrixBot"
      joinChannelsIfNoUsers: true
    privateMessages:
      enabled: true
      federate: true
    dynamicChannels:
      enabled: true
      createAlias: true
      published: true
      joinRule: public
      groupId: +myircnetwork:localhost
      federate: true
      aliasTemplate: "#irc_$CHANNEL"
    membershipLists:
      enabled: false
      floodDelayMs: 10000
      global:
        ircToMatrix:
          initial: false
          incremental: false
        matrixToIrc:
          initial: false
          incremental: false
    matrixClients:
      userTemplate: "@irc_$NICK"
      displayName: "$NICK (IRC)"
      joinAttempts: -1
    ircClients:
      nickTemplate: "$DISPLAY[m]"
      allowNickChanges: true
      maxClients: 30
      idleTimeout: 10800
      reconnectIntervalMs: 5000
      concurrentReconnectLimit: 50
      lineLimit: 3
#
# REGISTRATION BOT CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bot-matrix-registration-bot.md
#

# /!\ FOR THE SERVER WITH REGISTRATION BY CO-OPTATION /!\

#
# DRAUPNIR MODERATION BOT CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bot-draupnir.md
#

# To enable the native E2EE support, you need to obtain an access token for Draupnir
matrix_bot_draupnir_config_experimentalRustCrypto: true
# Access token which the bot will use for logging in.
# Comment out `matrix_bot_draupnir_login_native` when using this option.
matrix_bot_draupnir_config_accessToken: "CLEAN_ACCESS_TOKEN_HERE"

# To enable the bot, add the following configuration.
matrix_bot_draupnir_enabled: true

# Uncomment and adjust this part if you'd like to use a username different than the default
matrix_bot_draupnir_login: bot.draupnir
# Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`.
# If creating the user on your own and using `matrix_bot_draupnir_config_accessToken` to login you can comment out this line.
matrix_bot_draupnir_password: PASSWORD_FOR_THE_BOT
# Comment out if using `matrix_bot_draupnir_config_experimentalRustCrypto: true` or `matrix_bot_draupnir_config_accessToken` to login.
# NOTE: both login methods (access token above, native login below) are currently set; keep exactly one before running the playbook.
matrix_bot_draupnir_login_native: true
# Make sure to replace MANAGEMENT_ROOM_ID_HERE with the one of the room which you have created earlier.
matrix_bot_draupnir_config_managementRoom: "MANAGEMENT_ROOM_ID_HERE"

# If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. This is a highly recommended step.
# If you do not configure it, Draupnir performance will be degraded.
# This can be done using Synapse's Admin APIs. They can be accessed both externally and internally.
# The APIs can be accessed via Synapse Admin, a web UI tool you can use to administrate users, rooms, media, etc. on your Matrix server.

#
# ELEMENT CALL CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-element-call.md
#



#
# NTFY NOTIFICATION SERVER CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-ntfy.md
#



#
# SYNAPSE AUTO-COMPRESSOR CONFIGURATION
#
# Documentation : https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-synapse-auto-compressor.md
#

matrix_synapse_auto_compressor_enabled: true

# By default the task runs around 0 a.m. every day, based on the matrix_synapse_auto_compressor_schedule variable, with a randomized delay of 6 hours (controlled by the matrix_synapse_auto_compressor_schedule_randomized_delay_sec variable). It is defined in the systemd timer calendar format.
matrix_synapse_auto_compressor_schedule: "*-*-* 00:01:00"

# Consider adjusting the randomized delay or setting it to 0 to disable randomized delays.
matrix_synapse_auto_compressor_schedule_randomized_delay_sec: 0h
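The vars.yml above still carries several "to be defined later" secrets, an empty Postgres password, two Draupnir login methods set at once, a whitelist next to disabled federation, and an unquoted room alias. The following Python is an added example for this thread, not part of the playbook or of the poster's configuration: a pre-deployment lint that refuses the file while any of those remain. It uses only the standard library (no PyYAML) and understands just the flat `key: value`, `key: [a, b]` and `key:` + `- item` forms the file uses; nested mappings such as the IRC server block are skipped. The SAMPLE_VARS excerpt is constructed to trigger each check.

```python
"""Pre-deployment sanity check for a matrix-docker-ansible-deploy vars.yml.
Added example for this thread, not part of the playbook.  Standard library
only; nested mappings are skipped.  Run before `ansible-playbook` so that
placeholders and empty credentials never reach a host."""
import re
from typing import Dict, List, Union

# Values that are obviously still templates: SHOUTING_PLACEHOLDERS or the thread's own wording.
PLACEHOLDER_RE = re.compile(r"^(?:[A-Z][A-Z0-9_]{4,}|[Tt]o be defined later)$")
# Keys whose value is a credential and must be neither empty nor a placeholder.
SECRET_KEY_RE = re.compile(r"password|secret|token|api_hash", re.I)


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _flow_list(value: str) -> List[str]:
    inner = value[1:-1].strip()
    return [_unquote(item.strip()) for item in inner.split(",")] if inner else []


def parse_vars(text: str) -> Dict[str, Union[str, List[str]]]:
    """Flat parser for the subset of YAML used in the vars file above."""
    result: Dict[str, Union[str, List[str]]] = {}
    current = None                                    # key whose block list is being filled
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        line = raw.split(" #", 1)[0].rstrip()         # drop trailing comments
        if line.lstrip().startswith("- "):
            if current is not None:
                result[current].append(_unquote(line.lstrip()[2:].strip()))
            continue
        if line[0].isspace():                         # nested mapping: out of scope
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue
        current = None
        if value == "":
            result[key] = []
            current = key
        elif value.startswith("[") and value.endswith("]"):
            result[key] = _flow_list(value)
        else:
            result[key] = _unquote(value)
    return result


def lint(text: str) -> List[str]:
    """Return findings as 'CODE detail' strings; an empty list means safe to deploy."""
    v = parse_vars(text)
    findings: List[str] = []
    for key, value in v.items():
        for item in (value if isinstance(value, list) else [value]):
            if PLACEHOLDER_RE.match(item):
                findings.append(f"PLACEHOLDER {key}={item!r}")
        if SECRET_KEY_RE.search(key) and isinstance(value, str):
            if value == "":
                findings.append(f"EMPTY_SECRET {key}")
            elif key == "postgres_connection_password" and len(value) >= 100:
                findings.append(f"SECRET_TOO_LONG {key} (the playbook requires < 100 characters)")
    if v.get("matrix_bot_draupnir_config_accessToken") and v.get("matrix_bot_draupnir_login_native") == "true":
        findings.append("DRAUPNIR_LOGIN_CONFLICT accessToken and login_native are both set; keep one")
    if v.get("matrix_homeserver_federation_enabled") == "false" and v.get("matrix_synapse_federation_domain_whitelist"):
        findings.append("FEDERATION_WHITELIST_UNUSED federation is disabled, so the whitelist has no effect")
    if v.get("matrix_synapse_ext_password_provider_ldap_enabled") == "true":
        uris = v.get("matrix_synapse_ext_password_provider_ldap_uri", [])
        for uri in ([uris] if isinstance(uris, str) else uris):
            if uri.startswith("ldap://") and v.get("matrix_synapse_ext_password_provider_ldap_start_tls") != "true":
                findings.append(f"LDAP_CLEARTEXT {uri} without STARTTLS sends bind passwords in clear")
    if re.search(r"^matrix_synapse_auto_join_rooms:\s*\[\s*#", text, re.M):
        findings.append("UNQUOTED_ROOM_ALIAS quote the aliases; a plain YAML scalar cannot start with '#'")
    return findings


# Constructed excerpt that reproduces the open points of the file above.
SAMPLE_VARS = """\
matrix_domain: example.com
matrix_homeserver_generic_secret_key: 'to be defined later'
postgres_connection_password: ''
matrix_synapse_federation_domain_whitelist:
- example.net
matrix_homeserver_federation_enabled: false
matrix_synapse_auto_join_rooms: [#arn:example.com]
matrix_synapse_ext_password_provider_ldap_enabled: true
matrix_synapse_ext_password_provider_ldap_uri:
  - "ldap://ldap-01.example.com:389"
matrix_synapse_ext_password_provider_ldap_start_tls: false
matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
matrix_bot_draupnir_config_accessToken: "CLEAN_ACCESS_TOKEN_HERE"
matrix_bot_draupnir_login_native: true
matrix_bot_draupnir_config_managementRoom: "MANAGEMENT_ROOM_ID_HERE"
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_VARS):
        print(finding)
```

Wire it as a pre-task or a CI step that fails on a non-empty result; the placeholder regex is deliberately crude (any SHOUTING_NAME of five or more characters), which is the right bias for a gate that only has to stop a copy of the docs' example from reaching production.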

A little feedback from the weekend:

My Matrix instance has kept growing ever since I started using it, and I had to deal with it this afternoon.

I also noticed that media files were taking up space. I'm going to look at the Synapse configuration options, found in the file roles/custom/matrix-synapse/defaults/main.yml, to limit that @GautGaut

1 Like

For information, after running the playbook for, let's say, 4 years (± 1 year), I have a lot of unused containers (well, I update at least once a week), which gives me 130 GB used, of which 110 GB reclaimable. On the other hand the total size of the containers (that includes a Nextcloud) is 2.2 GB, half of which is "reclaimable".
That is on a two-person instance with messages that have no expiry date.

NB: I run it behind an nginx reverse proxy, which can cause problems if the machine reboots.

1 Like

Last night I thought that our DB problems might come from the fact that we hadn't updated our bridged rooms.

I also thought we could just pour a concrete slab over the current stack rather than try to migrate. Back when we started Matrix, the bridges and arn-messager weren't mature. If we made an announcement "all rooms are going to be unbridged and you will have to rebridge them", I don't think we would lose many people, there is no alternative :smiley:

Or rather we deploy the new stack and in a year we shut down the old one? That only raises the question of the domain name, but presumably it would be tchatons.org for the main server without (puppeting) bridges? We would need another one for the bridges stack.