matrix: fix variable names

backups/gitea.sh

@@ -21,4 +21,7 @@ echo "Starting Backup of Gitea Data..."
 echo "Backup done. Pruning Gitea Data..."
 /usr/bin/borg prune -v --list --keep-daily=7 --keep-weekly=7 --keep-monthly=10 --keep-yearly=5 -a "data_*" ${BACKUP_REPO}
 
+echo "Compacting repo..."
+/usr/bin/borg compact ${BACKUP_REPO}
+
 echo "Done"

backups/keycloak.sh

@@ -14,4 +14,7 @@ docker exec keycloak_keycloak_db_1 pg_dump keycloak -U keycloak |
 echo "Backup done. Pruning backup-repo..."
 /usr/bin/borg prune -v --list --keep-daily=7 --keep-weekly=7 --keep-monthly=10 --keep-yearly=5 ${BACKUP_REPO}
 
+echo "Compacting repo..."
+/usr/bin/borg compact ${BACKUP_REPO}
+
 echo "Done"

backups/matrix.sh

@@ -21,4 +21,7 @@ echo "Starting Backup of Matrix / Synapse Storage..."
 echo "Backup done. Pruning Matrix / Synapse Storage..."
 /usr/bin/borg prune -v --list --keep-daily=7 --keep-weekly=7 --keep-monthly=10 --keep-yearly=5 -a "synapse-storage_*" ${BACKUP_REPO}
 
+echo "Compacting repo..."
+/usr/bin/borg compact ${BACKUP_REPO}
+
 echo "Done"

backups/nextcloud.sh

@@ -1,6 +1,7 @@
+#!/bin/bash
 # Immediatly exit on command failure (e)
 # and quit on unset variables (u)
-set -ue
+set -ueo pipefail
 
 export BACKUP_REPO=ssh://cttuebak/media/borg/cttue/cloud
 export BACKUP_NAME_DB="db_$(date -u +'%Y-%m-%dT%H:%M%Z')"
@@ -9,7 +10,7 @@ export BORG_PASSPHRASE=$(cat "$(dirname $0)/borg_passphrase.txt")
 
 # Dump the database into borg create
 echo "Starting Backup of Nextcloud Database..."
-docker exec nextcloud_nc_db_1 mysqldump -u nextcloud -pnextcloud --lock-tables --databases nextcloud |
+docker exec nextcloud-nc_db-1 mariadb-dump -u nextcloud -pnextcloud --lock-tables --databases nextcloud |
     /usr/bin/borg create --compression zstd --stats ${BACKUP_REPO}::${BACKUP_NAME_DB} -
 
 echo "Backup done. Pruning Nextcloud Database..."
@@ -21,4 +22,7 @@ echo "Starting Backup of Nextcloud Uploaded Files..."
 echo "Backup done. Pruning Nextcloud Uploaded Files..."
 /usr/bin/borg prune -v --list --keep-daily=7 --keep-weekly=7 --keep-monthly=10 --keep-yearly=5 -a "data_*" ${BACKUP_REPO}
 
+echo "Compacting repo..."
+/usr/bin/borg compact ${BACKUP_REPO}
+
 echo "Done"

backups/nginx-proxy.sh

@@ -12,4 +12,7 @@ echo "Starting Backup of nginx-proxy data..."
 echo "Backup done. Pruning backup-repo..."
 /usr/bin/borg prune -v --list --keep-daily=7 --keep-weekly=7 --keep-monthly=10 --keep-yearly=5 ${BACKUP_REPO}
 
+echo "Compacting repo..."
+/usr/bin/borg compact ${BACKUP_REPO}
+
 echo "Done"

docker-containers/gitea/docker-compose.yml

@@ -30,26 +30,12 @@ services:
       - GITEA__openid__ENABLE_OPENID_SIGNUP=true
       - GITEA__service__DISABLE_REGISTRATION=false
       - GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
-      - GITEA__service__REGISTER_EMAIL_CONFIRM=false
-      - GITEA__service__ENABLE_CAPTCHA=false
-      - GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
       - VIRTUAL_HOST=git.cttue.de
       - VIRTUAL_PORT=3000
       - LETSENCRYPT_HOST=git.cttue.de
     restart: always
-    labels:
-      - traefik.enable=true
-      - traefik.docker.network=traefik
-      - traefik.http.routers.git.entrypoints=web-secure
-      - traefik.http.routers.git.service=git
-      - traefik.http.routers.git.rule=Host(`git.cttue.de`)
-      - traefik.http.routers.git.tls=true
-      - traefik.http.routers.git.tls.certResolver=default
-      - traefik.http.routers.git.tls.domains[0]=cttue.de
-      - traefik.http.routers.git.tls.domains[0].sans=git.cttue.de
-      - traefik.http.services.git.loadbalancer.server.port=3000
     networks:
-      - traefik
+      - cttue_web_services
       - gitea
     ports:
       - 127.0.0.1:2222:22
@@ -61,6 +47,6 @@ services:
 
 
 networks:
-  gitea:
+  cttue_web_services:
-  traefik:
     external: true
+  gitea:

docker-containers/nextcloud/docker-compose.yml

@@ -15,7 +15,7 @@ services:
       backend:
 
   app:
-    image: nextcloud
+    image: nextcloud:32-apache
     restart: always
     environment:
       - MYSQL_PASSWORD=nextcloud
@@ -55,3 +55,4 @@ networks:
   backend:
   traefik:
     external: true
+

docker-containers/pad/docker-compose.yml

@@ -40,21 +40,33 @@ services:
       - VIRTUAL_PORT=3000
       - LETSENCRYPT_HOST=pad.cttue.de
     labels:
-      - traefik.enable=true
+      - "traefik.enable=true"
-      - traefik.docker.network=traefik
+
-      - traefik.http.routers.pad.entrypoints=web-secure
+      # Router for HTTP (redirects to HTTPS)
-      - traefik.http.routers.pad.service=pad
+      - "traefik.http.routers.pad.rule=Host(`pad.cttue.de`)"
-      - traefik.http.routers.pad.rule=Host(`pad.cttue.de`)
+      - "traefik.http.routers.pad.entrypoints=web"
-      - traefik.http.routers.pad.tls=true
+      - "traefik.http.routers.pad.middlewares=redirect-to-https"
-      - traefik.http.routers.pad.tls.certResolver=default
+
-      - traefik.http.routers.pad.tls.domains[0]=pad.cttue.de
+      # Router for HTTPS
-      - traefik.http.routers.pad.tls.domains[0].sans=test.pad.cttue.de
+      - "traefik.http.routers.pad-secure.rule=Host(`pad.cttue.de`)"
-      - traefik.http.services.pad.loadbalancer.server.port=3000
+      - "traefik.http.routers.pad-secure.entrypoints=websecure"
+      - "traefik.http.routers.pad-secure.tls.certresolver=http"
+
+      # Define service and backend port (matching old upstream: port 3000)
+      - "traefik.http.services.pad.loadbalancer.server.port=3000"
+
+      # Redirect middleware (HTTP -> HTTPS)
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+      # Security Headers (Optional, mimics your Nginx security settings)
+      - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
+      - "traefik.docker.network=cttue_web_services"
     volumes:
       - ./uploads:/hedgedoc/public/uploads
     networks:
       cttue_web_services:
-      traefik:
     restart: always
     depends_on:
       - database
@@ -62,5 +74,3 @@ services:
 networks:
   cttue_web_services:
     external: true
-  traefik:
-    external: true

matrix-docker-ansible/inventory/host_vars/matrix.cttue.de/vars.yml

@@ -15,8 +15,8 @@ matrix_server_fqn_element: "element.cttue.de"
 matrix_homeserver_implementation: synapse
 
 # docker already installed
-matrix_docker_installation_enabled: true
+#matrix_docker_installation_enabled: true # this one was changed during the upgrade - 30. Jan 2025 - Cal
-
+matrix_playbook_docker_installation_enabled: true
 # A secret used as a base, for generating various other secrets.
 # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
 matrix_homeserver_generic_secret_key: "0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iUET5UXgG3ku8IPbVsDvxKICQ"
@@ -25,56 +25,59 @@ matrix_homeserver_generic_secret_key: "0XbMAGWcegWsDGdIwMDsZ11TF0Aeh4JEzSo5mC5iU
 #
 # The playbook creates additional Postgres users and databases (one for each enabled service)
 # using this superuser account.
-matrix_postgres_connection_password: "SIHm7TtFF1ntGxKu"
+postgres_connection_password: "SIHm7TtFF1ntGxKu"
 
 #################### jwilder/nginx-proxy related ###################
 
 # Disable generation and retrieval of SSL certs
-matrix_ssl_retrieval_method: none
+# matrix_ssl_retrieval_method: none # this one was changed during the upgrade - 30. Jan 2025 - Cal
 
 # Configure Nginx to only use plain HTTP
-matrix_nginx_proxy_https_enabled: false
+# matrix_nginx_proxy_https_enabled: false # this one was changed during the upgrade - 30. Jan 2025 - Cal
 
 # Don't bind any HTTP or federation port to the host
-matrix_nginx_proxy_container_http_host_bind_port: ""
+# matrix_nginx_proxy_container_http_host_bind_port: "" # this one was changed during the upgrade - 30. Jan 2025 - Cal
-matrix_nginx_proxy_container_federation_host_bind_port: ""
+# matrix_nginx_proxy_container_federation_host_bind_port: "" # this one was changed during the upgrade - 30. Jan 2025 - Cal
 
 # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
-matrix_nginx_proxy_trust_forwarded_proto: true
+# matrix_nginx_proxy_trust_forwarded_proto: true # this one was changed during the upgrade - 30. Jan 2025 - Cal
 
 # Trust and use the other reverse proxy's `X-Forwarded-For` header.
-matrix_nginx_proxy_x_forwarded_for: "$proxy_add_x_forwarded_for"
+# matrix_nginx_proxy_x_forwarded_for: "$proxy_add_x_forwarded_for" # this one was changed during the upgrade - 30. Jan 2025 - Cal
 
 # Disable Coturn because it needs SSL certs
 # (Clients can, though exposing IP address, use Matrix.org TURN)
-matrix_coturn_enabled: true
+coturn_enabled: true
-matrix_coturn_turn_external_ip_address: "89.163.204.197"
+coturn_turn_external_ip_address: "89.163.204.197"
-matrix_coturn_turn_udp_min_port: 49152
+coturn_turn_udp_min_port: 49152
-matrix_coturn_turn_udp_max_port: 49272
+coturn_turn_udp_max_port: 49272
-matrix_coturn_container_extra_arguments:
+coturn_container_extra_arguments:
   - '-e "VIRTUAL_HOST=turn.cttue.de"'
   - '-e "VIRTUAL_PORT=3478"'
   - '-e "LETSENCRYPT_HOST=turn.cttue.de"'
 
-matrix_coturn_container_additional_volumes:
+coturn_container_additional_volumes:
   - {
       "src": "/srv/docker-containers/nginx-proxy/certs/turn.cttue.de",
       "dst": "/certs",
       "options": "ro",
     }
 
-matrix_coturn_tls_enabled: false
+coturn_tls_enabled: false
-matrix_coturn_tls_cert_path: "/certs/fullchain.pem"
+coturn_tls_cert_path: "/certs/fullchain.pem"
-matrix_coturn_tls_key_path: "/certs/key.pem"
+coturn_tls_key_path: "/certs/key.pem"
 
 # All containers need to be on the same Docker network as nginx-proxy
-matrix_docker_network: "cttue_web_services"
+#matrix_docker_network: "cttue_web_services" # this one was changed during the upgrade - 30. Jan 2025 - Cal
-matrix_coturn_docker_network: "cttue_web_services"
+matrix_homeserver_container_network: "cttue_web_services"
+# matrix_coturn_docker_network: "cttue_web_services" # this one was changed during the upgrade - 30. Jan 2025 - Cal
+coturn_container_network: "cttue_web_services"
 
-matrix_nginx_proxy_container_extra_arguments:
+# this one was changed during the upgrade - 30. Jan 2025 - Cal
-  - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
+# matrix_nginx_proxy_container_extra_arguments:
-  - '-e "VIRTUAL_PORT=8080"'
+#  - '-e "VIRTUAL_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
-  - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
+#  - '-e "VIRTUAL_PORT=8080"'
+#  - '-e "LETSENCRYPT_HOST={{ matrix_server_fqn_matrix }},{{ matrix_server_fqn_element }}"'
 
 # change federation to 443
 matrix_synapse_http_listener_resource_names: ["client", "federation"]
@@ -85,7 +88,7 @@ matrix_synapse_federation_port_enabled: false
 matrix_synapse_allow_public_rooms_over_federation: true
 
 # Enable synapse-admin
-matrix_synapse_admin_enabled: true
+matrix_ketesa_enabled: true
 
 # Mautrix Signal Bridge
 matrix_mautrix_signal_enabled: true
@@ -115,3 +118,7 @@ matrix_synapse_configuration_extension_yaml: |
           email_template: "{% raw %}{{ user.email }}{% endraw %}"
 
 
+# config for traefik
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+traefik_config_certificatesResolvers_acme_email: pascal@cttue.de
+matrix_playbook_migration_validated_version: v2026.04.24.0