Commit Graph

55 Commits

Author SHA1 Message Date
Slavi Pantaleev
43fd3cc274 Move mautrix-facebook into a separate role 2019-05-15 09:34:31 +09:00
Slavi Pantaleev
bb816df557 Move mautrix telegram and whatsapp into separate roles
The goal is to move each bridge into its own separate role.
This commit starts off the work on this with 2 bridges:
- mautrix-telegram
- mautrix-whatsapp

Each bridge's role (including these 2) is meant to:

- depend only on the matrix-base role

- integrate nicely with the matrix-synapse role (if available)

- integrate nicely with the matrix-nginx-proxy role (if available and if
required). mautrix-telegram bridge benefits from integrating with
it.

- not break if matrix-synapse or matrix-nginx-proxy are not used at all

This has been provoked by #174 (Github Issue).
2019-05-14 23:47:22 +09:00
Slavi Pantaleev
216cdf8c74
Merge pull request #166 from izissise/mautrix-facebook
Mautrix facebook
2019-05-09 10:05:14 +03:00
Dan Arnfield
958ad68078 Add registrations_require_3pid synapse option 2019-05-08 12:29:18 -05:00
Hugues Morisset
a82d5ed281 Add tulir mautrix-facebook (https://github.com/tulir/mautrix-facebook) 2019-05-08 17:11:07 +02:00
Hugues De Keyzer
c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Slavi Pantaleev
0e7310fd7c
Merge pull request #164 from TheLastProject/fix/string_before_to_json
string before to_json when string value is expected
2019-05-07 10:41:41 +03:00
Sylvia van Os
9ea593df37 Fix incorrect casts 2019-05-07 09:35:51 +02:00
Sylvia van Os
ed0ecf5bea string before to_json when string value is expected
This prevents Ansible from sometimes failing to decrypt vault variables
2019-05-06 10:10:27 +02:00
Slavi Pantaleev
e0b7b4dc61
Merge pull request #159 from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
Slavi Pantaleev
6bea3237c9
Merge pull request #163 from aaronraimist/synapse-0.99.3.1
Update Synapse (0.99.3 -> 0.99.3.1)
2019-05-03 22:10:20 +03:00
Aaron Raimist
d1646bb497
Update Synapse (0.99.3 -> 0.99.3.1) 2019-05-03 12:07:58 -05:00
Sylvia van Os
75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Sylvia van Os
bf77f776a2 Add variable to disable homeserver url preview 2019-04-30 13:58:48 +02:00
Ciaran Ainsworth
8624cf4a57 Fixed default url preview settings 2019-04-26 14:11:40 +01:00
Slavi Pantaleev
892abdc700 Do not refer to Synapse as "Matrix Synapse" 2019-04-23 10:20:56 +03:00
Lyubomir Popov
eab8f31eed Add additional room config options:
- matrix_enable_room_list_search - Controls whether searching the public room list is enabled.
 - matrix_alias_creation_rules - Controls who's allowed to create aliases on this server.
 - matrix_room_list_publication_rules - Controls who can publish and which rooms can be published in the public room list.
2019-04-16 12:40:38 +03:00
Slavi Pantaleev
9a05b030cb Fix unknown tag error when generating Goofys service
`{% matrix_s3_media_store_custom_endpoint_enabled %}` should have
been `{% if matrix_s3_media_store_custom_endpoint_enabled %}` instead.

Related to #132 (Github Pull Request).
2019-04-10 08:45:52 +03:00
Alexander Acevedo
6cc6638098
revert 3953705682
that's not how it works
2019-04-05 06:01:58 -04:00
Alexander Acevedo
3953705682
add custom endpoint environment variable 2019-04-05 05:56:36 -04:00
Alexander Acevedo
3ffb03f20e
missing whitespace 2019-04-05 05:54:58 -04:00
Alexander Acevedo
c55e49d733
add custom endpoint to matrix-goofys.service.j2
This (should) check if custom endpoint is enabled.
2019-04-05 05:48:31 -04:00
Slavi Pantaleev
631b7cc6a6 Add support for adjusting Synapse rate-limiting configuration 2019-04-01 21:40:14 +03:00
Slavi Pantaleev
77359ae867 Synchronize Synapse config with the sample from 0.99.3 2019-04-01 21:22:05 +03:00
Slavi Pantaleev
e65514223e
Merge branch 'master' into update-homeserver-yaml 2019-03-17 20:53:52 +02:00
Slavi Pantaleev
2f1662626e Use |to_json for matrix_synapse_push_include_content
Doing this for consistency.

Related to #117 (Github Pull Request).
2019-03-17 20:51:12 +02:00
Aaron Raimist
ae912c4529
Update homeserver.yaml with some new options we could enable 2019-03-16 15:51:41 -05:00
Lee Verberne
71c7c74b7b Allow configuring push content for matrix-synapse
This allows overriding the default value for `include_content`. Setting
this to false allows homeserver admins to ensure that message content
isn't sent in the clear through third party servers.
2019-03-16 07:16:20 +01:00
Plailect
f6de3fd668
Start appservice-irc as non-root 2019-03-12 13:17:51 -04:00
Slavi Pantaleev
62e2acada5
Merge pull request #104 from dangersalad/master
allow exposing mautrix_telegram port
2019-03-08 08:50:05 +02:00
paulbdavis
17e86ba817 implement requested changes 2019-03-07 12:45:58 -07:00
Lionstiger
c2834d2226 running as matrix user from the start 2019-03-04 16:26:19 +01:00
Lionstiger
835c349275 Add matrix-appservice-discord bridge
Bridge is setup to work on the matrix side with this, but the discord invite link is not automatically generated.
2019-03-03 18:22:52 +01:00
paulbdavis
f2a2cad107 allow exposing mautrix_telegram port 2019-03-01 16:05:01 -07:00
Slavi Pantaleev
a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev
eb08e20418 Upgrade Synapse (0.99.0 -> 0.99.1) and sync config
`matrix_synapse_no_tls` is now implicit, so we've gotten rid of it.

The `homeserver.yaml.j2` template has been synchronized with the
configuration generated by Synapse v0.99.1 (some new options
are present, etc.)
2019-02-14 18:40:55 +02:00
Slavi Pantaleev
42c4de348c Revert "Bind metrics on :: too"
This reverts commit 536c85619f.

Looks like binding metrics on IPv6 (`::`) fails with an error:

socket.gaierror: [Errno -2] Name does not resolve
2019-02-09 13:21:18 +02:00
Slavi Pantaleev
536c85619f Bind metrics on :: too
For consistency with all our other listeners,
we make this one bind on the `::` address too
(both IPv4 and IPv6).

Additional details are in #91 (Github Pull Request).
2019-02-06 14:24:10 +02:00
Slavi Pantaleev
91a757c581 Add support for reloading Synapse 2019-02-06 09:25:13 +02:00
Slavi Pantaleev
5db692f877 Remove some useless homeserver.yaml configuration 2019-02-05 14:02:01 +02:00
Slavi Pantaleev
f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Aaron Raimist
58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
dhose
87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Plailect
5e1d96c727
Add matrix_appservice_irc_container_expose_client_server_api_port 2019-01-31 11:20:45 -05:00
Plailect
3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev
0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev
bf10331456 Make mautrix-whatsapp run as non-root and w/o capabilities 2019-01-28 15:55:58 +02:00
Slavi Pantaleev
8a3f942d93 Make mautrix-telegram run as non-root and w/o capabilities 2019-01-28 15:40:16 +02:00
Slavi Pantaleev
316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
Slavi Pantaleev
299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00