Commit Graph

156 Commits

Author SHA1 Message Date
Slavi Pantaleev
4d62a75f6f Get matrix-corporal to play nicely with a Synapse worker setup
We do this by creating one more layer of indirection.

First we reach some generic vhost handling matrix.DOMAIN.
A bunch of override rules are added there (capturing traffic to send to
ma1sd, etc). nginx-status and similar generic things also live there.

We then proxy to the homeserver on some other vhost (only Synapse being
available right now, but repointing this to Dendrite or other will be
possible in the future).
Then that homeserver-specific vhost does its thing to proxy to the
homeserver. It may or may not use workers, etc.

Without matrix-corporal, the flow is now:
1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf)
2. matrix-nginx-proxy/matrix-synapse.conf
3. matrix-synapse

With matrix-corporal enabled, it becomes:
1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf)
2. matrix-corporal
3. matrix-nginx-proxy/matrix-synapse.conf
4. matrix-synapse

(matrix-corporal gets injected at step 2).
2021-01-25 09:46:41 +02:00
Slavi Pantaleev
5ca68210cd Do not handle /_matrix/federation on client-server port, nor /_matrix/client stuff on federation port
I guess it didn't hurt to do it until now, but it's not great serving
federation APIs on the client-server API port, etc.

matrix-corporal doesn't work yet (still something to be solved in the
future), but its firewalling operations will also be sabotaged
by Client-Server APIs being served on the federation port (it's a way to get around its firewalling).
2021-01-24 22:22:57 +02:00
Marcel Partap
183adec3d8 Merge remote-tracking branch 'origin/master' into synapse-workers 2021-01-23 15:04:11 +01:00
Slavi Pantaleev
57ea43d8b0 Remove unused variable
This variable has been useless since 2019-01-08.
We probably don't need to check for its usage anymore,
given how much time has passed since then, but ..
2021-01-14 17:47:13 +02:00
Marcel Partap
cd8100544b Merge remote-tracking branch 'origin/master' into synapse-workers
Sync with upstream
2021-01-08 20:58:50 +01:00
Slavi Pantaleev
de6ecd8818
Update inaccurate comments 2021-01-08 21:15:14 +02:00
Agustin Ferrario
5156c63a76 Clean up code
Code was clean up and simplified to make it simpler and easier to
maintain. No features were modified.
2021-01-08 18:35:27 +01:00
Agustin Ferrario
25d423e6b6 Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent
naming.

`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.

The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
2021-01-08 11:32:10 +01:00
Agustin Ferrario
3cb71e7e84 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2021-01-03 13:18:21 +01:00
Dan Arnfield
10e0fa17ad Update nginx (1.19.5 -> 1.19.6) 2020-12-22 08:23:37 -06:00
louis
dcd4716636 add option to disable nginx access log 2020-12-21 21:26:49 +01:00
Agustin Ferrario
2082242499 Add matrix_nginx_proxy_ssl_config
A new variable called `matrix_nginx_proxy_ssl_config` is created for
configuring how the nginx proxy configures SSL. Also a new configuration
validation option and other auxiliary variables are created.

A new variable configuration called `matrix_nginx_proxy_ssl_config` is
created. This allow to set the SSL configuration easily using the
default options proposed by Mozilla. The default configuration is set to
"Intermediate", removing the weak ciphers used in the old
configurations.

The new variable can also be set to "Custom" for a more granular control.
This allows to set another three variables called:

- `matrix_nginx_proxy_ssl_protocols`,
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`
- `matrix_nginx_proxy_ssl_ciphers`

Also a new task is added to validate the SSL configuration variable.
2020-12-16 10:35:37 +01:00
Slavi Pantaleev
8c02f7b79b Upgrade services 2020-12-07 15:18:03 +02:00
Marcel Partap
b73ac965ac Merge remote-tracking branch 'origin/master' into synapse-workers 2020-12-01 21:24:26 +01:00
Slavi Pantaleev
ccabc82d4c Use more fully-qualified container images
This is both for consistency with 93cc71cb69976c
and for making things more obvious.
2020-11-14 23:01:11 +02:00
Marcel Partap
4678c5d7bd Merge remote-tracking branch 'origin/master' into synapse-workers
Also, replace vague FIXME by a proper NOTE on the complete
story of the user_dir endpoints..
2020-11-11 21:26:08 +01:00
Slavi Pantaleev
4d12a6f8e9
Merge pull request #681 from scottcrossen/slc/ddclient
Dynamic DNS
2020-11-10 23:54:21 +02:00
Slavi Pantaleev
1427286cec Integrate matrix-dynamic-dns with matrix-nginx-proxy without causing a dependency
We'd like the roles to be self-contained (as much as possible).

Thus, the `matrix-nginx-proxy` shouldn't reference any variables from
other roles. Instead, we rely on injection via
`group_vars/matrix_servers`.

Related to #681 (Github Pull Request)
2020-11-10 23:49:36 +02:00
Slavi Pantaleev
235299939d Upgrade nginx (1.19.3 -> 1.19.4) 2020-11-10 09:30:00 +02:00
Slavi Pantaleev
350c39d745 Update comment 2020-11-02 11:13:25 +02:00
Slavi Pantaleev
ef68d3d296 Add support for reverse-proxying /_synapse/oidc
This broke in 63a49bb2dc.

Proxying the OpenID Connect endpoints is now possible,
but needs to be enabled explicitly now.

Supersedes #702 (Github Pull Request).

This patch builds up on the idea from that Pull Request,
but does things in a cleaner way.
2020-11-02 11:10:03 +02:00
Slavi Pantaleev
9a46647010 Make https://matrix.DOMAIN/ redirect to https://element.DOMAIN/
Fixes #696 (Github Issue)
2020-10-28 10:39:12 +02:00
Slavi Pantaleev
4700e80389 Raise standalone default Matrix Client API client_max_body_size
We do this to match Synapse's new default "max_upload_size" (50MB).

This `matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb`
default value only affects standalone usage of the `matrix-nginx-proxy`
role. When the role is used in the context of the playbook,
the value is dynamically assigned from `group_vars/matrix_servers`.

Somewhat related to #692 (Github Issue).
2020-10-28 10:02:47 +02:00
Marcel Partap
2d1b9f2dbf synapse workers: reworkings + get endpoints from upstream docs via awk
(yes, a bit awkward and brittle… xD)
2020-10-28 07:13:19 +01:00
Slavi Pantaleev
63a49bb2dc Do not expose /_synapse/admin publicly by default
Fixes #685 (Github Issue).
2020-10-26 10:36:38 +02:00
Marcel Partap
87bd64ce9e Merge remote-tracking branch 'origin/master' into synapse-workers 2020-10-23 23:45:07 +02:00
Dan Arnfield
b65bfc38ce Update nginx (1.19.2 -> 1.19.3) 2020-10-14 06:23:33 -05:00
Slavi Pantaleev
d250727e8b Upgrade certbot (1.7.0 -> 1.9.0) 2020-10-13 09:44:32 +03:00
Max Klenk
fc2edcbecf
fix media routing 2020-09-18 10:45:01 +02:00
Max Klenk
132daba1af
fix worker routes 2020-09-18 10:18:32 +02:00
Max Klenk
06bc430c7c
refactor to use new workers and routes they serve 2020-08-28 13:53:39 +02:00
Slavi Pantaleev
fc1655cd4b
Merge pull request #633 from thedanbob/certbot-1.7.0
Update certbot (1.6.0 -> 1.7.0)
2020-08-17 16:47:12 +03:00
Dan Arnfield
c8754f422a Update certbot (1.6.0 -> 1.7.0) 2020-08-16 15:01:13 -05:00
Dan Arnfield
8d373409b8 Update nginx (1.19.1 -> 1.19.2) 2020-08-16 14:59:48 -05:00
Slavi Pantaleev
c6ab1c6a90 Riot is now Element
Fixes #586 (Github Issue)
2020-07-17 11:31:20 +03:00
Dan Arnfield
c47a55d170 Update nginx (1.19.0 -> 1.19.1) and certbot (1.5.0 -> 1.6.0) 2020-07-16 06:34:14 -05:00
Slavi Pantaleev
88a4a3ab55 Update components 2020-06-06 08:25:27 +03:00
Slavi Pantaleev
7a2dbdc2d7 Update components 2020-05-19 15:06:35 +03:00
Slavi Pantaleev
554da8338a
Merge pull request #463 from hooger/architecture
Architecture
2020-04-20 16:45:59 +03:00
Dan Arnfield
e2de6a1569 Update nginx (1.17.9 -> 1.17.10) 2020-04-19 08:38:53 -05:00
Horvath Gergely
bd61598faf add experimental(?) architecture support for arm32 and arm64
the changes are necessary because certbot images are tagged, so docker does not recognize the necessary architecture
2020-04-18 22:55:19 +02:00
Marcel Partap
874e2e1fc0 Rename variables (s/mxisd/ma1sd/) and adapt roles 2020-04-02 11:31:38 +02:00
Slavi Pantaleev
8bcc9712d0 Make follow_redirects configurable when checking /.well-known/matrix/client
Discussed in #101 (Github Issue).
2020-03-31 11:45:32 +03:00
Slavi Pantaleev
cdd9ee1962 Add Jitsi support 2020-03-23 17:19:15 +02:00
Dan Arnfield
c7440b723a Update certbot (1.2.0 -> 1.3.0) 2020-03-18 06:54:10 -05:00
Dan Arnfield
4065d74a5f Update nginx (1.17.8 -> 1.17.9) 2020-03-18 06:53:59 -05:00
Slavi Pantaleev
da98a06553
Merge pull request #377 from thedanbob/certbot-1.2.0
Update certbot (1.0.0 -> 1.2.0)
2020-02-12 13:58:32 +01:00
Dan Arnfield
bb08022623 Update certbot (1.0.0 -> 1.2.0) 2020-02-12 06:56:25 -06:00
Dan Arnfield
74235df820 Update nginx (1.17.7 -> 1.17.8) 2020-02-12 06:52:11 -06:00
Daniel Hoffend
b280b05c25 matrix-nginx-proxy: adding additional configuration blocks 2020-02-10 23:42:41 +01:00
Slavi Pantaleev
f18037ae42 Disable TLSv1.1 by default 2020-01-30 12:56:20 +02:00
Slavi Pantaleev
a84a24d9f5 Upgrade nginx (1.17.6 -> 1.17.7) 2020-01-11 17:32:02 +02:00
Slavi Pantaleev
89dbe5cfc5 Add the ability to control the certbot HTTP bind port
Fixes #330 (Github Issue).
2019-12-19 09:07:24 +02:00
Slavi Pantaleev
a78002f12b Upgrade certbot (0.40.1 -> 1.0.0) 2019-12-13 14:52:29 +02:00
Slavi Pantaleev
ca3b158d94 Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 11:53:15 +02:00
Dan Arnfield
24646dc506 Update nginx (1.17.5 -> 1.17.6) 2019-11-21 09:38:59 -06:00
Dan Arnfield
140002ed49 Update certbot (0.38.0 -> 0.40.1) 2019-11-13 15:19:38 -06:00
Dan Arnfield
9b187eca8f Update nginx (1.17.4 -> 1.17.5) 2019-10-29 11:08:56 -05:00
Paul Tötterman
aabb16d78b Fix spelling ngnix -> nginx 2019-10-04 11:07:37 +03:00
Slavi Pantaleev
810d0fb0e4 Make it possible to serve static websites from the base domain 2019-10-03 11:24:04 +03:00
Slavi Pantaleev
1dd1f9602f
Merge pull request #271 from thedanbob/certbot-0.38
Update certbot (0.37.1 -> 0.38.0)
2019-09-25 16:31:36 +03:00
Dan Arnfield
c12ca8fff0 Update certbot (0.37.1 -> 0.38.0) 2019-09-25 06:17:12 -05:00
Dan Arnfield
2dd9dc4882 Update nginx (1.17.3 -> 1.17.4) 2019-09-25 06:00:44 -05:00
Slavi Pantaleev
db57618abd Update nginx and certbot 2019-08-17 10:21:23 +03:00
p5t2vspoqqw
c32a3e3204 correct defaults 2019-08-07 10:56:29 +02:00
p5t2vspoqqw
51d5741bb3 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-08-05 09:34:30 +02:00
Dan Arnfield
9296dfd094 Update nginx (1.17.1 -> 1.17.2) 2019-07-24 06:21:37 -05:00
p5t2vspoqqw
d88e261150 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-07-05 16:12:29 +02:00
Dan Arnfield
f83bbf8525 Bump nginx version 2019-07-04 22:59:21 -05:00
p5t2vspoqqw
9874c3df90 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-26 10:41:14 +02:00
Dan Arnfield
ae3a1bb148 Update nginx to 1.17.0 2019-06-24 13:10:58 -05:00
p5t2vspoqqw
8fcdac3738 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-12 10:10:52 +02:00
Slavi Pantaleev
7d3adc4512 Automatically force-pull :latest images
We do use some `:latest` images by default for the following services:
- matrix-dimension
- Goofys (in the matrix-synapse role)
- matrix-bridge-appservice-irc
- matrix-bridge-appservice-discord
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-whatsapp

It's terribly unfortunate that those software projects don't release
anything other than `:latest`, but that's how it is for now.

Updating that software requires that users manually do `docker pull`
on the server. The playbook didn't force-repull images that it already
had.

With this patch, it starts doing so. Any image tagged `:latest` will be
force re-pulled by the playbook every time it's executed.

It should be noted that even though we ask the `docker_image` module to
force-pull, it only reports "changed" when it actually pulls something
new. This is nice, because it lets people know exactly when something
gets updated, as opposed to giving the indication that it's always
updating the images (even though it isn't).
2019-06-10 14:30:28 +03:00
p5t2vspoqqw
4315b472af Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-09 09:34:09 +02:00
Dan Arnfield
171c6db41e Add option to proxy 3pid registration endpoints 2019-05-08 13:49:51 -05:00
Slavi Pantaleev
e0b7b4dc61
Merge pull request #159 from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
p5t2vspoqqw
79ad60cf0a Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-02 14:31:18 +02:00
Slavi Pantaleev
0e391b5870 Add explicit |int casting for more variables
As discussed in #151 (Github Pull Request), it's
a good idea to not selectively apply casting, but to do it in all
cases involving arithmetic operations.
2019-04-30 18:26:03 +03:00
Sylvia van Os
75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Hugues De Keyzer
6aa6633ee7 Fix value of nginx-proxy tmpfs size
Use an int conversion in the computation of the value of
matrix_nginx_proxy_tmp_directory_size_mb, to have the integer value
multiplied by 50 instead of having the string repeated 50 times.
2019-04-27 21:54:21 +02:00
p5t2vspoqqw
c2eabf2b9d Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-04-23 09:45:10 +02:00
p5t2vspoqqw
7ee6927ca9 add suggested change; correct indent 2019-04-23 09:44:02 +02:00
Slavi Pantaleev
18a562c000 Upgrade services 2019-04-21 08:57:49 +03:00
p5t2vspoqqw
deeefac84c add ngnix-status to config
add doc
2019-04-17 13:45:42 +02:00
Slavi Pantaleev
bec59c06bb Update images 2019-04-09 09:33:24 +03:00
Slavi Pantaleev
95e4234dca Update nginx (1.15.9 -> 1.15.10) 2019-04-01 19:54:53 +03:00
Slavi Pantaleev
73af8f7bbb Make self-check not validate self-signed certificates
By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)
2019-03-22 09:41:08 +02:00
Slavi Pantaleev
c545d3eb85 Add support for serving base domain via matrix-nginx-proxy 2019-03-12 23:01:16 +02:00
Slavi Pantaleev
e645b0e372 Rename matrix_nginx_proxy_data_path to matrix_nginx_proxy_base_path
`matrix_nginx_proxy_data_path` has always served as a base path,
so we're renaming it to reflect that.

Along with this, we're also introducing a new "data path" variable
(`matrix_nginx_proxy_data_path`), which is really a data path this time.
It's used for storing additional, non-configuration, files related to
matrix-nginx-proxy.
2019-03-12 23:01:16 +02:00
Slavi Pantaleev
6c5cc173b0 Fix permission mode for some files 2019-03-09 21:15:16 +02:00
Edgars Voroboks
9735a2f600 Implement self-hosted Dimension server 2019-03-07 07:22:08 +02:00
Slavi Pantaleev
6f6dff3e2b Update some Docker images 2019-03-03 12:27:43 +02:00
Slavi Pantaleev
a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev
74710427e5 Allow for the federation port (tcp/8448)'s certificate to be changed
If someone decides to not use `/.well-known/matrix/server` and only
relies on SRV records, then they would need to serve tcp/8448 using
a certificate for the base domain (not for the matrix) domain.

Until now, they could do that by giving the certificate to Synapse
and setting it terminate TLS. That makes swapping certificates
more annoying (Synapse requires a restart to re-read certificates),
so it's better if we can support it via matrix-nginx-proxy.

Mounting certificates (or any other file) into the matrix-nginx-proxy container
can be done with `matrix_nginx_proxy_container_additional_volumes`,
introduced in 96afbbb5a.
2019-02-05 12:09:46 +02:00
Slavi Pantaleev
f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Slavi Pantaleev
96afbbb5af Allow additional volumes to be mounted into matrix-nginx-proxy
Certain use-cases may require that people mount additional files
into the matrix-nginx-proxy container. Similarly to how we do it
for Synapse, we are introducing a new variable that makes this
possible (`matrix_nginx_proxy_container_additional_volumes`).

This makes the htpasswd file for Synapse Metrics (introduced in #86,
Github Pull Request) to also perform mounting using this new mechanism.
Hopefully, for such an "extension", keeping htpasswd file-creation and
volume definition in the same place (the tasks file) is better.

All other major volumes' mounting mechanism remains the same (explicit
mounting).
2019-02-05 11:46:16 +02:00
Aaron Raimist
1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
dhose
87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Slavi Pantaleev
8681a5dc69 Add 'none' SSL certificate retrieval method 2019-02-01 16:50:25 +02:00
Slavi Pantaleev
cd332d9b4e Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
2019-02-01 11:49:22 +02:00