Commit Graph

357 Commits

Author SHA1 Message Date
Michael
4c882c513b initial PR 2021-02-20 17:19:17 +08:00
Slavi Pantaleev
eaea215282 Allow Synapse workers to be used with an external nginx webserver
We're talking about a webserver running on the same machine, which
imports the configuration files generated by the `matrix-nginx-proxy`
in the `/matrix/nginx-proxy/conf.d` directory.

Users who run an nginx webserver on some other machine will need to do
something different.
2021-02-19 11:36:48 +02:00
Slavi Pantaleev
d6c4d41c2b Define instanceId property on workers
This give us the possibility to run multiple instances of
workers that that don't expose a port.

Right now, we don't support that, but in the future we could
run multiple `federation_sender` or `pusher` workers, without
them fighting over naming (previously, they'd all be named
something like `matrix-synapse-worker-pusher-0`, because
they'd all define `port` as `0`).
2021-02-18 18:19:51 +02:00
Slavi Pantaleev
5cfeae806b Merge branch 'master' into synapse-workers 2021-02-14 13:00:57 +02:00
Slavi Pantaleev
894679750e
Merge pull request #862 from s-thom/nginx-additional
Add additional domains for Let's Encrypt certificates to be obtained
2021-02-14 11:05:25 +02:00
Slavi Pantaleev
a8e9f35708 Touch up documentation a bit 2021-02-14 11:05:05 +02:00
Peetz0r
989100b1c1 Grafana nginx proxy config 2021-02-10 22:54:14 +01:00
Stuart Thomson
064b2e533c Add variable for extra domains to get LE certs for
I felt that adding another variable was probably going to be the easiest way to do this. I may end up adding another variable to enable this feature, for consistency with some of the other things.
2021-02-06 20:02:39 +13:00
Slavi Pantaleev
889b299bc2
Merge pull request #804 from pushytoxin/matrix-etherpad
Self-hosted Etherpad
2021-01-31 09:55:46 +02:00
Slavi Pantaleev
26b287bd17 Upgrade certbot (1.10.1 -> 1.11.0) 2021-01-27 21:51:46 +02:00
Slavi Pantaleev
d98a1ceadd Merge branch 'master' into synapse-workers 2021-01-27 10:27:17 +02:00
Slavi Pantaleev
512f42aa76 Do not report docker kill/rm attempts as errors
These are just defensive cleanup tasks that we run.
In the good case, there's nothing to kill or remove, so they trigger an
error like this:

> Error response from daemon: Cannot kill container: something: No such container: something

and:

> Error: No such container: something

People often ask us if this is a problem, so instead of always having to
answer with "no, this is to be expected", we'd rather eliminate it now
and make logs cleaner.

In the event that:
- a container is really stuck and needs cleanup using kill/rm
- and cleanup fails, and we fail to report it because of error
suppression (`2>/dev/null`)

.. we'd still get an error when launching ("container name already in use .."),
so it shouldn't be too hard to investigate.
2021-01-27 10:22:46 +02:00
Béla Becker
7bc9be95cb Add map directive to the base of nginx.conf
This needs to be added for WebSocket upgrades to work properly (see doc:
http://nginx.org/en/docs/http/websocket.html)
2021-01-26 05:04:47 +01:00
Slavi Pantaleev
778b66876c Merge branch 'master' into synapse-workers 2021-01-25 14:56:55 +02:00
Slavi Pantaleev
70796703d3 Run Synapse workers in their own containers
This switches the `docker exec` method of spawning
Synapse workers inside the `matrix-synapse` container with
dedicated containers for each worker.

We also have dedicated systemd services for each worker,
so this are now:
- more consistent with everything else (we don't use systemd
instantiated services anywhere)
- we don't need the "parse systemd instance name into worker name +
port" part
- we don't need to keep track of PIDs manually
- we don't need jq (less depenendencies)
- workers dying would be restarted by systemd correctly, like any other
service
- `docker ps` shows each worker separately and we can observe resource
usage
2021-01-25 12:14:46 +02:00
Slavi Pantaleev
4d62a75f6f Get matrix-corporal to play nicely with a Synapse worker setup
We do this by creating one more layer of indirection.

First we reach some generic vhost handling matrix.DOMAIN.
A bunch of override rules are added there (capturing traffic to send to
ma1sd, etc). nginx-status and similar generic things also live there.

We then proxy to the homeserver on some other vhost (only Synapse being
available right now, but repointing this to Dendrite or other will be
possible in the future).
Then that homeserver-specific vhost does its thing to proxy to the
homeserver. It may or may not use workers, etc.

Without matrix-corporal, the flow is now:
1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf)
2. matrix-nginx-proxy/matrix-synapse.conf
3. matrix-synapse

With matrix-corporal enabled, it becomes:
1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf)
2. matrix-corporal
3. matrix-nginx-proxy/matrix-synapse.conf
4. matrix-synapse

(matrix-corporal gets injected at step 2).
2021-01-25 09:46:41 +02:00
Slavi Pantaleev
5ca68210cd Do not handle /_matrix/federation on client-server port, nor /_matrix/client stuff on federation port
I guess it didn't hurt to do it until now, but it's not great serving
federation APIs on the client-server API port, etc.

matrix-corporal doesn't work yet (still something to be solved in the
future), but its firewalling operations will also be sabotaged
by Client-Server APIs being served on the federation port (it's a way to get around its firewalling).
2021-01-24 22:22:57 +02:00
Slavi Pantaleev
8fa913dca7 Fix Ansible warning 2021-01-24 19:11:35 +02:00
Marcel Partap
183adec3d8 Merge remote-tracking branch 'origin/master' into synapse-workers 2021-01-23 15:04:11 +01:00
pushytoxin
d51ea25219 When validating LE certs, do not wait for a random time
While administering we will occasionally invoke this script interactively with the "non-interactive" switch still there, yet still sit at the desk waiting for 300 seconds for this timer to run out.

The systemd-timer already uses a 3h randomized delay for automatic renewals, which serves this purpose well.
2021-01-19 18:41:45 +01:00
Slavi Pantaleev
1692a28fe4 Work around annoying Docker warning about undefined $HOME
> WARNING: Error loading config file: .dockercfg: $HOME is not defined

.. which appeared in Docker 20.10.
2021-01-15 00:23:01 +02:00
Slavi Pantaleev
e1690722f7 Replace cronjobs with systemd timers
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/756

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/737

I feel like timers are somewhat more complicated and dirty (compared to
cronjobs), but they come with these benefits:

- log output goes to journald
- on newer systemd distros, you can see when the timer fired, when it
will fire, etc.
- we don't need to rely on cron (reducing our dependencies to just
systemd + Docker)

Cronjobs work well, but it's one more dependency that needs to be
installed. We were even asking people to install it manually
(in `docs/prerequisites.md`), which could have gone unnoticed.

Once in a while someone says "my SSL certificates didn't renew"
and it's likely because they forgot to install a cron daemon.

Switching to systemd timers means that installation is simpler
and more unified.
2021-01-14 23:35:50 +02:00
Slavi Pantaleev
05ca9357a8 Add .service suffix to systemd units list
We'll be adding `.timer` units later on, so it's good to be
more explicit.
2021-01-14 23:02:10 +02:00
Slavi Pantaleev
57ea43d8b0 Remove unused variable
This variable has been useless since 2019-01-08.
We probably don't need to check for its usage anymore,
given how much time has passed since then, but ..
2021-01-14 17:47:13 +02:00
Slavi Pantaleev
7a90eb6d4f Relocate some validation tasks 2021-01-14 17:00:46 +02:00
Marcel Partap
cd8100544b Merge remote-tracking branch 'origin/master' into synapse-workers
Sync with upstream
2021-01-08 20:58:50 +01:00
Slavi Pantaleev
f7ae050eaf Remove useless quotes around ssl_ciphers value
Not sure if it breaks with them or not, but no other directive
uses quotes and the nginx docs show examples without quotes,
so we're being consistent with all of that.
2021-01-08 21:22:44 +02:00
Slavi Pantaleev
5822ba0c01 Use a more natural if statement 2021-01-08 21:21:33 +02:00
Slavi Pantaleev
de6ecd8818
Update inaccurate comments 2021-01-08 21:15:14 +02:00
Agustin Ferrario
5156c63a76 Clean up code
Code was clean up and simplified to make it simpler and easier to
maintain. No features were modified.
2021-01-08 18:35:27 +01:00
Agustin Ferrario
25d423e6b6 Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent
naming.

`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.

The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
2021-01-08 11:32:10 +01:00
Agustin Ferrario
3cb71e7e84 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2021-01-03 13:18:21 +01:00
Dan Arnfield
10e0fa17ad Update nginx (1.19.5 -> 1.19.6) 2020-12-22 08:23:37 -06:00
louis
dcd4716636 add option to disable nginx access log 2020-12-21 21:26:49 +01:00
Agustin Ferrario
2082242499 Add matrix_nginx_proxy_ssl_config
A new variable called `matrix_nginx_proxy_ssl_config` is created for
configuring how the nginx proxy configures SSL. Also a new configuration
validation option and other auxiliary variables are created.

A new variable configuration called `matrix_nginx_proxy_ssl_config` is
created. This allow to set the SSL configuration easily using the
default options proposed by Mozilla. The default configuration is set to
"Intermediate", removing the weak ciphers used in the old
configurations.

The new variable can also be set to "Custom" for a more granular control.
This allows to set another three variables called:

- `matrix_nginx_proxy_ssl_protocols`,
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`
- `matrix_nginx_proxy_ssl_ciphers`

Also a new task is added to validate the SSL configuration variable.
2020-12-16 10:35:37 +01:00
Slavi Pantaleev
d08b27784f Fix systemd services autostart problem with Docker 20.10
The Docker 19.04 -> 20.10 upgrade contains the following change
in `/usr/lib/systemd/system/docker.service`:

```
-BindsTo=containerd.service
-After=network-online.target firewalld.service containerd.service
+After=network-online.target firewalld.service containerd.service multi-user.target
-Requires=docker.socket
+Requires=docker.socket containerd.service
Wants=network-online.target
```

The `multi-user.target` requirement in `After` seems to be in conflict
with our `WantedBy=multi-user.target` and `After=docker.service` /
`Requires=docker.service` definitions, causing the following error on
startup for all of our systemd services:

> Job matrix-synapse.service/start deleted to break ordering cycle starting with multi-user.target/start

A workaround which appears to work is to add `DefaultDependencies=no`
to all of our services.
2020-12-10 11:43:20 +02:00
Slavi Pantaleev
8c02f7b79b Upgrade services 2020-12-07 15:18:03 +02:00
Marcel Partap
851c25c47f matrix-synapse nginx template: fix invalid jinja comment syntax 2020-12-01 21:55:07 +01:00
Marcel Partap
b73ac965ac Merge remote-tracking branch 'origin/master' into synapse-workers 2020-12-01 21:24:26 +01:00
Slavi Pantaleev
b354155d7c Make JVB websockets reverse-proxying work 2020-11-27 17:57:15 +02:00
Slavi Pantaleev
d702e74079 Fix matrix-nginx-proxy static files mounting when SSL retrieval is none
Fixup for 12867e9f18.

This shouldn't have been caught in the `if`.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734
2020-11-26 18:40:15 +02:00
Slavi Pantaleev
12867e9f18 Do not try to mount /matrix/ssl when matrix_ssl_retrieval_method is 'none'
Since the switch from `-v` to `--mount` (in 1fca917ad1),
we've regressed when `matrix_ssl_retrieval_method == 'none'`.

In such a case, we don't create `/matrix/ssl` directories at all
and shouldn't be trying to mount them into the `matrix-nginx-proxy`
container.

Previously, with `-v`, Docker would auto-create them, effectively hiding
our mistake. Now that `--mount` doesn't do such auto-creation magic,
the `matrix-nginx-proxy` container was failing to start.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734
2020-11-26 09:55:26 +02:00
Slavi Pantaleev
75f9fde7a4 Remove some more -v usage
Continuation of 1fca917ad1.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/722
2020-11-25 10:49:59 +02:00
Slavi Pantaleev
1fca917ad1 Replace some -v instances with --mount
`-v` magically creates the source destination as a directory,
if it doesn't exist already. We'd like to avoid this magic
and the potential breakage that it might cause.

We'd rather fail while Docker tries to find things to `--mount`
than have it automatically create directories and fail anyway,
while having contaminated the filesystem.

There's a lot more `-v` instances remaining to be fixed later on.
This is just some start.

Things like `matrix_synapse_container_additional_volumes` and
`matrix_nginx_proxy_container_additional_volumes` were not changed to
use `--mount`, as options for each one are passed differently
(`ro` is `ro`, but `rw` doesn't exist and `slave` is `bind-propagation=slave`).
To avoid breaking people's custom volume mounts, we keep it as it is for now.

A deficiency with `--mount` is that it lacks the `z` option (SELinux
ownership changes), and some of our `-v` instances use that. I'm not
sure how supported SELinux is for us right now, but it might be,
and breaking that would not be a good idea.
2020-11-24 10:26:05 +02:00
Slavi Pantaleev
ccabc82d4c Use more fully-qualified container images
This is both for consistency with 93cc71cb69976c
and for making things more obvious.
2020-11-14 23:01:11 +02:00
Marcel Partap
4678c5d7bd Merge remote-tracking branch 'origin/master' into synapse-workers
Also, replace vague FIXME by a proper NOTE on the complete
story of the user_dir endpoints..
2020-11-11 21:26:08 +01:00
Slavi Pantaleev
4d12a6f8e9
Merge pull request #681 from scottcrossen/slc/ddclient
Dynamic DNS
2020-11-10 23:54:21 +02:00
Slavi Pantaleev
1427286cec Integrate matrix-dynamic-dns with matrix-nginx-proxy without causing a dependency
We'd like the roles to be self-contained (as much as possible).

Thus, the `matrix-nginx-proxy` shouldn't reference any variables from
other roles. Instead, we rely on injection via
`group_vars/matrix_servers`.

Related to #681 (Github Pull Request)
2020-11-10 23:49:36 +02:00
Marcel Partap
b05d298ae4 synapse workers nginx rule: add client_max_body_size on media endpoints
so transfer limits are properly set in accord to the relevant setting
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719996778
2020-11-10 21:43:33 +01:00
Marcel Partap
e5072c20d9 synapse workers/nginx: handle media_repository worker endpoints on federation port
to prevent "404 on the federation port for the path `/_matrix/media`,
if a remote server is trying to get the media object on federation
port, see https://github.com/matrix-org/synapse/issues/8695 "

https://github.com/matrix-org/synapse/pull/8701
2020-11-10 20:35:39 +01:00
Slavi Pantaleev
235299939d Upgrade nginx (1.19.3 -> 1.19.4) 2020-11-10 09:30:00 +02:00
Scott Crossen
e894befd87 Updates to reviewer comments 2020-11-07 17:53:13 -08:00
Slavi Pantaleev
350c39d745 Update comment 2020-11-02 11:13:25 +02:00
Slavi Pantaleev
ef68d3d296 Add support for reverse-proxying /_synapse/oidc
This broke in 63a49bb2dc.

Proxying the OpenID Connect endpoints is now possible,
but needs to be enabled explicitly now.

Supersedes #702 (Github Pull Request).

This patch builds up on the idea from that Pull Request,
but does things in a cleaner way.
2020-11-02 11:10:03 +02:00
Slavi Pantaleev
9a46647010 Make https://matrix.DOMAIN/ redirect to https://element.DOMAIN/
Fixes #696 (Github Issue)
2020-10-28 10:39:12 +02:00
Slavi Pantaleev
4700e80389 Raise standalone default Matrix Client API client_max_body_size
We do this to match Synapse's new default "max_upload_size" (50MB).

This `matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb`
default value only affects standalone usage of the `matrix-nginx-proxy`
role. When the role is used in the context of the playbook,
the value is dynamically assigned from `group_vars/matrix_servers`.

Somewhat related to #692 (Github Issue).
2020-10-28 10:02:47 +02:00
Slavi Pantaleev
ef07aa8e5d Prevent certain nginx location blocks from being ignored
The regex introduced in 63a49bb2dc seems to take precedence
over the bare location blocks, causing a regression.

> It is important to understand that, by default, Nginx will serve regular expression matches in preference to prefix matches.
> However, it evaluates prefix locations first, allowing for the administer to override this tendency by specifying locations using the = and ^~ modifiers.

Source: https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms
2020-10-28 09:38:04 +02:00
Marcel Partap
2d1b9f2dbf synapse workers: reworkings + get endpoints from upstream docs via awk
(yes, a bit awkward and brittle… xD)
2020-10-28 07:13:19 +01:00
Slavi Pantaleev
63a49bb2dc Do not expose /_synapse/admin publicly by default
Fixes #685 (Github Issue).
2020-10-26 10:36:38 +02:00
Marcel Partap
87bd64ce9e Merge remote-tracking branch 'origin/master' into synapse-workers 2020-10-23 23:45:07 +02:00
Dan Arnfield
b65bfc38ce Update nginx (1.19.2 -> 1.19.3) 2020-10-14 06:23:33 -05:00
Slavi Pantaleev
d250727e8b Upgrade certbot (1.7.0 -> 1.9.0) 2020-10-13 09:44:32 +03:00
Max Klenk
fc2edcbecf
fix media routing 2020-09-18 10:45:01 +02:00
Max Klenk
132daba1af
fix worker routes 2020-09-18 10:18:32 +02:00
Max Klenk
9a3d84b931
Merge branch 'master' into feature/add-worker-support 2020-09-10 13:57:11 +02:00
Slavi Pantaleev
2a1ec38e3a Stop using Ansible's cron module
This is mainly to address SSL renewal not working for us due to:
- https://github.com/ansible/ansible/issues/71213
- https://github.com/ansible/ansible/pull/71207

Using the cron module was hacky anyway. We shouldn't need an extra
level of buggy abstraction to manage a cronjob file.
2020-09-06 10:49:19 +03:00
Max Klenk
06bc430c7c
refactor to use new workers and routes they serve 2020-08-28 13:53:39 +02:00
Max Klenk
59d1fb76b6
only apply worker redirects if workers are enabled 2020-08-27 15:25:32 +02:00
Max Klenk
567d0318b0
Merge branch 'synapse-workers' into feature/add-worker-support 2020-08-27 15:22:12 +02:00
Slavi Pantaleev
fc1655cd4b
Merge pull request #633 from thedanbob/certbot-1.7.0
Update certbot (1.6.0 -> 1.7.0)
2020-08-17 16:47:12 +03:00
Dan Arnfield
c8754f422a Update certbot (1.6.0 -> 1.7.0) 2020-08-16 15:01:13 -05:00
Dan Arnfield
8d373409b8 Update nginx (1.19.1 -> 1.19.2) 2020-08-16 14:59:48 -05:00
Justin Croonenberghs
31e2a1f06b
Undo ill-advised change
In #628 I proposed a CORS change that turns out not to be the root of the issue. Caffeine-addled diagnosis leads to sloppy thinking, and this change should be reverted. In fact, if left it will cause problems for new installations.
2020-08-09 14:20:37 -05:00
Justin Croonenberghs
c5d18733d2
Update CORS for ma1sd
Even with the v2 updates listed in #503 and partially addressed in #614, this is still needed to enable identity services to function with Element Desktop/Web. Testing on multiple clients with a clean config has confirmed this, at least for my installation.
2020-08-08 23:19:07 -05:00
Slavi Pantaleev
54195b22c7 Allow framing Jitsi
Hopefully fixes a regression caused by b106a9592e.

Related to #597 (Github Pull Request).
2020-08-04 16:08:11 +03:00
Slavi Pantaleev
3f8e5b4363 Allow framing Dimension
Fix regression since 2a50b8b6bb (#597).

Dimension is intended to be embedded in various clients,
be it the Element service that we host (at element.DOMAIN),
some other Element (element-desktop running locally), etc.
2020-07-25 07:08:32 +03:00
TwoTwenty
b106a9592e
Update matrix-jitsi.conf.j2 2020-07-22 10:39:24 -07:00
TwoTwenty
c97e7c5a3e
Update matrix-dimension.conf.j2 2020-07-22 10:39:07 -07:00
TwoTwenty
18ba885ca2
Update matrix-client-element.conf.j2 2020-07-22 10:38:50 -07:00
Slavi Pantaleev
c6ab1c6a90 Riot is now Element
Fixes #586 (Github Issue)
2020-07-17 11:31:20 +03:00
Dan Arnfield
c47a55d170 Update nginx (1.19.0 -> 1.19.1) and certbot (1.5.0 -> 1.6.0) 2020-07-16 06:34:14 -05:00
shadow
6293f1bdb0 Run all API self checks in check_mode 2020-07-04 15:24:33 +02:00
Slavi Pantaleev
65e5020596 Proxy other /_synapse endpoints to the client API
Besides /_synapse/admin, there are other things like
/_synapse/oidc, etc.

We should just proxy everything.

Fixes #534 (Github Issue).
2020-06-09 08:12:58 +03:00
Slavi Pantaleev
88a4a3ab55 Update components 2020-06-06 08:25:27 +03:00
Chris van Dijk
74df10633a Remove hardcoded command paths in playbook cron usage 2020-05-27 23:14:58 +02:00
Chris van Dijk
6e3b877dc2 Remove hardcoded command paths in playbook shell usage 2020-05-27 23:14:56 +02:00
Chris van Dijk
6334f6c1ea Remove hardcoded command paths in systemd unit files
Depending on the distro, common commands like sleep and chown may either
be located in /bin or /usr/bin.

Systemd added path lookup to ExecStart in v239, allowing only the
command name to be put in unit files and not the full path as
historically required. At least Ubuntu 18.04 LTS is however still on
v237 so we should maintain portability for a while longer.
2020-05-27 23:14:54 +02:00
Slavi Pantaleev
7a2dbdc2d7 Update components 2020-05-19 15:06:35 +03:00
Chris van Dijk
7585bcc4ac Allow the matrix user username and groupname to be configured separately
No migration steps should be required.
2020-05-01 19:59:32 +02:00
Slavi Pantaleev
554da8338a
Merge pull request #463 from hooger/architecture
Architecture
2020-04-20 16:45:59 +03:00
Marcel Partap
46984a4f99 Nginx conf: more testing less b0rk 2020-04-19 21:42:34 +02:00
Christoph Johannes Kleine
765c046beb
add missing ; to matrix-synapse.conf.j2 2020-04-19 19:50:42 +02:00
Marcel Partap
e4763c21bc nginx config: route traffic to workers on matrix-synapse
FIXME: horrid duplication in template file
2020-04-19 19:05:03 +02:00
Marcel Partap
a14b9c09ad Add to synapse nginx template conditional URL rewrites for workers
· 😅 How to keep this in sync with the matrix-synapse documentation?
· regex location matching is expensive
· nginx syntax limit: one location only per block / statement
· thus, lots of duplicate statements in this file
2020-04-19 19:05:03 +02:00
Dan Arnfield
e2de6a1569 Update nginx (1.17.9 -> 1.17.10) 2020-04-19 08:38:53 -05:00
Horvath Gergely
bd61598faf add experimental(?) architecture support for arm32 and arm64
the changes are necessary because certbot images are tagged, so docker does not recognize the necessary architecture
2020-04-18 22:55:19 +02:00
Chris van Dijk
d83236ea0e Fix inconsistent whitespace 2020-04-17 00:53:26 +02:00
Marcel Partap
874e2e1fc0 Rename variables (s/mxisd/ma1sd/) and adapt roles 2020-04-02 11:31:38 +02:00
Slavi Pantaleev
8bcc9712d0 Make follow_redirects configurable when checking /.well-known/matrix/client
Discussed in #101 (Github Issue).
2020-03-31 11:45:32 +03:00
Christian Wolf
8c9b5ea6dd Removed a few syntax bugs in Archlinux configuration 2020-03-28 13:00:01 +01:00
Christian Wolf
d84b2868b7 Added basic changes to make it compatible with Archlinux 2020-03-28 11:39:15 +01:00
mooomooo
eebc6e13f8 Made directory variables for /etc/systemd/system , /etc/cron.d , /usr/local/bin 2020-03-24 11:27:58 -07:00
Slavi Pantaleev
0f39cb9987 Fix incorrect server_name for Jitsi
Fixes #417 (Github Issue)
2020-03-24 17:57:39 +02:00
Slavi Pantaleev
cdd9ee1962 Add Jitsi support 2020-03-23 17:19:15 +02:00
Dan Arnfield
c7440b723a Update certbot (1.2.0 -> 1.3.0) 2020-03-18 06:54:10 -05:00
Dan Arnfield
4065d74a5f Update nginx (1.17.8 -> 1.17.9) 2020-03-18 06:53:59 -05:00
Slavi Pantaleev
da98a06553
Merge pull request #377 from thedanbob/certbot-1.2.0
Update certbot (1.0.0 -> 1.2.0)
2020-02-12 13:58:32 +01:00
Dan Arnfield
bb08022623 Update certbot (1.0.0 -> 1.2.0) 2020-02-12 06:56:25 -06:00
Dan Arnfield
74235df820 Update nginx (1.17.7 -> 1.17.8) 2020-02-12 06:52:11 -06:00
Daniel Hoffend
b280b05c25 matrix-nginx-proxy: adding additional configuration blocks 2020-02-10 23:42:41 +01:00
Slavi Pantaleev
f18037ae42 Disable TLSv1.1 by default 2020-01-30 12:56:20 +02:00
Dan Arnfield
86eff45e8b uri.follow_redirects is now a string field 2020-01-22 15:36:54 -06:00
Slavi Pantaleev
a84a24d9f5 Upgrade nginx (1.17.6 -> 1.17.7) 2020-01-11 17:32:02 +02:00
Slavi Pantaleev
89dbe5cfc5 Add the ability to control the certbot HTTP bind port
Fixes #330 (Github Issue).
2019-12-19 09:07:24 +02:00
Slavi Pantaleev
a78002f12b Upgrade certbot (0.40.1 -> 1.0.0) 2019-12-13 14:52:29 +02:00
Yuri Moens
0866f98957 Render vhost directives in https server block 2019-12-08 00:58:32 +01:00
Slavi Pantaleev
ca3b158d94 Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 11:53:15 +02:00
Dan Arnfield
24646dc506 Update nginx (1.17.5 -> 1.17.6) 2019-11-21 09:38:59 -06:00
Dan Arnfield
140002ed49 Update certbot (0.38.0 -> 0.40.1) 2019-11-13 15:19:38 -06:00
Dan Arnfield
9b187eca8f Update nginx (1.17.4 -> 1.17.5) 2019-10-29 11:08:56 -05:00
Paul Tötterman
aabb16d78b Fix spelling ngnix -> nginx 2019-10-04 11:07:37 +03:00
Slavi Pantaleev
810d0fb0e4 Make it possible to serve static websites from the base domain 2019-10-03 11:24:04 +03:00
Slavi Pantaleev
1dd1f9602f
Merge pull request #271 from thedanbob/certbot-0.38
Update certbot (0.37.1 -> 0.38.0)
2019-09-25 16:31:36 +03:00
Dan Arnfield
c12ca8fff0 Update certbot (0.37.1 -> 0.38.0) 2019-09-25 06:17:12 -05:00
Dan Arnfield
2dd9dc4882 Update nginx (1.17.3 -> 1.17.4) 2019-09-25 06:00:44 -05:00
Slavi Pantaleev
db57618abd Update nginx and certbot 2019-08-17 10:21:23 +03:00
Slavi Pantaleev
3e57a1463a Serve nginx status page over HTTPS as well
Continuation of #234 (Github Pull Request).

I had unintentionally updated the documentation for the feature,
saying the page is available at `https://matrix.DOMAIN/nginx_status`.

Looks like it wasn't the case, going against my expectations.

I'm correcting this with this patch.
The status page is being made available on both HTTP and HTTPS.
Serving over HTTP is likely necessary for services like
Longview
(https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)
2019-08-07 12:53:53 +03:00
p5t2vspoqqw
c32a3e3204 correct defaults 2019-08-07 10:56:29 +02:00
p5t2vspoqqw
4b8190dc3f serve status page for matrix.DOMAIN only 2019-08-07 10:54:14 +02:00
p5t2vspoqqw
51d5741bb3 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-08-05 09:34:30 +02:00
Slavi Pantaleev
6fc779dc83 Ensure matrix_ssl_retrieval_method value is valid
We recently had someone in the support room who set it to `false`
and the playbook ran without any issues.

This currently seems to yield the same result as 'none', but it's
better to avoid such behavior.
2019-08-02 11:59:10 +03:00
Dan Arnfield
9296dfd094 Update nginx (1.17.1 -> 1.17.2) 2019-07-24 06:21:37 -05:00
p5t2vspoqqw
5054fff88b Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-07-12 15:45:19 +02:00
Slavi Pantaleev
1316d36f8b Fix deprecation warning (using cron module without name) 2019-07-09 09:11:38 +03:00
p5t2vspoqqw
d88e261150 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-07-05 16:12:29 +02:00
Dan Arnfield
f83bbf8525 Bump nginx version 2019-07-04 22:59:21 -05:00
p5t2vspoqqw
9874c3df90 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-26 10:41:14 +02:00
Dan Arnfield
ae3a1bb148 Update nginx to 1.17.0 2019-06-24 13:10:58 -05:00
p5t2vspoqqw
8fcdac3738 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-12 10:10:52 +02:00
Slavi Pantaleev
7d3adc4512 Automatically force-pull :latest images
We do use some `:latest` images by default for the following services:
- matrix-dimension
- Goofys (in the matrix-synapse role)
- matrix-bridge-appservice-irc
- matrix-bridge-appservice-discord
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-whatsapp

It's terribly unfortunate that those software projects don't release
anything other than `:latest`, but that's how it is for now.

Updating that software requires that users manually do `docker pull`
on the server. The playbook didn't force-repull images that it already
had.

With this patch, it starts doing so. Any image tagged `:latest` will be
force re-pulled by the playbook every time it's executed.

It should be noted that even though we ask the `docker_image` module to
force-pull, it only reports "changed" when it actually pulls something
new. This is nice, because it lets people know exactly when something
gets updated, as opposed to giving the indication that it's always
updating the images (even though it isn't).
2019-06-10 14:30:28 +03:00
p5t2vspoqqw
4b657b3822 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-03 10:13:25 +02:00
Slavi Pantaleev
7d8dde8a53 Add support for proxying /_synapse/admin APIs
Fixes #191 (Github Issue).
2019-05-29 08:32:24 +03:00
Slavi Pantaleev
ab59cc50bd Add support for more flexible container port exposing
Fixes #171 (Github Issue).
2019-05-25 07:41:08 +09:00
p5t2vspoqqw
0cfa73f153 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-23 10:48:22 +02:00
Dan Arnfield
9c23d877fe Fix docker_image option for ansible < 2.8 2019-05-22 05:43:33 -05:00
Dan Arnfield
fa38c84be2 Fix casting int to string warning 2019-05-21 10:37:05 -05:00
Dan Arnfield
db15791819 Add source option to docker_image to fix deprecation warning 2019-05-21 10:29:12 -05:00
Dan Arnfield
3982f114af Fix CONDITIONAL_BARE_VARS deprecation warning in ansible 2.8 2019-05-21 10:25:59 -05:00
Slavi Pantaleev
5c821b581a Check fullchain.pem, not cert.pem
While using certbot means we'll have both files retrieved,
it's actually the fullchain.pem file that we use in nginx configuration.

Using that one for the check makes more sense.
2019-05-21 11:58:18 +09:00
Slavi Pantaleev
ae7c8d1524 Use SyslogIdentifier to improve logging
Reasoning is the same as for matrix-org/synapse#5023.

For us, the journal used to contain `docker` for all services, which
is not very helpful when looking at them all together (`journalctl -f`).
2019-05-16 09:43:46 +09:00
p5t2vspoqqw
4315b472af Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-09 09:34:09 +02:00
Dan Arnfield
171c6db41e Add option to proxy 3pid registration endpoints 2019-05-08 13:49:51 -05:00
Hugues De Keyzer
c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Slavi Pantaleev
e0b7b4dc61
Merge pull request #159 from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
p5t2vspoqqw
79ad60cf0a Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-02 14:31:18 +02:00
Slavi Pantaleev
0e391b5870 Add explicit |int casting for more variables
As discussed in #151 (Github Pull Request), it's
a good idea to not selectively apply casting, but to do it in all
cases involving arithmetic operations.
2019-04-30 18:26:03 +03:00
Sylvia van Os
75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Slavi Pantaleev
db977ea584
Merge pull request #151 from huguesdk/bugfix/nginx_proxy_tmpfs_size
Fix value of nginx-proxy tmpfs size
2019-04-29 09:00:37 +03:00
Slavi Pantaleev
7c246b4a99 Make error about unset matrix_ssl_lets_encrypt_support_email more descriptive
Previously, we'd show an error like this:

{"changed": false, "item": null, "msg": "Detected an undefined required variable"}

.. which didn't mention the variable name
(`matrix_ssl_lets_encrypt_support_email`).
2019-04-28 11:02:17 +03:00
Hugues De Keyzer
6aa6633ee7 Fix value of nginx-proxy tmpfs size
Use an int conversion in the computation of the value of
matrix_nginx_proxy_tmp_directory_size_mb, to have the integer value
multiplied by 50 instead of having the string repeated 50 times.
2019-04-27 21:54:21 +02:00
p5t2vspoqqw
af8beb3627 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-04-24 15:03:47 +02:00
Slavi Pantaleev
ec0f936227 Try SSL renewal more frequently and reload later
It doesn't hurt to attempt renewal more frequently, as it only does
real work if it's actually necessary.

Reloading, we postpone some more, because certbot adds some random delay
(between 1 and 8 * 60 seconds) when renewing. We want to ensure
we reload at least 8 minutes later, which wasn't the case.

To make it even safer (in case future certbot versions use a longer
delay), we reload a whole hour later. We're in no rush to start using
the new certificates anyway, especially given that we attempt renewal
often.

Somewhat fixes #146 (Github Issue)
2019-04-23 17:59:02 +03:00
p5t2vspoqqw
c2eabf2b9d Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-04-23 09:45:10 +02:00
p5t2vspoqqw
7ee6927ca9 add suggested change; correct indent 2019-04-23 09:44:02 +02:00
Slavi Pantaleev
18a562c000 Upgrade services 2019-04-21 08:57:49 +03:00
p5t2vspoqqw
deeefac84c add ngnix-status to config
add doc
2019-04-17 13:45:42 +02:00
Slavi Pantaleev
bec59c06bb Update images 2019-04-09 09:33:24 +03:00
Slavi Pantaleev
af1c9ae59d Do not force firewalld on people
In most cases, there's not really a need to touch the system
firewall, as Docker manages iptables by itself
(see https://docs.docker.com/network/iptables/).

All ports exposed by Docker containers are automatically whitelisted
in iptables and wired to the correct container.

This made installing firewalld and whitelisting ports pointless,
as far as this playbook's services are concerned.

People that wish to install firewalld (for other reasons), can do so
manually from now on.

This is inspired by and fixes #97 (Github Issue).
2019-04-03 11:37:20 +03:00
Slavi Pantaleev
95e4234dca Update nginx (1.15.9 -> 1.15.10) 2019-04-01 19:54:53 +03:00
Slavi Pantaleev
73af8f7bbb Make self-check not validate self-signed certificates
By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)
2019-03-22 09:41:08 +02:00
Lee Verberne
d90bc20690 Use common path for systemctl in lets encrypt cron
Currently the nginx reload cron fails on Debian 9 because the path to
systemctl is /bin/systemctl rather than /usr/bin/systemctl.

CentOS 7 places systemctl in both /bin and /usr/bin, so we can just use
/bin/systemctl as the full path.
2019-03-16 20:48:58 +01:00
Slavi Pantaleev
2d56ff0afa Skip some uninstall tasks if not necessary to run 2019-03-13 07:40:51 +02:00
Slavi Pantaleev
c545d3eb85 Add support for serving base domain via matrix-nginx-proxy 2019-03-12 23:01:16 +02:00
Slavi Pantaleev
e645b0e372 Rename matrix_nginx_proxy_data_path to matrix_nginx_proxy_base_path
`matrix_nginx_proxy_data_path` has always served as a base path,
so we're renaming it to reflect that.

Along with this, we're also introducing a new "data path" variable
(`matrix_nginx_proxy_data_path`), which is really a data path this time.
It's used for storing additional, non-configuration, files related to
matrix-nginx-proxy.
2019-03-12 23:01:16 +02:00
Slavi Pantaleev
6c5cc173b0 Fix permission mode for some files 2019-03-09 21:15:16 +02:00
Edgars Voroboks
9735a2f600 Implement self-hosted Dimension server 2019-03-07 07:22:08 +02:00
Slavi Pantaleev
6f6dff3e2b Update some Docker images 2019-03-03 12:27:43 +02:00
Slavi Pantaleev
45618679f5 Reload systemd services when they get updated
Fixes #69 (Github Issue)
2019-03-03 11:55:15 +02:00
Slavi Pantaleev
a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev
25bdc10617 Follow redirects for some well-known files
The Server spec says that redirects should be followed for
`/.well-known/matrix/server`. So we follow them.

The Client-Server specs doesn't mention redirects, so we don't
follow redirects there.
2019-02-25 21:03:33 +02:00
Slavi Pantaleev
550d398e6c Remove some unnecessary slashes 2019-02-20 21:21:20 +02:00
Slavi Pantaleev
119016e858 Cache /.well-known/matrix files for longer 2019-02-05 13:06:17 +02:00
Slavi Pantaleev
764a040a90 Make /.well-known/matrix/server optional
People who wish to rely on SRV records can prevent
the `/.well-known/matrix/server` file from being generated
(and thus, served.. which causes trouble).
2019-02-05 12:09:46 +02:00
Slavi Pantaleev
74710427e5 Allow for the federation port (tcp/8448)'s certificate to be changed
If someone decides to not use `/.well-known/matrix/server` and only
relies on SRV records, then they would need to serve tcp/8448 using
a certificate for the base domain (not for the matrix) domain.

Until now, they could do that by giving the certificate to Synapse
and setting it terminate TLS. That makes swapping certificates
more annoying (Synapse requires a restart to re-read certificates),
so it's better if we can support it via matrix-nginx-proxy.

Mounting certificates (or any other file) into the matrix-nginx-proxy container
can be done with `matrix_nginx_proxy_container_additional_volumes`,
introduced in 96afbbb5a.
2019-02-05 12:09:46 +02:00
Slavi Pantaleev
f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Slavi Pantaleev
e06e5dd208 Fix syntax breakage
Regression since 96afbbb5af
2019-02-05 12:09:33 +02:00
Slavi Pantaleev
96afbbb5af Allow additional volumes to be mounted into matrix-nginx-proxy
Certain use-cases may require that people mount additional files
into the matrix-nginx-proxy container. Similarly to how we do it
for Synapse, we are introducing a new variable that makes this
possible (`matrix_nginx_proxy_container_additional_volumes`).

This makes the htpasswd file for Synapse Metrics (introduced in #86,
Github Pull Request) to also perform mounting using this new mechanism.
Hopefully, for such an "extension", keeping htpasswd file-creation and
volume definition in the same place (the tasks file) is better.

All other major volumes' mounting mechanism remains the same (explicit
mounting).
2019-02-05 11:46:16 +02:00
Slavi Pantaleev
9a251e4e46 Remove some more references to localhost
Continuation of 1f0cc92b33.

As an explanation for the problem:
when saying `localhost` on the host, it sometimes gets resolved to `::1`
and sometimes to `127.0.0.1`. On the unfortunate occassions that
it gets resolved to `::1`, the container won't be able to serve the
request, because Docker containers don't have IPv6 enabled by default.

To avoid this problem, we simply prevent any lookups from happening
and explicitly use `127.0.0.1`.
2019-02-05 11:11:28 +02:00
Aaron Raimist
1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
Aaron Raimist
58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
Slavi Pantaleev
52d5e540c0 Fix ownership of generated self-signed certificates (root -> matrix) 2019-02-02 17:32:13 +02:00
dhose
87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Slavi Pantaleev
8681a5dc69 Add 'none' SSL certificate retrieval method 2019-02-01 16:50:25 +02:00
Slavi Pantaleev
cd332d9b4e Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
2019-02-01 11:49:22 +02:00
Slavi Pantaleev
c2b1cf7f93 Fix SSL renewal script
Regression since 299a8c4c7c
2019-01-31 09:43:09 +02:00
Slavi Pantaleev
0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev
9438402f61 Drop capabilities in a few more places
Continuation of 316d653d3e
2019-01-28 11:43:32 +02:00
Slavi Pantaleev
316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
Slavi Pantaleev
299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev
1a80058a2a Indent (non-YAML) using tabs
Fixes #83 (Github issue)
2019-01-26 09:37:29 +02:00