Commit Graph

4771 Commits

Author SHA1 Message Date
Hugues Morisset
a82d5ed281 Add tulir mautrix-facebook (https://github.com/tulir/mautrix-facebook) 2019-05-08 17:11:07 +02:00
Slavi Pantaleev
5f2f17cb1e
Merge pull request #160 from danbob/fix-matrix-mxisd-config
Fix template indentation
2019-05-08 08:01:00 +03:00
Hugues De Keyzer
c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Dan Arnfield
3abed49764 Fix jinja config for indented code blocks 2019-05-07 06:02:38 -05:00
Dan Arnfield
07e7d518d5 Revert "Fix template indentation"
This reverts commit 172d59ba05.
2019-05-07 05:57:20 -05:00
Slavi Pantaleev
0e7310fd7c
Merge pull request #164 from TheLastProject/fix/string_before_to_json
string before to_json when string value is expected
2019-05-07 10:41:41 +03:00
Sylvia van Os
9ea593df37 Fix incorrect casts 2019-05-07 09:35:51 +02:00
Sylvia van Os
ed0ecf5bea string before to_json when string value is expected
This prevents Ansible from sometimes failing to decrypt vault variables
2019-05-06 10:10:27 +02:00
Slavi Pantaleev
e0b7b4dc61
Merge pull request #159 from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
Slavi Pantaleev
1653e40239
Merge pull request #158 from lpopov/master
Add the ability to update user passwords with ansible
2019-05-05 10:21:45 +03:00
Slavi Pantaleev
6bea3237c9
Merge pull request #163 from aaronraimist/synapse-0.99.3.1
Update Synapse (0.99.3 -> 0.99.3.1)
2019-05-03 22:10:20 +03:00
Aaron Raimist
8051ea9ef9
Update Synapse (0.99.3.1 -> 0.99.3.2) 2019-05-03 13:34:45 -05:00
Aaron Raimist
d1646bb497
Update Synapse (0.99.3 -> 0.99.3.1) 2019-05-03 12:07:58 -05:00
Dan Arnfield
172d59ba05
Fix template indentation 2019-05-03 10:37:14 -05:00
Lyubomir Popov
c9a2380193 Merge remote-tracking branch 'upstream/master' 2019-05-03 11:05:03 +03:00
Lyubomir Popov
a206b65ed7 Use the '-p' non-interactive option to generate password hash instead of 'expect' 2019-05-03 11:02:17 +03:00
p5t2vspoqqw
79ad60cf0a Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-02 14:31:18 +02:00
Slavi Pantaleev
0e391b5870 Add explicit |int casting for more variables
As discussed in #151 (Github Pull Request), it's
a good idea to not selectively apply casting, but to do it in all
cases involving arithmetic operations.
2019-04-30 18:26:03 +03:00
Sylvia van Os
75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Lyubomir Popov
134faa3139 Add the ability to update user passwords with ansible (when using the matrix-postgres container). 2019-04-30 16:30:26 +03:00
Sylvia van Os
bf77f776a2 Add variable to disable homeserver url preview 2019-04-30 13:58:48 +02:00
Slavi Pantaleev
db977ea584
Merge pull request #151 from huguesdk/bugfix/nginx_proxy_tmpfs_size
Fix value of nginx-proxy tmpfs size
2019-04-29 09:00:37 +03:00
Slavi Pantaleev
7c246b4a99 Make error about unset matrix_ssl_lets_encrypt_support_email more descriptive
Previously, we'd show an error like this:

{"changed": false, "item": null, "msg": "Detected an undefined required variable"}

.. which didn't mention the variable name
(`matrix_ssl_lets_encrypt_support_email`).
2019-04-28 11:02:17 +03:00
Slavi Pantaleev
00ec22688a Upgrade mxisd (1.4.1 -> 1.4.2)
Looks like we may not have to do this,
since 1.4.2 fixes edge cases for people who used the broken
1.4.0 release.

We jumped straight to 1.4.1, so maybe we're okay.
Still, upgrading anyway, just in case.
2019-04-28 10:15:46 +03:00
Slavi Pantaleev
817c7143ca
Merge pull request #154 from aaronraimist/mxisd-1.4.1
Update mxisd (1.3.1 -> 1.4.1)
2019-04-28 09:00:47 +03:00
Slavi Pantaleev
528f537db7
Merge pull request #152 from huguesdk/bugfix/remove_hardcoded_values_in_remove_all
Remove hardcoded values in matrix-remove-all
2019-04-28 08:54:34 +03:00
Aaron Raimist
e42fe4b18c
Include Slavi's improvements to keep roles independent 2019-04-27 17:09:21 -05:00
Aaron Raimist
5586eaddef
Set Riot's enable_presence_by_hs_url to false if presence is disabled 2019-04-27 16:35:26 -05:00
Aaron Raimist
ed442af96f
Update mxisd (1.3.1 -> 1.4.1) 2019-04-27 16:28:40 -05:00
Hugues De Keyzer
1e344d5a7a Remove hardcoded values in matrix-remove-all
Use matrix_docker_network and matrix_base_data_path in matrix-remove-all
instead of hardcoded default values.
2019-04-27 22:12:05 +02:00
Hugues De Keyzer
6aa6633ee7 Fix value of nginx-proxy tmpfs size
Use an int conversion in the computation of the value of
matrix_nginx_proxy_tmp_directory_size_mb, to have the integer value
multiplied by 50 instead of having the string repeated 50 times.
2019-04-27 21:54:21 +02:00
Ciaran Ainsworth
8624cf4a57 Fixed default url preview settings 2019-04-26 14:11:40 +01:00
p5t2vspoqqw
e0bc86875b Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-04-26 14:30:51 +02:00
Slavi Pantaleev
f99b24f3be
Merge pull request #144 from dhoffend/welcome
make welcome.html customizable
2019-04-25 08:15:00 +03:00
Daniel Hoffend
ca15d219b9 make welcome.html customizable 2019-04-25 01:05:28 +02:00
p5t2vspoqqw
af8beb3627 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-04-24 15:03:47 +02:00
Slavi Pantaleev
ec0f936227 Try SSL renewal more frequently and reload later
It doesn't hurt to attempt renewal more frequently, as it only does
real work if it's actually necessary.

Reloading, we postpone some more, because certbot adds some random delay
(between 1 and 8 * 60 seconds) when renewing. We want to ensure
we reload at least 8 minutes later, which wasn't the case.

To make it even safer (in case future certbot versions use a longer
delay), we reload a whole hour later. We're in no rush to start using
the new certificates anyway, especially given that we attempt renewal
often.

Somewhat fixes #146 (Github Issue)
2019-04-23 17:59:02 +03:00
p5t2vspoqqw
c2eabf2b9d Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-04-23 09:45:10 +02:00
p5t2vspoqqw
7ee6927ca9 add suggested change; correct indent 2019-04-23 09:44:02 +02:00
Slavi Pantaleev
892abdc700 Do not refer to Synapse as "Matrix Synapse" 2019-04-23 10:20:56 +03:00
Slavi Pantaleev
39566aa7fe Generate a Synapse signing key file, if missing
The code used to check for a `homeserver.yaml` file and generate
a configuration (+ key) only if such a configuration file didn't exist.

Certain rare cases (setting up with one server name and then
changing to another) lead to `homeserver.yaml` being there,
but a `matrix.DOMAIN.signing.key` file missing (because the domain
changed).
A new signing key file would never get generated, because `homeserver.yaml`'s
existence used to be (incorrectly) satisfactory for us.

From now on, we don't mix things up like that.
We don't care about `homeserver.yaml` anymore, but rather
about the actual signing key.

The rest of the configuration (`homeserver.yaml` and
`matrix.DOMAIN.log.config`) is rebuilt by us in any case, so whether
it exists or not is irrelevant and doesn't need checking.
2019-04-23 10:06:42 +03:00
Slavi Pantaleev
18a562c000 Upgrade services 2019-04-21 08:57:49 +03:00
p5t2vspoqqw
deeefac84c add nginx-status to config
add doc
2019-04-17 13:45:42 +02:00
Lyubomir Popov
eab8f31eed Add additional room config options:
- matrix_enable_room_list_search - Controls whether searching the public room list is enabled.
- matrix_alias_creation_rules - Controls who's allowed to create aliases on this server.
- matrix_room_list_publication_rules - Controls who can publish and which rooms can be published in the public room list.
2019-04-16 12:40:38 +03:00
NullIsNot0
596f2ec1e2
Make Dimension communicate to Synapse through Docker network
Media is pulled from client side, so we specify external Matrix DNS name as mediaUrl
2019-04-14 16:09:29 +03:00
Slavi Pantaleev
9a05b030cb Fix unknown tag error when generating Goofys service
`{% matrix_s3_media_store_custom_endpoint_enabled %}` should have
been `{% if matrix_s3_media_store_custom_endpoint_enabled %}` instead.

Related to #132 (Github Pull Request).
2019-04-10 08:45:52 +03:00
Slavi Pantaleev
bec59c06bb Update images 2019-04-09 09:33:24 +03:00
Slavi Pantaleev
901516d806 Update matrix-corporal (1.3.0 -> 1.4.0) 2019-04-06 12:34:15 +03:00
Alexander Acevedo
6cc6638098
revert 3953705682
that's not how it works
2019-04-05 06:01:58 -04:00
Alexander Acevedo
3953705682
add custom endpoint environment variable 2019-04-05 05:56:36 -04:00
Alexander Acevedo
3ffb03f20e
missing whitespace 2019-04-05 05:54:58 -04:00
Alexander Acevedo
c55e49d733
add custom endpoint to matrix-goofys.service.j2
This (should) check if custom endpoint is enabled.
2019-04-05 05:48:31 -04:00
Alexander Acevedo
b5fbec8d83
add goofys custom
Creates the configuration variable to toggle custom endpoint and the default custom endpoint.
2019-04-05 05:33:38 -04:00
Slavi Pantaleev
af1c9ae59d Do not force firewalld on people
In most cases, there's not really a need to touch the system
firewall, as Docker manages iptables by itself
(see https://docs.docker.com/network/iptables/).

All ports exposed by Docker containers are automatically whitelisted
in iptables and wired to the correct container.

This made installing firewalld and whitelisting ports pointless,
as far as this playbook's services are concerned.

People that wish to install firewalld (for other reasons), can do so
manually from now on.

This is inspired by and fixes #97 (Github Issue).
2019-04-03 11:37:20 +03:00
Slavi Pantaleev
9202b2b8d9 Ensure systemd services are running when doing --tags=start
Fixes #129 (Github Issue).

Unfortunately, we rely on `service_facts`, which is only available
in Ansible >= 2.5.

There's little reason to stick to an old version such as Ansible 2.4:
- some time has passed since we've raised version requirements - it's
time to move into the future (a little bit)
- we've recently (in 82b4640072) improved the way one can run
Ansible in a Docker container

From now on, Ansible >= 2.5 is required.
2019-04-03 11:19:06 +03:00
NullIsNot0
64556569da
Update Riot Web from 1.0.5 to 1.0.6 2019-04-02 07:20:25 +03:00
Slavi Pantaleev
631b7cc6a6 Add support for adjusting Synapse rate-limiting configuration 2019-04-01 21:40:14 +03:00
Slavi Pantaleev
77359ae867 Synchronize Synapse config with the sample from 0.99.3 2019-04-01 21:22:05 +03:00
Slavi Pantaleev
95e4234dca Update nginx (1.15.9 -> 1.15.10) 2019-04-01 19:54:53 +03:00
Aaron Raimist
c6f1f7aa23
Update Synapse (0.99.2 -> 0.99.3) 2019-04-01 11:26:46 -05:00
Slavi Pantaleev
60b0ba379b Update riot-web (1.0.4 -> 1.0.5) 2019-03-22 20:36:23 +02:00
Slavi Pantaleev
d9c6884b6a Update mautrix-telegram (0.4.0 -> 0.5.1) 2019-03-22 18:50:41 +02:00
Slavi Pantaleev
73af8f7bbb Make self-check not validate self-signed certificates
By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)
2019-03-22 09:41:08 +02:00
Slavi Pantaleev
59e37105e8 Add TLS support to Coturn 2019-03-19 10:24:39 +02:00
Slavi Pantaleev
018aeed5e9 Add support for mounting additional volumes to matrix-coturn 2019-03-19 09:16:30 +02:00
Slavi Pantaleev
a50ea0f0a9 Update riot-web (1.0.3 -> 1.0.4) 2019-03-19 08:00:48 +02:00
Slavi Pantaleev
24cf27c60c Isolate Coturn from services in the default Docker network
Most (all?) of our Matrix services are running in the `matrix` network,
so they were safe -- not accessible from Coturn to begin with.

Isolating Coturn into its own network is a security improvement
for people who were starting other services in the default
Docker network. Those services were potentially reachable over the
private Docker network from Coturn.

Discussed in #120 (Github Pull Request)
2019-03-18 17:41:14 +02:00
Slavi Pantaleev
c6858d2a08 Define matrix_coturn_turn_external_ip_address in the playbook group vars
This is more explicit than hiding it in the role defaults.

People who reuse the roles in their own playbook (and not only) may
incorrectly define `ansible_host` to be a hostname or some local address.

Making it more explicit is more likely to prevent such mistakes.
2019-03-18 17:04:40 +02:00
Stuart Mumford
e367a2d0de
Add nulls for quotas as well 2019-03-18 11:58:52 +00:00
Stuart Mumford
9d236c5466
Add defaults for ips 2019-03-18 11:44:40 +00:00
Stuart Mumford
c0dc56324a
Add config options to turnserver.conf 2019-03-18 11:18:30 +00:00
Slavi Pantaleev
221703f257
Merge pull request #118 from verb/systemctl
Use common path for systemctl in lets encrypt cron
2019-03-17 20:55:40 +02:00
Slavi Pantaleev
e65514223e
Merge branch 'master' into update-homeserver-yaml 2019-03-17 20:53:52 +02:00
Slavi Pantaleev
2f1662626e Use |to_json for matrix_synapse_push_include_content
Doing this for consistency.

Related to #117 (Github Pull Request).
2019-03-17 20:51:12 +02:00
Aaron Raimist
ae912c4529
Update homeserver.yaml with some new options we could enable 2019-03-16 15:51:41 -05:00
Lee Verberne
d90bc20690 Use common path for systemctl in lets encrypt cron
Currently the nginx reload cron fails on Debian 9 because the path to
systemctl is /bin/systemctl rather than /usr/bin/systemctl.

CentOS 7 places systemctl in both /bin and /usr/bin, so we can just use
/bin/systemctl as the full path.
2019-03-16 20:48:58 +01:00
Lee Verberne
71c7c74b7b Allow configuring push content for matrix-synapse
This allows overriding the default value for `include_content`. Setting
this to false allows homeserver admins to ensure that message content
isn't sent in the clear through third party servers.
2019-03-16 07:16:20 +01:00
Lorrin Nelson
ceba99eed3 Make federation self-check conditional on matrix_synapse_federation_enabled 2019-03-13 22:33:52 -07:00
Slavi Pantaleev
2d56ff0afa Skip some uninstall tasks if not necessary to run 2019-03-13 07:40:51 +02:00
Slavi Pantaleev
b066f8a0d8 Do not try to start matrix-coturn.service if not enabled 2019-03-13 07:36:28 +02:00
Slavi Pantaleev
c545d3eb85 Add support for serving base domain via matrix-nginx-proxy 2019-03-12 23:01:16 +02:00
Slavi Pantaleev
e645b0e372 Rename matrix_nginx_proxy_data_path to matrix_nginx_proxy_base_path
`matrix_nginx_proxy_data_path` has always served as a base path,
so we're renaming it to reflect that.

Along with this, we're also introducing a new "data path" variable
(`matrix_nginx_proxy_data_path`), which is really a data path this time.
It's used for storing additional, non-configuration, files related to
matrix-nginx-proxy.
2019-03-12 23:01:16 +02:00
Plailect
f6de3fd668
Start appservice-irc as non-root 2019-03-12 13:17:51 -04:00
Edgars Voroboks
610eef82b5 Add option to enable Dimension widgets serve sites with self signed certs 2019-03-12 12:17:12 +02:00
Edgars Voroboks
1d8fd9792f Fix Matrix homeserver name in Dimension configuration 2019-03-11 20:05:52 +02:00
Slavi Pantaleev
4067e09409 Fix rare YAML parsing problems in Dimension config
It's been reported that YAML parsing errors
would occur on certain Ansible/Python combinations for some reason.

It appears that a bare `{{ matrix_dimension_admins }}` would sometimes
yield things like `[u'@user:domain.com', ..]` (note the `u` string prefix).

To prevent such problems, we now explicitly serialize with `|to_json`.
2019-03-10 22:23:06 +02:00
Slavi Pantaleev
6c5cc173b0 Fix permission mode for some files 2019-03-09 21:15:16 +02:00
Slavi Pantaleev
ecabe8f814
Merge pull request #107 from NullIsNot0/master
Implement self-hosted Dimension server
2019-03-09 20:59:52 +02:00
Edgars Voroboks
5f13a1e50b Generate Dimension config from variable 2019-03-09 19:08:00 +02:00
Edgars Voroboks
bcbfc1e838 Make Matrix Federation required and fix internal federationUrl 2019-03-09 10:30:31 +02:00
Edgars Voroboks
27772a6420 Point federationUrl to matrix-synapse container 2019-03-08 22:01:11 +02:00
Edgars Voroboks
b2263f811a Disable logging to file. Set console logging to verbose. 2019-03-08 22:00:05 +02:00
Edgars Voroboks
30738d064e Fix errors 2019-03-08 19:14:15 +02:00
Edgars Voroboks
1eb78ca93e Add additional changes for Dimension to work 2019-03-08 15:00:53 +02:00
Slavi Pantaleev
390ec8a599 Skip some tasks when not necessary to run them 2019-03-08 12:14:58 +02:00
Sylvia van Os
93992f7756
Fix indenting of generators value 2019-03-08 10:50:51 +01:00
Slavi Pantaleev
62e2acada5
Merge pull request #104 from dangersalad/master
allow exposing mautrix_telegram port
2019-03-08 08:50:05 +02:00
paulbdavis
17e86ba817 implement requested changes 2019-03-07 12:45:58 -07:00
Sylvia van Os
8cc420da15
Upgrade riot-web to v1.0.3 2019-03-07 13:53:33 +01:00
Sylvia van Os
f297ff506b Explain how to set the template variables 2019-03-07 13:34:07 +01:00
Sylvia van Os
0cd8b99b00 Add support for custom MXISD templates 2019-03-07 13:28:00 +01:00
Edgars Voroboks
9735a2f600 Implement self-hosted Dimension server 2019-03-07 07:22:08 +02:00
Slavi Pantaleev
aae8757027 Update coturn (4.5.1.0 -> 4.5.1.1) 2019-03-06 19:59:40 +02:00
Slavi Pantaleev
85c5adfd69 Minor consistency improvements 2019-03-05 09:20:36 +02:00
Slavi Pantaleev
a310a01818 Use non-root and no-capability containers during Discord setup
Related to #105 (Github Pull Request).
2019-03-05 09:10:51 +02:00
Slavi Pantaleev
f037f63a07
Merge pull request #105 from Lionstiger/matrix-discord-bridge
Add Support for matrix-appservice-discord
2019-03-05 06:39:46 +00:00
Lionstiger
c2834d2226 running as matrix user from the start 2019-03-04 16:26:19 +01:00
Lionstiger
278484656b ensure systemd reloaded after bridge installation 2019-03-04 15:12:37 +01:00
Lionstiger
2d78c5f89d made matrix_appservice_discord_client_id lowercase 2019-03-04 15:11:06 +01:00
Lionstiger
7aadd8bbe9 undo changed synapse version 2019-03-03 19:55:56 +01:00
Lionstiger
4aeeb5cf31 Autogenerate Discord invite link
Generates the link required to add the Bridge to a Discord server.
2019-03-03 19:33:16 +01:00
Lionstiger
835c349275 Add matrix-appservice-discord bridge
Bridge is setup to work on the matrix side with this, but the discord invite link is not automatically generated.
2019-03-03 18:22:52 +01:00
Slavi Pantaleev
6f6dff3e2b Update some Docker images 2019-03-03 12:27:43 +02:00
Slavi Pantaleev
45618679f5 Reload systemd services when they get updated
Fixes #69 (Github Issue)
2019-03-03 11:55:15 +02:00
Slavi Pantaleev
041a1947b3 Update Synapse (0.99.1.1 -> 0.99.2) 2019-03-02 10:03:09 +02:00
paulbdavis
f2a2cad107 allow exposing mautrix_telegram port 2019-03-01 16:05:01 -07:00
Slavi Pantaleev
a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev
8cac29a5d5 Update matrix-synapse-rest-auth (0.1.1 -> 0.1.2) 2019-02-28 11:15:26 +02:00
Slavi Pantaleev
25bdc10617 Follow redirects for some well-known files
The Server spec says that redirects should be followed for
`/.well-known/matrix/server`. So we follow them.

The Client-Server specs doesn't mention redirects, so we don't
follow redirects there.
2019-02-25 21:03:33 +02:00
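The redirect rule from the commit above, worked through as an added example. This is not the playbook's own code (the playbook performs these checks with Ansible's `uri` module); it is a small Python resolver that follows redirects for `/.well-known/matrix/server`, refuses them for `/.well-known/matrix/client`, caps the redirect chain so a loop cannot hang the self-check, and insists that `m.server` and `m.homeserver.base_url` are non-empty strings. The transport is injected so it runs offline; `FAKE_SITE`, `fake_fetch`, the `example.com` hosts and the `WellKnownError` name are all constructed for this example.

```python
"""Resolve Matrix .well-known files, following redirects only where the
Server-Server spec calls for it. Added example; the HTTP layer is
injected and FAKE_SITE is a constructed stand-in for a real deployment."""
import json


class WellKnownError(Exception):
    """Raised when a well-known document cannot be used."""


def fetch_well_known(url, fetch, follow_redirects, max_hops=5):
    """Fetch and JSON-decode a well-known document.

    `fetch(url)` returns (status, headers, body). Redirects are followed
    only when `follow_redirects` is True, and at most `max_hops` times.
    """
    hops = 0
    while True:
        status, headers, body = fetch(url)
        if status in (301, 302, 307, 308):
            if not follow_redirects:
                raise WellKnownError(f"{url}: redirect not allowed for this file")
            hops += 1
            if hops > max_hops:
                raise WellKnownError(f"{url}: too many redirects")
            url = headers["Location"]
            continue
        if status != 200:
            raise WellKnownError(f"{url}: HTTP {status}")
        try:
            return json.loads(body)
        except ValueError:
            raise WellKnownError(f"{url}: body is not JSON")


def server_delegation(domain, fetch):
    """Return the delegated host[:port] from /.well-known/matrix/server.

    Redirects ARE followed here, as the Server-Server spec requires."""
    doc = fetch_well_known(f"https://{domain}/.well-known/matrix/server",
                           fetch, follow_redirects=True)
    target = doc.get("m.server")
    if not isinstance(target, str) or not target:
        raise WellKnownError("m.server missing or not a string")
    return target


def client_homeserver(domain, fetch):
    """Return m.homeserver.base_url from /.well-known/matrix/client.

    Redirects are NOT followed here; the Client-Server spec is silent on them."""
    doc = fetch_well_known(f"https://{domain}/.well-known/matrix/client",
                           fetch, follow_redirects=False)
    hs = doc.get("m.homeserver")
    base = hs.get("base_url") if isinstance(hs, dict) else None
    if not isinstance(base, str) or not base:
        raise WellKnownError("m.homeserver.base_url missing or not a string")
    return base


def rejects(fn, *args):
    """True if calling fn(*args) raises WellKnownError (handy for checks)."""
    try:
        fn(*args)
    except WellKnownError:
        return True
    return False


# Constructed responses: a base domain that redirects both files to the
# matrix subdomain, plus a host whose server file redirects to itself.
FAKE_SITE = {
    "https://example.com/.well-known/matrix/server":
        (301, {"Location": "https://matrix.example.com/.well-known/matrix/server"}, ""),
    "https://matrix.example.com/.well-known/matrix/server":
        (200, {}, json.dumps({"m.server": "matrix.example.com:443"})),
    "https://example.com/.well-known/matrix/client":
        (301, {"Location": "https://matrix.example.com/.well-known/matrix/client"}, ""),
    "https://loop.example/.well-known/matrix/server":
        (302, {"Location": "https://loop.example/.well-known/matrix/server"}, ""),
}


def fake_fetch(url):
    """Offline stand-in for an HTTPS GET; unknown URLs return 404."""
    return FAKE_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    print("server delegation:", server_delegation("example.com", fake_fetch))
    print("client file via redirect rejected:",
          rejects(client_homeserver, "example.com", fake_fetch))
    print("redirect loop rejected:",
          rejects(server_delegation, "loop.example", fake_fetch))
```

Because the client file is not followed through redirects, a base domain that only redirects `/.well-known/matrix/client` to the matrix subdomain fails the check, which is exactly the situation the playbook's self-check is meant to surface.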
Slavi Pantaleev
433780384e Do not use docker_container module
Using `docker_container` with a `cap_drop` argument requires
Ansible >=2.7.

We want to support older versions too (2.4), so we either need to
stop invoking it with `cap_drop` (insecure), or just stop using
the module altogether.

Since it was suffering from other bugs too (not deleting containers
on failure), we've decided to remove `docker_container` usage completely.
2019-02-25 10:42:27 +02:00
Slavi Pantaleev
639fc0bb5c Treat empty string dig lookup responses as "missing record" 2019-02-22 18:02:10 +02:00
Slavi Pantaleev
4c512c8e64 Upgrade mxisd (1.3.0 -> 1.3.1) 2019-02-22 15:44:13 +02:00
Slavi Pantaleev
550d398e6c Remove some unnecessary slashes 2019-02-20 21:21:20 +02:00
Slavi Pantaleev
d552a742f8 Fix Riot caching troubles
Some resources shouldn't be cached right now,
as per https://github.com/vector-im/riot-web/pull/8702

(note all of the suggestions from that pull request were applied,
because some of them do not seem relevant - no such files)

Fixes #98 (Github Issue)
2019-02-16 17:59:41 +02:00
Slavi Pantaleev
350b25690d Add Riot v1.0 (v1.0.1) support 2019-02-16 11:48:17 +02:00
Slavi Pantaleev
0f55823c5f Update Synapse (0.99.1 -> 0.99.1.1)
It's not important for us, as it only contains
some ACME-related fix.
2019-02-14 19:43:13 +02:00
Slavi Pantaleev
eb08e20418 Upgrade Synapse (0.99.0 -> 0.99.1) and sync config
`matrix_synapse_no_tls` is now implicit, so we've gotten rid of it.

The `homeserver.yaml.j2` template has been synchronized with the
configuration generated by Synapse v0.99.1 (some new options
are present, etc.)
2019-02-14 18:40:55 +02:00
Slavi Pantaleev
df76ae707a Fix inaccurate comment 2019-02-13 14:07:16 +02:00
Slavi Pantaleev
7a1b5a2024 Update mxisd (1.2.2 -> 1.3.0) 2019-02-10 23:20:05 +02:00
Slavi Pantaleev
42c4de348c Revert "Bind metrics on :: too"
This reverts commit 536c85619f.

Looks like binding metrics on IPv6 (`::`) fails with an error:

socket.gaierror: [Errno -2] Name does not resolve
2019-02-09 13:21:18 +02:00
Slavi Pantaleev
08635666df Do not attempt to start coturn TLS listeners
We don't provide certificates, so it fails anyway,
but we'd rather suppress the warnings about it too.
2019-02-07 13:20:30 +02:00
Slavi Pantaleev
f5cd916de8 Update coturn (4.5.0.8 -> 4.5.1.0) 2019-02-07 13:15:59 +02:00
Slavi Pantaleev
536c85619f Bind metrics on :: too
For consistency with all our other listeners,
we make this one bind on the `::` address too
(both IPv4 and IPv6).

Additional details are in #91 (Github Pull Request).
2019-02-06 14:24:10 +02:00
Slavi Pantaleev
91a757c581 Add support for reloading Synapse 2019-02-06 09:25:13 +02:00
Slavi Pantaleev
40f3793af7 Upgrade Synapse to v0.99 and simplify dummy TLS cert logic 2019-02-06 09:17:55 +02:00
Slavi Pantaleev
5db692f877 Remove some useless homeserver.yaml configuration 2019-02-05 14:02:01 +02:00
Slavi Pantaleev
738c592c27 Bump Synapse version (0.34.1.1 -> 0.99.0rc4) 2019-02-05 13:33:39 +02:00
Slavi Pantaleev
119016e858 Cache /.well-known/matrix files for longer 2019-02-05 13:06:17 +02:00
Slavi Pantaleev
764a040a90 Make /.well-known/matrix/server optional
People who wish to rely on SRV records can prevent
the `/.well-known/matrix/server` file from being generated
(and thus, served.. which causes trouble).
2019-02-05 12:09:46 +02:00
Slavi Pantaleev
74710427e5 Allow for the federation port (tcp/8448)'s certificate to be changed
If someone decides to not use `/.well-known/matrix/server` and only
relies on SRV records, then they would need to serve tcp/8448 using
a certificate for the base domain (not for the matrix) domain.

Until now, they could do that by giving the certificate to Synapse
and setting it terminate TLS. That makes swapping certificates
more annoying (Synapse requires a restart to re-read certificates),
so it's better if we can support it via matrix-nginx-proxy.

Mounting certificates (or any other file) into the matrix-nginx-proxy container
can be done with `matrix_nginx_proxy_container_additional_volumes`,
introduced in 96afbbb5a.
2019-02-05 12:09:46 +02:00
Slavi Pantaleev
f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Slavi Pantaleev
e06e5dd208 Fix syntax breakage
Regression since 96afbbb5af
2019-02-05 12:09:33 +02:00
Slavi Pantaleev
96afbbb5af Allow additional volumes to be mounted into matrix-nginx-proxy
Certain use-cases may require that people mount additional files
into the matrix-nginx-proxy container. Similarly to how we do it
for Synapse, we are introducing a new variable that makes this
possible (`matrix_nginx_proxy_container_additional_volumes`).

This makes the htpasswd file for Synapse Metrics (introduced in #86,
Github Pull Request) to also perform mounting using this new mechanism.
Hopefully, for such an "extension", keeping htpasswd file-creation and
volume definition in the same place (the tasks file) is better.

All other major volumes' mounting mechanism remains the same (explicit
mounting).
2019-02-05 11:46:16 +02:00
Slavi Pantaleev
9a251e4e46 Remove some more references to localhost
Continuation of 1f0cc92b33.

As an explanation for the problem:
when saying `localhost` on the host, it sometimes gets resolved to `::1`
and sometimes to `127.0.0.1`. On the unfortunate occasions that
it gets resolved to `::1`, the container won't be able to serve the
request, because Docker containers don't have IPv6 enabled by default.

To avoid this problem, we simply prevent any lookups from happening
and explicitly use `127.0.0.1`.
2019-02-05 11:11:28 +02:00
Aaron Raimist
1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
Aaron Raimist
58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
Slavi Pantaleev
52d5e540c0 Fix ownership of generated self-signed certificates (root -> matrix) 2019-02-02 17:32:13 +02:00
dhose
87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Plailect
29b40b428a
Database files must be stored on permanent storage 2019-02-01 11:44:06 -05:00
Slavi Pantaleev
897cfbdcba Fix /.well-known/matrix/client installation
Regression since 51312b82
2019-02-01 17:06:49 +02:00
Slavi Pantaleev
8681a5dc69 Add 'none' SSL certificate retrieval method 2019-02-01 16:50:25 +02:00
Slavi Pantaleev
cd332d9b4e Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
2019-02-01 11:49:22 +02:00
Slavi Pantaleev
a9fae8e3b1 Revert "Use native OpenSSL module to generate passkey.pem"
This reverts commit 0dac5ea508.

Relying on pyOpenSSL is the Ansible way of doing things, but is
impractical and annoying for users.

`openssl` is easily available on most servers, even by default.
We'd better use that.
2019-01-31 20:45:14 +02:00
Slavi Pantaleev
08321ea4bb
Merge pull request #87 from Plailect/master
Add support for matrix-appservice-irc
2019-01-31 20:20:32 +02:00
Plailect
0dac5ea508
Use native OpenSSL module to generate passkey.pem 2019-01-31 11:38:54 -05:00
Plailect
5e1d96c727
Add matrix_appservice_irc_container_expose_client_server_api_port 2019-01-31 11:20:45 -05:00
Plailect
0a2a8e118c
Update example configuration and documentation 2019-01-31 11:05:27 -05:00
Slavi Pantaleev
c2b1cf7f93 Fix SSL renewal script
Regression since 299a8c4c7c
2019-01-31 09:43:09 +02:00
Plailect
3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev
0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev
b77b967171 Merge branch 'master' into non-root-containers 2019-01-29 18:00:11 +02:00
Slavi Pantaleev
cbc1cdbbf0 Do not try to load certificates
Seems like we unintentionally removed the mounting of certificates
(the `/matrix-config` mount) as part of splitting the playbook into
roles in 51312b8250.

It appears that those certificates weren't necessary for coturn to
function though, so we might just get rid of the configuration as well.
2019-01-29 17:56:40 +02:00
Slavi Pantaleev
bf10331456 Make mautrix-whatsapp run as non-root and w/o capabilities 2019-01-28 15:55:58 +02:00
Slavi Pantaleev
8a3f942d93 Make mautrix-telegram run as non-root and w/o capabilities 2019-01-28 15:40:16 +02:00
Slavi Pantaleev
3e8a4159e6 Uncomment unintentionally-commented logic 2019-01-28 14:25:03 +02:00
Slavi Pantaleev
9830a0871d Fix self-check for mxisd not being enabled 2019-01-28 11:47:31 +02:00
Slavi Pantaleev
9438402f61 Drop capabilities in a few more places
Continuation of 316d653d3e
2019-01-28 11:43:32 +02:00
Slavi Pantaleev
316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
Slavi Pantaleev
0ff6735546 Fall back to dig for SRV lookup, if no dnspython
This is a known/intentional regression since f92c4d5a27.

The new stance on this is that most people would not have
dnspython, but may have the `dig` tool. There's no good
reason for not increasing our chances of success by trying both
methods (Ansible dig lookup and using the `dig` CLI tool).

Fixes #85 (Github issue).
2019-01-28 09:42:10 +02:00
Slavi Pantaleev
299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
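The two commits above (dropping all capabilities, and starting containers as a non-root user) rest on one observation: a non-root process has an empty effective set, but a setuid-root binary in the image re-acquires whatever the bounding set still permits. The check below, added here as an example and not part of the playbook, reads the `Cap*` lines of `/proc/<pid>/status`, decodes the hex masks into capability names, and flags a non-root process whose bounding set is non-empty. The capability bit numbers are those of `linux/capability.h` and `0xa80425fb` is Docker's default mask (the same 14 capabilities listed in the commit); the three status snippets are constructed, as is the `audit` function name.

```python
"""Decode /proc/<pid>/status capability masks and flag the setuid
escalation path: non-root process, non-empty bounding set.
Added example; the status snippets are constructed."""
import re

# Bit numbers from linux/capability.h (index == capability number).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

DOCKER_DEFAULT_MASK = 0xA80425FB  # what `docker run` grants without --cap-drop


def decode_caps(hex_mask):
    """Turn a CapXxx hex mask into the set of capability names it holds."""
    mask = int(hex_mask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Pull Uid (real uid) and the capability sets out of status text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Uid|CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s+(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit(status_text):
    """Return findings for one process. Empty list means nothing to regain.

    CapEff tells you what the process can do now; CapBnd tells you what a
    setuid-root binary could hand it on exec, which is why --cap-drop=ALL
    matters even when --user is already non-root.
    """
    f = parse_status(status_text)
    uid = int(f["Uid"])
    eff = decode_caps(f["CapEff"])
    bnd = decode_caps(f["CapBnd"])
    findings = []
    if uid == 0 and eff:
        findings.append("root with effective caps: " + ", ".join(sorted(eff)))
    if uid != 0 and bnd:
        findings.append("non-root, but bounding set still allows: "
                        + ", ".join(sorted(bnd)))
    return findings


# Constructed snippets shaped like real /proc/<pid>/status output.
ROOT_DEFAULT = """Name:\tnginx
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
NONROOT_DEFAULT = """Name:\tpython
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
NONROOT_DROPPED = """Name:\tpython
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for label, snippet in [("root, defaults", ROOT_DEFAULT),
                           ("--user only", NONROOT_DEFAULT),
                           ("--user + --cap-drop=ALL", NONROOT_DROPPED)]:
        print(label, "->", audit(snippet) or "clean")
```

On a live host, `cat /proc/$(docker inspect -f '{{.State.Pid}}' matrix-synapse)/status` gives the input; only the third shape (all-zero `CapBnd`) corresponds to a container started with `--cap-drop=ALL`.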
Slavi Pantaleev
56d501679d Be explicit about the UID/GID we start Synapse with
We do match the defaults anyway (by default that is),
but people can customize `matrix_user_uid` and `matrix_user_uid`
and it wouldn't be correct then.

In any case, it's better to be explicit about such an important thing.
2019-01-26 20:21:18 +02:00
Slavi Pantaleev
1a80058a2a Indent (non-YAML) using tabs
Fixes #83 (Github issue)
2019-01-26 09:37:29 +02:00
Slavi Pantaleev
a88b24ed2c Update matrix-corporal (1.2.2 -> 1.3.0) 2019-01-25 16:58:20 +02:00
Slavi Pantaleev
fcceb3143d Update riot-web (0.17.8 -> 0.17.9) 2019-01-23 08:13:27 +02:00
Slavi Pantaleev
a4e7ad5566 Use async Ansible task for importing Postgres
A long-running import task may hit the SSH timeout value
and die. Using async is supposed to improve reliability
in such scenarios.
2019-01-21 08:34:49 +02:00
Slavi Pantaleev
0392822aa7 Show Postgres import command and mention manual importing 2019-01-21 08:33:10 +02:00
Slavi Pantaleev
8d186e5194 Fix Postgres import when Postgres had never started
If this is a brand new server and Postgres had never started,
detecting it before we even start it is not possible.

This moves the logic, so that it happens later on, when Postgres
would have had the chance to start and possibly initialize
a new empty database.

Fixes #82 (Github issue)
2019-01-21 07:32:19 +02:00
Slavi Pantaleev
fef6c052c3 Pass Host/X-Forwarded-For everywhere
It hasn't mattered much to have these so far, but
it's probably a good idea to have them.
2019-01-17 16:25:08 +02:00
Slavi Pantaleev
ba75ab496d Send Host/X-Forwarded-For to mxisd
It worked without it too, but doing this is more consistent with the
mxisd recommendations.
2019-01-17 16:22:49 +02:00
Slavi Pantaleev
cb11548eec Use mxisd for user directory searches
Implements #77 (Github issue).
2019-01-17 15:55:23 +02:00
Slavi Pantaleev
df0d465482 Fix typos in some variables (matrix_mxid -> matrix_mxisd) 2019-01-17 14:47:37 +02:00
Slavi Pantaleev
f4f06ae068 Make matrix-nginx-proxy role independent of others
The matrix-nginx-proxy role can now be used independently.
This makes it consistent with all other roles, with
the `matrix-base` role remaining as their only dependency.

Separating matrix-nginx-proxy was relatively straightforward, with
the exception of the Mautrix Telegram reverse-proxying configuration.
Mautrix Telegram, being an extension/bridge, does not feel important enough
to justify its own special handling in matrix-nginx-proxy.

Thus, we've introduced the concept of "additional configuration blocks"
(`matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks`),
where any module can register its own custom nginx server blocks.

For such dynamic registration to work, the order of role execution
becomes important. To make it possible for each module participating
in dynamic registration to verify that the order of execution is
correct, we've also introduced a `matrix_nginx_proxy_role_executed`
variable.

It should be noted that this doesn't make the matrix-synapse role
dependent on matrix-nginx-proxy. It's optional runtime detection
and registration, and it only happens in the matrix-synapse role
when `matrix_mautrix_telegram_enabled: true`.
2019-01-17 13:32:46 +02:00
Slavi Pantaleev
c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev
294a5c9083 Fix YAML serialization of empty matrix_synapse_federation_domain_whitelist
We've previously changed a bunch of lists in `homeserver.yaml.j2`
to be serialized using `|to_nice_yaml`, as that generates a more
readable list in YAML.

`matrix_synapse_federation_domain_whitelist`, however, couldn't have
been changed to that, as it can potentially be an empty list.

We may be able to differentiate between empty and non-empty now
and serialize it accordingly (favoring `|to_nice_yaml` if non-empty),
but it's not important enough to be justified. Thus, always
serializing with `|to_json`.

Fixes #78 (Github issue)
2019-01-16 17:06:58 +02:00
Sylvia van Os
cec2aa61c1 Fix scalar widgets
Riot-web parses integrations_widgets_urls as a list, thus causing it to incorrectly think Scalar widgets are non-Scalar and not passing the scalar token
2019-01-16 14:03:39 +01:00
Stuart Mumford
f8ebd94d08
Make the mode of the base path configurable 2019-01-14 14:40:11 +00:00
Slavi Pantaleev
e8c78c1572 Merge branch 'master' into split-into-multiple-roles 2019-01-14 08:27:53 +02:00
Slavi Pantaleev
857603d9d7 Make nginx-proxy files owned by matrix:matrix, not root:root 2019-01-14 08:26:56 +02:00
Slavi Pantaleev
b80d44afaa Stop Postgres before finding files to move over 2019-01-12 18:16:08 +02:00
Slavi Pantaleev
51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00
Slavi Pantaleev
6d253ff571 Switch to a better riot-web image (avhost/docker-matrix-riot -> bubuntux/riot-web)
The new container image is about 20x smaller in size, faster to start up, etc.

This also fixes #26 (Github issue).
2019-01-11 21:20:21 +02:00
Slavi Pantaleev
14a237885a Fix missing SMTP configuration for mxisd
Regression since 9a9b7383e9.
2019-01-11 20:26:40 +02:00
Slavi Pantaleev
9a9b7383e9 Completely redo how mxisd configuration gets generated
This change is provoked by a few different things:

- #54 (Github Pull Request), which rightfully says that we need a
way to support ALL mxisd configuration options easily

- the upcoming mxisd 1.3.0 release, which drops support for
property-style configuration (dot-notation), forcing us to
redo the way we generate the configuration file

With this, mxisd is much more easily configurable now
and much more easily maintainable by us in the future
(no need to introduce additional playbook variables and logic).
2019-01-11 19:33:54 +02:00
Slavi Pantaleev
fca2f2e036 Catch misconfigured REST Auth password provider during installation 2019-01-11 01:03:35 +02:00
Slavi Pantaleev
46c5d11d56 Update components 2019-01-10 19:29:56 +02:00
Slavi Pantaleev
2ae7c5e177
Merge pull request #68 from spantaleev/manage-cronjobs-with-cron-module
Switch to managing cronjobs with the Ansible cron module
2019-01-08 16:21:57 +02:00
Slavi Pantaleev
00ae435044 Use |to_json filter for serializing booleans to JSON
This should account for all cases where we were still doing such a thing.

Improvement suggested in #65 (Github issue).
2019-01-08 13:12:56 +02:00
Slavi Pantaleev
b222d26c86 Switch to managing cronjobs with the Ansible cron module
As suggested in #65 (Github issue), this patch switches
cronjob management from using templates to using Ansible's `cron` module.

It also moves the management of the nginx-reload cronjob to `setup_ssl_lets_encrypt.yml`,
which is a more fitting place for it (given that this cronjob is only required when
Let's Encrypt is used).

Pros:
- using a module is more Ansible-ish than templating our own files in
special directories

- more reliable: will fail early (during playbook execution) if `/usr/bin/crontab`
is not available, which is more of a guarantee that cron is working fine
(idea: we should probably install some cron package using the playbook)

Cons:
- invocation schedule is no longer configurable, unless we define individual
variables for everything or do something smart (splitting on ' ', etc.).
Likely not necessary, however.

- requires us to deprecate and clean-up after the old way of managing cronjobs,
because it's not compatible (using the same file as before means appending
additional jobs to it)
2019-01-08 12:52:03 +02:00
Slavi Pantaleev
ef2dc3745a Check DNS SRV record for _matrix-identity._tcp when mxisd enabled 2019-01-08 10:39:22 +02:00
Slavi Pantaleev
f92c4d5a27 Use Ansible dig lookup instead of calling the dig program
This means we no longer have a dependency on the `dig` program,
but we do have a dependency on `dnspython`.

Improves things as suggested in #65 (Github issue).
2019-01-08 10:19:45 +02:00
Jan Christian Grünhage
29d10804f0 Use yaml syntax instead of key=value syntax consistently
fixes #62
2019-01-07 23:38:39 +01:00
Slavi Pantaleev
5135c0cc0a Add Ansible guide and Ansible version checks
After having multiple people report issues with retrieving
SSL certificates, we've finally discovered the culprit to be
Ansible 2.5.1 (default and latest version on Ubuntu 18.04 LTS).

As silly as it is, certain distributions ("LTS" even) are 13 bugfix
versions of Ansible behind.

From now on, we try to auto-detect buggy Ansible versions and tell the
user. We also provide some tips for how to upgrade Ansible or
run it from inside a Docker container.

My testing shows that Ansible 2.4.0 and 2.4.6 are OK.
All other intermediate 2.4.x versions haven't been tested, but we
trust they're OK too.

From the 2.5.x releases, only 2.5.0 and 2.5.1 seem to be affected.
Ansible 2.5.2 corrects the problem with `include_tasks` + `with_items`.
2019-01-03 16:24:14 +02:00
Slavi Pantaleev
99af4543ac Replace include usage with include_tasks and import_tasks
The long-deprecated (since Ansible 2.4) use of include is
no more.
2019-01-03 15:24:08 +02:00
Slavi Pantaleev
76506f34e0 Make media-store restore work with server files, not local
This is a simplification and a way to make it consistent with
how we do Postgres imports (see 6d89319822), using
files coming from the server, not from the local machine.

By encouraging people NOT to use local files,
we potentially avoid problems such as #34 (Github issue),
where people would download `media_store` to their Mac's filesystem
and case-sensitivity issues would actually corrupt it.

By not encouraging local files usage, it's less likely that
people would copy (huge) directories to their local machine like that.
2019-01-01 15:57:50 +02:00
Slavi Pantaleev
e604a7bd43 Fix error message inaccuracy 2019-01-01 15:25:52 +02:00
Slavi Pantaleev
4c2e1a0588 Make SQLite database import work with server files, not local
This is a simplification and a way to make it consistent with
how we do Postgres imports (see 6d89319822), using
files coming from the server, not from the local machine.
2019-01-01 15:21:52 +02:00
Slavi Pantaleev
f153c70a60 Reorganize some files 2019-01-01 14:47:22 +02:00
Slavi Pantaleev
6d89319822 Add support for importing an existing Postgres database 2019-01-01 14:45:37 +02:00
Slavi Pantaleev
f472c1b9e5 Ensure psql returns a failure exit code when it fails
Until now, if the .sql file contained invalid data, psql would
choke on it, but still return an exit code of 0.
This is very misleading.

We need to pass `-v ON_ERROR_STOP=1` to make it exit
with a proper error exit code when failures happen.
2019-01-01 14:05:11 +02:00
Slavi Pantaleev
a7f791f8f9 Make Postgres version detection logic reusable to ease maintenance
We've had that logic in 2 places so far, leading to duplication
and a maintenance burden.

In the future, we'll also have an import-postgres feature,
which will also need Postgres version detection,
leading to more benefit from that logic being reusable.
2019-01-01 13:43:51 +02:00
Slavi Pantaleev
c59a53551a Make well-known self-check not depend on Content-Type: application/json
Fixes #60 (Github issue)
2018-12-31 11:19:59 +02:00
Hardy Erlinger
2fc0f5f3cf Set MAILNAME env variable to FQDN hostname for matrix-mailer. 2018-12-30 21:50:59 +01:00
Slavi Pantaleev
87b5f0a4d4 Serve non-scary page at matrix domain (take 2)
Fix for 12b65d8ccc.
2018-12-29 20:11:37 +02:00
Slavi Pantaleev
f7aa362961 Make "obtain certificates" tasks have unique names
We always skip at least one of these tasks, depending on which
SSL retrieval method is enabled, so it could have been confusing why.
2018-12-24 09:39:27 +02:00
Slavi Pantaleev
4757c13a2e Do not install openssl if not necessary
Fix for d28bdb3258.

We were only supposed to install openssl when the self-signed
SSL certificate retrieval method is used, not always.
2018-12-24 09:38:00 +02:00
Slavi Pantaleev
12b65d8ccc Serve a non-scary page at the matrix domain
Fixes #18 (Github issue).

It would probably be better if we serve our own page,
as the Matrix one says:

"To use this server you'll need a Matrix client", which
is true, but we install Riot by default and it'd be better if we mention
that instead.
2018-12-23 19:45:03 +02:00
Slavi Pantaleev
b9b5674b8a Lowercase host_specific_hostname_identity to prevent troubles
If uppercase is used, certain tools (like certbot) would cause trouble.
They would retrieve a certificate for the lowercased domain name,
but we'd try to use it from an uppercase-named directory, which will
fail.

Besides certbot, we may experience other trouble too.
(it hasn't been investigated how far the breakage goes).

To fix it all, we lowercase `host_specific_hostname_identity` by default,
which takes care of the general use-case (people only setting that
and relying on us to build the other domain names - `hostname_matrix`
and `hostname_riot`).

For others, who decide to override these other variables directly
(and who may work around us and introduce uppercase there directly),
we also have the sanity-check tool warn if uppercase is detected
in any of the final domains.
2018-12-23 19:25:57 +02:00
Slavi Pantaleev
fe9b9773c0 Move setup sanity checks to a central place 2018-12-23 19:15:23 +02:00
Slavi Pantaleev
91567fc41d Remove debug 2018-12-23 17:26:39 +02:00
Slavi Pantaleev
e033eb443b Do not set up nginx-proxy auto-restart if not using Let's Encrypt
Fix for d28bdb3258
2018-12-23 15:38:33 +02:00
Slavi Pantaleev
268e9b5b66 Escape homeserver variables to prevent rare breakage
Strings containing double-quotes would cause YAML syntax breakage.
Not anymore.

Closes #48 and #49.
2018-12-23 15:20:01 +02:00
Slavi Pantaleev
727dcda7d7 Organize Synapse setup files better 2018-12-23 14:26:40 +02:00
Slavi Pantaleev
d28bdb3258 Add support for 2 more SSL certificate retrieval methods
Adds support for managing certificates manually and for
having the playbook generate self-signed certificates for you.

With this, Let's Encrypt usage is no longer required.

Fixes Github issue #50.
2018-12-23 11:00:12 +02:00
Slavi Pantaleev
bfcba5256e Upgrade mxisd (1.2.1 -> 1.2.2) 2018-12-23 08:49:21 +02:00
Slavi Pantaleev
57ee350420 Raise default timeout value for matrix-corporal
This is in line with what the recommendation is for matrix-corporal.

A value higher than 30 seconds is required to satisfy Riot
(and other clients') default long-polling behavior.
2018-12-21 12:19:16 +02:00
Slavi Pantaleev
cc9d3aef59 Upgrade matrix-corporal (1.2.1 -> 1.2.2) 2018-12-21 11:55:35 +02:00
Slavi Pantaleev
6124effbe1 Register shared-secret-auth password provider first
For people using multiple password providers, it makes sense
to have the fastest one (which doesn't make network requests) be first.
2018-12-21 10:16:36 +02:00
Slavi Pantaleev
40626ff8df Upgrade Synapse (0.33.9/Python 2 -> 0.33.4/Python 3) 2018-12-21 10:15:58 +02:00
Slavi Pantaleev
9f163b2bf5 Do not disable SELinux on RedHat systems
It looks like SELinux can be left running without any (so far) negative
effects on our Matrix services.

There's no need to use `:z` or `:Z` options when mounting volumes either.
This means that files we create are labeled with a default context
(which may not be ideal if we only want them used from containers),
but it's compatible and doesn't cause issues.

Relabelling files is probably something we wish to stay away from,
especially for things like the media store, which contains lots of
files and is possibly on a fuse-mounted (S3/goofys) filesystem.
2018-12-20 15:30:43 +02:00
Slavi Pantaleev
b9e5ad6c66 Upgrade Docker images for various components 2018-12-20 15:10:53 +02:00
Slavi Pantaleev
97280c7cc1 Change Goofys Docker image (clodproto/goofys -> ewoutp/goofys)
The new image is built in a much better way (2-stage build)
and is 10x smaller.

In terms of Goofys version recency, it's about the same.
Both images (and others alike) seem to not use version tags,
but rather some `:latest` (master), with ewoutp/goofys being a bit
more recent than clodproto/goofys.

Not using version tags is good (in this case),
because the last Goofys release seems to be from about a year ago
and there had been a bunch of bugfixes afterwards.
2018-12-20 14:30:24 +02:00
Slavi Pantaleev
bfcceb1e82 Make it safer to override matrix_synapse_media_store_path
This is described in Github issue #58.

Until now, we had the variable, but if you redefined it, you'd run
into multiple problems:

- we actually always mounted some "storage" directory to the Synapse
container. So if your media store is not there, you're out of luck

- homeserver.yaml always hardcoded the path to the media store,
as a directory called "media-store" inside the storage directory.

Relocating to outside the storage directory was out of the question.

Moreover, even if you had simply renamed the media store directory
(e.g. "media-store" -> "media_store"), it would have also caused trouble.

With this patch, we mount the media store's parent to the Synapse container.
This way, we don't care where the media store is (inside storage or
not). We also don't assume (anymore) that the final part of the path
is called "media-store" -- anything can be used.

The "storage" directory and variable (`matrix_synapse_storage_path`)
still remain for compatibility purposes. People who were previously
overriding `matrix_synapse_storage_path` can continue doing so
and their media store will be at the same place.

The playbook no longer explicitly creates the `matrix_synapse_storage_path` directory
though. It's not necessary. If the media store is specified to be within it, it will
get created when the media store directory is created by the playbook.
2018-12-20 13:39:01 +02:00
Slavi Pantaleev
e693b12d28 Relocate fail check to a better place 2018-12-20 13:00:07 +02:00
Slavi Pantaleev
60c7af93fe
Do not restart matrix-nginx-proxy during media store import
Previously, it was more necessary to have it
(because we had a dependency between matrix-synapse and matrix-nginx-proxy).
But nowadays, it can be removed without negative side effects.

Restarting matrix-nginx-proxy is especially bad when the proxy is not installed at all.
2018-12-14 16:34:23 +09:00
Slavi Pantaleev
59afa841cb Add unintentionally removed quote 2018-12-13 14:44:27 +09:00
Slavi Pantaleev
bf8023057a Fix SQLite importing failure
Fixes a problem where importing would lead to this error:
    Cannot link to /matrix-postgres, as it does not belond to the default network.
2018-12-13 14:40:30 +09:00
Slavi Pantaleev
b11a4c07a8 Upgrade mxisd (1.2.0 -> 1.2.1) 2018-12-13 10:18:56 +09:00
Slavi Pantaleev
fcf43eeacc Fix "missing translation" warning on riot-web homepage
Small bugfix related to #55
2018-12-12 10:48:30 +09:00
anadahz
57bfb970a9 Enable support for custom HTML in riot-web homepage
* Add default template file for homepage HTML
* Add default riot-web config options for homepage
2018-12-11 13:48:54 +00:00
Slavi Pantaleev
cb874da1f7
Merge pull request #52 from aaronraimist/utf8-encoding
Add utf8 encoding option to log config
2018-12-05 10:57:23 +09:00
haslersn
22523c0e42 Support configuring mxisd's identity stores (two of them)
mxisd supports several identity stores. Add support to configure two of them:

* synapseSql (storing identities directly in Synapse's database)
* LDAP

This removes the need to copy `mxisd.yaml.j2` to the inventory in case one wants
to use LDAP as identity store. Note that the previous solution (copying
`mxisd.yaml.j2`) was poor for two reasons:

* The copy remains outdated in case the original is updated in future versions
  of this repo.
* The role's configuration should be in one place (configured only through role
  variables) instead of in multiple.

Configuring more identity stores through role variables can be supported in the
future.
2018-12-04 17:19:49 +01:00
Aaron Raimist
9028e3714e
Add utf8 encoding option to log config 2018-12-04 09:34:32 -06:00
Hugues Morisset
f8987cb775 Set default mautrix-telegram image to 0.4.0 2018-11-30 19:32:29 +01:00
Slavi Pantaleev
9dad4c7c2d Fix /.well-known/matrix/client for CORS
This is provoked by Github issue #46.

No client had made use of the well-known mechanism
so far, so the set up performed by this playbook was not tested
and turned out to be a little deficient.

Even though /.well-known/matrix/client is usually requested with a
simple request (no preflight), it's still considered cross-origin
and [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
applies. Thus, the file always needs to be served with the appropriate
`Access-Control-Allow-Origin` header.

Github issue #46 attempts to fix it at the "reverse-proxying" layer,
which may work, but would need to be done for every server.
It's better if it's done "upstream", so that all reverse-proxy
configurations can benefit.
2018-11-29 09:13:25 +02:00
Thomas vO
bb849bd34f Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into new-cmds 2018-11-28 11:03:47 +01:00
Thomas vO
caba16ea0d add script + doc to remove everything 2018-11-28 11:02:51 +01:00
Thomas vO
2bdc35de63 add script + doc to change a user to admin 2018-11-28 11:02:15 +01:00
Slavi Pantaleev
9f212adc1d Rename variable (matrix_synapse_ext_password_provider_ldap -> matrix_synapse_ext_password_provider_ldap_enabled)
This makes it more consistent with other usage throughout the playbook.
2018-11-28 11:19:19 +02:00
Thomas vO
bbf8928831 fix template and vars for ldap auth, add setup 2018-11-28 09:04:09 +01:00
Thomas vO
9cf9a1ec54 [auth-ldap] add template + vars for ldap auth 2018-11-27 16:40:22 +01:00
Slavi Pantaleev
18e1dda4c8 Revert "Update riot-web (0.17.6 -> 0.17.7)"
As Github issue #42 says, 0.17.7 is not available.
We shouldn't have tried to use it.

This reverts commit 529b5b222d.
2018-11-27 16:40:26 +02:00
Slavi Pantaleev
529b5b222d Update riot-web (0.17.6 -> 0.17.7) 2018-11-25 09:57:30 +02:00
Slavi Pantaleev
5b70ec67a4 Add support for controlling Synapse's autocreate_auto_join_rooms 2018-11-23 11:16:40 +02:00
Slavi Pantaleev
de91293d0d Update homeserver.yaml with new options and comments from upstream 2018-11-23 11:16:00 +02:00
Slavi Pantaleev
a454feb5df Render trusted_third_party_id_servers more prettily 2018-11-23 11:07:22 +02:00
Slavi Pantaleev
bc15db3316 Fix a few minor things for consistency
Trying to:

- stay closer to naming in Synapse (autojoin -> auto_join)

- not create new variable namespaces (`matrix_homeserver_`),
when existing ones (`matrix_synapse_`) are more suitable

- allow `null` (`~`) values for `matrix_riot_web_welcome_user_id`

- render things like `auto_join_rooms` in `homeserver.yaml` more prettily

- fix breakage in `config.json` where `matrix_riot_web_roomdir_servers`
was rendered as YAML and not as JSON

- simplify code (especially in riot-web's `config.json`), which used
`if` statements that could have been omitted

- avoid changing comments in `homeserver.yaml` which are not ours,
so that we can keep closer to the configuration file generated by upstream
2018-11-23 11:00:08 +02:00
anadahz
4febb117f4 Merge remote-tracking branch 'upstream/master' into fix/add/config 2018-11-23 00:58:32 +00:00
anadahz
792bed3f5a Fix add/config based on comments by @spantaleev 2018-11-23 00:42:54 +00:00
Aaron Raimist
d13aa7316e
Remove riot.im from list of trusted identity servers
This brings the list in line with the new default as of https://github.com/matrix-org/synapse/pull/4207
2018-11-20 20:15:26 -06:00
Slavi Pantaleev
0e02dbd569 Update dependencies 2018-11-20 09:02:27 +02:00
anadahz
3cb3f17a90 Add more configured options for riot-web and homeserver. 2018-11-18 02:00:08 +00:00
Slavi Pantaleev
d3c9be2cdf
Merge pull request #37 from aaronraimist/fix-well-known-self-check
Fix well known self check
2018-11-17 10:04:14 +01:00
Aaron Raimist
5a2069fa63
Fix well known self check 2018-11-16 16:12:13 -06:00
Aaron Raimist
ddec99b899
Allow Synapse log levels to be configured (#23) 2018-11-14 13:39:52 -06:00
Slavi Pantaleev
12c4591a58 Update mxisd 2018-11-12 08:32:13 +02:00
Slavi Pantaleev
19257677c5 Update dependencies 2018-11-10 10:41:10 +02:00
Slavi Pantaleev
f88b0ca33f
Merge branch 'master' into riot-web-config-json 2018-11-03 12:00:48 +02:00
Aaron Raimist
ef2e330d22
Allow a few parts of Riot config.json to be configured (#24) 2018-11-02 20:14:03 -05:00
Aaron Raimist
ebab95c9ec
Add new variable matrix_nginx_proxy_ssl_protocols 2018-11-02 18:20:05 -05:00
Aaron Raimist
3254a4d161
Disable TLS 1.0 and enable TLS 1.3 2018-11-01 22:14:09 -05:00
Slavi Pantaleev
9e8f216b9b Upgrade Synapse (v0.33.7 -> v0.33.8) 2018-11-01 12:50:33 +02:00
Slavi Pantaleev
4c0970d31e Make postgres_start_wait_time (affecting upgrades) configurable
This also raises the default from 5 seconds to 15 seconds.
2018-11-01 10:11:08 +02:00
Slavi Pantaleev
e417ac4922 Add support for Postgres 11 2018-11-01 09:48:56 +02:00
Slavi Pantaleev
a0a4ee526e Fix bug in Postgres dump/import causing upgrades to fail
Regression since 3fd6fd647f
2018-11-01 09:48:56 +02:00
Slavi Pantaleev
009bb1b776 Add support for configuring Postgres auto-upgrade-backup path 2018-11-01 09:48:56 +02:00
Slavi Pantaleev
ac8d5a839d
Merge pull request #21 from Cadair/flags
Allow specifying which parts of the role run from playbooks
2018-11-01 08:58:42 +02:00
Slavi Pantaleev
fb5115a544 Rename playbook variables so they are consistently prefixed
Pretty much all variables live in their own `matrix_<whatever>`
prefix now and are grouped closer together in the default
variables file (`roles/matrix-server/defaults/main.yml`).
2018-11-01 08:46:47 +02:00
Aaron Raimist
1955aac4bd
Update riot-web (0.17.0 -> 0.17.3) 2018-10-31 11:47:17 -05:00
Stuart Mumford
67e2bf285d
A simple idea to allow playbooks to control which bit of the role to run 2018-10-30 20:49:39 +00:00
Slavi Pantaleev
2186031be2 Remove unnecessary code causing troubles on Debian-based systems
It should be `/bin/mkdir` and `/bin/chown` on Ubuntu 18.04 for example.
Still, it doesn't seem like we need to create and chown these
directories at all, since the playbook takes care of creating them
and setting appropriate permission by itself.
2018-10-29 20:47:56 +02:00
Stuart Mumford
8498c4c5de
comment out all the things 2018-10-28 15:16:21 +00:00
Slavi Pantaleev
cf0a5b3d2e
Merge pull request #20 from izissise/mautrix-whatsapp
Mautrix whatsapp
2018-10-26 19:39:14 +03:00
Slavi Pantaleev
95a6519876 Fix yaml syntax breakage
Regression since 67a445a74a
2018-10-25 18:15:56 +03:00
Slavi Pantaleev
67a445a74a Add support for controlling Matrix federation 2018-10-25 18:02:04 +03:00
Hugues Morisset
b3fcc641c4 Add documentation and fix templates 2018-10-24 18:23:39 +02:00
Hugues Morisset
7a94fc0e24 Add mautrix-whatsapp 2018-10-24 17:09:23 +02:00
Slavi Pantaleev
3ecb16bbef Use disable_guests=true for Riot 2018-10-24 13:59:06 +03:00
Hugues Morisset
83a17f8439 Expose mautrix-telegram public endpoint through nginx
It used to allow users to log in to the bot with their own account;
see: https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account
for more information
2018-10-21 23:20:37 +02:00
Slavi Pantaleev
c7188e06f9 Relocate some playbook task files to make it easier to navigate 2018-10-21 13:14:47 +03:00
Slavi Pantaleev
d0c2ef10e4 Add self-check command 2018-10-21 12:58:25 +03:00
anadahz
2313907faa Add missing tag to task
The setup-all should include the setup_well_known task as well
2018-10-19 15:07:31 +01:00
Slavi Pantaleev
a0320346e1 Upgrade Synapse (v0.33.7rc2 -> 0.33.7) 2018-10-18 18:15:07 +03:00
Slavi Pantaleev
9b3c882483 Update riot-web (0.16.4 -> 0.17.0) 2018-10-18 15:13:13 +03:00
Slavi Pantaleev
6cc528ba5a Upgrade Synapse (v0.33.5.1 -> v0.33.7rc2)
We skipped v0.33.6 because of matrix-org/synapse#4014,
but v0.33.7rc2 fixed the problem.
2018-10-18 14:49:21 +03:00
Slavi Pantaleev
36658addcd Work around buggy docker_network sometimes failing to work
If a network like `matrix-whatever` already exists for some reason,
the `docker_network` module would not create our `matrix` network.
Working around it by avoiding `docker_network` and doing it manually.

Fixes Github issue #12
2018-10-15 07:49:44 +03:00
Slavi Pantaleev
17ea05683b Fix yum/apt module invocation
The old way is deprecated and would stop working
after Ansible 2.11.
2018-10-12 09:00:53 +03:00
Slavi Pantaleev
a1c1ec9b7f Update dependencies 2018-10-08 08:24:20 +03:00
Slavi Pantaleev
2185177957 Remove lt-cred-mech Coturn option
Coturn reports it as an option that conflicts with `use-auth-secret`.
Some reasoning is here: fa523e8d09
2018-10-08 08:22:40 +03:00
Slavi Pantaleev
cc3e34b128 Fix to_yaml silliness 2018-10-05 10:59:02 +03:00
Slavi Pantaleev
b49f4531e8 Make user presence-status tracking configurable 2018-10-05 10:35:16 +03:00
Slavi Pantaleev
7350842d9b Pull in homeserver.yaml template updates 2018-09-27 10:43:31 +03:00
Slavi Pantaleev
242f388af3 Make Synapse cache factor configurable 2018-09-27 10:03:31 +03:00
Slavi Pantaleev
161854e6d7 Disable Docker container logging
`--log-driver=none` is used for all Docker containers now.

All these containers are started through systemd anyway and get logged in journald,
so there's no need for Docker to be logging the same thing using the default `json-file` driver.
Doing that was growing `/var/lib/docker/containers/..` infinitely until service/container restart.

As a result of this, things like `docker logs matrix-synapse` won't work anymore.
`journalctl -u matrix-synapse` is how one can see the logs.
2018-09-26 09:11:19 +03:00
Slavi Pantaleev
4fbaa02bef Update Synapse (v0.33.4 -> v0.33.5.1) 2018-09-26 08:48:30 +03:00
Slavi Pantaleev
de5f4f7a05 Update matrix-corporal dependency 2018-09-20 10:34:11 +03:00
Slavi Pantaleev
2df4349606 Fix matrix-corporal nginx configuration trouble in certain conditions
If the playbook were to run with `--tags=setup-nginx-proxy`,
it wouldn't go into `setup_corporal.yml`, which meant it wouldn't
perform a bunch of `set_fact` calls which override important
nginx proxy configuration.

We run these variable overrides on each call now (tagged with `always`)
to avoid such problems in the future.
2018-09-20 09:25:00 +03:00
Slavi Pantaleev
0d0ccde286 Add Service Discovery (/.well-known/matrix/client) support 2018-09-17 10:51:46 +03:00
Slavi Pantaleev
38e3ffa29c Rename variable (matrix_riot_web_default_identity_server_url -> matrix_identity_server_url) 2018-09-17 08:44:29 +03:00
Slavi Pantaleev
4f48508014 Rename variable (matrix_nginx_riot_web_data_path -> matrix_riot_web_data_path) 2018-09-17 08:43:31 +03:00
Slavi Pantaleev
3fed0ec594 Remove now-useless file 2018-09-17 08:18:15 +03:00
Slavi Pantaleev
2446b4845c Update matrix-corporal dependency 2018-09-15 11:50:02 +03:00
Slavi Pantaleev
8bbb6f0c60 Update dependencies 2018-09-12 20:04:54 +03:00
Slavi Pantaleev
21916c1a3c Update matrix-corporal (1.1 -> 1.1.1) 2018-09-08 11:19:39 +03:00
Slavi Pantaleev
620553e408 Update README 2018-09-07 23:35:04 +03:00
Hugues Morisset
6ef934a416 Mautrix telegram minimum config variable requirement 2018-09-07 20:03:56 +02:00
Hugues Morisset
45fb2df43f Fix some problem with permissions
Fix typo
Move mautrix variable in `defaults/main.yml` exclusively
2018-09-07 20:02:46 +02:00
Hugues Morisset
7b5f68c431 Add mautrix-telegram to bridge with telegram services 2018-09-07 20:02:46 +02:00
Slavi Pantaleev
7adcdf3040 Add the ability to control event_cache_size for Synapse
I've found the previous 10K default value to be way too low
on a bunch of servers I'm running, so it's now up to
100K and made configurable.
2018-09-07 16:15:40 +03:00
Slavi Pantaleev
b52d91e180 Add the ability to control password-peppering for Synapse
Closes Github issue #5
2018-09-07 15:01:38 +03:00
Slavi Pantaleev
6d6a6412fa Add the ability to control statistics-reporting for Synapse
Closes Github issue #3
2018-09-07 14:49:51 +03:00
Slavi Pantaleev
88b4434da9 Fix incorrect path 2018-09-07 13:59:29 +03:00
Slavi Pantaleev
7310498f71 Update certbot 2018-09-06 18:23:16 +03:00
Slavi Pantaleev
49e0d0e6db Update dependencies 2018-09-06 18:13:06 +03:00
Slavi Pantaleev
7428b941c8 Remove old s3fs stuff
We've been using Goofys for a long time instead.
2018-08-29 10:14:48 +03:00
Slavi Pantaleev
23e4a4734b Switch from acmetool to certbot for SSL certificate retrieval 2018-08-29 09:37:44 +03:00
Slavi Pantaleev
d5346656e3 Use 0.16.1 for riot-web, as the image for 0.16.2 is still unavailable 2018-08-29 08:46:21 +03:00
Slavi Pantaleev
51ac3421b5 Update matrix-corporal (1.0.1 -> 1.1) 2018-08-24 17:13:58 +03:00
Slavi Pantaleev
314ff09846 Update dependencies 2018-08-24 10:01:25 +03:00
Slavi Pantaleev
92e6fdd279 Update dependencies 2018-08-23 08:35:38 +03:00
Slavi Pantaleev
861957b6f1 Add missing when statement 2018-08-23 08:35:30 +03:00
Slavi Pantaleev
5398d80f01 Add support for matrix-corporal 2018-08-21 13:34:34 +03:00
Slavi Pantaleev
02d5b54fa5 Add controls for influencing Matrix Synapse's rate-limiting 2018-08-20 21:25:06 +03:00
Slavi Pantaleev
14d7d3e670 Add support for matrix-synapse-shared-secret-auth 2018-08-20 17:11:55 +03:00
Slavi Pantaleev
f72882fe1a Fix user registration regression
Regression since a302a7d748,
which made the Matrix Client API only available on
the http port (8008) and not over the federation port (8448).
2018-08-17 12:23:25 +03:00
Slavi Pantaleev
b0f1a1c80f Fix nginx warning: adding already-default text/html to gzip_types 2018-08-17 10:44:34 +03:00
Slavi Pantaleev
832a4d71c1 Default to INFO logging for matrix-synapse-rest-auth, not DEBUG 2018-08-17 09:35:52 +03:00
Slavi Pantaleev
21a108262f Remove some leftover debug statements 2018-08-17 09:30:41 +03:00
Slavi Pantaleev
25becc63d5 Minor fixups for the matrix-synapse-rest-auth handling 2018-08-17 09:25:54 +03:00
Slavi Pantaleev
ea43d46b70 Add matrix-synapse-rest-auth support 2018-08-17 09:02:17 +03:00
Slavi Pantaleev
df79901f8b Improve compression support 2018-08-17 08:00:38 +03:00
Slavi Pantaleev
a302a7d748 Only run federation on 8448 and client on 80
This disables federation on the 80 port, as it's
not necessary. We also disable the old Angular webclient.

For the federation port (8448), we disable the client APIs
as those are not necessary. Those can even cause trouble
if one doesn't know about them and thinks that guarding the client
APIs at the 80 port is enough.
2018-08-17 07:55:58 +03:00
Slavi Pantaleev
74093dfb15 Add mxisd Identity Server support 2018-08-15 10:46:13 +03:00
Slavi Pantaleev
617712000e Minor wording improvements 2018-08-15 10:19:31 +03:00
Slavi Pantaleev
1c71cb110e Change SSL certificate obtaining a bit 2018-08-14 14:50:10 +03:00
Slavi Pantaleev
21da2f572b Add email-sending support 2018-08-14 14:47:44 +03:00
Slavi Pantaleev
cab54879d1 Update dependencies 2018-08-11 09:44:11 +03:00
Slavi Pantaleev
084a0a0e53 Minor consistency improvement 2018-08-08 10:47:03 +03:00
Slavi Pantaleev
700602eed3 Rename a bunch of playbook variables for better consistency 2018-08-08 09:17:18 +03:00
Slavi Pantaleev
336785d1ed Rename Ansible playbook tag (setup-main -> setup-all) 2018-08-08 09:03:37 +03:00
Slavi Pantaleev
3fd6fd647f Put all containers in their own isolated Docker network (matrix)
Moving away from using the default bridge network to using our own.
This isolates our services from other Docker containers running
on the default network on the same host.

The benefits are that:

- isolation is a little better - we no longer share a default
bridge network with any other containers that might be running on the host

- there are no longer hard dependencies - we do service discovery
by DNS name, and not via explicit `--link` usage during container start,
so containers can start out of order and fail without bringing down others
with them
(`matrix-nginx-proxy` can continue running, even if one of the other services dies)

In the future, when other services get introduced,
the increased resilience and simplicity will help as well.
2018-08-08 08:57:48 +03:00
Slavi Pantaleev
b88fe971d6 Fix matrix-nginx-proxy.service dependency on riot-web, if riot-web disabled 2018-08-07 15:39:57 +03:00
Slavi Pantaleev
cdf4eefdf9 Fix typos 2018-08-07 15:08:46 +03:00
Slavi Pantaleev
f6950612a5 Upgrade dependencies 2018-08-02 21:26:25 +03:00
Slavi Pantaleev
6cb14be162 Upgrade dependencies 2018-07-30 16:18:17 +03:00
Slavi Pantaleev
ae7e8e61c6 Update dependencies 2018-07-20 08:28:02 -04:00
Slavi Pantaleev
e4d0a68460 Update riot-web (0.15.5 -> 0.15.6) 2018-06-30 18:51:25 +03:00
Slavi Pantaleev
839b401b28 Set up Synapse configuration using a template (not line/regexp replacements)
Until now, we were starting from a fresh configuration, as generated
by Synapse and manipulating it with regex and line replacements,
until we made it work.

This is more fragile and less predictable, so we're moving to a static
configuration file generated from a Jinja template.

The upside is that configuration will be stable and predictable.

The downside of this new approach is that any manual configuration changes
after the playbook is done, will be thrown away on future playbook
invocations.

There are 2 ways to work around the need for manual configuration
changes though:
- making them part of this playbook and its default template
configuration files (which benefits everyone)
- going your own way for a given host and overriding the template files
that get used (that is, the
`matrix_synapse_template_synapse_homeserver` or
`matrix_synapse_template_synapse_log` variables)
2018-06-26 21:05:59 +03:00
Slavi Pantaleev
add8169c33 Remove deprecated "ssl" directive from nginx configuration 2018-06-26 20:43:57 +03:00
Slavi Pantaleev
053328be08 Fix nginx failing to start on certain low-cache CPUs 2018-06-26 20:40:48 +03:00
Slavi Pantaleev
1725c3e698 Upgrade riot-web (0.15.4 -> 0.15.5) 2018-06-21 09:44:38 +03:00
Slavi Pantaleev
6335485ad3 Upgrade Synapse (0.31.1 -> 0.31.2) 2018-06-15 00:00:01 +03:00
Slavi Pantaleev
a5877eadd4 Upgrade Synapse (0.31.0 -> 0.31.1) 2018-06-08 18:25:12 +03:00
Slavi Pantaleev
4ebf6bbf27 Upgrade Synapse (0.30.0 -> 0.31.0) 2018-06-07 10:14:36 +03:00
Slavi Pantaleev
ff8f1bc65f Upgrade Docker images 2018-06-06 17:35:29 +03:00
Slavi Pantaleev
1670a20937 Clean up riot-web UI (disable custom URLs and guest usage)
This playbook does not set up guest access in Synapse anyway,
so until the need comes (or someone asks for it), guest access
is removed from riot-web's UI too.

As for supporting custom URLs, this is also not something
that seems like it'd be useful to most deployments.
2018-05-30 15:36:09 +03:00
Slavi Pantaleev
5399e2b6bb Do not require (but want) matrix-coturn.service in matrix-synapse
It's not really a requirement, as it can function without it.
Also, restarting matrix-coturn doesn't need to restart matrix-synapse.
2018-05-29 13:38:41 +03:00
Slavi Pantaleev
62d1b13c91 Minor improvements to the Postgres-upgrade tasks 2018-05-29 11:23:17 +03:00
Slavi Pantaleev
d107ab2540 Add support for upgrading Postgres
Since cbee084ac1, this playbook supports Postgres 10.x,
but keeps existing Postgres-9.x installs on 9.x.

This playbook can now also be run with `--tags=upgrade-postgres`
to make it upgrade from Postgres 9.x to 10.x (or other versions
in the future).
2018-05-28 20:40:42 +03:00
Slavi Pantaleev
cbee084ac1 Use Postgres 10.x by default (only for new installs)
This playbook just tries to avoid trying to set up a Postgres 10
database with existing 9.x files, as that makes Postgres complain.

Due to this, existing installs (still on 9.x) are detected
and left on Postgres 9.x.
They need to be upgraded to Postgres 10.x manually.
2018-05-28 20:16:02 +03:00
Slavi Pantaleev
f1b4730e82 Update Docker images 2018-05-26 12:25:09 +03:00
Slavi Pantaleev
b3e62126db Switch Docker image to official one
Switching from avhost/docker-matrix (silviof/docker-matrix)
to matrixdotorg/synapse.

The avhost/docker-matrix (silviof/docker-matrix) image used to bundle
in the coturn STUN/TURN server, so as part of the move,
we're separating this to a separately-run service
(matrix-coturn.service, powered by instrumentisto/coturn-docker-image)
2018-05-25 21:58:53 +03:00
Slavi Pantaleev
3af3ef48fc Make .log.config modifications respect whitespace
A `.log.config` file may be generated with a different
level of indentation depending on which (Docker image, etc.)
generates it.

With this patch, we tolerate different levels of indentation
(2 spaces, 4 spaces, etc.) and don't break the configuration.
2018-05-25 13:15:17 +03:00
Slavi Pantaleev
67a98e51d9 Make the riot-web container run without root privileges 2018-05-14 14:31:43 +03:00
Slavi Pantaleev
bd580d3b9a Update dependencies 2018-05-14 14:31:00 +03:00
Slavi Pantaleev
a367172b67 Update dependencies 2018-04-28 13:38:44 +03:00
Slavi Pantaleev
7de11261b1 Update Docker images 2018-04-11 18:51:32 +02:00
Slavi Pantaleev
af54d60b0f Update Docker images 2018-04-03 18:49:05 +03:00
Slavi Pantaleev
5d9ddd1627 Update Docker images 2018-03-16 10:22:09 +02:00
Slavi Pantaleev
efc78fb9d3 Switch from s3fs to Goofys
Improves performance of media store operations.
2018-02-20 21:36:08 +02:00
Slavi Pantaleev
db686c3f8e Update dependencies 2018-02-13 23:19:50 +02:00
Slavi Pantaleev
bfca91ac1f Switch Matrix Docker images (silviof -> AVENTER-UG)
Silvio announced that he's no longer maintaining his images,
so we're jumping to AVENTER-UG's fork.
2018-01-10 22:11:32 +02:00
Slavi Pantaleev
534f78f9d0 Update Docker image versions 2017-12-07 22:53:43 +02:00
Slavi Pantaleev
d14ef08d5b Fix SSL certificate renewal for the custom-proxy-server case
When using matrix-nginx-proxy, the file permissions are organized
in a way that matrix-nginx-proxy could read the challenge files
produced by acmetool.

However, when another own/external webserver was used (like nginx
with our generated sample configuration), this could not work.
From now on, we're proxying the HTTP requests to port :402 in such a case,
which fixes the problem.
2017-12-01 12:07:27 +01:00
Slavi Pantaleev
f476e49e64 Make SSL renewal time configurable and nginx-proxy reload time adequate
The matrix-nginx-proxy was reloaded on the 3rd day of the month (`15 4 3 * *`),
which makes no sense - it's too infrequent.

It's in line with the renewal time now (+5 minutes).
2017-11-11 10:38:38 +02:00
Slavi Pantaleev
57e4f12ad3 Add support for using a pre-configured Macaroon secret key 2017-10-24 15:29:19 +09:00
Slavi Pantaleev
dd5cabf658 Make /matrix owned by matrix:matrix 2017-10-24 13:01:11 +09:00
Slavi Pantaleev
19e191f0bd Do not assign Docker container name for certificate renewal
Prevents clashes with other services like this one.
2017-10-16 08:42:27 +03:00
Slavi Pantaleev
1c2d59ae91 Stop using patched synapse_port_db script
The non-working script is supposed to be fixed
by https://github.com/matrix-org/synapse/pull/2375

To have it work, we'd need an updated Docker image
of `silviof/matrix-riot-docker:latest`, which is not yet available
at the time of this commit.

Still, the previous patched synapse_port_db didn't work well either,
so it's not like we're regressing much by getting rid of it.
2017-10-14 09:58:06 +03:00
Slavi Pantaleev
767b321f60 Do not mount certain Docker volumes as read-write unnecessarily 2017-10-01 11:36:30 +03:00
Slavi Pantaleev
2906ec3045 Fix SSL-renewal problem caused by incorrect permissions 2017-10-01 11:26:20 +03:00
Slavi Pantaleev
3a5f82267b Do not use Let's Encrypt certificate for Synapse's federation port
As described here (
https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711
), using own SSL certificates for the federation port is more fragile,
as renewing them could cause federation outages.

The recommended setup is to use the self-signed certificates generated
by Synapse.

On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt
certificates, which ensures API consumers work without having to trust
"our own CA".

Having done this, we also don't need to ever restart Synapse anymore,
as no new SSL certificates need to be applied there.

It's just matrix-nginx-proxy that needs to be restarted, and it doesn't
even need a full restart as an "nginx reload" does the job of switching
to the new SSL certificates.
2017-09-23 15:29:15 +03:00
Slavi Pantaleev
6962bfcc42 Add support for not taking over a server (no matrix-nginx-proxy) and disabling Riot 2017-09-12 12:41:44 +03:00
Slavi Pantaleev
cb323f5b4c Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl
Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break
2017-09-11 23:50:14 +03:00
Slavi Pantaleev
ded7c274f6 Add support for Debian (9+) and Ubuntu (16.04+) 2017-09-11 23:24:05 +03:00
Slavi Pantaleev
13ab9eb238 Do not touch hostname and timezone
Let's let the admin set them as they wish.
We don't care what they are anyway.

If other things run on the same server,
it's also better not to hijack these for our
own purposes, especially when we don't need to.

The timedatectl call also seems to fail on Ubuntu 17.04
for some reason (missing timezones information file?).
2017-09-11 22:55:05 +03:00
Slavi Pantaleev
7c049be11a Update postgres and nginx 2017-09-11 22:16:51 +03:00
Slavi Pantaleev
f422e379c2 Do not try to start postgres when it's external 2017-09-11 00:58:22 +03:00
Slavi Pantaleev
ab1a9fd87e Add support for using an external PostgreSQL server 2017-09-08 17:24:27 +03:00
Slavi Pantaleev
f6be25a6ae Fix idempotency problem when getting rid of S3 setup 2017-09-08 16:34:40 +03:00
Slavi Pantaleev
ac59192696 Do not leave containers behind after matrix-postgres-cli usage 2017-09-08 14:18:12 +03:00
Slavi Pantaleev
49e5dad86d Do not do the S3 setup so early
It was never intended to be there, but was while testing/development
and got forgotten later.
2017-09-08 10:50:31 +03:00
Slavi Pantaleev
0f43abb91d Do not assume /usr/local/bin is always on the PATH 2017-09-08 10:47:12 +03:00
Slavi Pantaleev
9c68b057b0 Add support for storing Matrix Synapse's media_store to Amazon S3 2017-09-07 18:26:41 +03:00
Slavi Pantaleev
9b97ab6a90 Do not wastefully preserve owner/group when importing media store files 2017-09-07 12:27:32 +03:00
Slavi Pantaleev
0f723c9574 Ensure media store files are owned by the correct user/group after importing (recursively) 2017-09-07 12:24:04 +03:00
Slavi Pantaleev
a6760f4469 Ensure media store files are owned by the correct user/group after importing 2017-09-07 12:23:22 +03:00
Slavi Pantaleev
ea91ef7fb2 Move media_store & logs out of /data. Allow logging to be configured
The goal is to allow these to be on separate partitions
(including remote ones in the future).

Because the `silviof/docker-matrix` image chowns
everything to MATRIX_UID:MATRIX_GID on startup,
we definitely don't want to include `media_store` in it.
If it's on a remote FS, it would cause a slow startup.

Also, adding some safety checks to the "import media store"
task, after passing a wrong path to it on multiple occasions and
wondering what's wrong.

Also, making logging configurable. The default of keeping 10x100MB
log files is likely excessive and people may want to change that.
2017-09-07 12:12:31 +03:00
Slavi Pantaleev
2bb8bb96d4 Add support for configuring max_upload_size 2017-08-30 12:07:03 +03:00
Slavi Pantaleev
b046052aed Switch from playbook vars to role defaults
By using role defaults, we can have inventory variables
which override the defaults.
2017-08-30 12:05:13 +03:00
Slavi Pantaleev
ce3c31eb41 Adjust x_forwarded setting for the plain (8008) port
Port 8008 is forwarded in our case, so unless we adjust
`x_forwarded` for it, Docker's local network IPs are
logged/displayed for devices.

The TLS port (8448) is not proxied in our setup,
so its `x_forwarded` setting remains `false`.
2017-08-12 18:32:24 +03:00
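Added example, not code from the playbook: a small audit of a Synapse `listeners` block that checks the two points made in commits a302a7d748 (federation only on the TLS port 8448, client APIs only on the plain port, old webclient off) and ce3c31eb41 above (`x_forwarded` true only for the listener that actually sits behind the proxy). The dict layout mirrors the `listeners` section of homeserver.yaml; the BEFORE/AFTER configs are constructed samples, and which ports are proxied is an assumption the caller passes in.

```python
# Added example (not the playbook's own code): audit a Synapse `listeners`
# block for the split described in the commits above, i.e. federation only
# on the TLS port, client APIs only on the proxied plain port, and
# x_forwarded set to match whether a listener sits behind the proxy.
# The dict layout mirrors homeserver.yaml's listeners section; which ports
# are proxied is an assumption the caller supplies.

def listener_names(listener):
    """Flatten resources[].names into one set."""
    return {name
            for resource in listener.get("resources", [])
            for name in resource.get("names", [])}


def audit_listeners(listeners, proxied_ports):
    """Return [(port, problem), ...]; an empty list means the layout is clean."""
    problems = []
    for listener in listeners:
        port = listener.get("port")
        names = listener_names(listener)
        tls = bool(listener.get("tls", False))
        x_forwarded = bool(listener.get("x_forwarded", False))

        if "client" in names and "federation" in names:
            problems.append((port, "client and federation APIs share one listener"))
        if "federation" in names and not tls:
            problems.append((port, "federation served without TLS"))
        if "webclient" in names:
            problems.append((port, "legacy webclient still enabled"))
        if port in proxied_ports and not x_forwarded:
            # Synapse would log/display the proxy's Docker-network IP for devices.
            problems.append((port, "proxied listener without x_forwarded: true"))
        if port not in proxied_ports and x_forwarded:
            # Trusting X-Forwarded-For on a directly exposed port lets any
            # client choose the IP that Synapse records for it.
            problems.append((port, "x_forwarded: true on a directly exposed port"))
    return problems


# Constructed sample configs. BEFORE mirrors the old "everything everywhere"
# layout; AFTER is the layout the commits describe.
BEFORE = [
    {"port": 8448, "type": "http", "tls": True, "x_forwarded": False,
     "resources": [{"names": ["client", "webclient"]},
                   {"names": ["federation"]}]},
    {"port": 8008, "type": "http", "tls": False, "x_forwarded": False,
     "resources": [{"names": ["client", "federation"]}]},
]
AFTER = [
    {"port": 8448, "type": "http", "tls": True, "x_forwarded": False,
     "resources": [{"names": ["federation"]}]},
    {"port": 8008, "type": "http", "tls": False, "x_forwarded": True,
     "resources": [{"names": ["client"]}]},
]
PROXIED_PORTS = {8008}  # assumption: only 8008 sits behind matrix-nginx-proxy

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        findings = audit_listeners(cfg, PROXIED_PORTS)
        print(f"{label}: {len(findings)} finding(s)")
        for port, problem in findings:
            print(f"  port {port}: {problem}")
```

The last check is the one worth keeping in mind when copying `x_forwarded: true` around: on a port that clients reach directly, Synapse would take the client-supplied X-Forwarded-For header at face value.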
Slavi Pantaleev
1cd227b699 Increase max body size for the nginx proxy
Otherwise, we can't support large media file uploads.
2017-08-12 15:39:21 +03:00
Slavi Pantaleev
887d14884e Do not generate a new Matrix Synapse config, if one already exists
Otherwise certains values in the config file,
such as `macaroon_secret_key`, would be regenerated,
which is not something that we want.

If `macaroon_secret_key` is regenerated, all users'
auth tokens will become invalid (effectively logging out
all users).
2017-08-12 11:06:57 +03:00
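Added example, not the playbook's own code: one way to keep `macaroon_secret_key` (and, by assumption, the other secrets in the generated file) stable even when a homeserver.yaml is regenerated, rather than skipping generation entirely as commit 887d14884e does. It assumes the secrets are unindented top-level `key: value` scalars, as in Synapse's generated file; the two config texts are constructed samples.

```python
# Added example (not the playbook's own code): when a homeserver.yaml is
# regenerated anyway, carry the existing secrets over so users are not
# logged out. Goes one step past the commit above, which simply skips
# generation when a config exists. Assumes the secrets are unindented
# top-level `key: value` scalars, as in Synapse's generated file; the
# two config texts below are constructed samples.
import re

# macaroon_secret_key is the one the commit names; the other two are
# assumed to deserve the same treatment (rotating them breaks
# registration / form signing rather than sessions).
SECRET_KEYS = ("macaroon_secret_key", "registration_shared_secret", "form_secret")

_TOP_LEVEL_SCALAR = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<value>\S.*)$")


def read_top_level_scalars(text):
    """Return {key: raw_value} for every unindented `key: value` line."""
    found = {}
    for line in text.splitlines():
        match = _TOP_LEVEL_SCALAR.match(line)
        if match:
            found[match.group("key")] = match.group("value").strip()
    return found


def merge_preserving_secrets(existing, generated):
    """Return (merged_text, carried_keys).

    Secrets present in `existing` overwrite the freshly generated values;
    keys missing from `existing` (first install, or a newer Synapse that
    added a secret) keep the generated value.
    """
    old = read_top_level_scalars(existing)
    carried = []
    merged = []
    for line in generated.splitlines():
        match = _TOP_LEVEL_SCALAR.match(line)
        if match and match.group("key") in SECRET_KEYS and match.group("key") in old:
            key = match.group("key")
            merged.append(f"{key}: {old[key]}")
            carried.append(key)
        else:
            merged.append(line)
    return "\n".join(merged) + "\n", carried


# Constructed samples: the config already on disk, and a fresh generation.
EXISTING = """\
server_name: example.com
macaroon_secret_key: "OLDmacaroonAAAA"
registration_shared_secret: "OLDregBBBB"
"""

GENERATED = """\
server_name: example.com
macaroon_secret_key: "NEWmacaroonCCCC"
registration_shared_secret: "NEWregDDDD"
form_secret: "NEWformEEEE"
"""

if __name__ == "__main__":
    text, carried = merge_preserving_secrets(EXISTING, GENERATED)
    print("carried over:", ", ".join(carried))
    print(text)
```

Run against the samples, the old macaroon and registration secrets survive and only `form_secret`, which the existing file never had, takes the freshly generated value.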
Slavi Pantaleev
7d74dced28 Disable TURN for guests and enable URL previews 2017-08-12 10:36:34 +03:00
Slavi Pantaleev
fc3386dff7 Fix matrix-synapse-register-user for the non-admin case
It was trying to omit the `-a` flag, but that wasn't enough,
because the underlying `register_new_matrix_user` command
prompts interactively if it doesn't see the `-a` flag
(it doesn't default to non-admin).

We need to answer such interactive prompts.
2017-08-11 08:21:34 +03:00
Slavi Pantaleev
b074030d59 Fix problem detecting matrix-nginx-proxy state when it is not installed 2017-08-08 14:31:01 +03:00
Slavi Pantaleev
02bdb7c7bc Ensure firewalld is installed and Docker launches after firewalld
Some CentOS 7 hosts may not have firewalld installed.
We shouldn't expect it to be, but should ensure by ourselves that it is.

Docker likes to mess around with iptables forwarding rules,
so it ought to start after firewalld.
2017-08-08 14:29:14 +03:00
Slavi Pantaleev
a3ecb7bfd9 Add http->https redirection for Matrix/Riot
Doing this means that matrix-nginx-proxy now starts
occupying port 80, which necessitates that
SSL renewal happens slightly differently.
2017-08-06 19:10:50 +03:00
Slavi Pantaleev
0d1a2071de Ensure playbook works if running at SSL-renewal time
matrix-nginx-proxy will be occupying port 80 soon,
so that we can be more user-friendly and have
http->https forwarding for the Riot hostname.

During the playbook run, acmetool also expects to use
port 80 for domain verification.

During an initial playbook run, this wouldn't cause trouble
because matrix-nginx-proxy is not installed yet.

However, on subsequent playbook runs, it would cause trouble.

This ensures that if matrix-nginx-proxy is available
and running, it would be stopped before running acmetool
and started right after.
2017-08-06 18:40:16 +03:00
Slavi Pantaleev
13eaee2463 Enable TURN support and UDP for STUN 2017-08-06 18:26:06 +03:00
Slavi Pantaleev
81077e6cdf Allow regular users to be created as well (not only admins) 2017-08-01 11:11:29 +03:00
Slavi Pantaleev
87f5883f24 Initial commit 2017-07-31 23:08:20 +03:00