🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
Go to file
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
docs Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
examples Make roles more independent of one another 2019-01-16 18:05:48 +02:00
group_vars Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
inventory Fix README instructions typo about Ansible host_vars 2018-01-17 15:57:01 +02:00
roles Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
.gitignore Initial commit 2017-07-31 23:08:20 +03:00
ansible.cfg Initial commit 2017-07-31 23:08:20 +03:00
CHANGELOG.md Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
LICENSE Add LICENSE file 2018-08-17 09:01:06 +03:00
README.md Make (most) containers start as non-root 2019-01-27 20:25:13 +02:00
setup.yml Split playbook into multiple roles 2019-01-12 18:01:10 +02:00

Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker

Purpose

This Ansible playbook is meant to easily let you run your own Matrix homeserver.

That is, it lets you join the Matrix network with your own @<username>:<your-domain> identifier, all hosted on your own server.

Using this playbook, you can get the following services configured on your server:

  • a Synapse homeserver - storing your data and managing your presence in the Matrix network

  • (optional) Amazon S3 storage for Synapse's content repository (media_store) files using Goofys

  • (optional, default) PostgreSQL database for Synapse. Using an external PostgreSQL server is also possible.

  • (optional, default) a coturn STUN/TURN server for WebRTC audio/video calls

  • (optional, default) free Let's Encrypt SSL certificate, which secures the connection to the Synapse server and the Riot web UI

  • (optional, default) a Riot web UI, which is configured to connect to your own Synapse server by default

  • (optional, default) an mxisd Matrix Identity server

  • (optional, default) an Exim mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server)

  • (optional, default) an nginx web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver is possible

  • (optional, advanced) the matrix-synapse-rest-auth REST authentication password provider module

  • (optional, advanced) the matrix-synapse-shared-secret-auth password provider module

  • (optional, advanced) the matrix-synapse-ldap3 LDAP Auth password provider module

  • (optional, advanced) the Matrix Corporal reconciliator and gateway for a managed Matrix server

  • (optional) the mautrix-telegram bridge for bridging your Matrix server to Telegram

  • (optional) the mautrix-whatsapp bridge for bridging your Matrix server to Whatsapp

Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.

Note: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. You can always re-run the playbook later to add or remove components.

What's different about this Ansible playbook?

This is similar to the EMnify/matrix-synapse-auto-deploy Ansible deployment, but:

  • this one is a complete Ansible playbook (instead of just a role), so it's easier to run - especially for folks not familiar with Ansible

  • this one installs and hooks together a lot more Matrix-related services for you (see above)

  • this one can be re-ran many times without causing trouble

  • works on both CentOS (7.0+) and Debian-based distributions (Debian 9/Stretch+, Ubuntu 16.04+)

  • this one installs everything in a single directory (/matrix by default) and doesn't "contaminate" your server with files all over the place

  • this one doesn't necessarily take over ports 80 and 443. By default, it sets up nginx for you there, but you can also use your own webserver

  • this one runs everything in Docker containers, so it's likely more predictable and less fragile (see Docker images used by this playbook)

  • this one retrieves and automatically renews free Let's Encrypt SSL certificates for you

  • this one optionally can store the media_store content repository files on Amazon S3 (but defaults to storing files on the server's filesystem)

  • this one optionally allows you to use an external PostgreSQL server for Synapse's database (but defaults to running one in a container)

Installation

To configure and install Matrix on your own server, follow the README in the docs/ directory.

Changes

This playbook evolves over time, sometimes with backward-incompatible changes.

When updating the playbook, refer to the changelog to catch up with what's new.

Docker images used by this playbook

This playbook sets up your server using the following Docker images:

Deficiencies

This Ansible playbook can be improved in the following ways:

  • setting up automatic backups to one or more storage providers

Support