Commit graph

455 commits

Author SHA1 Message Date
Slavi Pantaleev 9202b2b8d9 Ensure systemd services are running when doing --tags=start
Fixes #129 (Github Issue).

Unfortunately, we rely on `service_facts`, which is only available
in Ansible >= 2.5.

There's little reason to stick to an old version such as Ansible 2.4:
- some time has passed since we've raised version requirements - it's
time to move into the future (a little bit)
- we've recently (in 82b4640072) improved the way one can run
Ansible in a Docker container

From now on, Ansible >= 2.5 is required.
2019-04-03 11:19:06 +03:00
Slavi Pantaleev 82b4640072 Use a more suitable Docker image for running Ansible
Inspired by #128 (Github Issue), we've created a new Docker image
to replace https://hub.docker.com/r/qmxme/ansible

Adding dnspython or dig to `qmxme/ansible` doesn't seem like a good
idea (that might be accepted by them), given that it's specific to our
use case. That's why we'll be maintaining our own image from now on.
2019-04-03 10:28:23 +03:00
Slavi Pantaleev 631b7cc6a6 Add support for adjusting Synapse rate-limiting configuration 2019-04-01 21:40:14 +03:00
Borjan Tchakaloff cbd629e7ea Specify that cron is likely required on the server
When using Let's Encrypt SSL certificates, a cronjob is set up to
automatically renew them. Though it does require a `cron`-compatible
program on the server.

This fixes the error that is caused by the `/etc/cron.d` directory
not existing and the `ansible-cron` module trying to write out a
file there -- without checking if the directory exists first.
2019-03-22 17:44:24 +01:00
Slavi Pantaleev 1939fc9113 Improve documentation a bit 2019-03-19 18:23:54 +02:00
Slavi Pantaleev 59e37105e8 Add TLS support to Coturn 2019-03-19 10:24:39 +02:00
Slavi Pantaleev 10d9293121 Indicate that TURN ports are a range 2019-03-13 08:23:10 +02:00
Slavi Pantaleev c545d3eb85 Add support for serving base domain via matrix-nginx-proxy 2019-03-12 23:01:16 +02:00
Slavi Pantaleev 1974935bc6 Update docs a bit 2019-03-12 11:38:59 +02:00
Slavi Pantaleev 54e79c10a1
Merge pull request #112 from NullIsNot0/master
Fix Dimension documentation
2019-03-10 21:53:33 +02:00
Slavi Pantaleev 52486356e5 Add some more links to Dimension's homepage 2019-03-10 21:43:03 +02:00
Edgars Voroboks c49ba1c4ab Fix Dimension documentation 2019-03-10 21:41:31 +02:00
Slavi Pantaleev a1f9869eb2 Improve documentation about getting the playbook 2019-03-10 17:02:20 +02:00
Edgars Voroboks 9f5215c95a Make some additions to Dimension documentation 2019-03-10 13:17:56 +02:00
Edgars Voroboks 1bff4893d9 Provide Dimension documentation 2019-03-10 10:12:31 +02:00
Slavi Pantaleev ae7e17e64a Add information about mxisd email template customization
Related to #108 (Github Pull Request).
2019-03-08 12:06:50 +02:00
Slavi Pantaleev 401d7560e9 Make Discord bridging instructions more detailed
It didn't mention `matrix_appservice_discord_client_id` and
`matrix_appservice_discord_bot_token`, which makes it hard for
beginners.

Related to #105 (Github Pull Request).
2019-03-05 09:10:32 +02:00
Lionstiger b5ae0254fd used ` backticks instead of double quotes 2019-03-04 14:41:58 +01:00
Lionstiger faa16617da add documentation 2019-03-03 19:34:30 +01:00
Lionstiger 835c349275 Add matrix-appservice-discord bridge
Bridge is setup to work on the matrix side with this, but the discord invite link is not automatically generated.
2019-03-03 18:22:52 +01:00
Slavi Pantaleev 041a1947b3 Update Synapse (0.99.1.1 -> 0.99.2) 2019-03-02 10:03:09 +02:00
frlae 6b47ebeaa7 fixed a small path typo in playbook telemetry docs 2019-03-01 07:48:45 +01:00
Slavi Pantaleev a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev 28bd6dc75b Improve Telegram/Whatsapp instructions 2019-02-22 14:50:07 +02:00
Slavi Pantaleev 747574ab56 Update Prerequisites a bit 2019-02-20 11:39:04 +02:00
Slavi Pantaleev b79db89221 Improve wording a bit 2019-02-15 10:03:33 +02:00
Slavi Pantaleev fcdc2a6c4f Fix incomplete sentence 2019-02-15 10:01:10 +02:00
Slavi Pantaleev eb08e20418 Upgrade Synapse (0.99.0 -> 0.99.1) and sync config
`matrix_synapse_no_tls` is now implicit, so we've gotten rid of it.

The `homeserver.yaml.j2` template has been synchronized with the
configuration generated by Synapse v0.99.1 (some new options
are present, etc.)
2019-02-14 18:40:55 +02:00
Slavi Pantaleev 70b2f07fec Add PostgreSQL backup information 2019-02-09 14:36:47 +02:00
Slavi Pantaleev 46accfdb3c Add guide about certificates for other domains
We had something like that on the Server Delegation how-to page,
but it's better if we have it on the SSL certificates page.

Relocated there and improved linking.

Fixes #94 (Github Issue)
2019-02-08 11:59:00 +02:00
Slavi Pantaleev f4fa03d4b9 Re-iterate where one can find the well-known files 2019-02-07 19:43:00 +02:00
Slavi Pantaleev ef903fe544 Add some quick links 2019-02-06 13:30:24 +02:00
Slavi Pantaleev e9cfcb8429 Fix another YAML indentation problem on documentation page 2019-02-06 13:04:19 +02:00
Slavi Pantaleev 92aa5bfa2d Fix YAML indentation on documentation page 2019-02-06 13:03:26 +02:00
Slavi Pantaleev 33726cdb08 Fix anchor 2019-02-06 13:02:17 +02:00
Slavi Pantaleev 5148f8edf4 Update docs 2019-02-06 09:36:03 +02:00
Slavi Pantaleev 91a757c581 Add support for reloading Synapse 2019-02-06 09:25:13 +02:00
Slavi Pantaleev 772154f3b9 Update Server Delegation docs a bit 2019-02-05 13:38:20 +02:00
Slavi Pantaleev b540427974 Mention alternative ways to do Server Delegation 2019-02-05 13:02:15 +02:00
Slavi Pantaleev f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Plailect 29b40b428a
Database files must be stored on permanent storage 2019-02-01 11:44:06 -05:00
Slavi Pantaleev 5e8a7fd05b Update own-webserver guide and add sample Apache configuration
This supersedes #59 (Github Pull Request),
which was greatly beneficial in creating our sample Apache configuration.
2019-02-01 16:58:11 +02:00
Slavi Pantaleev 8681a5dc69 Add 'none' SSL certificate retrieval method 2019-02-01 16:50:25 +02:00
Slavi Pantaleev e09b7435d1 Update documentation a bit 2019-02-01 12:26:43 +02:00
Slavi Pantaleev cd332d9b4e Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
2019-02-01 11:49:22 +02:00
Slavi Pantaleev a9fae8e3b1 Revert "Use native OpenSSL module to generate passkey.pem"
This reverts commit 0dac5ea508.

Relying on pyOpenSSL is the Ansible way of doing things, but is
impractical and annoying for users.

`openssl` is easily available on most servers, even by default.
We'd better use that.
2019-01-31 20:45:14 +02:00
Plailect 0dac5ea508
Use native OpenSSL module to generate passkey.pem 2019-01-31 11:38:54 -05:00
Plailect 0a2a8e118c
Update example configuration and documentation 2019-01-31 11:05:27 -05:00
Plailect 1c057bf06d
Correct variable name in documentation 2019-01-31 10:58:45 -05:00
Plailect 3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev 51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00
Slavi Pantaleev 9a9b7383e9 Completely redo how mxisd configuration gets generated
This change is provoked by a few different things:

- #54 (Github Pull Request), which rightfully says that we need a
way to support ALL mxisd configuration options easily

- the upcoming mxisd 1.3.0 release, which drops support for
property-style configuration (dot-notation), forcing us to
redo the way we generate the configuration file

With this, mxisd is much more easily configurable now
and much more easily maintaneable by us in the future
(no need to introduce additional playbook variables and logic).
2019-01-11 19:33:54 +02:00
Slavi Pantaleev 5135c0cc0a Add Ansible guide and Ansible version checks
After having multiple people report issues with retrieving
SSL certificates, we've finally discovered the culprit to be
Ansible 2.5.1 (default and latest version on Ubuntu 18.04 LTS).

As silly as it is, certain distributions ("LTS" even) are 13 bugfix
versions of Ansible behind.

From now on, we try to auto-detect buggy Ansible versions and tell the
user. We also provide some tips for how to upgrade Ansible or
run it from inside a Docker container.

My testing shows that Ansible 2.4.0 and 2.4.6 are OK.
All other intermediate 2.4.x versions haven't been tested, but we
trust they're OK too.

From the 2.5.x releases, only 2.5.0 and 2.5.1 seem to be affected.
Ansible 2.5.2 corrects the problem with `include_tasks` + `with_items`.
2019-01-03 16:24:14 +02:00
Slavi Pantaleev 76506f34e0 Make media-store restore work with server files, not local
This is a simplification and a way to make it consistent with
how we do Postgres imports (see 6d89319822), using
files coming from the server, not from the local machine.

By encouraging people NOT to use local files,
we potentially avoid problems such as #34 (Github issue),
where people would download `media_store` to their Mac's filesystem
and case-sensitivity issues will actually corrupt it.

By not encouraging local files usage, it's less likely that
people would copy (huge) directories to their local machine like that.
2019-01-01 15:57:50 +02:00
Slavi Pantaleev 543b98d24c Update documentation 2019-01-01 15:35:33 +02:00
Slavi Pantaleev 4c2e1a0588 Make SQLite database import work with server files, not local
This is a simplification and a way to make it consistent with
how we do Postgres imports (see 6d89319822), using
files coming from the server, not from the local machine.
2019-01-01 15:21:52 +02:00
Slavi Pantaleev 6d89319822 Add support for importing an existing Postgres database 2019-01-01 14:45:37 +02:00
Slavi Pantaleev c48e31381d Add minimum version requirement for Ansible 2018-12-29 15:31:05 +02:00
Slavi Pantaleev d28bdb3258 Add support for 2 more SSL certificate retrieval methods
Adds support for managing certificates manually and for
having the playbook generate self-signed certificates for you.

With this, Let's Encrypt usage is no longer required.

Fixes Github issue #50.
2018-12-23 11:00:12 +02:00
Slavi Pantaleev 4fd8b66b6e Update documentation about email configuration (relayhost brackets)
Relay hostnames that have MX records are looked up by postfix
and the MX record's payload is used instead.

This special behavior may be undesirable, so we make sure to
point it out.
2018-12-13 16:32:10 +09:00
Slavi Pantaleev 2b2409bf1e Update documentation about email configuration
This makes it explicit that outgoing traffic (25/587) needs
to be let through, as well as documenting how to debug
other non-delivery issues.
2018-12-13 15:19:01 +09:00
Aaron Raimist 92ef6986a2
Link to Synapse Homeowners room 2018-12-11 10:15:09 -06:00
Slavi Pantaleev 9dad4c7c2d Fix /.well-known/matrix/client for CORS
This is provoked by Github issue #46.

No client had made use of the well-known mechanism
so far, so the set up performed by this playbook was not tested
and turned out to be a little deficient.

Even though /.well-known/matrix/client is usually requested with a
simple request (no preflight), it's still considered cross-origin
and [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
applies. Thus, the file always needs to be served with the appropriate
`Access-Control-Allow-Origin` header.

Github issue #46 attempts to fix it at the "reverse-proxying" layer,
which may work, but would need to be done for every server.
It's better if it's done "upstream", so that all reverse-proxy
configurations can benefit.
2018-11-29 09:13:25 +02:00
Thomas vO bb849bd34f Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into new-cmds 2018-11-28 11:03:47 +01:00
Thomas vO caba16ea0d add script + doc to remove everything 2018-11-28 11:02:51 +01:00
Thomas vO 2bdc35de63 add script + doc to change a user to admin 2018-11-28 11:02:15 +01:00
Slavi Pantaleev 3fec9dfa0e Add LDAP auth password provider documentation and changelog description 2018-11-28 11:21:03 +02:00
Slavi Pantaleev 5533db8a28 Add a note about trying to use local PostgreSQL instances 2018-11-26 07:27:53 +02:00
Slavi Pantaleev 733b806833 Annotate certain features as optional/advanced
We've had some people get confused into installing
Matrix Corporal and having pain with that.

With this documentation change, we try to make it clearer
that it's an advanced feature not to be touched unless
you know what you're doing.

On a similar note, we also make sure other things are properly
labeled as "(optional)" and/or "(advanced)".
2018-11-26 07:23:42 +02:00
Aaron Raimist d260b17508
Add initial version of maintenance and troubleshooting doc 2018-11-14 14:34:24 -06:00
Aaron Raimist a1609ce6e4
Link to the restoring media store guide
It isn't below anymore
2018-11-12 19:11:47 -06:00
TheForcer 20bba449c4
Updated "Controlling Matrix federation" link
Missing file ending results in 404
2018-11-04 00:30:17 +01:00
Slavi Pantaleev 3bccec63b4 Add details about the telemetry data that gets sent (if enabled) 2018-11-01 18:40:45 +02:00
Slavi Pantaleev f364e080be Add documentation about Telemetry configuration 2018-11-01 18:21:38 +02:00
Slavi Pantaleev 099558bee8 Fix doc file name inconsistency (configuration -> configuring) 2018-11-01 18:20:49 +02:00
Slavi Pantaleev 009bb1b776 Add support for configuring Postgres auto-upgrade-backup path 2018-11-01 09:48:56 +02:00
Slavi Pantaleev 4bb8d4cb60 Fix up well-known documentation a bit 2018-10-29 22:39:04 +02:00
Slavi Pantaleev 5e3c6ebf49 Update documentation 2018-10-26 19:44:58 +03:00
Slavi Pantaleev cf0a5b3d2e
Merge pull request #20 from izissise/mautrix-whatsapp
Mautrix whatsapp
2018-10-26 19:39:14 +03:00
Slavi Pantaleev 67a445a74a Add support for controlling Matrix federation 2018-10-25 18:02:04 +03:00
Hugues Morisset b3fcc641c4 Add documentation and fix templates 2018-10-24 18:23:39 +02:00
Slavi Pantaleev caa32b6d76 Fix incorrect documentation
It's been incorrect since 23e4a473
2018-10-24 16:21:21 +03:00
Slavi Pantaleev 3ecb16bbef Use disable_guests=true for Riot 2018-10-24 13:59:06 +03:00
Slavi Pantaleev 7921799c6c Make matrix-corporal documentation more detailed 2018-10-23 09:24:09 +03:00
Slavi Pantaleev d5655b7527 Use CNAME for riot in the example table 2018-10-21 16:34:00 +03:00
anadahz 423e1e191a Add DNS records table 2018-10-21 13:04:13 +01:00
Slavi Pantaleev d0c2ef10e4 Add self-check command 2018-10-21 12:58:25 +03:00
anadahz 12d96f5e23 Add sample .well-know config for Caddy 2018-10-19 15:22:27 +01:00
anadahz 5c63f2ecec Fix minor typo in install instructions 2018-10-14 20:52:35 +01:00
Slavi Pantaleev 0d0ccde286 Add Service Discovery (/.well-known/matrix/client) support 2018-09-17 10:51:46 +03:00
Devr a3765f89cd
Update installing.md 2018-09-08 16:23:34 -05:00
Slavi Pantaleev 620553e408 Update README 2018-09-07 23:35:04 +03:00
Hugues Morisset 6ef934a416 Mautrix telegram minimum config variable requirement 2018-09-07 20:03:56 +02:00
Hugues Morisset 3cd7f097eb Add small doc on Mautrix Telegram 2018-09-07 20:02:46 +02:00
Slavi Pantaleev 5398d80f01 Add support for matrix-corporal 2018-08-21 13:34:34 +03:00
Slavi Pantaleev 14d7d3e670 Add support for matrix-synapse-shared-secret-auth 2018-08-20 17:11:55 +03:00
Slavi Pantaleev 2b2e996cf9 Fix typo 2018-08-17 09:04:20 +03:00
Slavi Pantaleev ea43d46b70 Add matrix-synapse-rest-auth support 2018-08-17 09:02:17 +03:00
Slavi Pantaleev 74093dfb15 Add mxisd Identity Server support 2018-08-15 10:46:13 +03:00
Slavi Pantaleev 617712000e Minor wording improvements 2018-08-15 10:19:31 +03:00
Slavi Pantaleev 21da2f572b Add email-sending support 2018-08-14 14:47:44 +03:00
Slavi Pantaleev f254aaf44a Improve wording a bit 2018-08-08 10:10:16 +03:00
Slavi Pantaleev 30c53cdea2 Split README into a bunch of files in docs/ 2018-08-08 10:07:02 +03:00