Commit graph

14 commits

Author SHA1 Message Date
Horvath Gergely 310aa685f9 refactor based on Slavi's requests 2020-03-08 00:24:00 +01:00
Slavi Pantaleev 9a33e5c7ad Make it possible to control Coturn ports and listen interfaces
Related to #330 (Github Issue).
2019-12-20 12:21:43 +02:00
Slavi Pantaleev 7d3adc4512 Automatically force-pull :latest images
We do use some `:latest` images by default for the following services:
- matrix-dimension
- Goofys (in the matrix-synapse role)
- matrix-bridge-appservice-irc
- matrix-bridge-appservice-discord
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-whatsapp

It's terribly unfortunate that those software projects don't release
anything other than `:latest`, but that's how it is for now.

Updating that software requires that users manually do `docker pull`
on the server. The playbook didn't force-repull images that it already
had.

With this patch, it starts doing so. Any image tagged `:latest` will be
force re-pulled by the playbook every time it's executed.

It should be noted that even though we ask the `docker_image` module to
force-pull, it only reports "changed" when it actually pulls something
new. This is nice, because it lets people know exactly when something
gets updated, as opposed to giving the indication that it's always
updating the images (even though it isn't).
2019-06-10 14:30:28 +03:00
Sylvia van Os 75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Slavi Pantaleev 59e37105e8 Add TLS support to Coturn 2019-03-19 10:24:39 +02:00
Slavi Pantaleev 018aeed5e9 Add support for mounting additional volumes to matrix-coturn 2019-03-19 09:16:30 +02:00
Slavi Pantaleev 24cf27c60c Isolate Coturn from services in the default Docker network
Most (all?) of our Matrix services are running in the `matrix` network,
so they were safe -- not accessible from Coturn to begin with.

Isolating Coturn into its own network is a security improvement
for people who were starting other services in the default
Docker network. Those services were potentially reachable over the
private Docker network from Coturn.

Discussed in #120 (Github Pull Request)
2019-03-18 17:41:14 +02:00
Slavi Pantaleev c6858d2a08 Define matrix_coturn_turn_external_ip_address in the playbook group vars
This is more explicit than hiding it in the role defaults.

People who reuse the roles in their own playbook (and not only) may
incorrectly define `ansible_host` to be a hostname or some local address.

Making it more explicit is more likely to prevent such mistakes.
2019-03-18 17:04:40 +02:00
Stuart Mumford e367a2d0de
Add nulls for quotas as well 2019-03-18 11:58:52 +00:00
Stuart Mumford 9d236c5466
Add defaults for ips 2019-03-18 11:44:40 +00:00
Slavi Pantaleev aae8757027 Update coturn (4.5.1.0 -> 4.5.1.1) 2019-03-06 19:59:40 +02:00
Slavi Pantaleev f5cd916de8 Update coturn (4.5.0.8 -> 4.5.1.0) 2019-02-07 13:15:59 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev 51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00