Commit graph

131 commits

Author SHA1 Message Date
Agustin Ferrario 5156c63a76 Clean up code
Code was clean up and simplified to make it simpler and easier to
maintain. No features were modified.
2021-01-08 18:35:27 +01:00
Agustin Ferrario 25d423e6b6 Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent
naming.

`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.

The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
2021-01-08 11:32:10 +01:00
Agustin Ferrario 3cb71e7e84 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2021-01-03 13:18:21 +01:00
louis dcd4716636 add option to disable nginx access log 2020-12-21 21:26:49 +01:00
Agustin Ferrario 2082242499 Add matrix_nginx_proxy_ssl_config
A new variable called `matrix_nginx_proxy_ssl_config` is created for
configuring how the nginx proxy configures SSL. Also a new configuration
validation option and other auxiliary variables are created.

A new variable configuration called `matrix_nginx_proxy_ssl_config` is
created. This allow to set the SSL configuration easily using the
default options proposed by Mozilla. The default configuration is set to
"Intermediate", removing the weak ciphers used in the old
configurations.

The new variable can also be set to "Custom" for a more granular control.
This allows to set another three variables called:

- `matrix_nginx_proxy_ssl_protocols`,
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`
- `matrix_nginx_proxy_ssl_ciphers`

Also a new task is added to validate the SSL configuration variable.
2020-12-16 10:35:37 +01:00
Slavi Pantaleev d08b27784f Fix systemd services autostart problem with Docker 20.10
The Docker 19.04 -> 20.10 upgrade contains the following change
in `/usr/lib/systemd/system/docker.service`:

```
-BindsTo=containerd.service
-After=network-online.target firewalld.service containerd.service
+After=network-online.target firewalld.service containerd.service multi-user.target
-Requires=docker.socket
+Requires=docker.socket containerd.service
Wants=network-online.target
```

The `multi-user.target` requirement in `After` seems to be in conflict
with our `WantedBy=multi-user.target` and `After=docker.service` /
`Requires=docker.service` definitions, causing the following error on
startup for all of our systemd services:

> Job matrix-synapse.service/start deleted to break ordering cycle starting with multi-user.target/start

A workaround which appears to work is to add `DefaultDependencies=no`
to all of our services.
2020-12-10 11:43:20 +02:00
Marcel Partap 851c25c47f matrix-synapse nginx template: fix invalid jinja comment syntax 2020-12-01 21:55:07 +01:00
Marcel Partap b73ac965ac Merge remote-tracking branch 'origin/master' into synapse-workers 2020-12-01 21:24:26 +01:00
Slavi Pantaleev b354155d7c Make JVB websockets reverse-proxying work 2020-11-27 17:57:15 +02:00
Slavi Pantaleev d702e74079 Fix matrix-nginx-proxy static files mounting when SSL retrieval is none
Fixup for 12867e9f18.

This shouldn't have been caught in the `if`.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734
2020-11-26 18:40:15 +02:00
Slavi Pantaleev 12867e9f18 Do not try to mount /matrix/ssl when matrix_ssl_retrieval_method is 'none'
Since the switch from `-v` to `--mount` (in 1fca917ad1),
we've regressed when `matrix_ssl_retrieval_method == 'none'`.

In such a case, we don't create `/matrix/ssl` directories at all
and shouldn't be trying to mount them into the `matrix-nginx-proxy`
container.

Previously, with `-v`, Docker would auto-create them, effectively hiding
our mistake. Now that `--mount` doesn't do such auto-creation magic,
the `matrix-nginx-proxy` container was failing to start.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734
2020-11-26 09:55:26 +02:00
Slavi Pantaleev 75f9fde7a4 Remove some more -v usage
Continuation of 1fca917ad1.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/722
2020-11-25 10:49:59 +02:00
Slavi Pantaleev 1fca917ad1 Replace some -v instances with --mount
`-v` magically creates the source destination as a directory,
if it doesn't exist already. We'd like to avoid this magic
and the potential breakage that it might cause.

We'd rather fail while Docker tries to find things to `--mount`
than have it automatically create directories and fail anyway,
while having contaminated the filesystem.

There's a lot more `-v` instances remaining to be fixed later on.
This is just some start.

Things like `matrix_synapse_container_additional_volumes` and
`matrix_nginx_proxy_container_additional_volumes` were not changed to
use `--mount`, as options for each one are passed differently
(`ro` is `ro`, but `rw` doesn't exist and `slave` is `bind-propagation=slave`).
To avoid breaking people's custom volume mounts, we keep it as it is for now.

A deficiency with `--mount` is that it lacks the `z` option (SELinux
ownership changes), and some of our `-v` instances use that. I'm not
sure how supported SELinux is for us right now, but it might be,
and breaking that would not be a good idea.
2020-11-24 10:26:05 +02:00
Marcel Partap 4678c5d7bd Merge remote-tracking branch 'origin/master' into synapse-workers
Also, replace vague FIXME by a proper NOTE on the complete
story of the user_dir endpoints..
2020-11-11 21:26:08 +01:00
Marcel Partap b05d298ae4 synapse workers nginx rule: add client_max_body_size on media endpoints
so transfer limits are properly set in accord to the relevant setting
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719996778
2020-11-10 21:43:33 +01:00
Marcel Partap e5072c20d9 synapse workers/nginx: handle media_repository worker endpoints on federation port
to prevent "404 on the federation port for the path `/_matrix/media`,
if a remote server is trying to get the media object on federation
port, see https://github.com/matrix-org/synapse/issues/8695 "

https://github.com/matrix-org/synapse/pull/8701
2020-11-10 20:35:39 +01:00
Slavi Pantaleev 9a46647010 Make https://matrix.DOMAIN/ redirect to https://element.DOMAIN/
Fixes #696 (Github Issue)
2020-10-28 10:39:12 +02:00
Slavi Pantaleev ef07aa8e5d Prevent certain nginx location blocks from being ignored
The regex introduced in 63a49bb2dc seems to take precedence
over the bare location blocks, causing a regression.

> It is important to understand that, by default, Nginx will serve regular expression matches in preference to prefix matches.
> However, it evaluates prefix locations first, allowing for the administer to override this tendency by specifying locations using the = and ^~ modifiers.

Source: https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms
2020-10-28 09:38:04 +02:00
Marcel Partap 2d1b9f2dbf synapse workers: reworkings + get endpoints from upstream docs via awk
(yes, a bit awkward and brittle… xD)
2020-10-28 07:13:19 +01:00
Slavi Pantaleev 63a49bb2dc Do not expose /_synapse/admin publicly by default
Fixes #685 (Github Issue).
2020-10-26 10:36:38 +02:00
Max Klenk 9a3d84b931
Merge branch 'master' into feature/add-worker-support 2020-09-10 13:57:11 +02:00
Slavi Pantaleev 2a1ec38e3a Stop using Ansible's cron module
This is mainly to address SSL renewal not working for us due to:
- https://github.com/ansible/ansible/issues/71213
- https://github.com/ansible/ansible/pull/71207

Using the cron module was hacky anyway. We shouldn't need an extra
level of buggy abstraction to manage a cronjob file.
2020-09-06 10:49:19 +03:00
Max Klenk 06bc430c7c
refactor to use new workers and routes they serve 2020-08-28 13:53:39 +02:00
Max Klenk 59d1fb76b6
only apply worker redirects if workers are enabled 2020-08-27 15:25:32 +02:00
Max Klenk 567d0318b0
Merge branch 'synapse-workers' into feature/add-worker-support 2020-08-27 15:22:12 +02:00
Justin Croonenberghs 31e2a1f06b
Undo ill-advised change
In #628 I proposed a CORS change that turns out not to be the root of the issue. Caffeine-addled diagnosis leads to sloppy thinking, and this change should be reverted. In fact, if left it will cause problems for new installations.
2020-08-09 14:20:37 -05:00
Justin Croonenberghs c5d18733d2
Update CORS for ma1sd
Even with the v2 updates listed in #503 and partially addressed in #614, this is still needed to enable identity services to function with Element Desktop/Web. Testing on multiple clients with a clean config has confirmed this, at least for my installation.
2020-08-08 23:19:07 -05:00
Slavi Pantaleev 54195b22c7 Allow framing Jitsi
Hopefully fixes a regression caused by b106a9592e.

Related to #597 (Github Pull Request).
2020-08-04 16:08:11 +03:00
Slavi Pantaleev 3f8e5b4363 Allow framing Dimension
Fix regression since 2a50b8b6bb (#597).

Dimension is intended to be embedded in various clients,
be it the Element service that we host (at element.DOMAIN),
some other Element (element-desktop running locally), etc.
2020-07-25 07:08:32 +03:00
TwoTwenty b106a9592e
Update matrix-jitsi.conf.j2 2020-07-22 10:39:24 -07:00
TwoTwenty c97e7c5a3e
Update matrix-dimension.conf.j2 2020-07-22 10:39:07 -07:00
TwoTwenty 18ba885ca2
Update matrix-client-element.conf.j2 2020-07-22 10:38:50 -07:00
Slavi Pantaleev c6ab1c6a90 Riot is now Element
Fixes #586 (Github Issue)
2020-07-17 11:31:20 +03:00
Slavi Pantaleev 65e5020596 Proxy other /_synapse endpoints to the client API
Besides /_synapse/admin, there are other things like
/_synapse/oidc, etc.

We should just proxy everything.

Fixes #534 (Github Issue).
2020-06-09 08:12:58 +03:00
Chris van Dijk 6334f6c1ea Remove hardcoded command paths in systemd unit files
Depending on the distro, common commands like sleep and chown may either
be located in /bin or /usr/bin.

Systemd added path lookup to ExecStart in v239, allowing only the
command name to be put in unit files and not the full path as
historically required. At least Ubuntu 18.04 LTS is however still on
v237 so we should maintain portability for a while longer.
2020-05-27 23:14:54 +02:00
Marcel Partap 46984a4f99 Nginx conf: more testing less b0rk 2020-04-19 21:42:34 +02:00
Christoph Johannes Kleine 765c046beb
add missing ; to matrix-synapse.conf.j2 2020-04-19 19:50:42 +02:00
Marcel Partap e4763c21bc nginx config: route traffic to workers on matrix-synapse
FIXME: horrid duplication in template file
2020-04-19 19:05:03 +02:00
Marcel Partap a14b9c09ad Add to synapse nginx template conditional URL rewrites for workers
· 😅 How to keep this in sync with the matrix-synapse documentation?
· regex location matching is expensive
· nginx syntax limit: one location only per block / statement
· thus, lots of duplicate statements in this file
2020-04-19 19:05:03 +02:00
Chris van Dijk d83236ea0e Fix inconsistent whitespace 2020-04-17 00:53:26 +02:00
Slavi Pantaleev 0f39cb9987 Fix incorrect server_name for Jitsi
Fixes #417 (Github Issue)
2020-03-24 17:57:39 +02:00
Slavi Pantaleev cdd9ee1962 Add Jitsi support 2020-03-23 17:19:15 +02:00
Daniel Hoffend b280b05c25 matrix-nginx-proxy: adding additional configuration blocks 2020-02-10 23:42:41 +01:00
Yuri Moens 0866f98957 Render vhost directives in https server block 2019-12-08 00:58:32 +01:00
Slavi Pantaleev ca3b158d94 Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 11:53:15 +02:00
Slavi Pantaleev 3e57a1463a Serve nginx status page over HTTPS as well
Continuation of #234 (Github Pull Request).

I had unintentionally updated the documentation for the feature,
saying the page is available at `https://matrix.DOMAIN/nginx_status`.

Looks like it wasn't the case, going against my expectations.

I'm correcting this with this patch.
The status page is being made available on both HTTP and HTTPS.
Serving over HTTP is likely necessary for services like
Longview
(https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)
2019-08-07 12:53:53 +03:00
p5t2vspoqqw 4b8190dc3f serve status page for matrix.DOMAIN only 2019-08-07 10:54:14 +02:00
p5t2vspoqqw 4b657b3822 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-03 10:13:25 +02:00
Slavi Pantaleev 7d8dde8a53 Add support for proxying /_synapse/admin APIs
Fixes #191 (Github Issue).
2019-05-29 08:32:24 +03:00
p5t2vspoqqw 0cfa73f153 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-23 10:48:22 +02:00
Slavi Pantaleev ae7c8d1524 Use SyslogIdentifier to improve logging
Reasoning is the same as for matrix-org/synapse#5023.

For us, the journal used to contain `docker` for all services, which
is not very helpful when looking at them all together (`journalctl -f`).
2019-05-16 09:43:46 +09:00
p5t2vspoqqw 4315b472af Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-09 09:34:09 +02:00
Dan Arnfield 171c6db41e Add option to proxy 3pid registration endpoints 2019-05-08 13:49:51 -05:00
Hugues De Keyzer c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Sylvia van Os 75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
p5t2vspoqqw 7ee6927ca9 add suggested change; correct indent 2019-04-23 09:44:02 +02:00
p5t2vspoqqw deeefac84c add ngnix-status to config
add doc
2019-04-17 13:45:42 +02:00
Slavi Pantaleev c545d3eb85 Add support for serving base domain via matrix-nginx-proxy 2019-03-12 23:01:16 +02:00
Slavi Pantaleev e645b0e372 Rename matrix_nginx_proxy_data_path to matrix_nginx_proxy_base_path
`matrix_nginx_proxy_data_path` has always served as a base path,
so we're renaming it to reflect that.

Along with this, we're also introducing a new "data path" variable
(`matrix_nginx_proxy_data_path`), which is really a data path this time.
It's used for storing additional, non-configuration, files related to
matrix-nginx-proxy.
2019-03-12 23:01:16 +02:00
Slavi Pantaleev 6c5cc173b0 Fix permission mode for some files 2019-03-09 21:15:16 +02:00
Edgars Voroboks 9735a2f600 Implement self-hosted Dimension server 2019-03-07 07:22:08 +02:00
Slavi Pantaleev 119016e858 Cache /.well-known/matrix files for longer 2019-02-05 13:06:17 +02:00
Slavi Pantaleev 74710427e5 Allow for the federation port (tcp/8448)'s certificate to be changed
If someone decides to not use `/.well-known/matrix/server` and only
relies on SRV records, then they would need to serve tcp/8448 using
a certificate for the base domain (not for the matrix) domain.

Until now, they could do that by giving the certificate to Synapse
and setting it terminate TLS. That makes swapping certificates
more annoying (Synapse requires a restart to re-read certificates),
so it's better if we can support it via matrix-nginx-proxy.

Mounting certificates (or any other file) into the matrix-nginx-proxy container
can be done with `matrix_nginx_proxy_container_additional_volumes`,
introduced in 96afbbb5a.
2019-02-05 12:09:46 +02:00
Slavi Pantaleev f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Slavi Pantaleev 96afbbb5af Allow additional volumes to be mounted into matrix-nginx-proxy
Certain use-cases may require that people mount additional files
into the matrix-nginx-proxy container. Similarly to how we do it
for Synapse, we are introducing a new variable that makes this
possible (`matrix_nginx_proxy_container_additional_volumes`).

This makes the htpasswd file for Synapse Metrics (introduced in #86,
Github Pull Request) to also perform mounting using this new mechanism.
Hopefully, for such an "extension", keeping htpasswd file-creation and
volume definition in the same place (the tasks file) is better.

All other major volumes' mounting mechanism remains the same (explicit
mounting).
2019-02-05 11:46:16 +02:00
Slavi Pantaleev 9a251e4e46 Remove some more references to localhost
Continuation of 1f0cc92b33.

As an explanation for the problem:
when saying `localhost` on the host, it sometimes gets resolved to `::1`
and sometimes to `127.0.0.1`. On the unfortunate occassions that
it gets resolved to `::1`, the container won't be able to serve the
request, because Docker containers don't have IPv6 enabled by default.

To avoid this problem, we simply prevent any lookups from happening
and explicitly use `127.0.0.1`.
2019-02-05 11:11:28 +02:00
Aaron Raimist 1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
Aaron Raimist 58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
dhose 87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Slavi Pantaleev c2b1cf7f93 Fix SSL renewal script
Regression since 299a8c4c7c
2019-01-31 09:43:09 +02:00
Slavi Pantaleev 0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev 9438402f61 Drop capabilities in a few more places
Continuation of 316d653d3e
2019-01-28 11:43:32 +02:00
Slavi Pantaleev 316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev 1a80058a2a Indent (non-YAML) using tabs
Fixes #83 (Github issue)
2019-01-26 09:37:29 +02:00
Slavi Pantaleev fef6c052c3 Pass Host/X-Forwarded-For everywhere
It hasn't mattered much to have these so far, but
it's probably a good idea to have them.
2019-01-17 16:25:08 +02:00
Slavi Pantaleev ba75ab496d Send Host/X-Forwarded-For to mxisd
It worked without it too, but doing this is more consistent with the
mxisd recommendations.
2019-01-17 16:22:49 +02:00
Slavi Pantaleev cb11548eec Use mxisd for user directory searches
Implements #77 (Github issue).
2019-01-17 15:55:23 +02:00
Slavi Pantaleev f4f06ae068 Make matrix-nginx-proxy role independent of others
The matrix-nginx-proxy role can now be used independently.
This makes it consistent with all other roles, with
the `matrix-base` role remaining as their only dependency.

Separating matrix-nginx-proxy was relatively straightforward, with
the exception of the Mautrix Telegram reverse-proxying configuration.
Mautrix Telegram, being an extension/bridge, does not feel important enough
to justify its own special handling in matrix-nginx-proxy.

Thus, we've introduced the concept of "additional configuration blocks"
(`matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks`),
where any module can register its own custom nginx server blocks.

For such dynamic registration to work, the order of role execution
becomes important. To make it possible for each module participating
in dynamic registration to verify that the order of execution is
correct, we've also introduced a `matrix_nginx_proxy_role_executed`
variable.

It should be noted that this doesn't make the matrix-synapse role
dependent on matrix-nginx-proxy. It's optional runtime detection
and registration, and it only happens in the matrix-synapse role
when `matrix_mautrix_telegram_enabled: true`.
2019-01-17 13:32:46 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev 51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00