Commit graph

34 commits

Author SHA1 Message Date
Slavi Pantaleev 3fd6fd647f Put all containers in their own isolated Docker network (matrix)
Moving away from using the default bridge network to using our own.
This isolates our services from other Docker containers running
on the default network on the same host.

The benefits are that:

- isolation is a little better - we no longer share a default
bridge network with any other containers that might be running on the host

- there are no longer hard dependencies - we do service discovery
by DNS name, and not via explicit `--link` usage during container start,
so containers can start out of order and fail without bringing down others
with them
(`matrix-nginx-proxy` can continue running, even if one of the other services dies)

In the future, when other services get introduced,
the increased resilience and simplicity will help as well.
2018-08-08 08:57:48 +03:00
Slavi Pantaleev f6950612a5 Upgrade dependencies 2018-08-02 21:26:25 +03:00
Slavi Pantaleev 6cb14be162 Upgrade dependencies 2018-07-30 16:18:17 +03:00
Slavi Pantaleev ae7e8e61c6 Update dependencies 2018-07-20 08:28:02 -04:00
Slavi Pantaleev e4d0a68460 Update riot-web (0.15.5 -> 0.15.6) 2018-06-30 18:51:25 +03:00
Slavi Pantaleev 839b401b28 Set up Synapse configuration using a template (not line/regexp replacements)
Until now, we were starting from a fresh configuration, as generated
by Synapse and manipulating it with regex and line replacements,
until we made it work.

This is more fragile and less predictable, so we're moving to a static
configuration file generated from a Jinja template.

The upside is that configuration will be stable and predictable.

The downside of this new approach is that any manual configuration changes
after the playbook is done, will be thrown away on future playbook
invocations.

There are 2 ways to work around the need for manual configuration
changes though:
- making them part of this playbook and its default template
configuration files (which benefits everyone)
- going your own way for a given host and overriding the template files
that gets used (that is, the
`matrix_synapse_template_synapse_homeserver` or
`matrix_synapse_template_synapse_log` variables)
2018-06-26 21:05:59 +03:00
Slavi Pantaleev 1725c3e698 Upgrade riot-web (0.15.4 -> 0.15.5) 2018-06-21 09:44:38 +03:00
Slavi Pantaleev 6335485ad3 Upgrade Synapse (0.31.1 -> 0.31.2) 2018-06-15 00:00:01 +03:00
Slavi Pantaleev a5877eadd4 Upgrade Synapse (0.31.0 -> 0.31.1) 2018-06-08 18:25:12 +03:00
Slavi Pantaleev 4ebf6bbf27 Upgrade Synapse (0.30.0 -> 0.31.0) 2018-06-07 10:14:36 +03:00
Slavi Pantaleev ff8f1bc65f Upgrade Docker images 2018-06-06 17:35:29 +03:00
Slavi Pantaleev cbee084ac1 Use Postgres 10.x by default (only for new installs)
This playbook just tries to avoid trying to setup a Postgres 10
database with existing 9.x files, as that makes Postgres complain.

Due to this, existing installs (still on 9.x) are detected
and left on Postgres 9.x.
They need to be upgraded to Postgres 10.x manually.
2018-05-28 20:16:02 +03:00
Slavi Pantaleev f1b4730e82 Update Docker images 2018-05-26 12:25:09 +03:00
Slavi Pantaleev b3e62126db Switch Docker image to official one
Switching from from avhost/docker-matrix (silviof/docker-matrix)
to matrixdotorg/synapse.

The avhost/docker-matrix (silviof/docker-matrix) image used to bundle
in the coturn STUN/TURN server, so as part of the move,
we're separating this to a separately-ran service
(matrix-coturn.service, powered by instrumentisto/coturn-docker-image)
2018-05-25 21:58:53 +03:00
Slavi Pantaleev bd580d3b9a Update dependencies 2018-05-14 14:31:00 +03:00
Slavi Pantaleev a367172b67 Update dependencies 2018-04-28 13:38:44 +03:00
Slavi Pantaleev 7de11261b1 Update Docker images 2018-04-11 18:51:32 +02:00
Slavi Pantaleev af54d60b0f Update Docker images 2018-04-03 18:49:05 +03:00
Slavi Pantaleev 5d9ddd1627 Update Docker images 2018-03-16 10:22:09 +02:00
Slavi Pantaleev efc78fb9d3 Switch from s3fs to Goofys
Improves performance of media store operations.
2018-02-20 21:36:08 +02:00
Slavi Pantaleev db686c3f8e Update dependencies 2018-02-13 23:19:50 +02:00
Slavi Pantaleev bfca91ac1f Switch Matrix Docker images (silviof -> AVENTER-UG)
Silvio announced that he's no longer maintaining his images,
so we're jumping to AVENTER-UG's fork.
2018-01-10 22:11:32 +02:00
Slavi Pantaleev 534f78f9d0 Update Docker image versions 2017-12-07 22:53:43 +02:00
Slavi Pantaleev f476e49e64 Make SSL renewal time configurable and nginx-proxy reload time adequate
The matrix-nginx-proxy was reloaded on the 3rd day of the month (`15 4 3 * *`),
which makes no sense - it's too infrequently.

It's in line with the renewal time now (+5 minutes).
2017-11-11 10:38:38 +02:00
Slavi Pantaleev 57e4f12ad3 Add support for using a pre-configured Macaroon secret key 2017-10-24 15:29:19 +09:00
Slavi Pantaleev 3a5f82267b Do not use Let's Encrypt certificate for Synapse's federation port
As described here (
https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711
), using own SSL certificates for the federation port is more fragile,
as renewing them could cause federation outages.

The recommended setup is to use the self-signed certificates generated
by Synapse.

On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt
certificates, which ensures API consumers work without having to trust
"our own CA".

Having done this, we also don't need to ever restart Synapse anymore,
as no new SSL certificates need to be applied there.

It's just matrix-nginx-proxy that needs to be restarted, and it doesn't
even need a full restart as an "nginx reload" does the job of swithing
to the new SSL certificates.
2017-09-23 15:29:15 +03:00
Slavi Pantaleev 6962bfcc42 Add support for not taking over a server (no matrix-nginx-proxy) and disabling Riot 2017-09-12 12:41:44 +03:00
Slavi Pantaleev cb323f5b4c Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl
Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break
2017-09-11 23:50:14 +03:00
Slavi Pantaleev 7c049be11a Update postgres and nginx 2017-09-11 22:16:51 +03:00
Slavi Pantaleev ab1a9fd87e Add support for using an external PostgreSQL server 2017-09-08 17:24:27 +03:00
Slavi Pantaleev 9c68b057b0 Add support for storing Matrix Synapse's media_store to Amazon S3 2017-09-07 18:26:41 +03:00
Slavi Pantaleev ea91ef7fb2 Move media_store & logs out of /data. Allow logging to be configured
The goal is to allow these to be on separate partitions
(including remote ones in the future).

Because the `silviof/docker-matrix` image chowns
everything to MATRIX_UID:MATRIX_GID on startup,
we definitely don't want to include `media_store` in it.
If it's on a remote FS, it would cause a slow startup.

Also, adding some safety checks to the "import media store"
task, after passing a wrong path to it on multiple occassions and
wondering what's wrong.

Also, making logging configurable. The default of keeping 10x100MB
log files is likely excessive and people may want to change that.
2017-09-07 12:12:31 +03:00
Slavi Pantaleev 2bb8bb96d4 Add support for configuring max_upload_size 2017-08-30 12:07:03 +03:00
Slavi Pantaleev b046052aed Switch from playbook vars to role defaults
By using role defauts, we can have inventory variables
which overide the defaults.
2017-08-30 12:05:13 +03:00