Commit graph

27 commits

Author SHA1 Message Date
Slavi Pantaleev 2a1ec38e3a Stop using Ansible's cron module
This is mainly to address SSL renewal not working for us due to:
- https://github.com/ansible/ansible/issues/71213
- https://github.com/ansible/ansible/pull/71207

Using the cron module was hacky anyway. We shouldn't need an extra
level of buggy abstraction to manage a cronjob file.
2020-09-06 10:49:19 +03:00
Chris van Dijk 74df10633a Remove hardcoded command paths in playbook cron usage 2020-05-27 23:14:58 +02:00
Chris van Dijk 6e3b877dc2 Remove hardcoded command paths in playbook shell usage 2020-05-27 23:14:56 +02:00
Chris van Dijk 7585bcc4ac Allow the matrix user username and groupname to be configured separately
No migration steps should be required.
2020-05-01 19:59:32 +02:00
Christian Wolf 8c9b5ea6dd Removed a few syntax bugs in Archlinux configuration 2020-03-28 13:00:01 +01:00
Christian Wolf d84b2868b7 Added basic changes to make it compatible with Archlinux 2020-03-28 11:39:15 +01:00
mooomooo eebc6e13f8 Made directory variables for /etc/systemd/system , /etc/cron.d , /usr/local/bin 2020-03-24 11:27:58 -07:00
Slavi Pantaleev 89dbe5cfc5 Add the ability to control the certbot HTTP bind port
Fixes #330 (Github Issue).
2019-12-19 09:07:24 +02:00
Slavi Pantaleev 1316d36f8b Fix deprecation warning (using cron module without name) 2019-07-09 09:11:38 +03:00
Slavi Pantaleev 7d3adc4512 Automatically force-pull :latest images
We do use some `:latest` images by default for the following services:
- matrix-dimension
- Goofys (in the matrix-synapse role)
- matrix-bridge-appservice-irc
- matrix-bridge-appservice-discord
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-whatsapp

It's terribly unfortunate that those software projects don't release
anything other than `:latest`, but that's how it is for now.

Updating that software requires that users manually do `docker pull`
on the server. The playbook didn't force-repull images that it already
had.

With this patch, it starts doing so. Any image tagged `:latest` will be
force re-pulled by the playbook every time it's executed.

It should be noted that even though we ask the `docker_image` module to
force-pull, it only reports "changed" when it actually pulls something
new. This is nice, because it lets people know exactly when something
gets updated, as opposed to giving the indication that it's always
updating the images (even though it isn't).
2019-06-10 14:30:28 +03:00
Dan Arnfield 9c23d877fe Fix docker_image option for ansible < 2.8 2019-05-22 05:43:33 -05:00
Dan Arnfield fa38c84be2 Fix casting int to string warning 2019-05-21 10:37:05 -05:00
Dan Arnfield db15791819 Add source option to docker_image to fix deprecation warning 2019-05-21 10:29:12 -05:00
Dan Arnfield 3982f114af Fix CONDITIONAL_BARE_VARS deprecation warning in ansible 2.8 2019-05-21 10:25:59 -05:00
Slavi Pantaleev 5c821b581a Check fullchain.pem, not cert.pem
While using certbot means we'll have both files retrieved,
it's actually the fullchain.pem file that we use in nginx configuration.

Using that one for the check makes more sense.
2019-05-21 11:58:18 +09:00
Slavi Pantaleev 7c246b4a99 Make error about unset matrix_ssl_lets_encrypt_support_email more descriptive
Previously, we'd show an error like this:

{"changed": false, "item": null, "msg": "Detected an undefined required variable"}

.. which didn't mention the variable name
(`matrix_ssl_lets_encrypt_support_email`).
2019-04-28 11:02:17 +03:00
Slavi Pantaleev ec0f936227 Try SSL renewal more frequently and reload later
It doesn't hurt to attempt renewal more frequently, as it only does
real work if it's actually necessary.

Reloading, we postpone some more, because certbot adds some random delay
(between 1 and 8 * 60 seconds) when renewing. We want to ensure
we reload at least 8 minutes later, which wasn't the case.

To make it even safer (in case future certbot versions use a longer
delay), we reload a whole hour later. We're in no rush to start using
the new certificates anyway, especially given that we attempt renewal
often.

Somewhat fixes #146 (Github Issue)
2019-04-23 17:59:02 +03:00
Slavi Pantaleev af1c9ae59d Do not force firewalld on people
In most cases, there's not really a need to touch the system
firewall, as Docker manages iptables by itself
(see https://docs.docker.com/network/iptables/).

All ports exposed by Docker containers are automatically whitelisted
in iptables and wired to the correct container.

This made installing firewalld and whitelisting ports pointless,
as far as this playbook's services are concerned.

People that wish to install firewalld (for other reasons), can do so
manually from now on.

This is inspired by and fixes #97 (Github Issue).
2019-04-03 11:37:20 +03:00
Lee Verberne d90bc20690 Use common path for systemctl in lets encrypt cron
Currently the nginx reload cron fails on Debian 9 because the path to
systemctl is /bin/systemctl rather than /usr/bin/systemctl.

CentOS 7 places systemctl in both /bin and /usr/bin, so we can just use
/bin/systemctl as the full path.
2019-03-16 20:48:58 +01:00
Slavi Pantaleev a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev 550d398e6c Remove some unnecessary slashes 2019-02-20 21:21:20 +02:00
Slavi Pantaleev 52d5e540c0 Fix ownership of generated self-signed certificates (root -> matrix) 2019-02-02 17:32:13 +02:00
Slavi Pantaleev 8681a5dc69 Add 'none' SSL certificate retrieval method 2019-02-01 16:50:25 +02:00
Slavi Pantaleev 9438402f61 Drop capabilities in a few more places
Continuation of 316d653d3e
2019-01-28 11:43:32 +02:00
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev 51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00