Commit graph

161 commits

Author SHA1 Message Date
Agustin Ferrario 5156c63a76 Clean up code
Code was clean up and simplified to make it simpler and easier to
maintain. No features were modified.
2021-01-08 18:35:27 +01:00
Agustin Ferrario 25d423e6b6 Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent
naming.

`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.

The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
2021-01-08 11:32:10 +01:00
Agustin Ferrario 3cb71e7e84 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2021-01-03 13:18:21 +01:00
Dan Arnfield 10e0fa17ad Update nginx (1.19.5 -> 1.19.6) 2020-12-22 08:23:37 -06:00
louis dcd4716636 add option to disable nginx access log 2020-12-21 21:26:49 +01:00
Agustin Ferrario 2082242499 Add matrix_nginx_proxy_ssl_config
A new variable called `matrix_nginx_proxy_ssl_config` is created for
configuring how the nginx proxy configures SSL. Also a new configuration
validation option and other auxiliary variables are created.

A new variable configuration called `matrix_nginx_proxy_ssl_config` is
created. This allow to set the SSL configuration easily using the
default options proposed by Mozilla. The default configuration is set to
"Intermediate", removing the weak ciphers used in the old
configurations.

The new variable can also be set to "Custom" for a more granular control.
This allows to set another three variables called:

- `matrix_nginx_proxy_ssl_protocols`,
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`
- `matrix_nginx_proxy_ssl_ciphers`

Also a new task is added to validate the SSL configuration variable.
2020-12-16 10:35:37 +01:00
Slavi Pantaleev d08b27784f Fix systemd services autostart problem with Docker 20.10
The Docker 19.04 -> 20.10 upgrade contains the following change
in `/usr/lib/systemd/system/docker.service`:

```
-BindsTo=containerd.service
-After=network-online.target firewalld.service containerd.service
+After=network-online.target firewalld.service containerd.service multi-user.target
-Requires=docker.socket
+Requires=docker.socket containerd.service
Wants=network-online.target
```

The `multi-user.target` requirement in `After` seems to be in conflict
with our `WantedBy=multi-user.target` and `After=docker.service` /
`Requires=docker.service` definitions, causing the following error on
startup for all of our systemd services:

> Job matrix-synapse.service/start deleted to break ordering cycle starting with multi-user.target/start

A workaround which appears to work is to add `DefaultDependencies=no`
to all of our services.
2020-12-10 11:43:20 +02:00
Slavi Pantaleev 8c02f7b79b Upgrade services 2020-12-07 15:18:03 +02:00
Slavi Pantaleev b354155d7c Make JVB websockets reverse-proxying work 2020-11-27 17:57:15 +02:00
Slavi Pantaleev d702e74079 Fix matrix-nginx-proxy static files mounting when SSL retrieval is none
Fixup for 12867e9f18.

This shouldn't have been caught in the `if`.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734
2020-11-26 18:40:15 +02:00
Slavi Pantaleev 12867e9f18 Do not try to mount /matrix/ssl when matrix_ssl_retrieval_method is 'none'
Since the switch from `-v` to `--mount` (in 1fca917ad1),
we've regressed when `matrix_ssl_retrieval_method == 'none'`.

In such a case, we don't create `/matrix/ssl` directories at all
and shouldn't be trying to mount them into the `matrix-nginx-proxy`
container.

Previously, with `-v`, Docker would auto-create them, effectively hiding
our mistake. Now that `--mount` doesn't do such auto-creation magic,
the `matrix-nginx-proxy` container was failing to start.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734
2020-11-26 09:55:26 +02:00
Slavi Pantaleev 75f9fde7a4 Remove some more -v usage
Continuation of 1fca917ad1.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/722
2020-11-25 10:49:59 +02:00
Slavi Pantaleev 1fca917ad1 Replace some -v instances with --mount
`-v` magically creates the source destination as a directory,
if it doesn't exist already. We'd like to avoid this magic
and the potential breakage that it might cause.

We'd rather fail while Docker tries to find things to `--mount`
than have it automatically create directories and fail anyway,
while having contaminated the filesystem.

There's a lot more `-v` instances remaining to be fixed later on.
This is just some start.

Things like `matrix_synapse_container_additional_volumes` and
`matrix_nginx_proxy_container_additional_volumes` were not changed to
use `--mount`, as options for each one are passed differently
(`ro` is `ro`, but `rw` doesn't exist and `slave` is `bind-propagation=slave`).
To avoid breaking people's custom volume mounts, we keep it as it is for now.

A deficiency with `--mount` is that it lacks the `z` option (SELinux
ownership changes), and some of our `-v` instances use that. I'm not
sure how supported SELinux is for us right now, but it might be,
and breaking that would not be a good idea.
2020-11-24 10:26:05 +02:00
Slavi Pantaleev ccabc82d4c Use more fully-qualified container images
This is both for consistency with 93cc71cb69976c
and for making things more obvious.
2020-11-14 23:01:11 +02:00
Slavi Pantaleev 4d12a6f8e9
Merge pull request #681 from scottcrossen/slc/ddclient
Dynamic DNS
2020-11-10 23:54:21 +02:00
Slavi Pantaleev 1427286cec Integrate matrix-dynamic-dns with matrix-nginx-proxy without causing a dependency
We'd like the roles to be self-contained (as much as possible).

Thus, the `matrix-nginx-proxy` shouldn't reference any variables from
other roles. Instead, we rely on injection via
`group_vars/matrix_servers`.

Related to #681 (Github Pull Request)
2020-11-10 23:49:36 +02:00
Slavi Pantaleev 235299939d Upgrade nginx (1.19.3 -> 1.19.4) 2020-11-10 09:30:00 +02:00
Scott Crossen e894befd87 Updates to reviewer comments 2020-11-07 17:53:13 -08:00
Slavi Pantaleev 350c39d745 Update comment 2020-11-02 11:13:25 +02:00
Slavi Pantaleev ef68d3d296 Add support for reverse-proxying /_synapse/oidc
This broke in 63a49bb2dc.

Proxying the OpenID Connect endpoints is now possible,
but needs to be enabled explicitly now.

Supersedes #702 (Github Pull Request).

This patch builds up on the idea from that Pull Request,
but does things in a cleaner way.
2020-11-02 11:10:03 +02:00
Slavi Pantaleev 9a46647010 Make https://matrix.DOMAIN/ redirect to https://element.DOMAIN/
Fixes #696 (Github Issue)
2020-10-28 10:39:12 +02:00
Slavi Pantaleev 4700e80389 Raise standalone default Matrix Client API client_max_body_size
We do this to match Synapse's new default "max_upload_size" (50MB).

This `matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb`
default value only affects standalone usage of the `matrix-nginx-proxy`
role. When the role is used in the context of the playbook,
the value is dynamically assigned from `group_vars/matrix_servers`.

Somewhat related to #692 (Github Issue).
2020-10-28 10:02:47 +02:00
Slavi Pantaleev ef07aa8e5d Prevent certain nginx location blocks from being ignored
The regex introduced in 63a49bb2dc seems to take precedence
over the bare location blocks, causing a regression.

> It is important to understand that, by default, Nginx will serve regular expression matches in preference to prefix matches.
> However, it evaluates prefix locations first, allowing for the administer to override this tendency by specifying locations using the = and ^~ modifiers.

Source: https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms
2020-10-28 09:38:04 +02:00
Slavi Pantaleev 63a49bb2dc Do not expose /_synapse/admin publicly by default
Fixes #685 (Github Issue).
2020-10-26 10:36:38 +02:00
Dan Arnfield b65bfc38ce Update nginx (1.19.2 -> 1.19.3) 2020-10-14 06:23:33 -05:00
Slavi Pantaleev d250727e8b Upgrade certbot (1.7.0 -> 1.9.0) 2020-10-13 09:44:32 +03:00
Slavi Pantaleev 2a1ec38e3a Stop using Ansible's cron module
This is mainly to address SSL renewal not working for us due to:
- https://github.com/ansible/ansible/issues/71213
- https://github.com/ansible/ansible/pull/71207

Using the cron module was hacky anyway. We shouldn't need an extra
level of buggy abstraction to manage a cronjob file.
2020-09-06 10:49:19 +03:00
Slavi Pantaleev fc1655cd4b
Merge pull request #633 from thedanbob/certbot-1.7.0
Update certbot (1.6.0 -> 1.7.0)
2020-08-17 16:47:12 +03:00
Dan Arnfield c8754f422a Update certbot (1.6.0 -> 1.7.0) 2020-08-16 15:01:13 -05:00
Dan Arnfield 8d373409b8 Update nginx (1.19.1 -> 1.19.2) 2020-08-16 14:59:48 -05:00
Justin Croonenberghs 31e2a1f06b
Undo ill-advised change
In #628 I proposed a CORS change that turns out not to be the root of the issue. Caffeine-addled diagnosis leads to sloppy thinking, and this change should be reverted. In fact, if left it will cause problems for new installations.
2020-08-09 14:20:37 -05:00
Justin Croonenberghs c5d18733d2
Update CORS for ma1sd
Even with the v2 updates listed in #503 and partially addressed in #614, this is still needed to enable identity services to function with Element Desktop/Web. Testing on multiple clients with a clean config has confirmed this, at least for my installation.
2020-08-08 23:19:07 -05:00
Slavi Pantaleev 54195b22c7 Allow framing Jitsi
Hopefully fixes a regression caused by b106a9592e.

Related to #597 (Github Pull Request).
2020-08-04 16:08:11 +03:00
Slavi Pantaleev 3f8e5b4363 Allow framing Dimension
Fix regression since 2a50b8b6bb (#597).

Dimension is intended to be embedded in various clients,
be it the Element service that we host (at element.DOMAIN),
some other Element (element-desktop running locally), etc.
2020-07-25 07:08:32 +03:00
TwoTwenty b106a9592e
Update matrix-jitsi.conf.j2 2020-07-22 10:39:24 -07:00
TwoTwenty c97e7c5a3e
Update matrix-dimension.conf.j2 2020-07-22 10:39:07 -07:00
TwoTwenty 18ba885ca2
Update matrix-client-element.conf.j2 2020-07-22 10:38:50 -07:00
Slavi Pantaleev c6ab1c6a90 Riot is now Element
Fixes #586 (Github Issue)
2020-07-17 11:31:20 +03:00
Dan Arnfield c47a55d170 Update nginx (1.19.0 -> 1.19.1) and certbot (1.5.0 -> 1.6.0) 2020-07-16 06:34:14 -05:00
shadow 6293f1bdb0 Run all API self checks in check_mode 2020-07-04 15:24:33 +02:00
Slavi Pantaleev 65e5020596 Proxy other /_synapse endpoints to the client API
Besides /_synapse/admin, there are other things like
/_synapse/oidc, etc.

We should just proxy everything.

Fixes #534 (Github Issue).
2020-06-09 08:12:58 +03:00
Slavi Pantaleev 88a4a3ab55 Update components 2020-06-06 08:25:27 +03:00
Chris van Dijk 74df10633a Remove hardcoded command paths in playbook cron usage 2020-05-27 23:14:58 +02:00
Chris van Dijk 6e3b877dc2 Remove hardcoded command paths in playbook shell usage 2020-05-27 23:14:56 +02:00
Chris van Dijk 6334f6c1ea Remove hardcoded command paths in systemd unit files
Depending on the distro, common commands like sleep and chown may either
be located in /bin or /usr/bin.

Systemd added path lookup to ExecStart in v239, allowing only the
command name to be put in unit files and not the full path as
historically required. At least Ubuntu 18.04 LTS is however still on
v237 so we should maintain portability for a while longer.
2020-05-27 23:14:54 +02:00
Slavi Pantaleev 7a2dbdc2d7 Update components 2020-05-19 15:06:35 +03:00
Chris van Dijk 7585bcc4ac Allow the matrix user username and groupname to be configured separately
No migration steps should be required.
2020-05-01 19:59:32 +02:00
Slavi Pantaleev 554da8338a
Merge pull request #463 from hooger/architecture
Architecture
2020-04-20 16:45:59 +03:00
Dan Arnfield e2de6a1569 Update nginx (1.17.9 -> 1.17.10) 2020-04-19 08:38:53 -05:00
Horvath Gergely bd61598faf add experimental(?) architecture support for arm32 and arm64
the changes are necessary because certbot images are tagged, so docker does not recognize the necessary architecture
2020-04-18 22:55:19 +02:00