Commit graph

444 commits

Author SHA1 Message Date
Slavi Pantaleev df76ae707a Fix inaccurate comment 2019-02-13 14:07:16 +02:00
Slavi Pantaleev 7a1b5a2024 Update mxisd (1.2.2 -> 1.3.0) 2019-02-10 23:20:05 +02:00
Slavi Pantaleev 42c4de348c Revert "Bind metrics on :: too"
This reverts commit 536c85619f.

Looks like binding metrics on IPv6 (`::`) fails with an error:

socket.gaierror: [Errno -2] Name does not resolve
2019-02-09 13:21:18 +02:00
Slavi Pantaleev 08635666df Do not attempt to start coturn TLS listeners
We don't provide certificates, so it fails anyway,
but we'd rather suppress the warnings about it too.
2019-02-07 13:20:30 +02:00
Slavi Pantaleev f5cd916de8 Update coturn (4.5.0.8 -> 4.5.1.0) 2019-02-07 13:15:59 +02:00
Slavi Pantaleev 536c85619f Bind metrics on :: too
For consistency with all our other listeners,
we make this one bind on the `::` address too
(both IPv4 and IPv6).

Additional details are in #91 (Github Pull Request).
2019-02-06 14:24:10 +02:00
Slavi Pantaleev 91a757c581 Add support for reloading Synapse 2019-02-06 09:25:13 +02:00
Slavi Pantaleev 40f3793af7 Upgrade Synapse to v0.99 and simplify dummy TLS cert logic 2019-02-06 09:17:55 +02:00
Slavi Pantaleev 5db692f877 Remove some useless homeserver.yaml configuration 2019-02-05 14:02:01 +02:00
Slavi Pantaleev 738c592c27 Bump Synapse version (0.34.1.1 -> 0.99.0rc4) 2019-02-05 13:33:39 +02:00
Slavi Pantaleev 119016e858 Cache /.well-known/matrix files for longer 2019-02-05 13:06:17 +02:00
Slavi Pantaleev 764a040a90 Make /.well-known/matrix/server optional
People who wish to rely on SRV records can prevent
the `/.well-known/matrix/server` file from being generated
(and thus, served.. which causes trouble).
2019-02-05 12:09:46 +02:00
Slavi Pantaleev 74710427e5 Allow for the federation port (tcp/8448)'s certificate to be changed
If someone decides to not use `/.well-known/matrix/server` and only
relies on SRV records, then they would need to serve tcp/8448 using
a certificate for the base domain (not for the matrix) domain.

Until now, they could do that by giving the certificate to Synapse
and setting it terminate TLS. That makes swapping certificates
more annoying (Synapse requires a restart to re-read certificates),
so it's better if we can support it via matrix-nginx-proxy.

Mounting certificates (or any other file) into the matrix-nginx-proxy container
can be done with `matrix_nginx_proxy_container_additional_volumes`,
introduced in 96afbbb5a.
2019-02-05 12:09:46 +02:00
Slavi Pantaleev f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Slavi Pantaleev e06e5dd208 Fix syntax breakage
Regression since 96afbbb5af
2019-02-05 12:09:33 +02:00
Slavi Pantaleev 96afbbb5af Allow additional volumes to be mounted into matrix-nginx-proxy
Certain use-cases may require that people mount additional files
into the matrix-nginx-proxy container. Similarly to how we do it
for Synapse, we are introducing a new variable that makes this
possible (`matrix_nginx_proxy_container_additional_volumes`).

This makes the htpasswd file for Synapse Metrics (introduced in #86,
Github Pull Request) to also perform mounting using this new mechanism.
Hopefully, for such an "extension", keeping htpasswd file-creation and
volume definition in the same place (the tasks file) is better.

All other major volumes' mounting mechanism remains the same (explicit
mounting).
2019-02-05 11:46:16 +02:00
Slavi Pantaleev 9a251e4e46 Remove some more references to localhost
Continuation of 1f0cc92b33.

As an explanation for the problem:
when saying `localhost` on the host, it sometimes gets resolved to `::1`
and sometimes to `127.0.0.1`. On the unfortunate occassions that
it gets resolved to `::1`, the container won't be able to serve the
request, because Docker containers don't have IPv6 enabled by default.

To avoid this problem, we simply prevent any lookups from happening
and explicitly use `127.0.0.1`.
2019-02-05 11:11:28 +02:00
Aaron Raimist 1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
Aaron Raimist 58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
Slavi Pantaleev 52d5e540c0 Fix ownership of generated self-signed certificates (root -> matrix) 2019-02-02 17:32:13 +02:00
dhose 87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Plailect 29b40b428a
Database files must be stored on permanent storage 2019-02-01 11:44:06 -05:00
Slavi Pantaleev 897cfbdcba Fix /.well-known/matrix/client installation
Regression since 51312b82
2019-02-01 17:06:49 +02:00
Slavi Pantaleev 8681a5dc69 Add 'none' SSL certificate retrieval method 2019-02-01 16:50:25 +02:00
Slavi Pantaleev cd332d9b4e Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
2019-02-01 11:49:22 +02:00
Slavi Pantaleev a9fae8e3b1 Revert "Use native OpenSSL module to generate passkey.pem"
This reverts commit 0dac5ea508.

Relying on pyOpenSSL is the Ansible way of doing things, but is
impractical and annoying for users.

`openssl` is easily available on most servers, even by default.
We'd better use that.
2019-01-31 20:45:14 +02:00
Slavi Pantaleev 08321ea4bb
Merge pull request #87 from Plailect/master
Add support for matrix-appservice-irc
2019-01-31 20:20:32 +02:00
Plailect 0dac5ea508
Use native OpenSSL module to generate passkey.pem 2019-01-31 11:38:54 -05:00
Plailect 5e1d96c727
Add matrix_appservice_irc_container_expose_client_server_api_port 2019-01-31 11:20:45 -05:00
Plailect 0a2a8e118c
Update example configuration and documentation 2019-01-31 11:05:27 -05:00
Slavi Pantaleev c2b1cf7f93 Fix SSL renewal script
Regression since 299a8c4c7c
2019-01-31 09:43:09 +02:00
Plailect 3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev 0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev b77b967171 Merge branch 'master' into non-root-containers 2019-01-29 18:00:11 +02:00
Slavi Pantaleev cbc1cdbbf0 Do not try to load certificates
Seems like we unintentionally removed the mounting of certificates
(the `/matrix-config` mount) as part of splitting the playbook into
roles in 51312b8250.

It appears that those certificates weren't necessary for coturn to
funciton though, so we might just get rid of the configuration as well.
2019-01-29 17:56:40 +02:00
Slavi Pantaleev bf10331456 Make mautrix-whatsapp run as non-root and w/o capabilities 2019-01-28 15:55:58 +02:00
Slavi Pantaleev 8a3f942d93 Make mautrix-telegram run as non-root and w/o capabilities 2019-01-28 15:40:16 +02:00
Slavi Pantaleev 3e8a4159e6 Uncomment unintentionally-commented logic 2019-01-28 14:25:03 +02:00
Slavi Pantaleev 9830a0871d Fix self-check for mxisd not being enabled 2019-01-28 11:47:31 +02:00
Slavi Pantaleev 9438402f61 Drop capabilities in a few more places
Continuation of 316d653d3e
2019-01-28 11:43:32 +02:00
Slavi Pantaleev 316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
Slavi Pantaleev 0ff6735546 Fall back to dig for SRV lookup, if no dnspython
This is a known/intentional regression since f92c4d5a27.

The new stance on this is that most people would not have
dnspython, but may have the `dig` tool. There's no good
reason for not increasing our chances of success by trying both
methods (Ansible dig lookup and using the `dig` CLI tool).

Fixes #85 (Github issue).
2019-01-28 09:42:10 +02:00
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev 56d501679d Be explicit about the UID/GID we start Synapse with
We do match the defaults anyway (by default that is),
but people can customize `matrix_user_uid` and `matrix_user_uid`
and it wouldn't be correct then.

In any case, it's better to be explicit about such an important thing.
2019-01-26 20:21:18 +02:00
Slavi Pantaleev 1a80058a2a Indent (non-YAML) using tabs
Fixes #83 (Github issue)
2019-01-26 09:37:29 +02:00
Slavi Pantaleev a88b24ed2c Update matrix-corporal (1.2.2 -> 1.3.0) 2019-01-25 16:58:20 +02:00
Slavi Pantaleev fcceb3143d Update riot-web (0.17.8 -> 0.17.9) 2019-01-23 08:13:27 +02:00
Slavi Pantaleev a4e7ad5566 Use async Ansible task for importing Postgres
A long-running import task may hit the SSH timeout value
and die. Using async is supposed to improve reliability
in such scenarios.
2019-01-21 08:34:49 +02:00
Slavi Pantaleev 0392822aa7 Show Postgres import command and mention manual importing 2019-01-21 08:33:10 +02:00
Slavi Pantaleev 8d186e5194 Fix Postgres import when Postgres had never started
If this is a brand new server and Postgres had never started,
detecting it before we even start it is not possible.

This moves the logic, so that it happens later on, when Postgres
would have had the chance to start and possibly initialize
a new empty database.

Fixes #82 (Github issue)
2019-01-21 07:32:19 +02:00
Slavi Pantaleev fef6c052c3 Pass Host/X-Forwarded-For everywhere
It hasn't mattered much to have these so far, but
it's probably a good idea to have them.
2019-01-17 16:25:08 +02:00
Slavi Pantaleev ba75ab496d Send Host/X-Forwarded-For to mxisd
It worked without it too, but doing this is more consistent with the
mxisd recommendations.
2019-01-17 16:22:49 +02:00
Slavi Pantaleev cb11548eec Use mxisd for user directory searches
Implements #77 (Github issue).
2019-01-17 15:55:23 +02:00
Slavi Pantaleev df0d465482 Fix typos in some variables (matrix_mxid -> matrix_mxisd) 2019-01-17 14:47:37 +02:00
Slavi Pantaleev f4f06ae068 Make matrix-nginx-proxy role independent of others
The matrix-nginx-proxy role can now be used independently.
This makes it consistent with all other roles, with
the `matrix-base` role remaining as their only dependency.

Separating matrix-nginx-proxy was relatively straightforward, with
the exception of the Mautrix Telegram reverse-proxying configuration.
Mautrix Telegram, being an extension/bridge, does not feel important enough
to justify its own special handling in matrix-nginx-proxy.

Thus, we've introduced the concept of "additional configuration blocks"
(`matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks`),
where any module can register its own custom nginx server blocks.

For such dynamic registration to work, the order of role execution
becomes important. To make it possible for each module participating
in dynamic registration to verify that the order of execution is
correct, we've also introduced a `matrix_nginx_proxy_role_executed`
variable.

It should be noted that this doesn't make the matrix-synapse role
dependent on matrix-nginx-proxy. It's optional runtime detection
and registration, and it only happens in the matrix-synapse role
when `matrix_mautrix_telegram_enabled: true`.
2019-01-17 13:32:46 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev 294a5c9083 Fix YAML serialization of empty matrix_synapse_federation_domain_whitelist
We've previously changed a bunch of lists in `homeserver.yaml.j2`
to be serialized using `|to_nice_yaml`, as that generates a more
readable list in YAML.

`matrix_synapse_federation_domain_whitelist`, however, couldn't have
been changed to that, as it can potentially be an empty list.

We may be able to differentiate between empty and non-empty now
and serialize it accordingly (favoring `|to_nice_yaml` if non-empty),
but it's not important enough to be justified. Thus, always
serializing with `|to_json`.

Fixes #78 (Github issue)
2019-01-16 17:06:58 +02:00
Sylvia van Os cec2aa61c1 Fix scalar widgets
Riot-web parses integrations_widgets_urls as a list, thus causing it to incorrectly think Scalar widgets are non-Scalar and not passing the scalar token
2019-01-16 14:03:39 +01:00
Stuart Mumford f8ebd94d08
Make the mode of the base path configurable 2019-01-14 14:40:11 +00:00
Slavi Pantaleev e8c78c1572 Merge branch 'master' into split-into-multiple-roles 2019-01-14 08:27:53 +02:00
Slavi Pantaleev 857603d9d7 Make nginx-proxy files owned by matrix:matrix, not root:root 2019-01-14 08:26:56 +02:00
Slavi Pantaleev b80d44afaa Stop Postgres before finding files to move over 2019-01-12 18:16:08 +02:00
Slavi Pantaleev 51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00
Slavi Pantaleev 6d253ff571 Switch to a better riot-web image (avhost/docker-matrix-riot -> bubuntux/riot-web)
The new container image is about 20x smaller in size, faster to start up, etc.

This also fixes #26 (Github issue).
2019-01-11 21:20:21 +02:00
Slavi Pantaleev 14a237885a Fix missing SMTP configuration for mxisd
Regression since 9a9b7383e9.
2019-01-11 20:26:40 +02:00
Slavi Pantaleev 9a9b7383e9 Completely redo how mxisd configuration gets generated
This change is provoked by a few different things:

- #54 (Github Pull Request), which rightfully says that we need a
way to support ALL mxisd configuration options easily

- the upcoming mxisd 1.3.0 release, which drops support for
property-style configuration (dot-notation), forcing us to
redo the way we generate the configuration file

With this, mxisd is much more easily configurable now
and much more easily maintaneable by us in the future
(no need to introduce additional playbook variables and logic).
2019-01-11 19:33:54 +02:00
Slavi Pantaleev fca2f2e036 Catch misconfigured REST Auth password provider during installation 2019-01-11 01:03:35 +02:00
Slavi Pantaleev 46c5d11d56 Update components 2019-01-10 19:29:56 +02:00
Slavi Pantaleev 2ae7c5e177
Merge pull request #68 from spantaleev/manage-cronjobs-with-cron-module
Switch to managing cronjobs with the Ansible cron module
2019-01-08 16:21:57 +02:00
Slavi Pantaleev 00ae435044 Use |to_json filter for serializing booleans to JSON
This should account for all cases where we were still doing such a thing.

Improvement suggested in #65 (Github issue).
2019-01-08 13:12:56 +02:00
Slavi Pantaleev b222d26c86 Switch to managing cronjobs with the Ansible cron module
As suggested in #65 (Github issue), this patch switches
cronjob management from using templates to using Ansible's `cron` module.

It also moves the management of the nginx-reload cronjob to `setup_ssl_lets_encrypt.yml`,
which is a more fitting place for it (given that this cronjob is only required when
Let's Encrypt is used).

Pros:
- using a module is more Ansible-ish than templating our own files in
special directories

- more reliable: will fail early (during playbook execution) if `/usr/bin/crontab`
is not available, which is more of a guarantee that cron is working fine
(idea: we should probably install some cron package using the playbook)

Cons:
- invocation schedule is no longer configurable, unless we define individual
variables for everything or do something smart (splitting on ' ', etc.).
Likely not necessary, however.

- requires us to deprecate and clean-up after the old way of managing cronjobs,
because it's not compatible (using the same file as before means appending
additional jobs to it)
2019-01-08 12:52:03 +02:00
Slavi Pantaleev ef2dc3745a Check DNS SRV record for _matrix-identity._tcp when mxisd enabled 2019-01-08 10:39:22 +02:00
Slavi Pantaleev f92c4d5a27 Use Ansible dig lookup instead of calling the dig program
This means we no longer have a dependency on the `dig` program,
but we do have a dependency on `dnspython`.

Improves things as suggested in #65 (Github issue).
2019-01-08 10:19:45 +02:00
Jan Christian Grünhage 29d10804f0 Use yaml syntax instead of key=value syntax consistently
fixes #62
2019-01-07 23:38:39 +01:00
Slavi Pantaleev 5135c0cc0a Add Ansible guide and Ansible version checks
After having multiple people report issues with retrieving
SSL certificates, we've finally discovered the culprit to be
Ansible 2.5.1 (default and latest version on Ubuntu 18.04 LTS).

As silly as it is, certain distributions ("LTS" even) are 13 bugfix
versions of Ansible behind.

From now on, we try to auto-detect buggy Ansible versions and tell the
user. We also provide some tips for how to upgrade Ansible or
run it from inside a Docker container.

My testing shows that Ansible 2.4.0 and 2.4.6 are OK.
All other intermediate 2.4.x versions haven't been tested, but we
trust they're OK too.

From the 2.5.x releases, only 2.5.0 and 2.5.1 seem to be affected.
Ansible 2.5.2 corrects the problem with `include_tasks` + `with_items`.
2019-01-03 16:24:14 +02:00
Slavi Pantaleev 99af4543ac Replace include usage with include_tasks and import_tasks
The long-deprecated (since Ansible 2.4) use of include is
no more.
2019-01-03 15:24:08 +02:00
Slavi Pantaleev 76506f34e0 Make media-store restore work with server files, not local
This is a simplification and a way to make it consistent with
how we do Postgres imports (see 6d89319822), using
files coming from the server, not from the local machine.

By encouraging people NOT to use local files,
we potentially avoid problems such as #34 (Github issue),
where people would download `media_store` to their Mac's filesystem
and case-sensitivity issues will actually corrupt it.

By not encouraging local files usage, it's less likely that
people would copy (huge) directories to their local machine like that.
2019-01-01 15:57:50 +02:00
Slavi Pantaleev e604a7bd43 Fix error message inaccuracy 2019-01-01 15:25:52 +02:00
Slavi Pantaleev 4c2e1a0588 Make SQLite database import work with server files, not local
This is a simplification and a way to make it consistent with
how we do Postgres imports (see 6d89319822), using
files coming from the server, not from the local machine.
2019-01-01 15:21:52 +02:00
Slavi Pantaleev f153c70a60 Reorganize some files 2019-01-01 14:47:22 +02:00
Slavi Pantaleev 6d89319822 Add support for importing an existing Postgres database 2019-01-01 14:45:37 +02:00
Slavi Pantaleev f472c1b9e5 Ensure psql returns a failure exit code when it fails
Until now, if the .sql file contained invalid data, psql would
choke on it, but still return an exit code of 0.
This is very misleading.

We need to pass `-v ON_ERROR_STOP=1` to make it exit
with a proper error exit code when failures happen.
2019-01-01 14:05:11 +02:00
Slavi Pantaleev a7f791f8f9 Make Postgres version detection logic reusable to ease maintenance
We've had that logic in 2 places so far, leading to duplication
and a maintenance burden.

In the future, we'll also have an import-postgres feature,
which will also need Postgres version detection,
leading to more benefit from that logic being reusable.
2019-01-01 13:43:51 +02:00
Slavi Pantaleev c59a53551a Make well-known self-check not depend on Content-Type: application/json
Fixes #60 (Github issue)
2018-12-31 11:19:59 +02:00
Hardy Erlinger 2fc0f5f3cf Set MAILNAME env variable to FQDN hostname for matrix-mailer. 2018-12-30 21:50:59 +01:00
Slavi Pantaleev 87b5f0a4d4 Server non-scary page at matrix domain (take 2)
Fix for 12b65d8ccc.
2018-12-29 20:11:37 +02:00
Slavi Pantaleev f7aa362961 Make "obtain certificates" tasks have unique names
We always skip at least one of these tasks, depending on which
SSL retrieval method is enabled, so it could have been confusing why.
2018-12-24 09:39:27 +02:00
Slavi Pantaleev 4757c13a2e Do not install openssl if not necessary
Fix for d28bdb3258.

We were only supposed to install openssl when the self-signed
SSL certificate retrieval method is used, not always.
2018-12-24 09:38:00 +02:00
Slavi Pantaleev 12b65d8ccc Serve a non-scary page at the matrix domain
Fixes #18 (Github issue).

It would probably be better if we serve our own page,
as the Matrix one says:

"To use this server you'll need a Matrix client", which
is true, but we install Riot by default and it'd be better if we mention
that instead.
2018-12-23 19:45:03 +02:00
Slavi Pantaleev b9b5674b8a Lowercase host_specific_hostname_identity to prevent troubles
If uppercase is used, certain tools (like certbot) would cause trouble.
They would retrieve a certificate for the lowercased domain name,
but we'd try to use it from an uppercase-named directory, which will
fail.

Besides certbot, we may experience other trouble too.
(it hasn't been investigated how far the breakage goes).

To fix it all, we lowercase `host_specific_hostname_identity` by default,
which takes care of the general use-case (people only setting that
and relying on us to build the other domain names - `hostname_matrix`
and `hostname_riot`).

For others, who decide to override these other variables directly
(and who may work around us and introduce uppercase there directly),
we also have the sanity-check tool warn if uppercase is detected
in any of the final domains.
2018-12-23 19:25:57 +02:00
Slavi Pantaleev fe9b9773c0 Move setup sanity checks to a central place 2018-12-23 19:15:23 +02:00
Slavi Pantaleev 91567fc41d Remove debug 2018-12-23 17:26:39 +02:00
Slavi Pantaleev e033eb443b Do not set up nginx-proxy auto-restart if not using Let's Encrypt
Fix for d28bdb3258
2018-12-23 15:38:33 +02:00
Slavi Pantaleev 268e9b5b66 Escape homeserver variables to prevent rare breakage
Strings containing double-quotes would cause YAML syntax breakage.
Not anymore.

Closes #48 and #49.
2018-12-23 15:20:01 +02:00
Slavi Pantaleev 727dcda7d7 Organize Synapse setup files better 2018-12-23 14:26:40 +02:00
Slavi Pantaleev d28bdb3258 Add support for 2 more SSL certificate retrieval methods
Adds support for managing certificates manually and for
having the playbook generate self-signed certificates for you.

With this, Let's Encrypt usage is no longer required.

Fixes Github issue #50.
2018-12-23 11:00:12 +02:00
Slavi Pantaleev bfcba5256e Upgrade mxisd (1.2.1 -> 1.2.2) 2018-12-23 08:49:21 +02:00
Slavi Pantaleev 57ee350420 Raise default timeout value for matrix-corporal
This is in line with what the recommendation is for matrix-corporal.

A value higher than 30 seconds is required to satisfy Riot
(and other clients') default long-polling behavior.
2018-12-21 12:19:16 +02:00
Slavi Pantaleev cc9d3aef59 Upgrade matrix-corporal (1.2.1 -> 1.2.2) 2018-12-21 11:55:35 +02:00
Slavi Pantaleev 6124effbe1 Register shared-secret-auth password provider first
For people using multiple password providers, it makes sense
to have the fastest one (which doesn't make network requests) be first.
2018-12-21 10:16:36 +02:00
Slavi Pantaleev 40626ff8df Upgrade Synapse (0.33.9/Python 2 -> 0.33.4/Python 3) 2018-12-21 10:15:58 +02:00
Slavi Pantaleev 9f163b2bf5 Do not disable SELinux on RedHat systems
It looks like SELinux can be left running without any (so far) negative
effects on our Matrix services.

There's no need to use `:z` or `:Z` options when mounting volumes either.
This means that files we create are labeled with a default context
(which may not be ideal if we only want them used from containers),
but it's compatible and doesn't cause issues.

Relabelling files is probably something we wish to stay away from,
especially for things like the media store, which contains lots of
files and is possibly on a fuse-mounted (S3/goofys) filesystem.
2018-12-20 15:30:43 +02:00
Slavi Pantaleev b9e5ad6c66 Upgrade Docker images for various components 2018-12-20 15:10:53 +02:00
Slavi Pantaleev 97280c7cc1 Change Goofys Docker image (clodproto/goofys -> ewoutp/goofys)
The new image is built in a much better way (2-stage build)
and is 10x smaller.

In terms of Goofys version recency, it's about the same..
Both images (and others alike) seem to not use version tags,
but rather some `:latest` (master), with ewoutp/goofys being a bit
more recent than clodproto/goofys.

Not using version tags is good (in this case),
because the last Goofys release seems to be from about a year ago
and there had been a bunch of bugfixes afterwards.
2018-12-20 14:30:24 +02:00
Slavi Pantaleev bfcceb1e82 Make it safer to override matrix_synapse_media_store_path
This is described in Github issue #58.

Until now, we had the variable, but if you redefined it, you'd run
into multiple problems:

- we actually always mounted some "storage" directory to the Synapse
container. So if your media store is not there, you're out of luck

- homeserver.yaml always hardcoded the path to the media store,
as a directory called "media-store" inside the storage directory.

Relocating to outside the storage directory was out of the question.

Moreover, even if you had simply renamed the media store directory
(e.g. "media-store" -> "media_store"), it would have also caused trouble.

With this patch, we mount the media store's parent to the Synapse container.
This way, we don't care where the media store is (inside storage or
not). We also don't assume (anymore) that the final part of the path
is called "media-store" -- anything can be used.

The "storage" directory and variable (`matrix_synapse_storage_path`)
still remain for compatibility purposes. People who were previously
overriding `matrix_synapse_storage_path` can continue doing so
and their media store will be at the same place.

The playbook no longer explicitly creates the `matrix_synapse_storage_path` directory
though. It's not necessary. If the media store is specified to be within it, it will
get created when the media store directory is created by the playbook.
2018-12-20 13:39:01 +02:00
Slavi Pantaleev e693b12d28 Relocate fail check to a better place 2018-12-20 13:00:07 +02:00
Slavi Pantaleev 60c7af93fe
Do not restart matrix-nginx-proxy during media store import
Previously, it was more necessary to have it
(because we had a dependency between matrix-synapse and matrix-nginx-proxy)..
But nowadays, it can be removed without negative side effects.

Restarting matrix-nginx-proxy is especially bad when the proxy is not installed at all.
2018-12-14 16:34:23 +09:00
Slavi Pantaleev 59afa841cb Add unintentionally removed quote 2018-12-13 14:44:27 +09:00
Slavi Pantaleev bf8023057a Fix SQLite importing failure
Fixes a problem where importing would lead to this error:
    Cannot link to /matrix-postgres, as it does not belond to the default network.
2018-12-13 14:40:30 +09:00
Slavi Pantaleev b11a4c07a8 Upgrade mxisd (1.2.0 -> 1.2.1) 2018-12-13 10:18:56 +09:00
Slavi Pantaleev fcf43eeacc Fix "missing translation" warning on riot-web homepage
Small bugfix related to #55
2018-12-12 10:48:30 +09:00
anadahz 57bfb970a9 Enable support for custom HTML in riot-web homepage
* Add default template file for homepage HTML
* Add default riot-web config options for homepage
2018-12-11 13:48:54 +00:00
Slavi Pantaleev cb874da1f7
Merge pull request #52 from aaronraimist/utf8-encoding
Add utf8 encoding option to log config
2018-12-05 10:57:23 +09:00
haslersn 22523c0e42 Support configuring mxisd's identity stores (two of them)
mxisd supports several identity stores. Add support to configure two of them:

* synapseSql (storing identities directly in Synapse's database)
* LDAP

This removed the need to copy `mxisd.yaml.j2` to the inventory in case one wants
to use LDAP as identity store. Note that the previous solution (copying
`mxisd.yaml.j2` was poor because of two reasons:

* The copy remains outdated in case the original is updated in future versions
  of this repo.
* The role's configuration should be in one place (configured only through role
  variables) instead of in multiple.

Configuring more identity stores through role variables can be supported in the
future.
2018-12-04 17:19:49 +01:00
Aaron Raimist 9028e3714e
Add utf8 encoding option to log config 2018-12-04 09:34:32 -06:00
Hugues Morisset f8987cb775 Set default mautrix-telegram image to 0.4.0 2018-11-30 19:32:29 +01:00
Slavi Pantaleev 9dad4c7c2d Fix /.well-known/matrix/client for CORS
This is provoked by Github issue #46.

No client had made use of the well-known mechanism
so far, so the set up performed by this playbook was not tested
and turned out to be a little deficient.

Even though /.well-known/matrix/client is usually requested with a
simple request (no preflight), it's still considered cross-origin
and [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
applies. Thus, the file always needs to be served with the appropriate
`Access-Control-Allow-Origin` header.

Github issue #46 attempts to fix it at the "reverse-proxying" layer,
which may work, but would need to be done for every server.
It's better if it's done "upstream", so that all reverse-proxy
configurations can benefit.
2018-11-29 09:13:25 +02:00
Thomas vO bb849bd34f Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into new-cmds 2018-11-28 11:03:47 +01:00
Thomas vO caba16ea0d add script + doc to remove everything 2018-11-28 11:02:51 +01:00
Thomas vO 2bdc35de63 add script + doc to change a user to admin 2018-11-28 11:02:15 +01:00
Slavi Pantaleev 9f212adc1d Rename variable (matrix_synapse_ext_password_provider_ldap -> matrix_synapse_ext_password_provider_ldap_enabled)
This makes it more consistent with other usage throughout the playbook.
2018-11-28 11:19:19 +02:00
Thomas vO bbf8928831 fix template and vars for ldap auth, add setup 2018-11-28 09:04:09 +01:00
Thomas vO 9cf9a1ec54 [auth-ldap] add template + vars for ldap auth 2018-11-27 16:40:22 +01:00
Slavi Pantaleev 18e1dda4c8 Revert "Update riot-web (0.17.6 -> 0.17.7)"
As Github issue #42 says, 0.17.7 is not available.
We shouldn't have tried to use it.

This reverts commit 529b5b222d.
2018-11-27 16:40:26 +02:00
Slavi Pantaleev 529b5b222d Update riot-web (0.17.6 -> 0.17.7) 2018-11-25 09:57:30 +02:00
Slavi Pantaleev 5b70ec67a4 Add support for controlling Synapse's autocreate_auto_join_rooms 2018-11-23 11:16:40 +02:00
Slavi Pantaleev de91293d0d Update homeserver.yaml with new options and comments from upstream 2018-11-23 11:16:00 +02:00
Slavi Pantaleev a454feb5df Render trusted_third_party_id_servers more prettily 2018-11-23 11:07:22 +02:00
Slavi Pantaleev bc15db3316 Fix a few minor things for consistency
Trying to:

- stay closer to naming in Synapse (autojoin -> auto_join)

- not create new variable namespaces (`matrix_homeserver_`),
when existing ones (`matrix_synapse_`) are more suitable

- allow `null` (`~`) values for `matrix_riot_web_welcome_user_id`

- render things like `auto_join_rooms` in `homeserver.yaml` more prettily

- fix breakage in `config.json` where `matrix_riot_web_roomdir_servers`
was rendered as YAML and not as JSON

- simplify code (especially in riot-web's `config.json`), which used
`if` statements that could have been omitted

- avoid changing comments in `homeserver.yaml` which are not ours,
so that we can keep closer to the configuration file generated by upstream
2018-11-23 11:00:08 +02:00
anadahz 4febb117f4 Merge remote-tracking branch 'upstream/master' into fix/add/config 2018-11-23 00:58:32 +00:00
anadahz 792bed3f5a Fix add/config based on comments by @spantaleev 2018-11-23 00:42:54 +00:00
Aaron Raimist d13aa7316e
Remove riot.im from list of trusted identity servers
This brings the list in line with the new default as of https://github.com/matrix-org/synapse/pull/4207
2018-11-20 20:15:26 -06:00
Slavi Pantaleev 0e02dbd569 Update dependencies 2018-11-20 09:02:27 +02:00
anadahz 3cb3f17a90 Add more configured options for riot-web and homeserver. 2018-11-18 02:00:08 +00:00
Slavi Pantaleev d3c9be2cdf
Merge pull request #37 from aaronraimist/fix-well-known-self-check
Fix well known self check
2018-11-17 10:04:14 +01:00
Aaron Raimist 5a2069fa63
Fix well known self check 2018-11-16 16:12:13 -06:00
Aaron Raimist ddec99b899
Allow Synapse log levels to be configured (#23) 2018-11-14 13:39:52 -06:00
Slavi Pantaleev 12c4591a58 Update mxisd 2018-11-12 08:32:13 +02:00
Slavi Pantaleev 19257677c5 Update dependencies 2018-11-10 10:41:10 +02:00
Slavi Pantaleev f88b0ca33f
Merge branch 'master' into riot-web-config-json 2018-11-03 12:00:48 +02:00
Aaron Raimist ef2e330d22
Allow a few parts of Riot config.json to be configured (#24) 2018-11-02 20:14:03 -05:00
Aaron Raimist ebab95c9ec
Add new variable matrix_nginx_proxy_ssl_protocols 2018-11-02 18:20:05 -05:00
Aaron Raimist 3254a4d161
Disable TLS 1.0 and enable TLS 1.3 2018-11-01 22:14:09 -05:00
Slavi Pantaleev 9e8f216b9b Upgrade Synapse (v0.33.7 -> v0.33.8) 2018-11-01 12:50:33 +02:00
Slavi Pantaleev 4c0970d31e Make postgres_start_wait_time (affecting upgrades) configurable
This also raises the default from 5 seconds to 15 seconds.
2018-11-01 10:11:08 +02:00
Slavi Pantaleev e417ac4922 Add support for Postgres 11 2018-11-01 09:48:56 +02:00
Slavi Pantaleev a0a4ee526e Fix bug in Postgres dump/import causing upgrades to fail
Regression since 3fd6fd647f
2018-11-01 09:48:56 +02:00
Slavi Pantaleev 009bb1b776 Add support for configuring Postgres auto-upgrade-backup path 2018-11-01 09:48:56 +02:00
Slavi Pantaleev ac8d5a839d
Merge pull request #21 from Cadair/flags
Allow specifying which parts of the role run from playbooks
2018-11-01 08:58:42 +02:00
Slavi Pantaleev fb5115a544 Rename playbook variables so they are consistently prefixed
Pretty much all variables live in their own `matrix_<whatever>`
prefix now and are grouped closer together in the default
variables file (`roles/matrix-server/defaults/main.yml`).
2018-11-01 08:46:47 +02:00
Aaron Raimist 1955aac4bd
Update riot-web (0.17.0 -> 0.17.3) 2018-10-31 11:47:17 -05:00
Stuart Mumford 67e2bf285d
A simple idea to allow playbooks to control which bit of the role to run 2018-10-30 20:49:39 +00:00
Slavi Pantaleev 2186031be2 Remove unnecessary code causing troubles on Debian-based systems
It should be `/bin/mkdir` and `/bin/chown` on Ubuntu 18.04 for example.
Still, it doesn't seem like we need to create and chown these
directories at all, since the playbook takes care of creating them
and setting appropriate permission by itself.
2018-10-29 20:47:56 +02:00
Stuart Mumford 8498c4c5de
comment out all the things 2018-10-28 15:16:21 +00:00
Slavi Pantaleev cf0a5b3d2e
Merge pull request #20 from izissise/mautrix-whatsapp
Mautrix whatsapp
2018-10-26 19:39:14 +03:00
Slavi Pantaleev 95a6519876 Fix yaml syntax breakage
Regression since 67a445a74a
2018-10-25 18:15:56 +03:00
Slavi Pantaleev 67a445a74a Add support for controlling Matrix federation 2018-10-25 18:02:04 +03:00
Hugues Morisset b3fcc641c4 Add documentation and fix templates 2018-10-24 18:23:39 +02:00
Hugues Morisset 7a94fc0e24 Add mautrix-whatsapp 2018-10-24 17:09:23 +02:00
Slavi Pantaleev 3ecb16bbef Use disable_guests=true for Riot 2018-10-24 13:59:06 +03:00
Hugues Morisset 83a17f8439 Expose mautrix-telegram public endpoint through nginx
It used to allow user to logging with their own account to the bot
see: https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account
for more informations
2018-10-21 23:20:37 +02:00
Slavi Pantaleev c7188e06f9 Relocate some playbook task files to make it easier to navigate 2018-10-21 13:14:47 +03:00
Slavi Pantaleev d0c2ef10e4 Add self-check command 2018-10-21 12:58:25 +03:00
anadahz 2313907faa Add missing tag to task
The setup-all should include the setup_well_known task as well
2018-10-19 15:07:31 +01:00
Slavi Pantaleev a0320346e1 Upgrade Synapse (v0.33.7rc2 -> 0.33.7) 2018-10-18 18:15:07 +03:00
Slavi Pantaleev 9b3c882483 Update riot-web (0.16.4 -> 0.17.0) 2018-10-18 15:13:13 +03:00
Slavi Pantaleev 6cc528ba5a Upgrade Synapse (v0.33.5.1 -> v0.33.7rc2)
We skipped v0.33.6 because of matrix-org/synapse#4014,
but v0.33.7rc2 fixed the problem.
2018-10-18 14:49:21 +03:00
Slavi Pantaleev 36658addcd Work around buggy docker_network sometimes failing to work
If a network like `matrix-whatever` already exists for some reason,
the `docker_network` module would not create our `matrix` network.
Working around it by avoiding `docker_network` and doing it manually.

Fixes Github issue #12
2018-10-15 07:49:44 +03:00
Slavi Pantaleev 17ea05683b Fix yum/apt module invocation
The old way is deprecated and would stop working
after Ansible 2.11.
2018-10-12 09:00:53 +03:00
Slavi Pantaleev a1c1ec9b7f Update dependencies 2018-10-08 08:24:20 +03:00
Slavi Pantaleev 2185177957 Remove lt-cred-mech Coturn option
Coturn reports it as an option that conflicts with `use-auth-secret`.
Some reasoning is here: fa523e8d09
2018-10-08 08:22:40 +03:00
Slavi Pantaleev cc3e34b128 Fix to_yaml silliness 2018-10-05 10:59:02 +03:00
Slavi Pantaleev b49f4531e8 Make user presence-status tracking configurable 2018-10-05 10:35:16 +03:00
Slavi Pantaleev 7350842d9b Pull in homeserver.yaml template updates 2018-09-27 10:43:31 +03:00
Slavi Pantaleev 242f388af3 Make Synapse cache factor configurable 2018-09-27 10:03:31 +03:00
Slavi Pantaleev 161854e6d7 Disable Docker container logging
`--log-driver=none` is used for all Docker containers now.

All these containers are started through systemd anyway and get logged in journald,
so there's no need for Docker to be logging the same thing using the default `json-file` driver.
Doing that was growing `/var/lib/docker/containers/..` infinitely until service/container restart.

As a result of this, things like `docker logs matrix-synapse` won't work anymore.
`journalctl -u matrix-synapse` is how one can see the logs.
2018-09-26 09:11:19 +03:00
Slavi Pantaleev 4fbaa02bef Update Synapse (v0.33.4 -> v0.33.5.1) 2018-09-26 08:48:30 +03:00
Slavi Pantaleev de5f4f7a05 Update matrix-corporal dependency 2018-09-20 10:34:11 +03:00
Slavi Pantaleev 2df4349606 Fix matrix-corporal nginx configuration trouble in certain conditions
If the playbook were to run with `--tags=setup-nginx-proxy`,
it wouldn't go into `setup_corporal.yml`, which meant it wouldn't
perform a bunch of `set_fact` calls which override important
nginx proxy configuration.

We run these variable overrides on each call now (tagged with `always`)
to avoid such problems in the future.
2018-09-20 09:25:00 +03:00
Slavi Pantaleev 0d0ccde286 Add Service Discovery (/.well-known/matrix/client) support 2018-09-17 10:51:46 +03:00
Slavi Pantaleev 38e3ffa29c Rename variable (matrix_riot_web_default_identity_server_url -> matrix_identity_server_url) 2018-09-17 08:44:29 +03:00
Slavi Pantaleev 4f48508014 Rename variable (matrix_nginx_riot_web_data_path -> matrix_riot_web_data_path) 2018-09-17 08:43:31 +03:00
Slavi Pantaleev 3fed0ec594 Remove now-useless file 2018-09-17 08:18:15 +03:00
Slavi Pantaleev 2446b4845c Update matrix-corporal dependency 2018-09-15 11:50:02 +03:00
Slavi Pantaleev 8bbb6f0c60 Update dependencies 2018-09-12 20:04:54 +03:00
Slavi Pantaleev 21916c1a3c Update matrix-corporal (1.1 -> 1.1.1) 2018-09-08 11:19:39 +03:00
Slavi Pantaleev 620553e408 Update README 2018-09-07 23:35:04 +03:00
Hugues Morisset 6ef934a416 Mautrix telegram minimum config variable requirement 2018-09-07 20:03:56 +02:00
Hugues Morisset 45fb2df43f Fix some problem with permissions
Fix typo
Move mautrix variable in `defaults/main.yml` exclusively
2018-09-07 20:02:46 +02:00
Hugues Morisset 7b5f68c431 Add mautrix-telegram to bridge with telegram services 2018-09-07 20:02:46 +02:00
Slavi Pantaleev 7adcdf3040 Add the ability to control event_cache_size for Synapse
I've found the previous 10K default value to be way too low
on a bunch of servers I'm running, so it's now up to
100K and made configurable.
2018-09-07 16:15:40 +03:00
Slavi Pantaleev b52d91e180 Add the ability to controll password-peppering for Synapse
Closes Github issue #5
2018-09-07 15:01:38 +03:00
Slavi Pantaleev 6d6a6412fa Add the ability to control statistics-reporting for Synapse
Closes Github issue #3
2018-09-07 14:49:51 +03:00
Slavi Pantaleev 88b4434da9 Fix incorrect path 2018-09-07 13:59:29 +03:00
Slavi Pantaleev 7310498f71 Update certbot 2018-09-06 18:23:16 +03:00
Slavi Pantaleev 49e0d0e6db Update dependencies 2018-09-06 18:13:06 +03:00
Slavi Pantaleev 7428b941c8 Remove old s3fs stuff
We've been using Goofys for a long time instead.
2018-08-29 10:14:48 +03:00
Slavi Pantaleev 23e4a4734b Switch from acmetool to certbot for SSL certificate retrieval 2018-08-29 09:37:44 +03:00
Slavi Pantaleev d5346656e3 Use 0.16.1 for riot-web, as the image for 0.16.2 is still unavailable 2018-08-29 08:46:21 +03:00
Slavi Pantaleev 51ac3421b5 Update matrix-corporal (1.0.1 -> 1.1) 2018-08-24 17:13:58 +03:00