Commit graph

62 commits

Author SHA1 Message Date
Slavi Pantaleev 67a445a74a Add support for controlling Matrix federation 2018-10-25 18:02:04 +03:00
Slavi Pantaleev 3ecb16bbef Use disable_guests=true for Riot 2018-10-24 13:59:06 +03:00
Hugues Morisset 83a17f8439 Expose mautrix-telegram public endpoint through nginx
It used to allow user to logging with their own account to the bot
see: https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account
for more informations
2018-10-21 23:20:37 +02:00
Slavi Pantaleev 6cc528ba5a Upgrade Synapse (v0.33.5.1 -> v0.33.7rc2)
We skipped v0.33.6 because of matrix-org/synapse#4014,
but v0.33.7rc2 fixed the problem.
2018-10-18 14:49:21 +03:00
Slavi Pantaleev 2185177957 Remove lt-cred-mech Coturn option
Coturn reports it as an option that conflicts with `use-auth-secret`.
Some reasoning is here: fa523e8d09
2018-10-08 08:22:40 +03:00
Slavi Pantaleev cc3e34b128 Fix to_yaml silliness 2018-10-05 10:59:02 +03:00
Slavi Pantaleev b49f4531e8 Make user presence-status tracking configurable 2018-10-05 10:35:16 +03:00
Slavi Pantaleev 7350842d9b Pull in homeserver.yaml template updates 2018-09-27 10:43:31 +03:00
Slavi Pantaleev 242f388af3 Make Synapse cache factor configurable 2018-09-27 10:03:31 +03:00
Slavi Pantaleev 161854e6d7 Disable Docker container logging
`--log-driver=none` is used for all Docker containers now.

All these containers are started through systemd anyway and get logged in journald,
so there's no need for Docker to be logging the same thing using the default `json-file` driver.
Doing that was growing `/var/lib/docker/containers/..` infinitely until service/container restart.

As a result of this, things like `docker logs matrix-synapse` won't work anymore.
`journalctl -u matrix-synapse` is how one can see the logs.
2018-09-26 09:11:19 +03:00
Slavi Pantaleev 0d0ccde286 Add Service Discovery (/.well-known/matrix/client) support 2018-09-17 10:51:46 +03:00
Slavi Pantaleev 38e3ffa29c Rename variable (matrix_riot_web_default_identity_server_url -> matrix_identity_server_url) 2018-09-17 08:44:29 +03:00
Slavi Pantaleev 4f48508014 Rename variable (matrix_nginx_riot_web_data_path -> matrix_riot_web_data_path) 2018-09-17 08:43:31 +03:00
Slavi Pantaleev 3fed0ec594 Remove now-useless file 2018-09-17 08:18:15 +03:00
Hugues Morisset 45fb2df43f Fix some problem with permissions
Fix typo
Move mautrix variable in `defaults/main.yml` exclusively
2018-09-07 20:02:46 +02:00
Hugues Morisset 7b5f68c431 Add mautrix-telegram to bridge with telegram services 2018-09-07 20:02:46 +02:00
Slavi Pantaleev 7adcdf3040 Add the ability to control event_cache_size for Synapse
I've found the previous 10K default value to be way too low
on a bunch of servers I'm running, so it's now up to
100K and made configurable.
2018-09-07 16:15:40 +03:00
Slavi Pantaleev b52d91e180 Add the ability to controll password-peppering for Synapse
Closes Github issue #5
2018-09-07 15:01:38 +03:00
Slavi Pantaleev 6d6a6412fa Add the ability to control statistics-reporting for Synapse
Closes Github issue #3
2018-09-07 14:49:51 +03:00
Slavi Pantaleev 23e4a4734b Switch from acmetool to certbot for SSL certificate retrieval 2018-08-29 09:37:44 +03:00
Slavi Pantaleev 5398d80f01 Add support for matrix-corporal 2018-08-21 13:34:34 +03:00
Slavi Pantaleev 02d5b54fa5 Add controls for influencing Matrix Synapse's rate-limiting 2018-08-20 21:25:06 +03:00
Slavi Pantaleev f72882fe1a Fix user registration regression
Regression since a302a7d748,
which made the Matrix Client API only available on
the http port (8008) and not over the federation port (8448).
2018-08-17 12:23:25 +03:00
Slavi Pantaleev b0f1a1c80f Fix nginx warning: adding already-default text/html to gzip_types 2018-08-17 10:44:34 +03:00
Slavi Pantaleev ea43d46b70 Add matrix-synapse-rest-auth support 2018-08-17 09:02:17 +03:00
Slavi Pantaleev df79901f8b Improve compression support 2018-08-17 08:00:38 +03:00
Slavi Pantaleev a302a7d748 Only run federation on 8448 and client on 80
This disables federation on the 80 port, as it's
not necessary. We also disable the old Angular webclient.

For the federation port (8448), we disable the client APIs
as those are not necessary. Those can even cause trouble
if one doesn't know about them and thinks that guarding the client
APIs at the 80 port is enough.
2018-08-17 07:55:58 +03:00
Slavi Pantaleev 74093dfb15 Add mxisd Identity Server support 2018-08-15 10:46:13 +03:00
Slavi Pantaleev 617712000e Minor wording improvements 2018-08-15 10:19:31 +03:00
Slavi Pantaleev 21da2f572b Add email-sending support 2018-08-14 14:47:44 +03:00
Slavi Pantaleev 084a0a0e53 Minor consistency improvement 2018-08-08 10:47:03 +03:00
Slavi Pantaleev 700602eed3 Rename a bunch of playbook variables for better consistency 2018-08-08 09:17:18 +03:00
Slavi Pantaleev 3fd6fd647f Put all containers in their own isolated Docker network (matrix)
Moving away from using the default bridge network to using our own.
This isolates our services from other Docker containers running
on the default network on the same host.

The benefits are that:

- isolation is a little better - we no longer share a default
bridge network with any other containers that might be running on the host

- there are no longer hard dependencies - we do service discovery
by DNS name, and not via explicit `--link` usage during container start,
so containers can start out of order and fail without bringing down others
with them
(`matrix-nginx-proxy` can continue running, even if one of the other services dies)

In the future, when other services get introduced,
the increased resilience and simplicity will help as well.
2018-08-08 08:57:48 +03:00
Slavi Pantaleev b88fe971d6 Fix matrix-nginx-proxy.service dependency on riot-web, if riot-web disabled 2018-08-07 15:39:57 +03:00
Slavi Pantaleev 839b401b28 Set up Synapse configuration using a template (not line/regexp replacements)
Until now, we were starting from a fresh configuration, as generated
by Synapse and manipulating it with regex and line replacements,
until we made it work.

This is more fragile and less predictable, so we're moving to a static
configuration file generated from a Jinja template.

The upside is that configuration will be stable and predictable.

The downside of this new approach is that any manual configuration changes
after the playbook is done, will be thrown away on future playbook
invocations.

There are 2 ways to work around the need for manual configuration
changes though:
- making them part of this playbook and its default template
configuration files (which benefits everyone)
- going your own way for a given host and overriding the template files
that gets used (that is, the
`matrix_synapse_template_synapse_homeserver` or
`matrix_synapse_template_synapse_log` variables)
2018-06-26 21:05:59 +03:00
Slavi Pantaleev add8169c33 Remove deprecated "ssl" directive from nginx configuration 2018-06-26 20:43:57 +03:00
Slavi Pantaleev 053328be08 Fix nginx failing to start on certain low-cache CPUs 2018-06-26 20:40:48 +03:00
Slavi Pantaleev 1670a20937 Clean up riot-web UI (disable custom URLs and guest usage)
This playbook does not set up guest access in Synapse anyway,
so until the need comes (or someone asks for it), guest access
is removed from riot-web's UI too.

As for supporting custom URLs, this is also not something
that seems like it'd be useful to most deployments.
2018-05-30 15:36:09 +03:00
Slavi Pantaleev 5399e2b6bb Do not require (but want) matrix-coturn.service in matrix-synapse
It's not really a requirement, as it can function without it.
Also, restarting matrix-coturn doesn't need to restart matrix-synapse.
2018-05-29 13:38:41 +03:00
Slavi Pantaleev cbee084ac1 Use Postgres 10.x by default (only for new installs)
This playbook just tries to avoid trying to setup a Postgres 10
database with existing 9.x files, as that makes Postgres complain.

Due to this, existing installs (still on 9.x) are detected
and left on Postgres 9.x.
They need to be upgraded to Postgres 10.x manually.
2018-05-28 20:16:02 +03:00
Slavi Pantaleev b3e62126db Switch Docker image to official one
Switching from from avhost/docker-matrix (silviof/docker-matrix)
to matrixdotorg/synapse.

The avhost/docker-matrix (silviof/docker-matrix) image used to bundle
in the coturn STUN/TURN server, so as part of the move,
we're separating this to a separately-ran service
(matrix-coturn.service, powered by instrumentisto/coturn-docker-image)
2018-05-25 21:58:53 +03:00
Slavi Pantaleev 67a98e51d9 Make the riot-web container run without root privileges 2018-05-14 14:31:43 +03:00
Slavi Pantaleev efc78fb9d3 Switch from s3fs to Goofys
Improves performance of media store operations.
2018-02-20 21:36:08 +02:00
Slavi Pantaleev d14ef08d5b Fix SSL certificate renewal for the custom-proxy-server case
When using matrix-nginx-proxy, the file permissions are organized
in a way that matrix-nginx-proxy could read the challenge files
produced by acmetool.

However, when another own/external webserver was used (like nginx
with our generated sample configuration), this could not work.
From on we're proxying the HTTP requests to port :402 in such a case,
which fixes the problem.
2017-12-01 12:07:27 +01:00
Slavi Pantaleev f476e49e64 Make SSL renewal time configurable and nginx-proxy reload time adequate
The matrix-nginx-proxy was reloaded on the 3rd day of the month (`15 4 3 * *`),
which makes no sense - it's too infrequently.

It's in line with the renewal time now (+5 minutes).
2017-11-11 10:38:38 +02:00
Slavi Pantaleev 19e191f0bd Do not assign Docker container name for certificate renewal
Prevents clashes with other services like this one.
2017-10-16 08:42:27 +03:00
Slavi Pantaleev 767b321f60 Do not mount certain Docker volumes as read-write unnecessarily 2017-10-01 11:36:30 +03:00
Slavi Pantaleev 3a5f82267b Do not use Let's Encrypt certificate for Synapse's federation port
As described here (
https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711
), using own SSL certificates for the federation port is more fragile,
as renewing them could cause federation outages.

The recommended setup is to use the self-signed certificates generated
by Synapse.

On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt
certificates, which ensures API consumers work without having to trust
"our own CA".

Having done this, we also don't need to ever restart Synapse anymore,
as no new SSL certificates need to be applied there.

It's just matrix-nginx-proxy that needs to be restarted, and it doesn't
even need a full restart as an "nginx reload" does the job of swithing
to the new SSL certificates.
2017-09-23 15:29:15 +03:00
Slavi Pantaleev 6962bfcc42 Add support for not taking over a server (no matrix-nginx-proxy) and disabling Riot 2017-09-12 12:41:44 +03:00
Slavi Pantaleev cb323f5b4c Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl
Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break
2017-09-11 23:50:14 +03:00