Commit graph

25 commits

Author SHA1 Message Date
Slavi Pantaleev 6d253ff571 Switch to a better riot-web image (avhost/docker-matrix-riot -> bubuntux/riot-web)
The new container image is about 20x smaller in size, faster to start up, etc.

This also fixes #26 (Github issue).
2019-01-11 21:20:21 +02:00
Slavi Pantaleev 87b5f0a4d4 Server non-scary page at matrix domain (take 2)
Fix for 12b65d8ccc.
2018-12-29 20:11:37 +02:00
Slavi Pantaleev 12b65d8ccc Serve a non-scary page at the matrix domain
Fixes #18 (Github issue).

It would probably be better if we serve our own page,
as the Matrix one says:

"To use this server you'll need a Matrix client", which
is true, but we install Riot by default and it'd be better if we mention
that instead.
2018-12-23 19:45:03 +02:00
Slavi Pantaleev d28bdb3258 Add support for 2 more SSL certificate retrieval methods
Adds support for managing certificates manually and for
having the playbook generate self-signed certificates for you.

With this, Let's Encrypt usage is no longer required.

Fixes Github issue #50.
2018-12-23 11:00:12 +02:00
Slavi Pantaleev 9dad4c7c2d Fix /.well-known/matrix/client for CORS
This is provoked by Github issue #46.

No client had made use of the well-known mechanism
so far, so the set up performed by this playbook was not tested
and turned out to be a little deficient.

Even though /.well-known/matrix/client is usually requested with a
simple request (no preflight), it's still considered cross-origin
and [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
applies. Thus, the file always needs to be served with the appropriate
`Access-Control-Allow-Origin` header.

Github issue #46 attempts to fix it at the "reverse-proxying" layer,
which may work, but would need to be done for every server.
It's better if it's done "upstream", so that all reverse-proxy
configurations can benefit.
2018-11-29 09:13:25 +02:00
Aaron Raimist ebab95c9ec
Add new variable matrix_nginx_proxy_ssl_protocols 2018-11-02 18:20:05 -05:00
Aaron Raimist 3254a4d161
Disable TLS 1.0 and enable TLS 1.3 2018-11-01 22:14:09 -05:00
Hugues Morisset 83a17f8439 Expose mautrix-telegram public endpoint through nginx
It used to allow user to logging with their own account to the bot
see: https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account
for more informations
2018-10-21 23:20:37 +02:00
Slavi Pantaleev 0d0ccde286 Add Service Discovery (/.well-known/matrix/client) support 2018-09-17 10:51:46 +03:00
Slavi Pantaleev 23e4a4734b Switch from acmetool to certbot for SSL certificate retrieval 2018-08-29 09:37:44 +03:00
Slavi Pantaleev 5398d80f01 Add support for matrix-corporal 2018-08-21 13:34:34 +03:00
Slavi Pantaleev b0f1a1c80f Fix nginx warning: adding already-default text/html to gzip_types 2018-08-17 10:44:34 +03:00
Slavi Pantaleev df79901f8b Improve compression support 2018-08-17 08:00:38 +03:00
Slavi Pantaleev 74093dfb15 Add mxisd Identity Server support 2018-08-15 10:46:13 +03:00
Slavi Pantaleev 617712000e Minor wording improvements 2018-08-15 10:19:31 +03:00
Slavi Pantaleev 700602eed3 Rename a bunch of playbook variables for better consistency 2018-08-08 09:17:18 +03:00
Slavi Pantaleev 3fd6fd647f Put all containers in their own isolated Docker network (matrix)
Moving away from using the default bridge network to using our own.
This isolates our services from other Docker containers running
on the default network on the same host.

The benefits are that:

- isolation is a little better - we no longer share a default
bridge network with any other containers that might be running on the host

- there are no longer hard dependencies - we do service discovery
by DNS name, and not via explicit `--link` usage during container start,
so containers can start out of order and fail without bringing down others
with them
(`matrix-nginx-proxy` can continue running, even if one of the other services dies)

In the future, when other services get introduced,
the increased resilience and simplicity will help as well.
2018-08-08 08:57:48 +03:00
Slavi Pantaleev add8169c33 Remove deprecated "ssl" directive from nginx configuration 2018-06-26 20:43:57 +03:00
Slavi Pantaleev 053328be08 Fix nginx failing to start on certain low-cache CPUs 2018-06-26 20:40:48 +03:00
Slavi Pantaleev d14ef08d5b Fix SSL certificate renewal for the custom-proxy-server case
When using matrix-nginx-proxy, the file permissions are organized
in a way that matrix-nginx-proxy could read the challenge files
produced by acmetool.

However, when another own/external webserver was used (like nginx
with our generated sample configuration), this could not work.
From on we're proxying the HTTP requests to port :402 in such a case,
which fixes the problem.
2017-12-01 12:07:27 +01:00
Slavi Pantaleev 6962bfcc42 Add support for not taking over a server (no matrix-nginx-proxy) and disabling Riot 2017-09-12 12:41:44 +03:00
Slavi Pantaleev 2bb8bb96d4 Add support for configuring max_upload_size 2017-08-30 12:07:03 +03:00
Slavi Pantaleev 1cd227b699 Increase max body size for the nginx proxy
Otherwise, we can't support large media file uploads.
2017-08-12 15:39:21 +03:00
Slavi Pantaleev a3ecb7bfd9 Add http->http redirection for Matrix/Riot
Doing this means that matrix-nginx-proxy now starts
occupying port 80, which necessitates that
SSL renewal happens slightly differently.
2017-08-06 19:10:50 +03:00
Slavi Pantaleev 87f5883f24 Initial commit 2017-07-31 23:08:20 +03:00