Commit graph

385 commits

Author SHA1 Message Date
Dan Arnfield 7b5e633776 Update synapse (1.2.1 -> 1.3.0) 2019-08-15 06:59:37 -05:00
Slavi Pantaleev 99f5baa7bb Fix undefined variable error (matrix_synapse_id_servers_public)
This only gets triggered if:
- the Synapse role is used standalone and the default values are used
- the whole playbook is used, with `matrix_mxisd_enabled: false`
2019-08-08 18:30:54 +03:00
Oleg Fiksel 43628ddad6 Added "|to_json" to ensure we really pass a boolean 2019-08-08 12:11:19 +02:00
Oleg Fiksel f713bbe0f8 Added possibility to enable guest access on synapse 2019-08-08 11:57:35 +02:00
Slavi Pantaleev 6fe4bafc2a Decrease default Synapse logging level
Also discussed previously in #213 (Github Pull Request).

shared-secret-auth and rest-auth logging is still at `INFO`
intentionally, as user login events seem more important to keep.
Those modules typically don't spam as much.
2019-08-03 07:48:04 +03:00
Slavi Pantaleev bd99dd05b4 Upgrade Synapse (1.2.0 -> 1.2.1) 2019-07-26 14:17:31 +03:00
Slavi Pantaleev 255b67a0ce Update homeserver.yaml with new options from Synapse v1.2.0
Related to #223 (Github Pull Request)
2019-07-25 22:03:12 +03:00
Dan Arnfield 0e54515c9d Update synapse (1.1.0 -> 1.2.0) 2019-07-25 08:42:33 -05:00
Slavi Pantaleev 631a14bf0c Rename run control variables for consistency 2019-07-08 09:38:36 +03:00
Slavi Pantaleev 17cd52ced6 Make Synapse log messages a bit prettier
ef5e4ad061 intentionally makes us conform to
the logging format suggested by the official Docker image.

Reverting this part, because it's uglier.

This likely should be fixed upstream as well though.
2019-07-04 18:19:52 +03:00
Slavi Pantaleev ef5e4ad061 Make Synapse not log to text files
Somewhat related to #213 (Github Pull Request).

We've been moving in the opposite direction for quite a long time.
All services should just leave logging to systemd's journald.
2019-07-04 17:46:31 +03:00
Slavi Pantaleev b84139088c Fix password providers not working on Synapse v1.1.0
Fixes a regression introduced during the upgrade to
Synapse v1.1.0 (in 2b3865ceea).

Since Synapse v1.1.0 upgraded to Python 3.7
(https://github.com/matrix-org/synapse/pull/5546),
we need to use a different modules directory when mounting
password provider modules.
2019-07-04 17:28:38 +03:00
Slavi Pantaleev 73158e6c2f Fix unintentionally inverted boolean
Fixes a problem introduced by da6edc9cba.

Related to #145 (Github Pull Request).
2019-07-04 17:27:42 +03:00
Slavi Pantaleev da6edc9cba Add support for disabling Synapse's local database for user auth
This is a new feature of Synapse v1.1.0.

Discussed in #145 (Github Pull Request).
2019-07-04 17:11:51 +03:00
Slavi Pantaleev 2b3865ceea Upgrade Synapse (1.0.0 -> 1.1.0) 2019-07-04 16:58:45 +03:00
Slavi Pantaleev f4574961c7
Prevent double-quotes around default room version
Using `|to_json` on a string is expected to correctly wrap it in quotes (e.g. `"4"`).
Wrapping it explicitly in double-quotes results in undesirable double-quoting (`""4""`).
2019-06-12 09:17:35 +03:00
Aaron Raimist 483bdd8c01
Allow default room version to be configured 2019-06-11 21:18:06 -05:00
Slavi Pantaleev e4068e55ee Upgrade Synapse (0.99.5.2 -> 1.0.0) 2019-06-11 20:30:18 +03:00
Slavi Pantaleev 7d3adc4512 Automatically force-pull :latest images
We do use some `:latest` images by default for the following services:
- matrix-dimension
- Goofys (in the matrix-synapse role)
- matrix-bridge-appservice-irc
- matrix-bridge-appservice-discord
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-whatsapp

It's terribly unfortunate that those software projects don't release
anything other than `:latest`, but that's how it is for now.

Updating that software requires that users manually do `docker pull`
on the server. The playbook didn't force-repull images that it already
had.

With this patch, it starts doing so. Any image tagged `:latest` will be
force re-pulled by the playbook every time it's executed.

It should be noted that even though we ask the `docker_image` module to
force-pull, it only reports "changed" when it actually pulls something
new. This is nice, because it lets people know exactly when something
gets updated, as opposed to giving the indication that it's always
updating the images (even though it isn't).
2019-06-10 14:30:28 +03:00
Aaron Raimist 79f4bcf5be
Enable sentry.io integration 2019-06-07 16:02:41 -05:00
Slavi Pantaleev d6d6c152a3 Delay bridge startup to ensure Synapse is up
Bridges start matrix-synapse.service as a dependency, but
Synapse is sometimes slow to start, while bridges are quick to
hit it and die (if unavailable).

They'll auto-restart later, but .. this still breaks `--tags=start`,
which doesn't wait long enough for such a restart to happen.

This attempts to slow down bridge startup enough to ensure Synapse
is up and no failures happen at all.
2019-06-07 12:15:37 +03:00
Slavi Pantaleev 3bc8aa0a82 Upgrade Synapse (0.99.5.1 -> 0.99.5.2) 2019-05-30 20:50:09 +03:00
Slavi Pantaleev 2982b03809 Explicitly serialize matrix_synapse_app_service_config_files
Attempt to fix #192 (Github Issue), potential regression since
70487061f4.

Serializing as JSON/YAML explicitly is much better than relying on
magic (well, Python serialization being valid YAML..).
It seems like Python may prefix strings with `u` sometimes (Python 3?),
which causes Python serialization to not be compatible with YAML.
2019-05-30 09:42:08 +03:00
Slavi Pantaleev 70487061f4 Prefer --mount instead of -v for mounting volumes
This doesn't replace all usage of `-v`, but it's a start.

People sometimes troubleshoot by deleting files (especially bridge
config files). Restarting Synapse with a missing registration.yaml file
for a given bridge, causes the `-v
/something/registration.yaml:/something/registration.yaml:ro` option
to force-create `/something/registration.yaml` as a directory.

When a path that's provided to the `-v` option is missing, Docker
auto-creates that path as a directory.
This causes more breakage and confusion later on.

We'd rather fail, instead of magically creating directories.
Using `--mount`, instead of `-v` is the solution to this.

From Docker's documentation:

> When you use --mount with type=bind, the host-path must refer to an existing path on the host.
> The path will not be created for you and the service will fail with an error if the path does not exist.
2019-05-29 09:59:50 +03:00
Slavi Pantaleev ab59cc50bd Add support for more flexible container port exposing
Fixes #171 (Github Issue).
2019-05-25 07:41:08 +09:00
Slavi Pantaleev a8b633561d Upgrade Synapse (v0.99.4 -> v0.99.5.1) 2019-05-23 09:23:04 +09:00
Dan Arnfield 9c23d877fe Fix docker_image option for ansible < 2.8 2019-05-22 05:43:33 -05:00
Dan Arnfield db15791819 Add source option to docker_image to fix deprecation warning 2019-05-21 10:29:12 -05:00
Dan Arnfield 3982f114af Fix CONDITIONAL_BARE_VARS deprecation warning in ansible 2.8 2019-05-21 10:25:59 -05:00
Slavi Pantaleev affb99003c Improve Synapse variable naming consistency 2019-05-21 12:09:38 +09:00
Slavi Pantaleev a1e9818356 Update comment 2019-05-21 11:25:32 +09:00
Slavi Pantaleev fc7ba153b1 Make matrix-synapse role respect matrix_synapse_enabled flag 2019-05-21 10:46:49 +09:00
Slavi Pantaleev 8d654aecdd Improve file naming consistency 2019-05-21 09:57:48 +09:00
Slavi Pantaleev e3b4622ac8 Split Synapse extension tasks into install/uninstall files 2019-05-18 06:36:54 +09:00
Slavi Pantaleev 663d1add92 Move matrix-appservice-discord into a separate role 2019-05-18 01:14:12 +09:00
Slavi Pantaleev 13c4e7e5b6 Merge branch 'master' into separate-bridge-roles 2019-05-16 09:45:06 +09:00
Slavi Pantaleev ae7c8d1524 Use SyslogIdentifier to improve logging
Reasoning is the same as for matrix-org/synapse#5023.

For us, the journal used to contain `docker` for all services, which
is not very helpful when looking at them all together (`journalctl -f`).
2019-05-16 09:43:46 +09:00
Slavi Pantaleev cf3117011b Upgrade Synapse (0.99.3.2 -> 0.99.4) 2019-05-16 09:20:43 +09:00
Slavi Pantaleev 3339e37ce9 Move matrix-appservice-irc into a separate role 2019-05-16 09:07:40 +09:00
Slavi Pantaleev 43fd3cc274 Move mautrix-facebook into a separate role 2019-05-15 09:34:31 +09:00
Marcel Partap 5aa7f637d8 Fix matrix_synapse_ext_password_provider_ldap_start_tls (it's boolean) 2019-05-14 23:09:59 +02:00
Slavi Pantaleev bb816df557 Move mautrix telegram and whatsapp into separate roles
The goal is to move each bridge into its own separate role.
This commit starts off the work on this with 2 bridges:
- mautrix-telegram
- mautrix-whatsapp

Each bridge's role (including these 2) is meant to:

- depend only on the matrix-base role

- integrate nicely with the matrix-synapse role (if available)

- integrate nicely with the matrix-nginx-proxy role (if available and if
required). mautrix-telegram bridge benefits from integrating with
it.

- not break if matrix-synapse or matrix-nginx-proxy are not used at all

This has been provoked by #174 (Github Issue).
2019-05-14 23:47:22 +09:00
Slavi Pantaleev 873c291be6 Fix appservice-discord configuration-extension merging 2019-05-14 08:24:03 +09:00
Slavi Pantaleev 216cdf8c74
Merge pull request #166 from izissise/mautrix-facebook
Mautrix facebook
2019-05-09 10:05:14 +03:00
Dan Arnfield 958ad68078 Add registrations_require_3pid synapse option 2019-05-08 12:29:18 -05:00
Hugues Morisset a82d5ed281 Add tulir mautrix-facebook (https://github.com/tulir/mautrix-facebook) 2019-05-08 17:11:07 +02:00
Slavi Pantaleev 5f2f17cb1e
Merge pull request #160 from danbob/fix-matrix-mxisd-config
Fix template indentation
2019-05-08 08:01:00 +03:00
Hugues De Keyzer c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Dan Arnfield 3abed49764 Fix jinja config for indented code blocks 2019-05-07 06:02:38 -05:00
Slavi Pantaleev 0e7310fd7c
Merge pull request #164 from TheLastProject/fix/string_before_to_json
string before to_json when string value is expected
2019-05-07 10:41:41 +03:00
Sylvia van Os 9ea593df37 Fix incorrect casts 2019-05-07 09:35:51 +02:00
Sylvia van Os ed0ecf5bea string before to_json when string value is expected
This prevents Ansible from sometimes failing to decrypt vault variables
2019-05-06 10:10:27 +02:00
Slavi Pantaleev e0b7b4dc61
Merge pull request #159 from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
Slavi Pantaleev 1653e40239
Merge pull request #158 from lpopov/master
Add the ability to update user passwords with ansible
2019-05-05 10:21:45 +03:00
Slavi Pantaleev 6bea3237c9
Merge pull request #163 from aaronraimist/synapse-0.99.3.1
Update Synapse (0.99.3 -> 0.99.3.1)
2019-05-03 22:10:20 +03:00
Aaron Raimist 8051ea9ef9
Update Synapse (0.99.3.1 -> 0.99.3.2) 2019-05-03 13:34:45 -05:00
Aaron Raimist d1646bb497
Update Synapse (0.99.3 -> 0.99.3.1) 2019-05-03 12:07:58 -05:00
Lyubomir Popov a206b65ed7 Use the '-p' non-interactive option to generate password hash instead of 'expect' 2019-05-03 11:02:17 +03:00
Sylvia van Os 75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Lyubomir Popov 134faa3139 Add the ability to update user passwords with ansible (when using the matrix-postgres container). 2019-04-30 16:30:26 +03:00
Sylvia van Os bf77f776a2 Add variable to disable homeserver url preview 2019-04-30 13:58:48 +02:00
Ciaran Ainsworth 8624cf4a57 Fixed default url preview settings 2019-04-26 14:11:40 +01:00
Slavi Pantaleev 892abdc700 Do not refer to Synapse as "Matrix Synapse" 2019-04-23 10:20:56 +03:00
Slavi Pantaleev 39566aa7fe Generate a Synapse signing key file, if missing
The code used to check for a `homeserver.yaml` file and generate
a configuration (+ key) only if such a configuration file didn't exist.

Certain rare cases (setting up with one server name and then
changing to another) lead to `homeserver.yaml` being there,
but a `matrix.DOMAIN.signing.key` file missing (because the domain
changed).
A new signing key file would never get generated, because `homeserver.yaml`'s
existence used to be (incorrectly) satisfactory for us.

From now on, we don't mix things up like that.
We don't care about `homeserver.yaml` anymore, but rather
about the actual signing key.

The rest of the configuration (`homeserver.yaml` and
`matrix.DOMAIN.log.config`) is rebuilt by us in any case, so whether
it exists or not is irrelevant and doesn't need checking.
2019-04-23 10:06:42 +03:00
Lyubomir Popov eab8f31eed Add additional room config options:
- matrix_enable_room_list_search - Controls whether searching the public room list is enabled.
 - matrix_alias_creation_rules - Controls who's allowed to create aliases on this server.
 - matrix_room_list_publication_rules - Controls who can publish and which rooms can be published in the public room list.
2019-04-16 12:40:38 +03:00
Slavi Pantaleev 9a05b030cb Fix unknown tag error when generating Goofys service
`{% matrix_s3_media_store_custom_endpoint_enabled %}` should have
been `{% if matrix_s3_media_store_custom_endpoint_enabled %}` instead.

Related to #132 (Github Pull Request).
2019-04-10 08:45:52 +03:00
Alexander Acevedo 6cc6638098
revert 3953705682
that's not how it works
2019-04-05 06:01:58 -04:00
Alexander Acevedo 3953705682
add custom endpoint environment variable 2019-04-05 05:56:36 -04:00
Alexander Acevedo 3ffb03f20e
missing whitespace 2019-04-05 05:54:58 -04:00
Alexander Acevedo c55e49d733
add custom endpoint to matrix-goofys.service.j2
This (should) check if custom endpoint is enabled.
2019-04-05 05:48:31 -04:00
Alexander Acevedo b5fbec8d83
add goofys custom
Creates the configuration variable to toggle custom endpoint and the default custom endpoint.
2019-04-05 05:33:38 -04:00
Slavi Pantaleev af1c9ae59d Do not force firewalld on people
In most cases, there's not really a need to touch the system
firewall, as Docker manages iptables by itself
(see https://docs.docker.com/network/iptables/).

All ports exposed by Docker containers are automatically whitelisted
in iptables and wired to the correct container.

This made installing firewalld and whitelisting ports pointless,
as far as this playbook's services are concerned.

People that wish to install firewalld (for other reasons), can do so
manually from now on.

This is inspired by and fixes #97 (Github Issue).
2019-04-03 11:37:20 +03:00
Slavi Pantaleev 631b7cc6a6 Add support for adjusting Synapse rate-limiting configuration 2019-04-01 21:40:14 +03:00
Slavi Pantaleev 77359ae867 Synchronize Synapse config with the sample from 0.99.3 2019-04-01 21:22:05 +03:00
Aaron Raimist c6f1f7aa23
Update Synapse (0.99.2 -> 0.99.3) 2019-04-01 11:26:46 -05:00
Slavi Pantaleev d9c6884b6a Update mautrix-telegram (0.4.0 -> 0.5.1) 2019-03-22 18:50:41 +02:00
Slavi Pantaleev 73af8f7bbb Make self-check not validate self-signed certificates
By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)
2019-03-22 09:41:08 +02:00
Slavi Pantaleev e65514223e
Merge branch 'master' into update-homeserver-yaml 2019-03-17 20:53:52 +02:00
Slavi Pantaleev 2f1662626e Use |to_json for matrix_synapse_push_include_content
Doing this for consistency.

Related to #117 (Github Pull Request).
2019-03-17 20:51:12 +02:00
Aaron Raimist ae912c4529
Update homeserver.yaml with some new options we could enable 2019-03-16 15:51:41 -05:00
Lee Verberne 71c7c74b7b Allow configuring push content for matrix-synapse
This allows overriding the default value for `include_content`. Setting
this to false allows homeserver admins to ensure that message content
isn't sent in the clear through third party servers.
2019-03-16 07:16:20 +01:00
Lorrin Nelson ceba99eed3 Make federation self-check conditional on matrix_synapse_federation_enabled 2019-03-13 22:33:52 -07:00
Slavi Pantaleev 2d56ff0afa Skip some uninstall tasks if not necessary to run 2019-03-13 07:40:51 +02:00
Plailect f6de3fd668
Start appservice-irc as non-root 2019-03-12 13:17:51 -04:00
Slavi Pantaleev 390ec8a599 Skip some tasks when not necessary to run them 2019-03-08 12:14:58 +02:00
Slavi Pantaleev 62e2acada5
Merge pull request #104 from dangersalad/master
allow exposing mautrix_telegram port
2019-03-08 08:50:05 +02:00
paulbdavis 17e86ba817 implement requested changes 2019-03-07 12:45:58 -07:00
Slavi Pantaleev 85c5adfd69 Minor consistency improvements 2019-03-05 09:20:36 +02:00
Slavi Pantaleev a310a01818 Use non-root and no-capability containers during Discord setup
Related to #105 (Github Pull Request).
2019-03-05 09:10:51 +02:00
Slavi Pantaleev f037f63a07
Merge pull request #105 from Lionstiger/matrix-discord-bridge
Add Support for matrix-appservice-discord
2019-03-05 06:39:46 +00:00
Lionstiger c2834d2226 running as matrix user from the start 2019-03-04 16:26:19 +01:00
Lionstiger 278484656b ensure systemd reloaded after bridge installation 2019-03-04 15:12:37 +01:00
Lionstiger 2d78c5f89d made matrix_appservice_discord_client_id lowercase 2019-03-04 15:11:06 +01:00
Lionstiger 7aadd8bbe9 undo changed synapse version 2019-03-03 19:55:56 +01:00
Lionstiger 4aeeb5cf31 Autogenerate Discord invite link
Generates the link required to add the Bridge to a Discord server.
2019-03-03 19:33:16 +01:00
Lionstiger 835c349275 Add matrix-appservice-discord bridge
Bridge is setup to work on the matrix side with this, but the discord invite link is not automatically generated.
2019-03-03 18:22:52 +01:00
Slavi Pantaleev 45618679f5 Reload systemd services when they get updated
Fixes #69 (Github Issue)
2019-03-03 11:55:15 +02:00
Slavi Pantaleev 041a1947b3 Update Synapse (0.99.1.1 -> 0.99.2) 2019-03-02 10:03:09 +02:00
paulbdavis f2a2cad107 allow exposing mautrix_telegram port 2019-03-01 16:05:01 -07:00
Slavi Pantaleev a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev 8cac29a5d5 Update matrix-synapse-rest-auth (0.1.1 -> 0.1.2) 2019-02-28 11:15:26 +02:00
Slavi Pantaleev 433780384e Do not use docker_container module
Using `docker_container` with a `cap_drop` argument requires
Ansible >=2.7.

We want to support older versions too (2.4), so we either need to
stop invoking it with `cap_drop` (insecure), or just stop using
the module altogether.

Since it was suffering from other bugs too (not deleting containers
on failure), we've decided to remove `docker_container` usage completely.
2019-02-25 10:42:27 +02:00
Slavi Pantaleev 350b25690d Add Riot v1.0 (v1.0.1) support 2019-02-16 11:48:17 +02:00
Slavi Pantaleev 0f55823c5f Update Synapse (0.99.1 -> 0.99.1.1)
It's not important for us, as it only contains
some ACME-related fix.
2019-02-14 19:43:13 +02:00
Slavi Pantaleev eb08e20418 Upgrade Synapse (0.99.0 -> 0.99.1) and sync config
`matrix_synapse_no_tls` is now implicit, so we've gotten rid of it.

The `homeserver.yaml.j2` template has been synchronized with the
configuration generated by Synapse v0.99.1 (some new options
are present, etc.)
2019-02-14 18:40:55 +02:00
Slavi Pantaleev df76ae707a Fix inaccurate comment 2019-02-13 14:07:16 +02:00
Slavi Pantaleev 42c4de348c Revert "Bind metrics on :: too"
This reverts commit 536c85619f.

Looks like binding metrics on IPv6 (`::`) fails with an error:

socket.gaierror: [Errno -2] Name does not resolve
2019-02-09 13:21:18 +02:00
Slavi Pantaleev 536c85619f Bind metrics on :: too
For consistency with all our other listeners,
we make this one bind on the `::` address too
(both IPv4 and IPv6).

Additional details are in #91 (Github Pull Request).
2019-02-06 14:24:10 +02:00
Slavi Pantaleev 91a757c581 Add support for reloading Synapse 2019-02-06 09:25:13 +02:00
Slavi Pantaleev 40f3793af7 Upgrade Synapse to v0.99 and simplify dummy TLS cert logic 2019-02-06 09:17:55 +02:00
Slavi Pantaleev 5db692f877 Remove some useless homeserver.yaml configuration 2019-02-05 14:02:01 +02:00
Slavi Pantaleev 738c592c27 Bump Synapse version (0.34.1.1 -> 0.99.0rc4) 2019-02-05 13:33:39 +02:00
Slavi Pantaleev f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Aaron Raimist 1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
Aaron Raimist 58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
dhose 87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Plailect 29b40b428a
Database files must be stored on permanent storage 2019-02-01 11:44:06 -05:00
Slavi Pantaleev a9fae8e3b1 Revert "Use native OpenSSL module to generate passkey.pem"
This reverts commit 0dac5ea508.

Relying on pyOpenSSL is the Ansible way of doing things, but is
impractical and annoying for users.

`openssl` is easily available on most servers, even by default.
We'd better use that.
2019-01-31 20:45:14 +02:00
Plailect 0dac5ea508
Use native OpenSSL module to generate passkey.pem 2019-01-31 11:38:54 -05:00
Plailect 5e1d96c727
Add matrix_appservice_irc_container_expose_client_server_api_port 2019-01-31 11:20:45 -05:00
Plailect 0a2a8e118c
Update example configuration and documentation 2019-01-31 11:05:27 -05:00
Plailect 3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev 0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev bf10331456 Make mautrix-whatsapp run as non-root and w/o capabilities 2019-01-28 15:55:58 +02:00
Slavi Pantaleev 8a3f942d93 Make mautrix-telegram run as non-root and w/o capabilities 2019-01-28 15:40:16 +02:00
Slavi Pantaleev 3e8a4159e6 Uncomment unintentionally-commented logic 2019-01-28 14:25:03 +02:00
Slavi Pantaleev 9438402f61 Drop capabilities in a few more places
Continuation of 316d653d3e
2019-01-28 11:43:32 +02:00
Slavi Pantaleev 316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev 56d501679d Be explicit about the UID/GID we start Synapse with
We do match the defaults anyway (by default that is),
but people can customize `matrix_user_uid` and `matrix_user_uid`
and it wouldn't be correct then.

In any case, it's better to be explicit about such an important thing.
2019-01-26 20:21:18 +02:00
Slavi Pantaleev 1a80058a2a Indent (non-YAML) using tabs
Fixes #83 (Github issue)
2019-01-26 09:37:29 +02:00
Slavi Pantaleev f4f06ae068 Make matrix-nginx-proxy role independent of others
The matrix-nginx-proxy role can now be used independently.
This makes it consistent with all other roles, with
the `matrix-base` role remaining as their only dependency.

Separating matrix-nginx-proxy was relatively straightforward, with
the exception of the Mautrix Telegram reverse-proxying configuration.
Mautrix Telegram, being an extension/bridge, does not feel important enough
to justify its own special handling in matrix-nginx-proxy.

Thus, we've introduced the concept of "additional configuration blocks"
(`matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks`),
where any module can register its own custom nginx server blocks.

For such dynamic registration to work, the order of role execution
becomes important. To make it possible for each module participating
in dynamic registration to verify that the order of execution is
correct, we've also introduced a `matrix_nginx_proxy_role_executed`
variable.

It should be noted that this doesn't make the matrix-synapse role
dependent on matrix-nginx-proxy. It's optional runtime detection
and registration, and it only happens in the matrix-synapse role
when `matrix_mautrix_telegram_enabled: true`.
2019-01-17 13:32:46 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev 294a5c9083 Fix YAML serialization of empty matrix_synapse_federation_domain_whitelist
We've previously changed a bunch of lists in `homeserver.yaml.j2`
to be serialized using `|to_nice_yaml`, as that generates a more
readable list in YAML.

`matrix_synapse_federation_domain_whitelist`, however, couldn't have
been changed to that, as it can potentially be an empty list.

We may be able to differentiate between empty and non-empty now
and serialize it accordingly (favoring `|to_nice_yaml` if non-empty),
but it's not important enough to be justified. Thus, always
serializing with `|to_json`.

Fixes #78 (Github issue)
2019-01-16 17:06:58 +02:00
Slavi Pantaleev 51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00