Commit graph

86 commits

Author SHA1 Message Date
Slavi Pantaleev 810d0fb0e4 Make it possible to serve static websites from the base domain 2019-10-03 11:24:04 +03:00
Slavi Pantaleev 1dd1f9602f
Merge pull request #271 from thedanbob/certbot-0.38
Update certbot (0.37.1 -> 0.38.0)
2019-09-25 16:31:36 +03:00
Dan Arnfield c12ca8fff0 Update certbot (0.37.1 -> 0.38.0) 2019-09-25 06:17:12 -05:00
Dan Arnfield 2dd9dc4882 Update nginx (1.17.3 -> 1.17.4) 2019-09-25 06:00:44 -05:00
Slavi Pantaleev db57618abd Update nginx and certbot 2019-08-17 10:21:23 +03:00
Slavi Pantaleev 3e57a1463a Serve nginx status page over HTTPS as well
Continuation of #234 (Github Pull Request).

I had unintentionally updated the documentation for the feature,
saying the page is available at `https://matrix.DOMAIN/nginx_status`.

Looks like it wasn't the case, going against my expectations.

I'm correcting this with this patch.
The status page is being made available on both HTTP and HTTPS.
Serving over HTTP is likely necessary for services like
Longview
(https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)
2019-08-07 12:53:53 +03:00
p5t2vspoqqw c32a3e3204 correct defaults 2019-08-07 10:56:29 +02:00
p5t2vspoqqw 4b8190dc3f serve status page for matrix.DOMAIN only 2019-08-07 10:54:14 +02:00
p5t2vspoqqw 51d5741bb3 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-08-05 09:34:30 +02:00
Slavi Pantaleev 6fc779dc83 Ensure matrix_ssl_retrieval_method value is valid
We recently had someone in the support room who set it to `false`
and the playbook ran without any issues.

This currently seems to yield the same result as 'none', but it's
better to avoid such behavior.
2019-08-02 11:59:10 +03:00
Dan Arnfield 9296dfd094 Update nginx (1.17.1 -> 1.17.2) 2019-07-24 06:21:37 -05:00
p5t2vspoqqw 5054fff88b Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-07-12 15:45:19 +02:00
Slavi Pantaleev 1316d36f8b Fix deprecation warning (using cron module without name) 2019-07-09 09:11:38 +03:00
p5t2vspoqqw d88e261150 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-07-05 16:12:29 +02:00
Dan Arnfield f83bbf8525 Bump nginx version 2019-07-04 22:59:21 -05:00
p5t2vspoqqw 9874c3df90 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-26 10:41:14 +02:00
Dan Arnfield ae3a1bb148 Update nginx to 1.17.0 2019-06-24 13:10:58 -05:00
p5t2vspoqqw 8fcdac3738 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-12 10:10:52 +02:00
Slavi Pantaleev 7d3adc4512 Automatically force-pull :latest images
We do use some `:latest` images by default for the following services:
- matrix-dimension
- Goofys (in the matrix-synapse role)
- matrix-bridge-appservice-irc
- matrix-bridge-appservice-discord
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-whatsapp

It's terribly unfortunate that those software projects don't release
anything other than `:latest`, but that's how it is for now.

Updating that software requires that users manually do `docker pull`
on the server. The playbook didn't force-repull images that it already
had.

With this patch, it starts doing so. Any image tagged `:latest` will be
force re-pulled by the playbook every time it's executed.

It should be noted that even though we ask the `docker_image` module to
force-pull, it only reports "changed" when it actually pulls something
new. This is nice, because it lets people know exactly when something
gets updated, as opposed to giving the indication that it's always
updating the images (even though it isn't).
2019-06-10 14:30:28 +03:00
p5t2vspoqqw 4b657b3822 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-03 10:13:25 +02:00
Slavi Pantaleev 7d8dde8a53 Add support for proxying /_synapse/admin APIs
Fixes #191 (Github Issue).
2019-05-29 08:32:24 +03:00
Slavi Pantaleev ab59cc50bd Add support for more flexible container port exposing
Fixes #171 (Github Issue).
2019-05-25 07:41:08 +09:00
p5t2vspoqqw 0cfa73f153 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-23 10:48:22 +02:00
Dan Arnfield 9c23d877fe Fix docker_image option for ansible < 2.8 2019-05-22 05:43:33 -05:00
Dan Arnfield fa38c84be2 Fix casting int to string warning 2019-05-21 10:37:05 -05:00
Dan Arnfield db15791819 Add source option to docker_image to fix deprecation warning 2019-05-21 10:29:12 -05:00
Dan Arnfield 3982f114af Fix CONDITIONAL_BARE_VARS deprecation warning in ansible 2.8 2019-05-21 10:25:59 -05:00
Slavi Pantaleev 5c821b581a Check fullchain.pem, not cert.pem
While using certbot means we'll have both files retrieved,
it's actually the fullchain.pem file that we use in nginx configuration.

Using that one for the check makes more sense.
2019-05-21 11:58:18 +09:00
Slavi Pantaleev ae7c8d1524 Use SyslogIdentifier to improve logging
Reasoning is the same as for matrix-org/synapse#5023.

For us, the journal used to contain `docker` for all services, which
is not very helpful when looking at them all together (`journalctl -f`).
2019-05-16 09:43:46 +09:00
p5t2vspoqqw 4315b472af Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-09 09:34:09 +02:00
Dan Arnfield 171c6db41e Add option to proxy 3pid registration endpoints 2019-05-08 13:49:51 -05:00
Hugues De Keyzer c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Slavi Pantaleev e0b7b4dc61
Merge pull request #159 from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
p5t2vspoqqw 79ad60cf0a Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-02 14:31:18 +02:00
Slavi Pantaleev 0e391b5870 Add explicit |int casting for more variables
As discussed in #151 (Github Pull Request), it's
a good idea to not selectively apply casting, but to do it in all
cases involving arithmetic operations.
2019-04-30 18:26:03 +03:00
Sylvia van Os 75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Slavi Pantaleev db977ea584
Merge pull request #151 from huguesdk/bugfix/nginx_proxy_tmpfs_size
Fix value of nginx-proxy tmpfs size
2019-04-29 09:00:37 +03:00
Slavi Pantaleev 7c246b4a99 Make error about unset matrix_ssl_lets_encrypt_support_email more descriptive
Previously, we'd show an error like this:

{"changed": false, "item": null, "msg": "Detected an undefined required variable"}

.. which didn't mention the variable name
(`matrix_ssl_lets_encrypt_support_email`).
2019-04-28 11:02:17 +03:00
Hugues De Keyzer 6aa6633ee7 Fix value of nginx-proxy tmpfs size
Use an int conversion in the computation of the value of
matrix_nginx_proxy_tmp_directory_size_mb, to have the integer value
multiplied by 50 instead of having the string repeated 50 times.
2019-04-27 21:54:21 +02:00
p5t2vspoqqw af8beb3627 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-04-24 15:03:47 +02:00
Slavi Pantaleev ec0f936227 Try SSL renewal more frequently and reload later
It doesn't hurt to attempt renewal more frequently, as it only does
real work if it's actually necessary.

Reloading, we postpone some more, because certbot adds some random delay
(between 1 and 8 * 60 seconds) when renewing. We want to ensure
we reload at least 8 minutes later, which wasn't the case.

To make it even safer (in case future certbot versions use a longer
delay), we reload a whole hour later. We're in no rush to start using
the new certificates anyway, especially given that we attempt renewal
often.

Somewhat fixes #146 (Github Issue)
2019-04-23 17:59:02 +03:00
p5t2vspoqqw c2eabf2b9d Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-04-23 09:45:10 +02:00
p5t2vspoqqw 7ee6927ca9 add suggested change; correct indent 2019-04-23 09:44:02 +02:00
Slavi Pantaleev 18a562c000 Upgrade services 2019-04-21 08:57:49 +03:00
p5t2vspoqqw deeefac84c add ngnix-status to config
add doc
2019-04-17 13:45:42 +02:00
Slavi Pantaleev bec59c06bb Update images 2019-04-09 09:33:24 +03:00
Slavi Pantaleev af1c9ae59d Do not force firewalld on people
In most cases, there's not really a need to touch the system
firewall, as Docker manages iptables by itself
(see https://docs.docker.com/network/iptables/).

All ports exposed by Docker containers are automatically whitelisted
in iptables and wired to the correct container.

This made installing firewalld and whitelisting ports pointless,
as far as this playbook's services are concerned.

People that wish to install firewalld (for other reasons), can do so
manually from now on.

This is inspired by and fixes #97 (Github Issue).
2019-04-03 11:37:20 +03:00
Slavi Pantaleev 95e4234dca Update nginx (1.15.9 -> 1.15.10) 2019-04-01 19:54:53 +03:00
Slavi Pantaleev 73af8f7bbb Make self-check not validate self-signed certificates
By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)
2019-03-22 09:41:08 +02:00
Lee Verberne d90bc20690 Use common path for systemctl in lets encrypt cron
Currently the nginx reload cron fails on Debian 9 because the path to
systemctl is /bin/systemctl rather than /usr/bin/systemctl.

CentOS 7 places systemctl in both /bin and /usr/bin, so we can just use
/bin/systemctl as the full path.
2019-03-16 20:48:58 +01:00