Commit graph

2022 commits

Author SHA1 Message Date
sakkiii 8529ca4c17
Update grafana (7.5.6->7.5.7) 2021-05-19 22:30:03 +05:30
Slavi Pantaleev 073d920a62
Merge pull request #1061 from sakkiii/ssl_enhancement
Optimize SSL session
2021-05-19 17:14:52 +03:00
Toni Spets 544915ff76 Add Heisenbridge 2021-05-19 10:42:21 +03:00
Slavi Pantaleev 21eb39f986 Mention matrix_common_after_systemd_service_start_wait_for_timeout_seconds in failure message
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1062
2021-05-19 08:46:13 +03:00
Slavi Pantaleev ee46fabdca Make waiting time for --tags=start configurable
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1062
2021-05-19 08:39:55 +03:00
sakkiii e9b878b9e9 Optimize SSL session 2021-05-18 19:39:43 +05:30
Slavi Pantaleev e6afa05f7b Enable OCSP stapling for the federation port
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

Not sure if this is beneficial though.
2021-05-18 08:15:42 +03:00
Slavi Pantaleev 57a6a98a50 Fix incorrect SSL certificate path
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-18 07:58:47 +03:00
Slavi Pantaleev b9c4e8ce16
Merge pull request #1057 from sakkiii/ssl_staple
Enable OCSP Stapling
2021-05-18 07:50:35 +03:00
sakkiii d31b55b2a7 SSL-enabled block only 2021-05-18 03:24:06 +05:30
rakshazi 400371f6dd
Updated Element version (1.7.27 -> 1.7.28) 2021-05-17 13:15:12 +00:00
Slavi Pantaleev d156c8caa2 Upgrade Synapse (1.33.2 -> 1.34.0) 2021-05-17 14:58:07 +03:00
Slavi Pantaleev e4dd933cf0 Make missing /_synapse/admin correctly return 404 responses
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.

For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)
2021-05-17 11:45:35 +03:00
sakkiii 2c3da6599b Added warning 2021-05-15 16:07:52 +05:30
sakkiii 0dd4459799 matrix_nginx_proxy_ocsp_stapling_enabled variable added 2021-05-15 16:01:49 +05:30
sakkiii c05021640d Enable OCSP Stapling 2021-05-15 15:57:05 +05:30
Aaron Raimist ca361af616
Add Hydrogen 2021-05-15 04:23:36 -05:00
sakkiii b191e461a5 Merge branch 'spantaleev:master' into master 2021-05-15 12:20:02 +05:30
sakkiii 4bd7d8b5e4
Update grafana (7.5.5->7.5.6) 2021-05-14 18:59:21 +05:30
sakkiii d5cd3d443d
Update prometheus (2.26.0->2.27.0) 2021-05-14 18:56:33 +05:30
sakkiii 322b750aad Merge branch 'spantaleev:master' into master 2021-05-14 18:54:47 +05:30
Slavi Pantaleev f481b1a84b Upgrade matrix-mailer (4.94.2-r0 -> 4.94.2-r0-1)
Related to https://github.com/devture/exim-relay/pull/9
2021-05-12 18:09:08 +03:00
Slavi Pantaleev 8e6f1876f5 Switch to :latest version of synapse-admin
Related to https://github.com/Awesome-Technologies/synapse-admin/issues/132

We should switch back when >0.8.0 gets released.
2021-05-11 19:25:12 +03:00
sakkiii 8fc55b30c5
Upgrade Synapse (1.33.1 -> 1.33.2)
This release fixes a denial of service attack (CVE-2021-29471) against Synapse's push rules implementation. Server admins are encouraged to upgrade.

Ref: https://github.com/matrix-org/synapse/releases/tag/v1.33.2
2021-05-11 19:06:30 +05:30
Slavi Pantaleev 2d4b039c55
Merge pull request #1046 from GoMatrixHosting/master
GoMatrixHosting v0.4.6
2021-05-11 09:07:48 +03:00
Michael-GMH 2b4bada72a fix conditional 2021-05-11 14:05:45 +08:00
Michael-GMH 0adcef65e6 fix conditional 2021-05-11 13:58:42 +08:00
Michael-GMH f70102e40c no dashes in usernames 2021-05-11 13:55:13 +08:00
Slavi Pantaleev f4657b2cdb Upgrade Element (1.7.26 -> 1.7.27) 2021-05-11 08:22:43 +03:00
Michael-GMH 4e6f6e179b GMH 0.4.6 update 2021-05-10 18:50:10 +08:00
sakkiii 29cf6a0087 Merge branch 'spantaleev:master' into master 2021-05-10 15:10:18 +05:30
Slavi Pantaleev 3dcc006932 Fix self-building for Coturn
689dcea773 wasn't enough. The `upstream/..` tags are
just upstream sources, without the alpine-based Dockerfile.
We need to use the `docker/..` tags for that (or `master`)

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1032

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009
2021-05-10 11:35:53 +03:00
Slavi Pantaleev 33f0074862 Upgrade matrix-mailer (4.94-r0 -> 4.94.2-r0)
Related to https://github.com/devture/exim-relay/issues/6
2021-05-10 11:23:44 +03:00
Slavi Pantaleev c19508087a
Merge pull request #1036 from sakkiii/grafana-csp
Grafana csp template backward compatible with older browsers
2021-05-10 10:09:13 +03:00
Slavi Pantaleev a198b87455 Upgrade synapse-admin (0.7.2 -> 0.8.0)
Related to https://github.com/Awesome-Technologies/synapse-admin/issues/132
2021-05-10 10:06:12 +03:00
Slavi Pantaleev 867ebb52ab
Merge pull request #1037 from pushytoxin/jitsi-5765-1
Update Jitsi (5142 -> 5765-1)
2021-05-08 12:35:29 +03:00
sakkiii bb0810302d Merge branch 'spantaleev:master' into master 2021-05-07 23:03:55 +05:30
Slavi Pantaleev 61220ea487 Upgrade Synapse (1.33.0 -> 1.33.1) 2021-05-06 20:47:09 +03:00
sakkiii 9174448e5e get rid of this {% else %} 2021-05-06 12:46:17 +05:30
sakkiii 0d5fe2d9f7
Update roles/matrix-grafana/templates/grafana.ini.j2
Co-authored-by: Aaron Raimist <aaron@raim.ist>
2021-05-06 12:38:40 +05:30
Béla Becker b10655ebb1 Jitsi XMPP Websocket support
Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket
2021-05-05 19:10:58 +02:00
Béla Becker 116bcaa13b Update jitsi to stable-5765-1
Changelog:
https://github.com/jitsi/docker-jitsi-meet/blob/stable-5765-1/CHANGELOG.md
2021-05-05 19:10:58 +02:00
sakkiii 37de7fc96a Updated Reference 2021-05-05 22:25:38 +05:30
sakkiii 303de935d5 grafana CSP backward compatible with older browsers 2021-05-05 22:12:56 +05:30
Slavi Pantaleev d4d1e2e922 Upgrade Synapse (1.32.2 -> 1.33.0) 2021-05-05 19:18:53 +03:00
Slavi Pantaleev b09a805939
Merge pull request #1031 from thedanbob/nginx-1.20.0
Update nginx (1.19.10 -> 1.20.0)
2021-05-04 10:41:02 +03:00
Slavi Pantaleev 6fdc71c40b
Merge pull request #1030 from thedanbob/grafana-7.5.5
Update grafana (7.5.4 -> 7.5.5)
2021-05-04 10:40:21 +03:00
Dan Arnfield cfaa3e598a Update nginx (1.19.10 -> 1.20.0) 2021-05-03 16:00:11 -05:00
Dan Arnfield bec5933db4 Update grafana (7.5.4 -> 7.5.5) 2021-05-03 15:57:06 -05:00
Michael-GMH 067b61e779 GoMatrixHosting v0.4.5 update 2021-04-29 08:06:45 +08:00
Slavi Pantaleev 2409c33ea2 Upgrade Element (1.7.25 -> 1.7.26) 2021-04-27 17:21:31 +03:00
benkuly 49cb2635a2
updated matrix-sms-bridge 2021-04-27 14:39:58 +02:00
Michael-GMH a14bf6c2ed GoMatrixHosting v0.4.4 update 2021-04-26 20:00:32 +08:00
Slavi Pantaleev 689dcea773 Fix self-building for Coturn
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009
2021-04-24 20:31:25 +03:00
sakkiii 40fe6bd5c1 variable matrix_nginx_proxy_hsts_preload_enable added 2021-04-24 20:04:20 +05:30
Slavi Pantaleev 389dc26615 Fix Synapse generic worker balancing
Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022
2021-04-24 11:52:45 +03:00
sakkiii 5b4fdf9b87 Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy 2021-04-24 12:15:34 +05:30
sakkiii 0ccf0fbf1c HSTS preload + X-XSS enables
**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.
2021-04-24 12:12:34 +05:30
sakkiii 3564635f0f
Merge branch 'master' into master 2021-04-24 11:46:52 +05:30
sakkiii 29bba5161b Element More security headers
More Production ready nginx headers for Matrix client element.
2021-04-24 11:10:40 +05:30
Slavi Pantaleev f6b371164c Remove useless variable 2021-04-23 07:07:18 +03:00
Slavi Pantaleev 62c0587b6a Use Alpine-based Coturn 2021-04-22 15:05:37 +03:00
Slavi Pantaleev 72a7cb4145
Merge pull request #1018 from GoMatrixHosting/master
GoMatrixHosting v0.4.3
2021-04-22 14:23:30 +03:00
Slavi Pantaleev e3fa3e12bc Upgrade Synapse (1.31 -> 1.32.2) 2021-04-22 14:22:07 +03:00
Michael-GMH 50d7209c5b GMH v04.3 2021-04-22 11:45:59 +08:00
Slavi Pantaleev 378fabf177 Revert "Upgrade Synapse (1.31 -> 1.32.1)"
This reverts commit 1fb54a37cb.

Seems like it's been pulled or something. It used to exist, but not
anymore. Not sure what's going on.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1017

Related to
https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010
2021-04-21 23:36:58 +03:00
Slavi Pantaleev 1fb54a37cb Upgrade Synapse (1.31 -> 1.32.1)
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010
2021-04-21 18:47:15 +03:00
Slavi Pantaleev d691cc0920 Move variable definition a bit 2021-04-21 13:59:20 +03:00
Slavi Pantaleev e00ef04b57 Add opt-out-of-FLoC headers by default 2021-04-21 13:58:24 +03:00
Slavi Pantaleev 42783972fd
Merge pull request #1011 from aaronraimist/synapse-admin
Upgrade synapse-admin (0.7.0 -> 0.7.2)
2021-04-21 09:24:30 +03:00
Slavi Pantaleev ca786cc343 Revert "Upgrade Synapse (1.31 -> 1.32)"
This reverts commit f825c7c263.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010
2021-04-20 23:40:55 +03:00
Aaron Raimist bb64b80697
Upgrade synapse-admin (0.7.0 -> 0.7.2) 2021-04-20 15:14:08 -05:00
Slavi Pantaleev f825c7c263 Upgrade Synapse (1.31 -> 1.32) 2021-04-20 17:47:34 +03:00
Slavi Pantaleev 7eda6a3c12
Merge pull request #1009 from thedanbob/coturn-official
Switch to official coturn image
2021-04-19 18:41:17 +03:00
Slavi Pantaleev adcecaffaf Fix connectivity between prometheus and prometheus-node-exporter
Expected to have regressed after https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008

This patch comes with its own downsides (as described in the comments
for matrix_prometheus_node_exporter_container_http_host_bind_port),
but at least there's:
- no security issue
- metrics remain readable from matrix-prometheus (even if the network metrics are inaccurate)

A better patch is certainly welcome.
2021-04-19 18:29:03 +03:00
Dan Arnfield b2ca1f2829 Add capability required by new image 2021-04-19 10:16:26 -05:00
Slavi Pantaleev 398b9f5d66
Merge pull request #1008 from sakkiii/master
security** node-exporter data & port publicly exposed
2021-04-19 17:31:00 +03:00
Dan Arnfield 29177d4922 Switch to official coturn docker image 2021-04-19 09:04:08 -05:00
sak 88a30fb5ed security** node-exporter data & port publicly exposed 2021-04-19 15:35:23 +05:30
sak 0f9a455719 Revert "security** node-exporter data & port publicly exposed"
This reverts commit d0cd709c08.
2021-04-19 15:24:36 +05:30
sak d0cd709c08 security** node-exporter data & port publicly exposed 2021-04-19 15:15:59 +05:30
Slavi Pantaleev 4a1739f604
Merge pull request #1007 from teutat3s/fix/nginx-dont-send-version
Don't expose nginx version with each response
2021-04-18 21:33:11 +03:00
teutat3s 2bf7c26cfa
Don't expose nginx version with each response 2021-04-18 16:24:13 +02:00
Slavi Pantaleev c565e72f0d
Merge pull request #1003 from sakkiii/patch-2
updated matrix_grafana_docker_image to v7.5.4
2021-04-18 09:56:12 +03:00
Slavi Pantaleev 51b46697c5
Merge pull request #1005 from sakkiii/master
Improve security for grafana
2021-04-18 09:50:59 +03:00
Dan Arnfield f04614a993 Fix prometheus network for ansible < 2.8 2021-04-17 20:15:26 -05:00
Slavi Pantaleev badd81e0ec Revert "Attempt to fix docker_network result discrepancy between Ansible versions"
This reverts commit 68ca81c8c2.
2021-04-17 19:31:20 +03:00
sakkiii 1958d0792d Update matrix-client-element.conf.j2 2021-04-17 21:33:07 +05:30
sakkiii b6d45c5fd8 Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy 2021-04-17 21:03:26 +05:30
sakkiii 05042f5ff1 Improve security grafana
- duplicate X-Content-Type-Options
- X-Frame-Options header
- Referrer-Policy [Might consider adding variable]
- Secure flag with cookies
- matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
2021-04-17 21:03:05 +05:30
sakkiii 27377e099d
updated matrix_grafana_docker_image to v7.5.4
Latest stable grafana version is [7.5.4 (2021-04-14)](https://github.com/grafana/grafana/releases/tag/v7.5.4)
2021-04-17 17:31:14 +05:30
Slavi Pantaleev 68ca81c8c2 Attempt to fix docker_network result discrepancy between Ansible versions
Supposedly fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907
2021-04-17 11:42:06 +03:00
Slavi Pantaleev 9c1f41eadf
Merge pull request #1002 from thedanbob/node-exporter-1.1.2
Update prometheus node exporter (1.1.0->1.1.2)
2021-04-17 11:15:13 +03:00
Dan Arnfield 8a550ce67c Update prometheus (2.24.1->2.26.0) 2021-04-16 09:25:45 -05:00
Dan Arnfield 83cc5c9e6a Update prometheus node exporter (1.1.0 -> 1.1.2) 2021-04-16 09:17:04 -05:00
sakkiii 5dc642ace1
Nginx element web: XSS protection & nosniff header
X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
X-Content-Type-Options: nosniff header, to disable MIME sniffing
2021-04-16 14:45:04 +05:30
Slavi Pantaleev fcb9e9618a Make Coturn TLSv1/v1.1 configurable
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999
2021-04-16 09:29:32 +03:00
sakkiii 540416e32d
Disable support for TLS 1.0 and TLS 1.1
These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.
2021-04-15 19:25:23 +05:30
Michael-GMH 89cb5a3d7a GMH v0.4.2 update 2021-04-15 17:07:03 +08:00
Michael f41bfb69d2 update survey template formatting 2021-04-04 12:01:53 +08:00
Michael 814bdf5a88 update spelling 2021-04-04 11:52:26 +08:00
Michael fbe22289bd merge with upstream and testing branch 2021-04-04 11:41:06 +08:00
Slavi Pantaleev 995c483856
Merge pull request #962 from aaronraimist/mjolnir
Add mjolnir
2021-04-03 10:45:29 +03:00
Slavi Pantaleev f183add44d
Merge pull request #977 from aaronraimist/simple-antispam
Upgrade synapse-simple-antispam (0.0.1 -> 0.0.3)
2021-04-03 08:45:14 +03:00
Aaron Raimist 81dddd2e25
Upgrade Element (1.7.24 -> 1.7.24.1) 2021-04-02 18:43:30 -05:00
Aaron Raimist c43bd412dd
Upgrade synapse-simple-antispam (0.0.1 -> 0.0.3) 2021-04-02 18:08:08 -05:00
Aaron Raimist 1ecee625d5
Depend on more services, add a delay 2021-04-02 17:07:24 -05:00
Slavi Pantaleev a88391edf5
Merge pull request #972 from JohannesKleine/nginx-config
matrix-nginx-proxy: add custom nginx options to nginx.conf.j2
2021-03-31 10:30:57 +03:00
teutat3s 0b5e903693
Updates to mautrix-signal config
See these last commits:

tulir/mautrix-signal@4fc34330c1

tulir/mautrix-signal@64bc5c36a5

tulir/mautrix-signal@ddda1666d4
2021-03-31 02:51:23 +02:00
Christoph Johannes Kleine fcd66b2889
rename variables 2021-03-30 16:41:32 +02:00
Christoph Johannes Kleine 8ba1105010
rename variable 2021-03-30 15:59:10 +02:00
Christoph Johannes Kleine 3a772f2f65
matrix-nginx-proxy: add custom nginx options to nginx.conf.j2 2021-03-30 14:11:20 +02:00
Slavi Pantaleev 93960b70be Do not fail if _matrix-identity DNS SRV record missing
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/963

This also simplifies Prerequisites, which is great.

It'd be nice if we were doing these checks in some optional manner
and reporting them as helpful messages (using
`matrix_playbook_runtime_results`), but that's more complicated.
I'd rather drop these checks completely.
2021-03-30 11:24:04 +03:00
Slavi Pantaleev 5e1cf7f8b9 Upgrade Element (1.7.23 -> 1.7.24) 2021-03-29 17:58:02 +03:00
Slavi Pantaleev 9409588513 Fix variable name typo (take 2)
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/970
2021-03-29 10:59:57 +03:00
Slavi Pantaleev 179b416ed5 Fix variable name typo
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/970
2021-03-29 09:24:35 +03:00
Slavi Pantaleev 77d598b315 Fix Go-NEB variable definitions using the wrong type
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/969
2021-03-28 12:10:22 +03:00
Slavi Pantaleev 49868db3de Upgrade Synapse for ARM64 (1.30.0 -> 1.30.1) 2021-03-26 16:48:15 +02:00
Slavi Pantaleev 94487dc6a7 Upgrade Synapse for amd64 (1.30.0 -> 1.30.1) 2021-03-26 15:37:11 +02:00
transcaffeine dbae18fd6a
feat: push ephemeral events to appservices
This adds https://github.com/matrix-org/matrix-doc/pull/2409 to the
appservice registrations, enabling synapse to push EDUs to appservices.
2021-03-25 18:49:54 +01:00
Dan Arnfield 97d8527e00 Update nginx (1.19.6 -> 1.19.8) 2021-03-24 09:42:08 -05:00
Slavi Pantaleev 5a4ea5f866 Make AWX enabling/disabling consistent with other playbook roles
That is:
- enabled in the role by default
- disabled in the compilation (playbook), if considered an optional
component
2021-03-24 14:02:53 +02:00
Aaron Raimist bab8b950ca
Add mjolnir 2021-03-23 22:46:08 -05:00
Slavi Pantaleev 06c74728eb Move matrix_nginx_proxy_proxy_synapse_federation_api_enabled definition to the role
This variable was previously undefined in the role and was only getting
defined via `group_vars/matrix_servers`.

We now properly initialize it (and its good default value) in the role
itself.
2021-03-23 10:28:32 +02:00
Slavi Pantaleev d09609daa8 Fix Jinja2 syntax error
Fixes a regression introduced in ffe649a240
2021-03-22 17:13:10 +02:00
Slavi Pantaleev 6a3433fbad Update Synapse for ARM64 (1.29.0 -> 1.30.0)
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/958
2021-03-22 16:43:23 +02:00
Slavi Pantaleev ffe649a240 Update homeserver.yaml to keep up with Synapse v1.30.0
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/958
2021-03-22 16:43:10 +02:00
rakshazi 74106f2a80
Updated synapse 1.29.0 -> 1.30.0 2021-03-22 14:03:42 +00:00
Thom Wiggers 54fe59f05c
Update IRC appservice 2021-03-22 12:37:35 +01:00
Slavi Pantaleev 2737ebc290 Complain if people try to use matrix-sygnal on non-amd64 2021-03-20 13:38:27 +02:00
Slavi Pantaleev b824522b33 Remove unnecessary with_items statement 2021-03-20 13:34:22 +02:00
Slavi Pantaleev 9a0222fa47 Add Sygnal support
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683
2021-03-20 13:32:22 +02:00
Michael af240aef37 remove sections from task list that arent needed 2021-03-20 17:35:30 +08:00
Michael 85127bacba Merge remote-tracking branch 'upstream/master' 2021-03-20 17:21:27 +08:00
Michael 1e54b1d1a5 merge upstream 2021-03-20 17:21:02 +08:00
Slavi Pantaleev f99dcd611f Pass proper UID/GID to Synapse
Fixes a regression caused by a5ee39266c.

If the user id and group id were different than 991:991
(which used to be a hardcoded default for us long ago),
there was a mismatch between what Synapse was trying to use (991:991)
and what it was actually started with (in `--user=..`). It was then
trying to change ownership, which was failing.

This was mostly affecting newer installations which were not using the
991:991 defaults we had long ago (since a1c5a197a9).
2021-03-19 16:44:10 +02:00
Slavi Pantaleev a5ee39266c Go through start.py when launching Synapse
This allows us to benefit from helpful things it does for us,
like enabling jemalloc: https://github.com/matrix-org/synapse/pull/8553

We weren't going through `start.py` before, because it was causing some
conflict with our `docker run --user=...` stuff, but it doesn't seem
to be a problem anymore.

Having done this, we won't need to do things like
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/941
anymore.
2021-03-19 08:16:59 +02:00
Aaron Raimist 32b3650c12
Set X-Forwarded-Proto on federation requests 2021-03-17 18:51:10 -05:00
Béla Becker 2d7e7680e5 matrix.{{ matrix_domain }} -> {{ matrix_server_fqn_matrix }} 2021-03-17 12:36:45 +01:00
Aaron Raimist 466827139a
Also check if matrix_ssl_lets_encrypt_support_email is blank 2021-03-17 00:54:05 -05:00
Slavi Pantaleev 97c0bf1a73
Merge pull request #942 from pushytoxin/etherpad1_8_12
Upgrade Etherpad (1.8.7 -> 1.8.12)
2021-03-16 20:07:34 +02:00
Béla Becker 60aa40845f Upgrade Etherpad (1.8.7 -> 1.8.12) 2021-03-16 18:55:58 +01:00
Yannick Goossens 27416607d9 Another field with 'invalid input syntax for type smallint' 2021-03-16 16:38:59 +01:00
Michael 5a6bdb0c3d merge upstream 2021-03-16 21:52:26 +08:00
Michael 571b70a1f4 fix for running outside of AWX 2021-03-16 21:37:19 +08:00
Michael 5a1f3b7d67 GMH v0.3.0 2021-03-14 14:35:38 +08:00
Michael 33ec5710d9 0.2.1 revision 2021-02-28 22:21:40 +08:00
Michael 4c882c513b initial PR 2021-02-20 17:19:17 +08:00
Marcus Proest 2ca8211184 Merge remote-tracking branch 'upstream/master' 2021-02-19 19:02:48 +01:00
Marcus Proest b99372a3c5 initial commit of mautrix-instagram role 2021-02-19 17:20:26 +01:00
Slavi Pantaleev 108aed53be Fix invalid matrix-postgres.service when matrix_postgres_process_extra_arguments is empty
This only seems to be affecting some people badly enough to cause
matrix-postgres not to start. Certain systemd versions probably handle
it better or something.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/889
(hopefully)
2021-02-19 16:33:23 +02:00
Slavi Pantaleev 1dbdfeec07 Fix matrix-postgres stopping for consistency with other services
This probably got lost somehow in all the work that happened in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456
2021-02-19 15:53:30 +02:00
Slavi Pantaleev 9f91eaa54b Fix incorrect service name
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/887
2021-02-19 12:12:21 +02:00
Slavi Pantaleev 91c987ca7d
Merge pull request #872 from xangelix/add-mx-puppet-groupme-gh
Add mx-puppet-groupme support
2021-02-19 11:42:41 +02:00
Slavi Pantaleev d94d0e2ca5
Merge pull request #456 from eMPee584/synapse-workers
Synapse workers
2021-02-19 11:40:36 +02:00
Slavi Pantaleev 9dc87bb948 Add Synapse worker presets for easier configuration
Adding more presets in the future would be nice.
2021-02-19 11:38:47 +02:00
Slavi Pantaleev eaea215282 Allow Synapse workers to be used with an external nginx webserver
We're talking about a webserver running on the same machine, which
imports the configuration files generated by the `matrix-nginx-proxy`
in the `/matrix/nginx-proxy/conf.d` directory.

Users who run an nginx webserver on some other machine will need to do
something different.
2021-02-19 11:36:48 +02:00
Slavi Pantaleev 2f732e4234 Update Synapse worker endpoints 2021-02-19 11:36:14 +02:00
Slavi Pantaleev 217b4a8808 Release Synapse v1.27.0 to ARM32 via self-building
Related to: https://matrix.org/blog/2021/02/18/synapse-1-27-0-released#dropping-armv7-docker-images
2021-02-19 09:10:16 +02:00
Béla Becker 65eab14a64 Make sure Etherpad has a database to write to 2021-02-18 17:43:14 +01:00
Béla Becker 005f4d57f9 Remove mention of sqlite3 support for Etherpad
The official Etherpad Docker image has no support for sqlite3 databases.
2021-02-18 17:39:36 +01:00
Slavi Pantaleev 1789620901 Merge branch 'master' into synapse-workers 2021-02-18 18:24:43 +02:00
Slavi Pantaleev d6c4d41c2b Define instanceId property on workers
This give us the possibility to run multiple instances of
workers that that don't expose a port.

Right now, we don't support that, but in the future we could
run multiple `federation_sender` or `pusher` workers, without
them fighting over naming (previously, they'd all be named
something like `matrix-synapse-worker-pusher-0`, because
they'd all define `port` as `0`).
2021-02-18 18:19:51 +02:00
rakshazi 996f732f98
Update synapse-admin (0.6.1 -> 0.7.0) 2021-02-18 12:05:21 +00:00
Cody Neiman c4e1209452
Merge branch 'master' into add-mx-puppet-groupme-gh 2021-02-17 13:52:37 -05:00
Slavi Pantaleev d33483b8ce Document that Synapse pusher worker instances are shardable
Related to:
- https://github.com/matrix-org/synapse/pull/9407
- https://github.com/matrix-org/synapse/pull/7855
2021-02-16 17:45:41 +02:00
Slavi Pantaleev daae74b074 Merge branch 'master' into synapse-workers 2021-02-16 17:31:40 +02:00
Slavi Pantaleev 521160c12f Upgrade Synapse (v1.26.0 -> v1.27.0) 2021-02-16 17:30:48 +02:00
Slavi Pantaleev 865d71e35a
Upgrade Element (1.7.20 -> 1.7.21) 2021-02-16 13:44:28 +02:00
Marc Leuser fd3d48bb6d trust the reverse proxy by default 2021-02-15 10:50:45 +01:00
Marc Leuser 1434c371bd safer port binding of etherpad docker container
don't bind to any host port if nginx_proxy is used
only bind to localhost if it's not used
2021-02-15 10:46:23 +01:00
Slavi Pantaleev 61e427d690 Do not let people enable more than 1 federation_sender worker 2021-02-15 11:37:03 +02:00
Slavi Pantaleev 85a05f38e8 Allow Synapse worker list to be generated dynamically
This leads to much easier management and potential safety
features (validation). In the future, we could try to avoid port
conflicts as well, but it didn't seem worth the effort to do it now.
Our port ranges seem large enough.

This can also pave the way for a "presets" feature
(similar to `matrix_nginx_proxy_ssl_presets`) which makes it even easier
for people to configure worker counts.
2021-02-15 11:25:35 +02:00
Slavi Pantaleev 43059bb040 Fix metrics listeners for Synapse workers
`::` leads to errors like:

> socket.gaierror: [Errno -9] Address family for hostname not supported
2021-02-15 11:19:07 +02:00
Slavi Pantaleev 453a4ec2d8 Relocate tasks related to Synapse workers 2021-02-15 11:18:47 +02:00
Cody Neiman e510481e84
Merge branch 'master' into add-mx-puppet-groupme-gh 2021-02-14 13:41:16 -05:00
Slavi Pantaleev 5cfeae806b Merge branch 'master' into synapse-workers 2021-02-14 13:00:57 +02:00
Slavi Pantaleev 894679750e
Merge pull request #862 from s-thom/nginx-additional
Add additional domains for Let's Encrypt certificates to be obtained
2021-02-14 11:05:25 +02:00
Slavi Pantaleev a8e9f35708 Touch up documentation a bit 2021-02-14 11:05:05 +02:00
Slavi Pantaleev 7d39e5153a Upgrade Postgres minor versions 2021-02-14 09:12:29 +02:00
Cody Neiman dc5e7eed3f
Fix mx-puppet-groupme port typo 2021-02-13 11:20:35 -05:00
Cody Neiman 2b3c143487
Update mx-puppet-groupme docker image 2021-02-13 11:10:53 -05:00
Cody Neiman 5a70a56ff0
Initial implementation 2021-02-12 23:13:30 -05:00
Slavi Pantaleev 8434af10de Do not fail on unrelated validation tasks when Grafana not enabled 2021-02-12 15:45:19 +02:00
Slavi Pantaleev 66d5b0e5b9 Do not fail on unrelated validation tasks when Prometheus not enabled
These validation tasks should only run when Prometheus is enabled.
2021-02-12 15:41:15 +02:00
Slavi Pantaleev 2ac2b02cb4
Merge pull request #838 from Peetz0r/stats
Prometheus and Grafana on stats.<domain>
2021-02-12 14:03:17 +02:00
Slavi Pantaleev c8ab200cb1 Break dependency between matrix-prometheus and (matrix-prometheus-node-exporter, matrix-synapse) 2021-02-12 11:59:24 +02:00
Slavi Pantaleev 6842102e00 Split install/uninstall tasks in matrix-prometheus 2021-02-12 11:59:24 +02:00
Slavi Pantaleev 18e31526a8 Rename some variables 2021-02-12 11:59:24 +02:00
Slavi Pantaleev 85a260daaf Make --tags=setup-prometheus not break, relying on matrix-base facts 2021-02-12 11:59:24 +02:00
Slavi Pantaleev df3dd1c824 Use --read-only FS for metrics-related containers
It seems like it doesn't cause any issues for any of these services.
2021-02-12 11:59:24 +02:00
Slavi Pantaleev 3ce9712388 Fix Grafana dashboard/datasource label 2021-02-12 11:59:24 +02:00
Slavi Pantaleev f0cd294628 Fix matrix-prometheus-node-exporter failure to start
The quotes around "host" for both `--pid` and `--net` were
causing trouble for me:

> docker: --pid: invalid PID mode.

and:

> docker: Error response from daemon: network "host" not found.

I've also changed the `-v` call to `--mount` for consistency with the
rest of the playbook.
2021-02-12 11:59:24 +02:00
efraimbart b7e68cb779
Fix wrong docker image being pulled
Changed `matrix_mautrix_signal_docker_image_force_pull` to `matrix_mautrix_signal_daemon_docker_image_force_pull` when force pulling the daemon
2021-02-11 22:56:37 -05:00
Peetz0r fde222a041 Update Prometheus Node Exporter 1.0.1 => 1.1.0 2021-02-10 23:11:17 +01:00
Peetz0r 3a77261dc6 Update Grafana 7.3.7 => 7.4.0 2021-02-10 23:11:02 +01:00
Peetz0r 144a5e6198 Register docker network info and use it for prometheus-node-exporter
Using the hardcoded IP did break while I was
messing with IPv6 stuff on the other branch
2021-02-10 22:54:42 +01:00
Peetz0r 76d7e84be5 Make prometheus-node-exporter a bit more capable
By running it in a more privileged container with access to the host network stack and such
2021-02-10 22:54:14 +01:00
Peetz0r 989100b1c1 Grafana nginx proxy config 2021-02-10 22:54:14 +01:00
Peetz0r eb5aa93e8a Grafana
Also includes the dashboards for Synapse and for Node Exporter.

Again has only been tested on debian amd64 so far, but the grafana docker image is available for arm64 and arm32. Nice.
2021-02-10 22:54:14 +01:00
Peetz0r e525970b39 Prometheus Node Exporter
Basic system stats, to show stuff the synapse metrics
can't show such as resource usage by bridges, etc

Seems to work fine as well.

This too has only been tested on debian amd64 so far
2021-02-10 22:54:14 +01:00
Peetz0r 13ef9e85cf Prometheus
Initial attempt. Seems to work fine.

Only tested on debian amd64 so far
2021-02-10 22:54:14 +01:00
Slavi Pantaleev 7e8e95a09a Make S3-mounting path configurable
This will make data migration easier.
2021-02-09 22:05:07 +02:00
Yan 385b6c623e Fixes: a66a604e ("Selfbuild appservice-slack bridge") 2021-02-09 00:02:48 +01:00
Stuart Thomson 064b2e533c Add variable for extra domains to get LE certs for
I felt that adding another variable was probably going to be the easiest way to do this. I may end up adding another variable to enable this feature, for consistency with some of the other things.
2021-02-06 20:02:39 +13:00
Paul Tötterman 9ad67d7cdf
Upgrade Element (1.7.19 -> 1.7.20)
https://github.com/vector-im/element-web/releases/tag/v1.7.20
https://hub.docker.com/layers/vectorim/element-web/v1.7.20/images/sha256-44cae3a532d86c16940deb70866b522ba6acc8c5d7adf3c661cfc8b06f1de681?context=explore
2021-02-04 16:26:56 +02:00
Aaron Raimist 5cb976c321
Upgrade Element (1.7.18 -> 1.7.19) 2021-02-03 10:07:43 -06:00
Julian Foad d1f28d17bb Allow psql args to be given to matrix-postgres-cli
This passes any arguments given to 'matrix-postgres-cli' to the 'psql' command.

Examples:
  $ # start an interactive shell connected to a given db
  $ sudo matrix-postgres-cli -d synapse
  $ # run a query, non-interactively
  $ sudo matrix-postgres-cli -d synapse -c 'SELECT group_id FROM groups;'
2021-02-03 12:59:21 +00:00
Slavi Pantaleev c4a05b760a Make mautrix bridges not overwrite their config
If they do, our next playbook runs would simply revert it
and report "changed" for that task.

There's no benefit to letting the bridge spew a new config file.

This does not apply to the mautrix whatsapp bridge, because that one
is written in Go (not Python) and takes different flags. There's no
equivalent flag there.
2021-02-03 13:23:18 +02:00
Slavi Pantaleev 889b299bc2
Merge pull request #804 from pushytoxin/matrix-etherpad
Self-hosted Etherpad
2021-01-31 09:55:46 +02:00
Slavi Pantaleev 7804060eee Use Etherpad 1.8.7, not :latest 2021-01-31 09:47:47 +02:00
Slavi Pantaleev 98f9619279
Merge pull request #843 from thomwiggers/update-irc
Update IRC bridge to 0.23.0
2021-01-31 09:26:56 +02:00
o8F0LY 0a0c9a4efc Add double quotes to avoid synatx errors 2021-01-30 22:54:51 +01:00
Thom Wiggers 8de739132a
Update IRC bridge to 0.23.0 2021-01-30 12:47:56 +01:00
Peetz0r e0e459ac0c Fixed missing quotes 2021-01-30 11:58:24 +01:00
Slavi Pantaleev efbffa26bf
Fix typo 2021-01-30 11:37:08 +02:00
Peetz0r 473936065d Use Debian Buster Docker repo on Debian Bullseye
Future maintainer: check on https://docs.docker.com/engine/install/debian/ if Docker for
Debian 11 is released, then undo this commit
2021-01-30 09:02:41 +01:00
Béla Becker 2edc9cb83c Name the Synapse database on state compression import
Fixes:
https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/833
2021-01-28 17:54:02 +01:00
Béla Becker b7261dc098 Etherpad role: Etherpad needs Dimension
The default scalar.vector.im integrations manager doesn't support custom
URL's for etherpad, therefore Dimension needs to be enabled.
2021-01-28 15:11:22 +01:00
Slavi Pantaleev 3ea90ca436 Upgrade Element (1.7.17 -> 1.7.18) 2021-01-28 09:23:23 +02:00
Slavi Pantaleev e7f3f7c431 Enable /devices endpoint for generic workers 2021-01-27 22:18:47 +02:00
Slavi Pantaleev 26b287bd17 Upgrade certbot (1.10.1 -> 1.11.0) 2021-01-27 21:51:46 +02:00
Slavi Pantaleev 1cd2a218de Merge branch 'master' into synapse-workers 2021-01-27 21:41:54 +02:00
Slavi Pantaleev c6feb0b99e Upgrade Synapse (v1.25.0 -> v1.26.0) 2021-01-27 21:41:47 +02:00
Slavi Pantaleev 39c2d72d17 Merge branch 'master' into synapse-workers 2021-01-27 17:12:16 +02:00
Slavi Pantaleev 008049f2a9 Fix mautrix-telegram registration file mistake
Regression since f6097fbba1
2021-01-27 17:11:46 +02:00
Slavi Pantaleev a49dab76f8 Merge branch 'master' into synapse-workers 2021-01-27 15:49:16 +02:00
Slavi Pantaleev e3290d8bcb Remove |to_json causing trouble
Fixes a regression introduced in f6097fbba1, which was cauing Synapse
to die with this error message:

> ValueError: sender_localpart needs characters which are not URL encoded.
2021-01-27 15:48:35 +02:00
Slavi Pantaleev a31c9603fa Merge branch 'master' into synapse-workers 2021-01-27 15:43:56 +02:00
Slavi Pantaleev f6097fbba1 E2BE not working for mautrix bridges
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/806
2021-01-27 15:43:33 +02:00
Slavi Pantaleev 07f1ea24ee Make it possible to override the welcome.html.j2 template used for Element 2021-01-27 12:36:57 +02:00
Slavi Pantaleev d98a1ceadd Merge branch 'master' into synapse-workers 2021-01-27 10:27:17 +02:00
Slavi Pantaleev 512f42aa76 Do not report docker kill/rm attempts as errors
These are just defensive cleanup tasks that we run.
In the good case, there's nothing to kill or remove, so they trigger an
error like this:

> Error response from daemon: Cannot kill container: something: No such container: something

and:

> Error: No such container: something

People often ask us if this is a problem, so instead of always having to
answer with "no, this is to be expected", we'd rather eliminate it now
and make logs cleaner.

In the event that:
- a container is really stuck and needs cleanup using kill/rm
- and cleanup fails, and we fail to report it because of error
suppression (`2>/dev/null`)

.. we'd still get an error when launching ("container name already in use .."),
so it shouldn't be too hard to investigate.
2021-01-27 10:22:46 +02:00
Slavi Pantaleev 869727a402 Add comment to mautrix-facebook bridge regarding alembic migrations 2021-01-27 10:17:48 +02:00
Slavi Pantaleev a9af36841d Merge branch 'master' into synapse-workers 2021-01-27 09:34:29 +02:00
Slavi Pantaleev 346f8b3475
Fix typo 2021-01-26 10:13:08 +02:00
Slavi Pantaleev 26542308b3 Use |to_json in more places in matrix-appservice-discord config
I don't think this was causing an issue, but it might
if the bot token has a more special value in the future.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/828
2021-01-26 10:00:07 +02:00
Béla Becker 42f338016b Etherpad matrix-nginx-proxy configuration 2021-01-26 05:04:47 +01:00
Béla Becker 7bc9be95cb Add map directive to the base of nginx.conf
This needs to be added for WebSocket upgrades to work properly (see doc:
http://nginx.org/en/docs/http/websocket.html)
2021-01-26 05:04:47 +01:00
Béla Becker 38bf1eda70 Etherpad Jitsi integration 2021-01-26 05:04:47 +01:00
Béla Becker 4b451ff782 Etherpad role 2021-01-26 05:04:47 +01:00
Slavi Pantaleev a535226210 Stop/disable unnecessary worker services before deleting them 2021-01-25 15:20:37 +02:00
Slavi Pantaleev dd24942c03
Use |to_json for mautrix-telegram config
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/824
2021-01-25 15:15:27 +02:00
Slavi Pantaleev 778b66876c Merge branch 'master' into synapse-workers 2021-01-25 14:56:55 +02:00
Slavi Pantaleev 70dcdd41a7 Simplify matrix-remove-all
We don't have instantiated services anymore, nor
/etc/systemd/system/matrix-synapse.service.wants/ stuff.
2021-01-25 14:02:30 +02:00
Slavi Pantaleev d3ecc6f017 Fix bridges failing to upload media when Synapse workers are enabled 2021-01-25 13:55:08 +02:00
Slavi Pantaleev 66cdc7bf5a Clean up worker.yaml generation a bit and make it more flexible 2021-01-25 13:02:01 +02:00
Slavi Pantaleev 1462409b34 Fix worker listening addresses
Not specifying bind addresses for the worker resulted in this warning:

> synapse.app - 47 - WARNING - None - Failed to listen on 0.0.0.0, continuing because listening on [::]

Additionally, metrics listening only on 127.0.0.1 seems like a no-op.
Only having it accessible from within the container is likely not what
we intend. Changed that to all interfaces as well.

Whether it actually gets exposed or not depends on the systemd service
and `matrix_synapse_workers_container_host_bind_address`.
2021-01-25 12:29:47 +02:00
Slavi Pantaleev 01747c8cc4 Prevent Synapse warning about enabling metric listeners with enable_metrics: false
> synapse.app.generic_worker - 606 - WARNING - None - Metrics listener configured, but enable_metrics is not True!
2021-01-25 12:24:12 +02:00
Slavi Pantaleev 70796703d3 Run Synapse workers in their own containers
This switches the `docker exec` method of spawning
Synapse workers inside the `matrix-synapse` container with
dedicated containers for each worker.

We also have dedicated systemd services for each worker,
so this are now:
- more consistent with everything else (we don't use systemd
instantiated services anywhere)
- we don't need the "parse systemd instance name into worker name +
port" part
- we don't need to keep track of PIDs manually
- we don't need jq (less depenendencies)
- workers dying would be restarted by systemd correctly, like any other
service
- `docker ps` shows each worker separately and we can observe resource
usage
2021-01-25 12:14:46 +02:00
Slavi Pantaleev 6fc214480c
Fix Signal role using incorrect database string variable
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/823
2021-01-25 10:42:23 +02:00
Slavi Pantaleev da50fb27a0 Whitelist /_matrix/key requests for going to generic workers on the federation port 2021-01-25 09:46:50 +02:00
Slavi Pantaleev 4d62a75f6f Get matrix-corporal to play nicely with a Synapse worker setup
We do this by creating one more layer of indirection.

First we reach some generic vhost handling matrix.DOMAIN.
A bunch of override rules are added there (capturing traffic to send to
ma1sd, etc). nginx-status and similar generic things also live there.

We then proxy to the homeserver on some other vhost (only Synapse being
available right now, but repointing this to Dendrite or other will be
possible in the future).
Then that homeserver-specific vhost does its thing to proxy to the
homeserver. It may or may not use workers, etc.

Without matrix-corporal, the flow is now:
1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf)
2. matrix-nginx-proxy/matrix-synapse.conf
3. matrix-synapse

With matrix-corporal enabled, it becomes:
1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf)
2. matrix-corporal
3. matrix-nginx-proxy/matrix-synapse.conf
4. matrix-synapse

(matrix-corporal gets injected at step 2).
2021-01-25 09:46:41 +02:00
Slavi Pantaleev c05d3d09bd Disable systemd services while stopping them
This removes some `multi-target.wants` symlinks as well, etc.

But despite systemd saying:

> Removed symlink /etc/systemd/system/matrix-synapse.service.wants/matrix-synapse-worker@appservice:0.service

.. I still see such symlinks tehre for me for some reason, so keeping the
code (below) to find & delete them still seems like a good idea.
2021-01-25 08:58:23 +02:00
Slavi Pantaleev 63301b0ef1 Improvements around Synapse worker/metrics ports exposure
There was a `matrix_nginx_proxy_enabled|default(False)` check, but:
- it didn't seem to work reliably for some reason (hmm)
- referring to a `matrix_nginx_proxy_*` variable from within the
  `matrix-synapse` role is not ideal
- exposing always happened on `127.0.0.1`, which may not be good enough
  for some rarer setups (where the own webserver is external to the host)
2021-01-25 08:25:43 +02:00
Slavi Pantaleev f66a6b066b Be more specific with the Redis version being used 2021-01-25 01:34:58 +02:00
Slavi Pantaleev 5ca68210cd Do not handle /_matrix/federation on client-server port, nor /_matrix/client stuff on federation port
I guess it didn't hurt to do it until now, but it's not great serving
federation APIs on the client-server API port, etc.

matrix-corporal doesn't work yet (still something to be solved in the
future), but its firewalling operations will also be sabotaged
by Client-Server APIs being served on the federation port (it's a way to get around its firewalling).
2021-01-24 22:22:57 +02:00
Slavi Pantaleev cc5cf0d725 Load roles/matrix-synapse/vars/workers.yml earlier to not break --tags=setup-nginx-proxy
If we load it at runtime, during matrix-synapse role execution,
it's good enough for matrix-synapse and all roles after that,
but.. it breaks when someone uses `--tags=setup-nginx-proxy` alone.

The downside of including this vars file like this in `setup.yml`
is that the variables contained in it cannot be overriden by the user
(in their inventory's `vars.yml`).
... but it's not like overriding these variables was possible anyway
when including them at runtime.
2021-01-24 20:19:55 +02:00
Slavi Pantaleev 92ee3d78a0 Fix matrix-remove-all for when Synapse workers are enabled 2021-01-24 19:42:32 +02:00
Slavi Pantaleev 8fa913dca7 Fix Ansible warning 2021-01-24 19:11:35 +02:00
Marcel Partap edc21f15e5 Restrict publishing worker (metrics) ports to localhost 2021-01-24 08:53:09 +01:00
Marcel Partap 183adec3d8 Merge remote-tracking branch 'origin/master' into synapse-workers 2021-01-23 15:04:11 +01:00
Marcel Partap c8f051a42d Track workers endpoint list in repo instead of regenerating on user side 2021-01-23 14:44:36 +01:00
Marcel Partap f2c7d79238 Drop probably incorrect comment from synapse homeserver.yaml.j2 2021-01-23 14:44:36 +01:00
Slavi Pantaleev a56cb34850 Notify people if /matrix/postgres/data-auto-upgrade-backup exists 2021-01-23 14:14:45 +02:00
Slavi Pantaleev a2422c458a Notify of remaining matrix-postgres local data in a better way 2021-01-23 14:04:51 +02:00
Slavi Pantaleev 1cd251ed78 Don't delete Docker images which may have been pulled by another
Some people run Coturn or Jitsi, etc., by themselves and disable it
in the playbook.

Because the playbook is trying to be nice and clean up after itself,
it was deleting these Docker images.

However, people wish to pull and use them separately and would rather
they don't get deleted.

We could make this configurable for the sake of this special case, but
it's simpler to just avoid deleting these images.
It's not like this "cleaning things up" thing works anyway.
As time goes on, the playbook gets updated with newer image tags
and we leave so many images behind. If one doesn't run
`docker system prune -a` manually once in a while, they'd get swamped
with images anyway. Whether we leave a few images behind due to the lack
of this cleanup now is pretty much irrelevant.
2021-01-23 14:01:31 +02:00
Slavi Pantaleev f085362149 Fix some Postgres CLI scripts to target the correct database
Fixes a regression introduced in 95346f3117.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/814

Using `matrix_synapse_` variables in the `matrix-postgres` role is not
ideal, but.. this script belongs neither here, nor there.
We'll have it be like that for now.
2021-01-23 11:38:34 +02:00
Slavi Pantaleev 3051655d21
Ensure matrix_appservice_irc_docker_src_files_path created when self-building
The git module will create it anyway, but that would likely use `root:root`.
2021-01-22 22:42:40 +02:00
Panagiotis Georgiadis f10e3fef0d
Merge branch 'master' into irc 2021-01-22 20:30:24 +00:00
Panagiotis Georgiadis e502ee33da
Selfbuild appservice-irc bridge 2021-01-22 21:28:53 +01:00
Slavi Pantaleev f9968b6981 Fix matrix_postgres_connection_password length check 2021-01-22 21:22:58 +02:00
Slavi Pantaleev 2997a7fc3e Make mx-puppet-* bridges not log to files
We log everything in systemd/journald for every service already,
so there's no need for double-logging, bridges rotating log files
manually and other such nonsense.
2021-01-22 19:22:26 +02:00
Slavi Pantaleev f3dd346724 Try to tighten Signal bridge security 2021-01-22 18:56:08 +02:00
Slavi Pantaleev 8ec975e3c8 Use matrix:matrix for Signal bridge (not root) 2021-01-22 18:52:20 +02:00
Slavi Pantaleev 37909aa7a9 Create signald/{avatars,attachments,data} and rename config dir 2021-01-22 18:40:51 +02:00
Slavi Pantaleev 88addd71fc Fix Postgres imports going to the matrix DB by default
Well, they still do go to that DB by default,
but our docs give a better command to users, which would do the right
thing.
2021-01-22 17:39:08 +02:00
Slavi Pantaleev bef0702fea Wait some more when starting Postgres during setup on ARM 2021-01-22 16:21:30 +02:00
Slavi Pantaleev f9c1d62435 Fix Postgres database (-alpine) failing to start on ARM32 2021-01-22 13:52:55 +02:00
Slavi Pantaleev 95346f3117 Reorganize Postgres access (breaking change)
In short, this makes Synapse a 2nd class citizen,
preparing for a future where it's just one-of-many homeserver software
options.

We also no longer have a default Postgres superuser password,
which improves security.

The changelog explains more as to why this was done
and how to proceed from here.
2021-01-22 13:26:12 +02:00
throwawayay a30ef0cc29
Update element-web (1.7.16 -> 1.7.17) 2021-01-20 08:35:07 -05:00
Slavi Pantaleev 024a23ed17 Upgrade mautrix-facebook to the new Postgres-only version
I had intentionally held it back in 39ea3496a4
until:
- it received more testing (there were a few bugs during the
migration, but now it seems OK)
- this migration guide was written
2021-01-20 10:12:51 +02:00
pushytoxin d51ea25219 When validating LE certs, do not wait for a random time
While administering we will occasionally invoke this script interactively with the "non-interactive" switch still there, yet still sit at the desk waiting for 300 seconds for this timer to run out.

The systemd-timer already uses a 3h randomized delay for automatic renewals, which serves this purpose well.
2021-01-19 18:41:45 +01:00
Slavi Pantaleev 39ea3496a4 Downgrade/lock mautrix-facebook to pre-mobile times
The `mobile` branch got merged to `master`, which ends up becoming
`:latest`. It's a "rewrite" of the bridge's backend and only
supports a Postgres database.

We'd like to go back (well, forward) to `:latest`, but that will take
a little longer, because:
- we need to handle and document things for people still on SQLite
(especially those with external Postgres, who are likely on SQLite for
bridges)
- I'd rather test the new builds (and migration) a bit before
releasing it to others and possibly breaking their bridge

Brave ones who are already using the bridge with Postgres
can jump on `:latest` and report their experience.
2021-01-19 18:44:15 +02:00
Slavi Pantaleev c9d96d8135 Fix mautrix-telegram paths creation bug 2021-01-19 09:15:34 +02:00
Slavi Pantaleev 56c54d5cc7 Upgrade matrix-corporal (2.0.1 -> 2.1.0) 2021-01-18 18:23:17 +02:00
Slavi Pantaleev c1008fde44 Upgrade matrix-coturn (4.5.1.3 -> 4.5.2) 2021-01-18 00:41:47 +02:00
Slavi Pantaleev cf06f84608 Upgrade matrix-corporal (2.0.0 -> 2.0.1) 2021-01-17 22:05:26 +02:00
Slavi Pantaleev d95cbe38d7 Rename configuration setting 2021-01-17 18:29:26 +02:00
Slavi Pantaleev 28d86e3aaa Initial work on support for matrix-corporal v2 2021-01-16 23:47:14 +02:00
Slavi Pantaleev 8549926395 Attempt to fix mautrix-whatsapp DB migration user table conflict
Discussed in https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/791
2021-01-15 17:13:47 +02:00
Slavi Pantaleev 1692a28fe4 Work around annoying Docker warning about undefined $HOME
> WARNING: Error loading config file: .dockercfg: $HOME is not defined

.. which appeared in Docker 20.10.
2021-01-15 00:23:01 +02:00
Slavi Pantaleev 26f0bbfdef Fix self-building for matrix-ma1sd on non-version tag/branch
Building `master` or something like this was failing.
2021-01-14 23:57:38 +02:00
Slavi Pantaleev 9e936e45ad Use BuildKit for ma1sd Docker building
Newer versions (`master`) use things like `--platform=...`,
which are not supported unless we enable the new BuildKit building
backend.
2021-01-14 23:48:30 +02:00
Slavi Pantaleev e1690722f7 Replace cronjobs with systemd timers
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/756

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/737

I feel like timers are somewhat more complicated and dirty (compared to
cronjobs), but they come with these benefits:

- log output goes to journald
- on newer systemd distros, you can see when the timer fired, when it
will fire, etc.
- we don't need to rely on cron (reducing our dependencies to just
systemd + Docker)

Cronjobs work well, but it's one more dependency that needs to be
installed. We were even asking people to install it manually
(in `docs/prerequisites.md`), which could have gone unnoticed.

Once in a while someone says "my SSL certificates didn't renew"
and it's likely because they forgot to install a cron daemon.

Switching to systemd timers means that installation is simpler
and more unified.
2021-01-14 23:35:50 +02:00
Slavi Pantaleev 05ca9357a8 Add .service suffix to systemd units list
We'll be adding `.timer` units later on, so it's good to be
more explicit.
2021-01-14 23:02:10 +02:00
Slavi Pantaleev 653d1d7924 Revert "Don't self-build ma1sd every time unless git sources changed"
This reverts commit 2a25b63bb6.

Looking at other roles, we trigger building regardless of this.
It's better to always trigger it, because it's less fragile.
If the build fails and we only trigger it on "git changes"
then we won't trigger it for a while. That's not good.

Triggering it each and every time may seem like a waste,
but it supposedly runs quickly due to Docker caching.
2021-01-14 22:20:51 +02:00
Slavi Pantaleev 6f5aaad48d Split install/uninstall tasks in matrix-coturn 2021-01-14 22:11:38 +02:00
Slavi Pantaleev 57ea43d8b0 Remove unused variable
This variable has been useless since 2019-01-08.
We probably don't need to check for its usage anymore,
given how much time has passed since then, but ..
2021-01-14 17:47:13 +02:00
Slavi Pantaleev 7a90eb6d4f Relocate some validation tasks 2021-01-14 17:00:46 +02:00
Slavi Pantaleev 67dc5237c5
Merge pull request #794 from drpaneas/appservice_slack_rebuild
Selfbuild appservice-slack bridge
2021-01-14 10:47:31 +02:00
Slavi Pantaleev 862a6276a0
Do not pull appservice-slack when self-building 2021-01-14 10:47:23 +02:00
Slavi Pantaleev b15da29ebb Bump Synapse to v1.25.0 for ARM 2021-01-14 10:41:47 +02:00
Panagiotis Georgiadis a66a604e53
Selfbuild appservice-slack bridge 2021-01-14 01:29:11 +01:00
Slavi Pantaleev 2a25b63bb6 Don't self-build ma1sd every time unless git sources changed 2021-01-13 20:14:47 +02:00
Slavi Pantaleev a5a44a9d3f
Merge pull request #786 from drpaneas/rebuild_telegram
Local rebuild for Telegram
2021-01-13 18:01:15 +02:00
Slavi Pantaleev 52fa7e576b
Fix path typo 2021-01-13 18:00:32 +02:00
Slavi Pantaleev 5fa30cdfcb
Ensure matrix_mautrix_facebook_docker_src_files_path created
Before we potentially clone to that path, we'd better make sure it exists.

We also simplify `when` statements a bit.
Given that we're in `setup_install.yml`, we know that the bridge is enabled,
so there's no need to check for that.
2021-01-13 17:59:46 +02:00
Slavi Pantaleev 568cb3d86f Upgrade matrix-mailer (4.93-r0 -> 4.93-r1)
This is a bit misleading, because the old Docker image
was tagged as `4.93.1`. There hasn't been a `4.93.1` version yet though.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/792
2021-01-13 17:37:31 +02:00
Slavi Pantaleev 24100342e1 Tell people that federation_ip_range_blacklist is gone
Related to d5945c6e78
2021-01-13 13:47:51 +02:00
Slavi Pantaleev d5945c6e78 Upgrade Synapse (v1.24.0 -> v1.25.0) for amd64 2021-01-13 13:02:49 +02:00
Panagiotis Georgiadis 999fd2596f
Local rebuild for Telegram 2021-01-12 19:29:50 +01:00
Slavi Pantaleev 0b260a133f Add matrix-aux role to help with managing auxiliary files/directories 2021-01-11 22:32:52 +02:00
Will 5b0761bf40
Create list_tokens.yml 2021-01-09 08:52:02 -08:00
Will 1468010194
Update main.yml 2021-01-09 08:50:34 -08:00
Marcel Partap cd8100544b Merge remote-tracking branch 'origin/master' into synapse-workers
Sync with upstream
2021-01-08 20:58:50 +01:00
Slavi Pantaleev f7ae050eaf Remove useless quotes around ssl_ciphers value
Not sure if it breaks with them or not, but no other directive
uses quotes and the nginx docs show examples without quotes,
so we're being consistent with all of that.
2021-01-08 21:22:44 +02:00
Slavi Pantaleev 5822ba0c01 Use a more natural if statement 2021-01-08 21:21:33 +02:00
Slavi Pantaleev de6ecd8818
Update inaccurate comments 2021-01-08 21:15:14 +02:00
Agustin Ferrario 5156c63a76 Clean up code
Code was clean up and simplified to make it simpler and easier to
maintain. No features were modified.
2021-01-08 18:35:27 +01:00
Agustin Ferrario 25d423e6b6 Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent
naming.

`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.

The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
2021-01-08 11:32:10 +01:00
Agustin Ferrario 3cb71e7e84 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2021-01-03 13:18:21 +01:00
Slavi Pantaleev 6cce5383bc Fix Ansible 2.9.6 check
Fixup for https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/769
2021-01-03 08:55:30 +02:00
Slavi Pantaleev 2c09111a3a Actually enforce that we run on Ansible >= 2.7.1
Related to 6e652e10ad
2021-01-03 08:54:17 +02:00
Slavi Pantaleev 8710883064
Merge pull request #743 from pushytoxin/docker_network
Drop the old workaround for an Ansible bug that has been fixed three years ago
2021-01-03 08:49:09 +02:00
Slavi Pantaleev cd2d2f594a
Merge pull request #686 from laszabine/signal
Added a role for the bridge mautrix-signal
2021-01-03 08:25:01 +02:00
Slavi Pantaleev 3b524ee815 Make mautrix-signal bridge not log to files
We try to only use console logging (going to journald) for everything,
instead of logging things twice (or more).
2021-01-03 08:20:43 +02:00
Slavi Pantaleev 274f23f668 Make matrix-mautrix-signal-daemon.service depend on docker.service 2021-01-03 08:16:49 +02:00
Slavi Pantaleev da2a6682b3 Get rid of matrix_mautrix_signal_configuration_permissions
While it's kind of nice having it, it's also somewhat raw
and unnecessary.

Having a good default and not even mentioning it seems better
for most users.

People who need a more exposed bridge (rare) can use
override the default configuration using
`matrix_mautrix_signal_configuration_extension_yaml`.
2021-01-03 08:06:32 +02:00
Slavi Pantaleev df8d9cfd34 Remove some TODOs
The answer to these is: it's good to have them in both places.
The role defines the obvious things it depends on (not knowing
what setup it will find itself into), and then
`group_vars/matrix_servers` "extends" it based on everything else it
knows (the homeserver being Synapse, whether or not the internal
Postgres server is being used, etc.)
2021-01-03 07:46:55 +02:00
Slavi Pantaleev 4805637181 Add support for custom ma1sd view sesion templates 2021-01-03 07:36:09 +02:00
Slavi Pantaleev f84c69c164 Relocate custom ma1sd threepid email templates to config/
We used to store them in data/, but that seems inappropriate,
since it's just static configuration that the playbook can recreate.
2021-01-03 07:35:13 +02:00
Slavi Pantaleev b5812b539b Rename ma1sd custom email template variable
Keeps up with a1f64f5159 (diff-0ccf69eb4d59a7645eb4d0a0b077e693948edb33ad06df043bba3fb30122879b)
2021-01-03 00:58:31 +02:00
Slavi Pantaleev fb83eccf99 Relocate SQL template file 2021-01-03 00:58:31 +02:00
Sabine Laszakovits 84cac25c11 added config data_dir (else in ~, which isn't set) 2021-01-02 19:01:21 +01:00
Sabine Laszakovits 56af2b1a8c small fixes 2021-01-02 00:56:45 +01:00
Sabine Laszakovits 89f7f3c3b8 added log level configuration 2021-01-02 00:55:55 +01:00
Sabine Laszakovits ffb837d4bc made the bridge use the default postgres db 2021-01-02 00:39:11 +01:00
Sabine Laszakovits a06c58c753 Merge branch 'master' into signal 2021-01-01 21:05:00 +01:00
Slavi Pantaleev 1ed991e25c
Merge pull request #769 from aaronraimist/check-for-buggy-ansible
Check for buggy version of Ansible that Ubuntu 20.04 provides
2020-12-29 11:19:37 +02:00
Slavi Pantaleev 86da489b9b Never fail when stopping systemd service during (SQLite -> Postgres) migration
We need to suppress systemd service-stopping requests in certain rare
cases like https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/771

That issue seems to describe a case, where a migration from mxisd to
ma1sd was happening (DB files had just been moved), and then we were
attemping to stop `matrix-ma1sd.service` so we could import that database into
Postgres. However, there's neither `matrix-mxisd.service`, nor
`matrix-ma1sd.service` after `migrate_mxisd.yml` had just run, so
stopping `matrix-ma1sd.service` was failing.
2020-12-29 10:31:20 +02:00
Aaron Raimist 8827a49e21
Check equality properly 2020-12-26 20:20:00 -06:00
Aaron Raimist 3dd0517f04
Check for buggy version of Ansible that Ubuntu 20.04 provides 2020-12-26 20:13:49 -06:00
Slavi Pantaleev a2a4218e95 Make mautrix-python-based bridges E2EE happier
Fixes a problem like this:
> File "/usr/lib/python3.8/site-packages/mautrix/bridge/e2ee.py", line 79, in __init__
> raise RuntimeError("Unsupported database scheme")

mautrix-python's e2ee.py module expects to find `postgres://` instead of
`postgresql://`.
2020-12-23 15:39:12 +02:00
Slavi Pantaleev 80c72615c7 Fixup all Dimension boolean fields after pgloader import
This is 8b6174786b done right. There were many more fields
that we had to account for.
2020-12-23 14:12:11 +02:00
Slavi Pantaleev 21662af3be Archive database only after additional_psql_statements_list had executed 2020-12-23 14:12:11 +02:00
Stuart Mumford 019a4d7dcd Use role relative paths for things 2020-12-23 11:34:48 +00:00
Slavi Pantaleev be0c599565 Feed more slashes to mautrix bridges when using SQLite
This makes the `sqlite://` URI match what we were using before
and what the config expects.
2020-12-23 13:33:25 +02:00
Slavi Pantaleev 8b6174786b Fixup Dimension database schema a bit after pgloader import 2020-12-23 12:57:43 +02:00
Slavi Pantaleev c5f8b1f61b Fix mautrix-whatsapp Postgres connection string to not use SSL by default 2020-12-23 11:40:22 +02:00