Commit graph

80 commits

Author SHA1 Message Date
Slavi Pantaleev b79db89221 Improve wording a bit 2019-02-15 10:03:33 +02:00
Slavi Pantaleev fcdc2a6c4f Fix incomplete sentence 2019-02-15 10:01:10 +02:00
Slavi Pantaleev eb08e20418 Upgrade Synapse (0.99.0 -> 0.99.1) and sync config
`matrix_synapse_no_tls` is now implicit, so we've gotten rid of it.

The `homeserver.yaml.j2` template has been synchronized with the
configuration generated by Synapse v0.99.1 (some new options
are present, etc.)
2019-02-14 18:40:55 +02:00
Slavi Pantaleev 70b2f07fec Add PostgreSQL backup information 2019-02-09 14:36:47 +02:00
Slavi Pantaleev 46accfdb3c Add guide about certificates for other domains
We had something like that on the Server Delegation how-to page,
but it's better if we have it on the SSL certificates page.

Relocated there and improved linking.

Fixes #94 (Github Issue)
2019-02-08 11:59:00 +02:00
Slavi Pantaleev f4fa03d4b9 Re-iterate where one can find the well-known files 2019-02-07 19:43:00 +02:00
Slavi Pantaleev ef903fe544 Add some quick links 2019-02-06 13:30:24 +02:00
Slavi Pantaleev e9cfcb8429 Fix another YAML indentation problem on documentation page 2019-02-06 13:04:19 +02:00
Slavi Pantaleev 92aa5bfa2d Fix YAML indentation on documentation page 2019-02-06 13:03:26 +02:00
Slavi Pantaleev 33726cdb08 Fix anchor 2019-02-06 13:02:17 +02:00
Slavi Pantaleev 5148f8edf4 Update docs 2019-02-06 09:36:03 +02:00
Slavi Pantaleev 91a757c581 Add support for reloading Synapse 2019-02-06 09:25:13 +02:00
Slavi Pantaleev 772154f3b9 Update Server Delegation docs a bit 2019-02-05 13:38:20 +02:00
Slavi Pantaleev b540427974 Mention alternative ways to do Server Delegation 2019-02-05 13:02:15 +02:00
Slavi Pantaleev f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Plailect 29b40b428a
Database files must be stored on permanent storage 2019-02-01 11:44:06 -05:00
Slavi Pantaleev 5e8a7fd05b Update own-webserver guide and add sample Apache configuration
This supersedes #59 (Github Pull Request),
which was greatly beneficial in creating our sample Apache configuration.
2019-02-01 16:58:11 +02:00
Slavi Pantaleev 8681a5dc69 Add 'none' SSL certificate retrieval method 2019-02-01 16:50:25 +02:00
Slavi Pantaleev e09b7435d1 Update documentation a bit 2019-02-01 12:26:43 +02:00
Slavi Pantaleev cd332d9b4e Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
2019-02-01 11:49:22 +02:00
Slavi Pantaleev a9fae8e3b1 Revert "Use native OpenSSL module to generate passkey.pem"
This reverts commit 0dac5ea508.

Relying on pyOpenSSL is the Ansible way of doing things, but is
impractical and annoying for users.

`openssl` is easily available on most servers, even by default.
We'd better use that.
2019-01-31 20:45:14 +02:00
Plailect 0dac5ea508
Use native OpenSSL module to generate passkey.pem 2019-01-31 11:38:54 -05:00
Plailect 0a2a8e118c
Update example configuration and documentation 2019-01-31 11:05:27 -05:00
Plailect 1c057bf06d
Correct variable name in documentation 2019-01-31 10:58:45 -05:00
Plailect 3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev 51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00
Slavi Pantaleev 9a9b7383e9 Completely redo how mxisd configuration gets generated
This change is provoked by a few different things:

- #54 (Github Pull Request), which rightfully says that we need a
way to support ALL mxisd configuration options easily

- the upcoming mxisd 1.3.0 release, which drops support for
property-style configuration (dot-notation), forcing us to
redo the way we generate the configuration file

With this, mxisd is much more easily configurable now
and much more easily maintaneable by us in the future
(no need to introduce additional playbook variables and logic).
2019-01-11 19:33:54 +02:00
Slavi Pantaleev 5135c0cc0a Add Ansible guide and Ansible version checks
After having multiple people report issues with retrieving
SSL certificates, we've finally discovered the culprit to be
Ansible 2.5.1 (default and latest version on Ubuntu 18.04 LTS).

As silly as it is, certain distributions ("LTS" even) are 13 bugfix
versions of Ansible behind.

From now on, we try to auto-detect buggy Ansible versions and tell the
user. We also provide some tips for how to upgrade Ansible or
run it from inside a Docker container.

My testing shows that Ansible 2.4.0 and 2.4.6 are OK.
All other intermediate 2.4.x versions haven't been tested, but we
trust they're OK too.

From the 2.5.x releases, only 2.5.0 and 2.5.1 seem to be affected.
Ansible 2.5.2 corrects the problem with `include_tasks` + `with_items`.
2019-01-03 16:24:14 +02:00
Slavi Pantaleev 76506f34e0 Make media-store restore work with server files, not local
This is a simplification and a way to make it consistent with
how we do Postgres imports (see 6d89319822), using
files coming from the server, not from the local machine.

By encouraging people NOT to use local files,
we potentially avoid problems such as #34 (Github issue),
where people would download `media_store` to their Mac's filesystem
and case-sensitivity issues will actually corrupt it.

By not encouraging local files usage, it's less likely that
people would copy (huge) directories to their local machine like that.
2019-01-01 15:57:50 +02:00
Slavi Pantaleev 543b98d24c Update documentation 2019-01-01 15:35:33 +02:00
Slavi Pantaleev 4c2e1a0588 Make SQLite database import work with server files, not local
This is a simplification and a way to make it consistent with
how we do Postgres imports (see 6d89319822), using
files coming from the server, not from the local machine.
2019-01-01 15:21:52 +02:00
Slavi Pantaleev 6d89319822 Add support for importing an existing Postgres database 2019-01-01 14:45:37 +02:00
Slavi Pantaleev c48e31381d Add minimum version requirement for Ansible 2018-12-29 15:31:05 +02:00
Slavi Pantaleev d28bdb3258 Add support for 2 more SSL certificate retrieval methods
Adds support for managing certificates manually and for
having the playbook generate self-signed certificates for you.

With this, Let's Encrypt usage is no longer required.

Fixes Github issue #50.
2018-12-23 11:00:12 +02:00
Slavi Pantaleev 4fd8b66b6e Update documentation about email configuration (relayhost brackets)
Relay hostnames that have MX records are looked up by postfix
and the MX record's payload is used instead.

This special behavior may be undesirable, so we make sure to
point it out.
2018-12-13 16:32:10 +09:00
Slavi Pantaleev 2b2409bf1e Update documentation about email configuration
This makes it explicit that outgoing traffic (25/587) needs
to be let through, as well as documenting how to debug
other non-delivery issues.
2018-12-13 15:19:01 +09:00
Aaron Raimist 92ef6986a2
Link to Synapse Homeowners room 2018-12-11 10:15:09 -06:00
Slavi Pantaleev 9dad4c7c2d Fix /.well-known/matrix/client for CORS
This is provoked by Github issue #46.

No client had made use of the well-known mechanism
so far, so the set up performed by this playbook was not tested
and turned out to be a little deficient.

Even though /.well-known/matrix/client is usually requested with a
simple request (no preflight), it's still considered cross-origin
and [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
applies. Thus, the file always needs to be served with the appropriate
`Access-Control-Allow-Origin` header.

Github issue #46 attempts to fix it at the "reverse-proxying" layer,
which may work, but would need to be done for every server.
It's better if it's done "upstream", so that all reverse-proxy
configurations can benefit.
2018-11-29 09:13:25 +02:00
Thomas vO bb849bd34f Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into new-cmds 2018-11-28 11:03:47 +01:00
Thomas vO caba16ea0d add script + doc to remove everything 2018-11-28 11:02:51 +01:00
Thomas vO 2bdc35de63 add script + doc to change a user to admin 2018-11-28 11:02:15 +01:00
Slavi Pantaleev 3fec9dfa0e Add LDAP auth password provider documentation and changelog description 2018-11-28 11:21:03 +02:00
Slavi Pantaleev 5533db8a28 Add a note about trying to use local PostgreSQL instances 2018-11-26 07:27:53 +02:00
Slavi Pantaleev 733b806833 Annotate certain features as optional/advanced
We've had some people get confused into installing
Matrix Corporal and having pain with that.

With this documentation change, we try to make it clearer
that it's an advanced feature not to be touched unless
you know what you're doing.

On a similar note, we also make sure other things are properly
labeled as "(optional)" and/or "(advanced)".
2018-11-26 07:23:42 +02:00
Aaron Raimist d260b17508
Add initial version of maintenance and troubleshooting doc 2018-11-14 14:34:24 -06:00
Aaron Raimist a1609ce6e4
Link to the restoring media store guide
It isn't below anymore
2018-11-12 19:11:47 -06:00
TheForcer 20bba449c4
Updated "Controlling Matrix federation" link
Missing file ending results in 404
2018-11-04 00:30:17 +01:00
Slavi Pantaleev 3bccec63b4 Add details about the telemetry data that gets sent (if enabled) 2018-11-01 18:40:45 +02:00