Commit graph

1212 commits

Author SHA1 Message Date
Slavi Pantaleev 8d774db3bc Indicate that Ubuntu Bionic (18.04) is not supported yet
We have 2 blockers that prevent us from adding support:

- the Docker CE repository does not publish a `docker-ce` package
in the `stable` channel. It's still in `edge`
(can be worked around by using `edge`, but we'd better not)

- Docker bind propagation has troubles on Docker CE 18.05,
which breaks matrix-synapse.service from starting, as it wants to do
a `:slave` mount. See https://github.com/moby/moby/issues/37032
2018-05-29 09:25:30 +03:00
Slavi Pantaleev 7527929824 Update README to reflect recent changes 2018-05-28 20:53:02 +03:00
Slavi Pantaleev d107ab2540 Add support for upgrading Postgres
Since cbee084ac1, this playbook supports Postgres 10.x,
but keeps existing Postgres-9.x installs on 9.x.

This playbook can now also be ran with `--tags=upgrade-postgres`
to make it upgrade from Postgres 9.x to 10.x (or other versions
in the future).
2018-05-28 20:40:42 +03:00
Slavi Pantaleev cbee084ac1 Use Postgres 10.x by default (only for new installs)
This playbook just tries to avoid trying to setup a Postgres 10
database with existing 9.x files, as that makes Postgres complain.

Due to this, existing installs (still on 9.x) are detected
and left on Postgres 9.x.
They need to be upgraded to Postgres 10.x manually.
2018-05-28 20:16:02 +03:00
Slavi Pantaleev f1b4730e82 Update Docker images 2018-05-26 12:25:09 +03:00
Slavi Pantaleev b3e62126db Switch Docker image to official one
Switching from from avhost/docker-matrix (silviof/docker-matrix)
to matrixdotorg/synapse.

The avhost/docker-matrix (silviof/docker-matrix) image used to bundle
in the coturn STUN/TURN server, so as part of the move,
we're separating this to a separately-ran service
(matrix-coturn.service, powered by instrumentisto/coturn-docker-image)
2018-05-25 21:58:53 +03:00
Slavi Pantaleev 3af3ef48fc Make .log.config modifications respect whitespace
A `.log.config` file may be generated with a different
level of indentation depending on which (Docker image, etc.)
generates it.

With this patch, we tolerate different levels of indentation
(2 spaces, 4 spaces, etc.) and don't break the configuration.
2018-05-25 13:15:17 +03:00
Slavi Pantaleev 67a98e51d9 Make the riot-web container run without root privileges 2018-05-14 14:31:43 +03:00
Slavi Pantaleev bd580d3b9a Update dependencies 2018-05-14 14:31:00 +03:00
Slavi Pantaleev a367172b67 Update dependencies 2018-04-28 13:38:44 +03:00
Slavi Pantaleev 7de11261b1 Update Docker images 2018-04-11 18:51:32 +02:00
Slavi Pantaleev af54d60b0f Update Docker images 2018-04-03 18:49:05 +03:00
Slavi Pantaleev 5d9ddd1627 Update Docker images 2018-03-16 10:22:09 +02:00
Slavi Pantaleev efc78fb9d3 Switch from s3fs to Goofys
Improves performance of media store operations.
2018-02-20 21:36:08 +02:00
Slavi Pantaleev db686c3f8e Update dependencies 2018-02-13 23:19:50 +02:00
Slavi Pantaleev edd97d33c1 Fix README instructions typo about Ansible host_vars 2018-01-17 15:57:01 +02:00
Slavi Pantaleev bfca91ac1f Switch Matrix Docker images (silviof -> AVENTER-UG)
Silvio announced that he's no longer maintaining his images,
so we're jumping to AVENTER-UG's fork.
2018-01-10 22:11:32 +02:00
Slavi Pantaleev 4e09499286 Fix typo 2018-01-10 12:10:56 +02:00
Slavi Pantaleev 534f78f9d0 Update Docker image versions 2017-12-07 22:53:43 +02:00
Slavi Pantaleev d14ef08d5b Fix SSL certificate renewal for the custom-proxy-server case
When using matrix-nginx-proxy, the file permissions are organized
in a way that matrix-nginx-proxy could read the challenge files
produced by acmetool.

However, when another own/external webserver was used (like nginx
with our generated sample configuration), this could not work.
From on we're proxying the HTTP requests to port :402 in such a case,
which fixes the problem.
2017-12-01 12:07:27 +01:00
Slavi Pantaleev f476e49e64 Make SSL renewal time configurable and nginx-proxy reload time adequate
The matrix-nginx-proxy was reloaded on the 3rd day of the month (`15 4 3 * *`),
which makes no sense - it's too infrequently.

It's in line with the renewal time now (+5 minutes).
2017-11-11 10:38:38 +02:00
Slavi Pantaleev 57e4f12ad3 Add support for using a pre-configured Macaroon secret key 2017-10-24 15:29:19 +09:00
Slavi Pantaleev dd5cabf658 Make /matrix owned by matrix:matrix 2017-10-24 13:01:11 +09:00
Slavi Pantaleev 19e191f0bd Do not assign Docker container name for certificate renewal
Prevents clashes with other services like this one.
2017-10-16 08:42:27 +03:00
Slavi Pantaleev 1c2d59ae91 Stop using patched synapse_port_db script
The non-working script is supposed to be fixed
by https://github.com/matrix-org/synapse/pull/2375

To have it work, we'd need an updated Docker image
of `silviof/matrix-riot-docker:latest`, which is not yet available
at the time of this commit.

Still, the previous patched synapse_port_db didn't work well either,
so it's not like we're regressing much by getting rid of it.
2017-10-14 09:58:06 +03:00
Slavi Pantaleev 7133418dc3 Fix README omission related to S3 setup 2017-10-14 09:55:47 +03:00
Slavi Pantaleev 767b321f60 Do not mount certain Docker volumes as read-write unnecessarily 2017-10-01 11:36:30 +03:00
Slavi Pantaleev 2906ec3045 Fix SSL-renewal problem caused by incorrect permissions 2017-10-01 11:26:20 +03:00
Slavi Pantaleev 3a5f82267b Do not use Let's Encrypt certificate for Synapse's federation port
As described here (
https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711
), using own SSL certificates for the federation port is more fragile,
as renewing them could cause federation outages.

The recommended setup is to use the self-signed certificates generated
by Synapse.

On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt
certificates, which ensures API consumers work without having to trust
"our own CA".

Having done this, we also don't need to ever restart Synapse anymore,
as no new SSL certificates need to be applied there.

It's just matrix-nginx-proxy that needs to be restarted, and it doesn't
even need a full restart as an "nginx reload" does the job of swithing
to the new SSL certificates.
2017-09-23 15:29:15 +03:00
Slavi Pantaleev 6962bfcc42 Add support for not taking over a server (no matrix-nginx-proxy) and disabling Riot 2017-09-12 12:41:44 +03:00
Slavi Pantaleev b3a8698734 Update README 2017-09-12 00:37:18 +03:00
Slavi Pantaleev cb323f5b4c Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl
Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows for Riot to be disabled for the playbook some time later
  and still have the code not break
2017-09-11 23:50:14 +03:00
Slavi Pantaleev ded7c274f6 Add support for Debian (9+) and Ubuntu (16.04+) 2017-09-11 23:24:05 +03:00
Slavi Pantaleev 13ab9eb238 Do not touch hostname and timezone
Let's let the admin set them as they wish.
We don't care what they are anyway.

If other things run on the same server,
it's also better not to hijack these for our
own purposes, especially when we don't need to.

The timedatectl call also seems to fail on Ubuntu 17.04
for some reason (missing timezones information file?).
2017-09-11 22:55:05 +03:00
Slavi Pantaleev 7c049be11a Update postgres and nginx 2017-09-11 22:16:51 +03:00
Slavi Pantaleev f422e379c2 Do not try to start postgres when it's external 2017-09-11 00:58:22 +03:00
Slavi Pantaleev ab1a9fd87e Add support for using an external PostgreSQL server 2017-09-08 17:24:27 +03:00
Slavi Pantaleev f6be25a6ae Fix idempotency problem when getting rid of S3 setup 2017-09-08 16:34:40 +03:00
Slavi Pantaleev ac59192696 Do not leave containers behind after matrix-postgres-cli usage 2017-09-08 14:18:12 +03:00
Slavi Pantaleev 49e5dad86d Do not do the S3 setup so early
It was never intended to be there, but was while testing/development
and got forgotten later.
2017-09-08 10:50:31 +03:00
Slavi Pantaleev 0f43abb91d Do not assume /usr/local/bin is always on the PATH 2017-09-08 10:47:12 +03:00
Slavi Pantaleev 9c68b057b0 Add support for storing Matrix Synapse's media_store to Amazon S3 2017-09-07 18:26:41 +03:00
Slavi Pantaleev 9b97ab6a90 Do not wastefully preserve owner/group when importing media store files 2017-09-07 12:27:32 +03:00
Slavi Pantaleev 0f723c9574 Ensure media store files are owned by the correct user/group after importing (recursively) 2017-09-07 12:24:04 +03:00
Slavi Pantaleev a6760f4469 Ensure media store files are owned by the correct user/group after importing 2017-09-07 12:23:22 +03:00
Slavi Pantaleev ea91ef7fb2 Move media_store & logs out of /data. Allow logging to be configured
The goal is to allow these to be on separate partitions
(including remote ones in the future).

Because the `silviof/docker-matrix` image chowns
everything to MATRIX_UID:MATRIX_GID on startup,
we definitely don't want to include `media_store` in it.
If it's on a remote FS, it would cause a slow startup.

Also, adding some safety checks to the "import media store"
task, after passing a wrong path to it on multiple occassions and
wondering what's wrong.

Also, making logging configurable. The default of keeping 10x100MB
log files is likely excessive and people may want to change that.
2017-09-07 12:12:31 +03:00
Slavi Pantaleev 2bb8bb96d4 Add support for configuring max_upload_size 2017-08-30 12:07:03 +03:00
Slavi Pantaleev b046052aed Switch from playbook vars to role defaults
By using role defauts, we can have inventory variables
which overide the defaults.
2017-08-30 12:05:13 +03:00
Slavi Pantaleev ce3c31eb41 Adjust x_forwarded setting for the plain (8008) port
Port 8008 is forwarded in our case, so unless we adjust
`x_forwaded` for it, Docker's local network IPs are
logged/displayed for devices.

The TLS port (8448) is not proxied in our setup,
so its `x_forwarded` setting remains `false`.
2017-08-12 18:32:24 +03:00
Slavi Pantaleev 1cd227b699 Increase max body size for the nginx proxy
Otherwise, we can't support large media file uploads.
2017-08-12 15:39:21 +03:00