Commit graph

51 commits

Author SHA1 Message Date
Aine e149f33140
add/unify 'Project source code URL' link across all roles 2022-07-16 23:59:21 +03:00
Slavi Pantaleev 5963a387f0 Upgrade Postgres (14.3 -> 14.4) 2022-06-22 14:43:55 +03:00
Aine 4109dc3bcd
Update Postgres (CVE-2022-1552 + last 9.x update)
CVE: https://security-tracker.debian.org/tracker/CVE-2022-1552
Source: https://www.postgresql.org/about/news/postgresql-143-137-1211-1116-and-1021-released-2449/
Postgres 9.6 upgrade (**not a CVE fix, 9.x still vulnerable**): https://www.postgresql.org/docs/release/9.6.24/
2022-05-16 19:56:54 +00:00
Slavi Pantaleev d5de1e8352 Document that using an external Postgres server has serious downsides
Related to:

- https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1682
- https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1679
2022-03-08 09:30:20 +02:00
Aaron Raimist f0e30c76f3
Postgres Minor Updates (14.2, 13.6, 12.10, 11.15, 10.20) 2022-02-16 09:22:25 +00:00
Marko Weltzer 7e5b88c3b7 fix: all praise the allmighty yamllinter 2022-02-05 21:32:54 +01:00
Aaron Raimist 61b743f86d
Postgres Minor Updates (14.1, 13.5, 12.9, 11.14, 10.19) 2021-11-14 19:10:56 +00:00
Slavi Pantaleev 09ac950d17 Fix dump importing (backup restore) into Postgres v14
In short, the problem is that older Postgres versions store passwords
hashed as md5. When you dump such a database, the dump naturally also
contains md5-hashed passwords.
Restoring from that dump used to create users and updates their passwords
with these md5 hashes.
However, Postgres v14 prefers does not like md5-hashed passwords now (by default),
which breaks connectivity. Postgres v14 prefers `scram-sha-256` for
authentication.

Our solution is to just ignore setting passwords (`ALTER ROLE ..`
statements) when restoring dumps. We don't need to set passwords as
defined in the dump anyway, because the playbook creates users
and manages their passwords by itself.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1340
2021-10-21 16:38:56 +03:00
Slavi Pantaleev 096c960b84 Add support for Postgres v14 2021-10-01 11:27:40 +03:00
sakkiii 48548eb561
Postgres Minor Updates 2021-08-22 18:45:25 +05:30
sakkiii d338090f00
postgres minor updates 2021-06-30 10:00:52 +05:30
Ahmad Haghighi e335f3fc77 rename matrix_global_registry to matrix_container_global_registry_prefix related to #990
Signed-off-by: Ahmad Haghighi <haghighi@fedoraproject.org>
2021-04-12 17:23:55 +04:30
Ahmad Haghighi f52a8b6484 use custom docker registry 2021-04-12 17:23:55 +04:30
Slavi Pantaleev 5cfeae806b Merge branch 'master' into synapse-workers 2021-02-14 13:00:57 +02:00
Slavi Pantaleev 7d39e5153a Upgrade Postgres minor versions 2021-02-14 09:12:29 +02:00
Marcel Partap 183adec3d8 Merge remote-tracking branch 'origin/master' into synapse-workers 2021-01-23 15:04:11 +01:00
Slavi Pantaleev bef0702fea Wait some more when starting Postgres during setup on ARM 2021-01-22 16:21:30 +02:00
Slavi Pantaleev f9c1d62435 Fix Postgres database (-alpine) failing to start on ARM32 2021-01-22 13:52:55 +02:00
Slavi Pantaleev 95346f3117 Reorganize Postgres access (breaking change)
In short, this makes Synapse a 2nd class citizen,
preparing for a future where it's just one-of-many homeserver software
options.

We also no longer have a default Postgres superuser password,
which improves security.

The changelog explains more as to why this was done
and how to proceed from here.
2021-01-22 13:26:12 +02:00
Marcel Partap cd8100544b Merge remote-tracking branch 'origin/master' into synapse-workers
Sync with upstream
2021-01-08 20:58:50 +01:00
Slavi Pantaleev ad1425eee4 Add pgloader self-building support (for ARM) 2020-12-23 09:08:54 +02:00
Slavi Pantaleev dd797ba6a7 Fix Postgres database importing/upgrading conflicts
We were running into conflicts, because having initialized
the roles (users) and databases, trying to import leads to
errors (role XXX already exists, etc.).

We were previously ignoring the Synapse database (`homeserver`)
when upgrading/importing, because that one gets created by default
whenever the container starts.

For our additional databases, it's a similar situation now.
It's not created by default as soon as Postgres starts with an empty
database, but rather we create it as part of running the playbook.

So we either need to skip those role/database creation statements
while upgrading/importing, or to avoid creating the additional database
and rely on the import for that. I've gone for the former, because
it's already similar to what we were doing and it's simpler
(it lets `setup_postgres.yml` be the same in all scenarios).
2020-12-14 22:28:20 +02:00
Slavi Pantaleev cb969c6ca2 Add --tags=import-generic-sqlite-db (pgloader import)
This can be used by various bridges, etc., to import an SQLite
(or some other supported) database into Postgres.
2020-12-14 02:23:29 +02:00
Slavi Pantaleev 183d2a10db Ensure matrix-postgres.service is started before creating additional users/databases 2020-12-14 00:59:59 +02:00
Slavi Pantaleev 46a4034d3e Use "password" for additional Postgres databases, not "pass"
Being more explicit sounds better.
2020-12-14 00:43:03 +02:00
Slavi Pantaleev 0641106370 Allow username of additional Postgres databases to be different
We'll most likely use one that matches the database name, but
it's better to have it configurable.
2020-12-13 22:37:04 +02:00
Slavi Pantaleev dac0d3a682 Add default matrix_postgres_additional_databases 2020-12-13 21:07:16 +02:00
Slavi Pantaleev 47613e5a27 Remove synapse-janitor support
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/746
2020-12-11 23:24:42 +02:00
Marcel Partap b73ac965ac Merge remote-tracking branch 'origin/master' into synapse-workers 2020-12-01 21:24:26 +01:00
Slavi Pantaleev 3e2355282b Upgrade Postgres minor versions
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/727
2020-11-24 09:06:19 +02:00
Slavi Pantaleev ccabc82d4c Use more fully-qualified container images
This is both for consistency with 93cc71cb69976c
and for making things more obvious.
2020-11-14 23:01:11 +02:00
Marcel Partap 93a8ea7e4a Merge remote-tracking branch 'master' into feature/add-worker-support 2020-10-11 20:59:05 +02:00
Dan Arnfield 3a3383fada Add support for postgres 13 2020-09-30 16:50:59 -05:00
Max Klenk 1e68d8b2e5
allow to pass arguments to the postgres process 2020-09-11 14:29:10 +02:00
Dan Arnfield 20eea648a5 Update postgres versions (12.3 -> 12.4, etc) 2020-08-16 14:41:40 -05:00
Dan Arnfield ee3944bcdb Update postgres (12.2 -> 12.3, etc) 2020-05-21 11:40:40 -05:00
Dan Arnfield e36de7e627 Update postgres (12.1 -> 12.2, etc) 2020-03-18 06:50:51 -05:00
David Gnedt c55682d099 Update synapse-janitor to support current synapse database schema 2020-03-06 17:48:16 +01:00
Dan Arnfield 4a60f385d1 Update postgres versions (12.0 -> 12.1, etc) 2019-11-21 09:38:37 -06:00
Slavi Pantaleev 9c438a3870 Add support for Postgres v12 2019-10-04 08:51:36 +03:00
Dan Arnfield dc11704c11 Bump postgres versions (11.5, 10.10, 9.6.15) 2019-08-09 06:03:26 -05:00
Slavi Pantaleev 0ca21d80d7 Add Synapse Maintenance docs and synapse-janitor integration 2019-07-08 09:38:36 +03:00
Dan Arnfield 1eaa7b6967 Update postgres versions to latest 2019-06-24 13:11:23 -05:00
Slavi Pantaleev 7d3adc4512 Automatically force-pull :latest images
We do use some `:latest` images by default for the following services:
- matrix-dimension
- Goofys (in the matrix-synapse role)
- matrix-bridge-appservice-irc
- matrix-bridge-appservice-discord
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-whatsapp

It's terribly unfortunate that those software projects don't release
anything other than `:latest`, but that's how it is for now.

Updating that software requires that users manually do `docker pull`
on the server. The playbook didn't force-repull images that it already
had.

With this patch, it starts doing so. Any image tagged `:latest` will be
force re-pulled by the playbook every time it's executed.

It should be noted that even though we ask the `docker_image` module to
force-pull, it only reports "changed" when it actually pulls something
new. This is nice, because it lets people know exactly when something
gets updated, as opposed to giving the indication that it's always
updating the images (even though it isn't).
2019-06-10 14:30:28 +03:00
Slavi Pantaleev 4f87f7e43e
Explain matrix_postgres_container_postgres_bind_port a little more
Previously, it only mentioned exposing for psql-usage purposes.

Realistically, it can be used for much more. Especially given that
psql can be easily accessed via our matrix-postgres-cli script,
without exposing the container port.
2019-06-10 08:24:37 +03:00
Aaron Raimist 6fce809d10
Add config option to be able to access database outside of container 2019-06-09 20:35:35 -05:00
Dan Arnfield 6163ba5bb1 Bump postgres versions 2019-05-10 08:02:32 -05:00
Sylvia van Os 75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Slavi Pantaleev 6f6dff3e2b Update some Docker images 2019-03-03 12:27:43 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00