Commit graph

157 commits

Author SHA1 Message Date
Dan Arnfield 3982f114af Fix CONDITIONAL_BARE_VARS deprecation warning in ansible 2.8 2019-05-21 10:25:59 -05:00
Slavi Pantaleev affb99003c Improve Synapse variable naming consistency 2019-05-21 12:09:38 +09:00
Slavi Pantaleev a1e9818356 Update comment 2019-05-21 11:25:32 +09:00
Slavi Pantaleev fc7ba153b1 Make matrix-synapse role respect matrix_synapse_enabled flag 2019-05-21 10:46:49 +09:00
Slavi Pantaleev 8d654aecdd Improve file naming consistency 2019-05-21 09:57:48 +09:00
Slavi Pantaleev e3b4622ac8 Split Synapse extension tasks into install/uninstall files 2019-05-18 06:36:54 +09:00
Slavi Pantaleev 663d1add92 Move matrix-appservice-discord into a separate role 2019-05-18 01:14:12 +09:00
Slavi Pantaleev 13c4e7e5b6 Merge branch 'master' into separate-bridge-roles 2019-05-16 09:45:06 +09:00
Slavi Pantaleev ae7c8d1524 Use SyslogIdentifier to improve logging
Reasoning is the same as for matrix-org/synapse#5023.

For us, the journal used to contain `docker` for all services, which
is not very helpful when looking at them all together (`journalctl -f`).
2019-05-16 09:43:46 +09:00
Slavi Pantaleev cf3117011b Upgrade Synapse (0.99.3.2 -> 0.99.4) 2019-05-16 09:20:43 +09:00
Slavi Pantaleev 3339e37ce9 Move matrix-appservice-irc into a separate role 2019-05-16 09:07:40 +09:00
Slavi Pantaleev 43fd3cc274 Move mautrix-facebook into a separate role 2019-05-15 09:34:31 +09:00
Marcel Partap 5aa7f637d8 Fix matrix_synapse_ext_password_provider_ldap_start_tls (it's boolean) 2019-05-14 23:09:59 +02:00
Slavi Pantaleev bb816df557 Move mautrix telegram and whatsapp into separate roles
The goal is to move each bridge into its own separate role.
This commit starts off the work on this with 2 bridges:
- mautrix-telegram
- mautrix-whatsapp

Each bridge's role (including these 2) is meant to:

- depend only on the matrix-base role

- integrate nicely with the matrix-synapse role (if available)

- integrate nicely with the matrix-nginx-proxy role (if available and if
required). mautrix-telegram bridge benefits from integrating with
it.

- not break if matrix-synapse or matrix-nginx-proxy are not used at all

This has been provoked by #174 (Github Issue).
2019-05-14 23:47:22 +09:00
Slavi Pantaleev 873c291be6 Fix appservice-discord configuration-extension merging 2019-05-14 08:24:03 +09:00
Slavi Pantaleev 216cdf8c74
Merge pull request #166 from izissise/mautrix-facebook
Mautrix facebook
2019-05-09 10:05:14 +03:00
Dan Arnfield 958ad68078 Add registrations_require_3pid synapse option 2019-05-08 12:29:18 -05:00
Hugues Morisset a82d5ed281 Add tulir mautrix-facebook (https://github.com/tulir/mautrix-facebook) 2019-05-08 17:11:07 +02:00
Slavi Pantaleev 5f2f17cb1e
Merge pull request #160 from danbob/fix-matrix-mxisd-config
Fix template indentation
2019-05-08 08:01:00 +03:00
Hugues De Keyzer c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Dan Arnfield 3abed49764 Fix jinja config for indented code blocks 2019-05-07 06:02:38 -05:00
Slavi Pantaleev 0e7310fd7c
Merge pull request #164 from TheLastProject/fix/string_before_to_json
string before to_json when string value is expected
2019-05-07 10:41:41 +03:00
Sylvia van Os 9ea593df37 Fix incorrect casts 2019-05-07 09:35:51 +02:00
Sylvia van Os ed0ecf5bea string before to_json when string value is expected
This prevents Ansible from sometimes failing to decrypt vault variables
2019-05-06 10:10:27 +02:00
Slavi Pantaleev e0b7b4dc61
Merge pull request #159 from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
Slavi Pantaleev 1653e40239
Merge pull request #158 from lpopov/master
Add the ability to update user passwords with ansible
2019-05-05 10:21:45 +03:00
Slavi Pantaleev 6bea3237c9
Merge pull request #163 from aaronraimist/synapse-0.99.3.1
Update Synapse (0.99.3 -> 0.99.3.1)
2019-05-03 22:10:20 +03:00
Aaron Raimist 8051ea9ef9
Update Synapse (0.99.3.1 -> 0.99.3.2) 2019-05-03 13:34:45 -05:00
Aaron Raimist d1646bb497
Update Synapse (0.99.3 -> 0.99.3.1) 2019-05-03 12:07:58 -05:00
Lyubomir Popov a206b65ed7 Use the '-p' non-interactive option to generate password hash instead of 'expect' 2019-05-03 11:02:17 +03:00
Sylvia van Os 75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Lyubomir Popov 134faa3139 Add the ability to update user passwords with ansible (when using the matrix-postgres container). 2019-04-30 16:30:26 +03:00
Sylvia van Os bf77f776a2 Add variable to disable homeserver url preview 2019-04-30 13:58:48 +02:00
Ciaran Ainsworth 8624cf4a57 Fixed default url preview settings 2019-04-26 14:11:40 +01:00
Slavi Pantaleev 892abdc700 Do not refer to Synapse as "Matrix Synapse" 2019-04-23 10:20:56 +03:00
Slavi Pantaleev 39566aa7fe Generate a Synapse signing key file, if missing
The code used to check for a `homeserver.yaml` file and generate
a configuration (+ key) only if such a configuration file didn't exist.

Certain rare cases (setting up with one server name and then
changing to another) lead to `homeserver.yaml` being there,
but a `matrix.DOMAIN.signing.key` file missing (because the domain
changed).
A new signing key file would never get generated, because `homeserver.yaml`'s
existence used to be (incorrectly) satisfactory for us.

From now on, we don't mix things up like that.
We don't care about `homeserver.yaml` anymore, but rather
about the actual signing key.

The rest of the configuration (`homeserver.yaml` and
`matrix.DOMAIN.log.config`) is rebuilt by us in any case, so whether
it exists or not is irrelevant and doesn't need checking.
2019-04-23 10:06:42 +03:00
Lyubomir Popov eab8f31eed Add additional room config options:
- matrix_enable_room_list_search - Controls whether searching the public room list is enabled.
 - matrix_alias_creation_rules - Controls who's allowed to create aliases on this server.
 - matrix_room_list_publication_rules - Controls who can publish and which rooms can be published in the public room list.
2019-04-16 12:40:38 +03:00
Slavi Pantaleev 9a05b030cb Fix unknown tag error when generating Goofys service
`{% matrix_s3_media_store_custom_endpoint_enabled %}` should have
been `{% if matrix_s3_media_store_custom_endpoint_enabled %}` instead.

Related to #132 (Github Pull Request).
2019-04-10 08:45:52 +03:00
Alexander Acevedo 6cc6638098
revert 3953705682
that's not how it works
2019-04-05 06:01:58 -04:00
Alexander Acevedo 3953705682
add custom endpoint environment variable 2019-04-05 05:56:36 -04:00
Alexander Acevedo 3ffb03f20e
missing whitespace 2019-04-05 05:54:58 -04:00
Alexander Acevedo c55e49d733
add custom endpoint to matrix-goofys.service.j2
This (should) check if custom endpoint is enabled.
2019-04-05 05:48:31 -04:00
Alexander Acevedo b5fbec8d83
add goofys custom
Creates the configuration variable to toggle custom endpoint and the default custom endpoint.
2019-04-05 05:33:38 -04:00
Slavi Pantaleev af1c9ae59d Do not force firewalld on people
In most cases, there's not really a need to touch the system
firewall, as Docker manages iptables by itself
(see https://docs.docker.com/network/iptables/).

All ports exposed by Docker containers are automatically whitelisted
in iptables and wired to the correct container.

This made installing firewalld and whitelisting ports pointless,
as far as this playbook's services are concerned.

People that wish to install firewalld (for other reasons), can do so
manually from now on.

This is inspired by and fixes #97 (Github Issue).
2019-04-03 11:37:20 +03:00
Slavi Pantaleev 631b7cc6a6 Add support for adjusting Synapse rate-limiting configuration 2019-04-01 21:40:14 +03:00
Slavi Pantaleev 77359ae867 Synchronize Synapse config with the sample from 0.99.3 2019-04-01 21:22:05 +03:00
Aaron Raimist c6f1f7aa23
Update Synapse (0.99.2 -> 0.99.3) 2019-04-01 11:26:46 -05:00
Slavi Pantaleev d9c6884b6a Update mautrix-telegram (0.4.0 -> 0.5.1) 2019-03-22 18:50:41 +02:00
Slavi Pantaleev 73af8f7bbb Make self-check not validate self-signed certificates
By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)
2019-03-22 09:41:08 +02:00
Slavi Pantaleev e65514223e
Merge branch 'master' into update-homeserver-yaml 2019-03-17 20:53:52 +02:00
Slavi Pantaleev 2f1662626e Use |to_json for matrix_synapse_push_include_content
Doing this for consistency.

Related to #117 (Github Pull Request).
2019-03-17 20:51:12 +02:00
Aaron Raimist ae912c4529
Update homeserver.yaml with some new options we could enable 2019-03-16 15:51:41 -05:00
Lee Verberne 71c7c74b7b Allow configuring push content for matrix-synapse
This allows overriding the default value for `include_content`. Setting
this to false allows homeserver admins to ensure that message content
isn't sent in the clear through third party servers.
2019-03-16 07:16:20 +01:00
Lorrin Nelson ceba99eed3 Make federation self-check conditional on matrix_synapse_federation_enabled 2019-03-13 22:33:52 -07:00
Slavi Pantaleev 2d56ff0afa Skip some uninstall tasks if not necessary to run 2019-03-13 07:40:51 +02:00
Plailect f6de3fd668
Start appservice-irc as non-root 2019-03-12 13:17:51 -04:00
Slavi Pantaleev 390ec8a599 Skip some tasks when not necessary to run them 2019-03-08 12:14:58 +02:00
Slavi Pantaleev 62e2acada5
Merge pull request #104 from dangersalad/master
allow exposing mautrix_telegram port
2019-03-08 08:50:05 +02:00
paulbdavis 17e86ba817 implement requested changes 2019-03-07 12:45:58 -07:00
Slavi Pantaleev 85c5adfd69 Minor consistency improvements 2019-03-05 09:20:36 +02:00
Slavi Pantaleev a310a01818 Use non-root and no-capability containers during Discord setup
Related to #105 (Github Pull Request).
2019-03-05 09:10:51 +02:00
Slavi Pantaleev f037f63a07
Merge pull request #105 from Lionstiger/matrix-discord-bridge
Add Support for matrix-appservice-discord
2019-03-05 06:39:46 +00:00
Lionstiger c2834d2226 running as matrix user from the start 2019-03-04 16:26:19 +01:00
Lionstiger 278484656b ensure systemd reloaded after bridge installation 2019-03-04 15:12:37 +01:00
Lionstiger 2d78c5f89d made matrix_appservice_discord_client_id lowercase 2019-03-04 15:11:06 +01:00
Lionstiger 7aadd8bbe9 undo changed synapse version 2019-03-03 19:55:56 +01:00
Lionstiger 4aeeb5cf31 Autogenerate Discord invite link
Generates the link required to add the Bridge to a Discord server.
2019-03-03 19:33:16 +01:00
Lionstiger 835c349275 Add matrix-appservice-discord bridge
Bridge is setup to work on the matrix side with this, but the discord invite link is not automatically generated.
2019-03-03 18:22:52 +01:00
Slavi Pantaleev 45618679f5 Reload systemd services when they get updated
Fixes #69 (Github Issue)
2019-03-03 11:55:15 +02:00
Slavi Pantaleev 041a1947b3 Update Synapse (0.99.1.1 -> 0.99.2) 2019-03-02 10:03:09 +02:00
paulbdavis f2a2cad107 allow exposing mautrix_telegram port 2019-03-01 16:05:01 -07:00
Slavi Pantaleev a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev 8cac29a5d5 Update matrix-synapse-rest-auth (0.1.1 -> 0.1.2) 2019-02-28 11:15:26 +02:00
Slavi Pantaleev 433780384e Do not use docker_container module
Using `docker_container` with a `cap_drop` argument requires
Ansible >=2.7.

We want to support older versions too (2.4), so we either need to
stop invoking it with `cap_drop` (insecure), or just stop using
the module altogether.

Since it was suffering from other bugs too (not deleting containers
on failure), we've decided to remove `docker_container` usage completely.
2019-02-25 10:42:27 +02:00
Slavi Pantaleev 350b25690d Add Riot v1.0 (v1.0.1) support 2019-02-16 11:48:17 +02:00
Slavi Pantaleev 0f55823c5f Update Synapse (0.99.1 -> 0.99.1.1)
It's not important for us, as it only contains
some ACME-related fix.
2019-02-14 19:43:13 +02:00
Slavi Pantaleev eb08e20418 Upgrade Synapse (0.99.0 -> 0.99.1) and sync config
`matrix_synapse_no_tls` is now implicit, so we've gotten rid of it.

The `homeserver.yaml.j2` template has been synchronized with the
configuration generated by Synapse v0.99.1 (some new options
are present, etc.)
2019-02-14 18:40:55 +02:00
Slavi Pantaleev df76ae707a Fix inaccurate comment 2019-02-13 14:07:16 +02:00
Slavi Pantaleev 42c4de348c Revert "Bind metrics on :: too"
This reverts commit 536c85619f.

Looks like binding metrics on IPv6 (`::`) fails with an error:

socket.gaierror: [Errno -2] Name does not resolve
2019-02-09 13:21:18 +02:00
Slavi Pantaleev 536c85619f Bind metrics on :: too
For consistency with all our other listeners,
we make this one bind on the `::` address too
(both IPv4 and IPv6).

Additional details are in #91 (Github Pull Request).
2019-02-06 14:24:10 +02:00
Slavi Pantaleev 91a757c581 Add support for reloading Synapse 2019-02-06 09:25:13 +02:00
Slavi Pantaleev 40f3793af7 Upgrade Synapse to v0.99 and simplify dummy TLS cert logic 2019-02-06 09:17:55 +02:00
Slavi Pantaleev 5db692f877 Remove some useless homeserver.yaml configuration 2019-02-05 14:02:01 +02:00
Slavi Pantaleev 738c592c27 Bump Synapse version (0.34.1.1 -> 0.99.0rc4) 2019-02-05 13:33:39 +02:00
Slavi Pantaleev f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Aaron Raimist 1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
Aaron Raimist 58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
dhose 87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Plailect 29b40b428a
Database files must be stored on permanent storage 2019-02-01 11:44:06 -05:00
Slavi Pantaleev a9fae8e3b1 Revert "Use native OpenSSL module to generate passkey.pem"
This reverts commit 0dac5ea508.

Relying on pyOpenSSL is the Ansible way of doing things, but is
impractical and annoying for users.

`openssl` is easily available on most servers, even by default.
We'd better use that.
2019-01-31 20:45:14 +02:00
Plailect 0dac5ea508
Use native OpenSSL module to generate passkey.pem 2019-01-31 11:38:54 -05:00
Plailect 5e1d96c727
Add matrix_appservice_irc_container_expose_client_server_api_port 2019-01-31 11:20:45 -05:00
Plailect 0a2a8e118c
Update example configuration and documentation 2019-01-31 11:05:27 -05:00
Plailect 3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev 0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev bf10331456 Make mautrix-whatsapp run as non-root and w/o capabilities 2019-01-28 15:55:58 +02:00
Slavi Pantaleev 8a3f942d93 Make mautrix-telegram run as non-root and w/o capabilities 2019-01-28 15:40:16 +02:00
Slavi Pantaleev 3e8a4159e6 Uncomment unintentionally-commented logic 2019-01-28 14:25:03 +02:00
Slavi Pantaleev 9438402f61 Drop capabilities in a few more places
Continuation of 316d653d3e
2019-01-28 11:43:32 +02:00
Slavi Pantaleev 316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00