Commit graph

296 commits

Author SHA1 Message Date
Slavi Pantaleev 6beb39a062 Announce Honoroit support
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1511
2022-01-07 09:53:16 +02:00
Slavi Pantaleev 1098e64d19 Announce Cinny support
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1509
2022-01-06 10:53:10 +02:00
Slavi Pantaleev e834a69e60 Announce mautrix-twitter support
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1478
2021-12-22 15:53:56 +02:00
Slavi Pantaleev a8fc4fe6ce Mention log4j vulnerability affecting mautrix-signal
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1459
and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452
2021-12-14 12:33:59 +02:00
Slavi Pantaleev 8abe1ac483 Warn people if on an old SQLite-supporting mautrix-facebook version
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1401

https://github.com/mautrix/facebook/releases/tag/v0.3.2 says that this
version re-adds SQLite support.
2021-11-15 08:28:20 +02:00
Slavi Pantaleev b195760301 Mention dropped Postgres v9.6 support in the changelog
Related to c4d2c8394c
2021-11-11 16:04:20 +02:00
Slavi Pantaleev c69ea4cbcd Update changelog
Related to:

- https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1323
- https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1328
- https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1329
2021-10-13 07:58:35 +03:00
Slavi Pantaleev ee663e819e Announce LinkedIn Messaging bridging support
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1242
2021-08-23 15:27:16 +03:00
Slavi Pantaleev 9860fb4675 Upgrade Sygnal (v0.9.0 -> v0.10.1) 2021-08-20 17:48:24 +03:00
Slavi Pantaleev 55b92d5a13 Fix another typo 2021-05-21 13:52:33 +03:00
Slavi Pantaleev 0a662dcbcd Fix typo 2021-05-21 13:52:07 +03:00
Slavi Pantaleev c5d52d49da Announce Hydrogen support
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1055
2021-05-21 13:50:49 +03:00
Slavi Pantaleev 9e98450bba Announce Heisenbridge support 2021-05-19 13:21:11 +03:00
Slavi Pantaleev fcb9e9618a Make Coturn TLSv1/v1.1 configurable
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999
2021-04-16 09:29:32 +03:00
Slavi Pantaleev 6526087c14 Announce automated local Postgres backup support 2021-04-05 11:16:44 +03:00
Slavi Pantaleev 28a6f8bd57 Announce Mjolnir bot support
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/962
2021-04-03 10:52:39 +03:00
Slavi Pantaleev 9a0222fa47 Add Sygnal support
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683
2021-03-20 13:32:22 +02:00
Slavi Pantaleev 6cbfee539c Announce Go-NEB support 2021-03-16 07:54:26 +02:00
Marcus Proest 913e0dae42 update informational files. 2021-02-19 19:39:46 +01:00
Slavi Pantaleev e56fcbbc0d Announce mx-puppet-groupme support
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/872
2021-02-19 11:54:50 +02:00
Slavi Pantaleev b754c2778b Announce Synapse workers support 2021-02-19 11:39:58 +02:00
Slavi Pantaleev 87ce12c3eb Add note about potential breaking change 2021-02-12 14:07:26 +02:00
Slavi Pantaleev 890e4ad1af Announce Prometheus/Grafana 2021-02-12 14:02:53 +02:00
Slavi Pantaleev 5df2f6cdd1 Update docs and changelog 2021-01-31 09:54:12 +02:00
T. Küchel 67fab21d7e Update CHANGELOG.md
propose explicitly showing single quotes around the password, since I forgot to put them there.
2021-01-24 12:31:07 +00:00
Slavi Pantaleev acf7866442 Fix step number 2021-01-23 09:24:08 +02:00
Slavi Pantaleev f9968b6981 Fix matrix_postgres_connection_password length check 2021-01-22 21:22:58 +02:00
Slavi Pantaleev 3647b23628 Add some warning about ; in SQL statements (take 2) 2021-01-22 20:23:35 +02:00
Slavi Pantaleev 49c0e254db Add some warning about ; in SQL statements
I got at least a few reports of people pasting these statements one by
one and missing the `;`.
2021-01-22 20:21:22 +02:00
Dan Arnfield d95f160705 Fix typos 2021-01-22 06:48:25 -06:00
Slavi Pantaleev 89db6be568 Fix typo 2021-01-22 14:33:02 +02:00
Slavi Pantaleev e88dcfa252 Mention Postgres backup 2021-01-22 13:58:55 +02:00
Slavi Pantaleev 95346f3117 Reorganize Postgres access (breaking change)
In short, this makes Synapse a 2nd class citizen,
preparing for a future where it's just one-of-many homeserver software
options.

We also no longer have a default Postgres superuser password,
which improves security.

The changelog explains more as to why this was done
and how to proceed from here.
2021-01-22 13:26:12 +02:00
Slavi Pantaleev f6861e3c65 Improve wording a bit 2021-01-20 10:19:39 +02:00
Slavi Pantaleev 024a23ed17 Upgrade mautrix-facebook to the new Postgres-only version
I had intentionally held it back in 39ea3496a4
until:
- it received more testing (there were a few bugs during the
migration, but now it seems OK)
- this migration guide was written
2021-01-20 10:12:51 +02:00
Slavi Pantaleev ef64c88dc7 Announce matrix-corporal v2 2021-01-17 18:48:21 +02:00
Slavi Pantaleev e1690722f7 Replace cronjobs with systemd timers
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/756

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/737

I feel like timers are somewhat more complicated and dirty (compared to
cronjobs), but they come with these benefits:

- log output goes to journald
- on newer systemd distros, you can see when the timer fired, when it
will fire, etc.
- we don't need to rely on cron (reducing our dependencies to just
systemd + Docker)

Cronjobs work well, but it's one more dependency that needs to be
installed. We were even asking people to install it manually
(in `docs/prerequisites.md`), which could have gone unnoticed.

Once in a while someone says "my SSL certificates didn't renew"
and it's likely because they forgot to install a cron daemon.

Switching to systemd timers means that installation is simpler
and more unified.
2021-01-14 23:35:50 +02:00
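The cron-to-timer move described in the commit above, as an added example that is not the playbook's own code: a shell function that renders a systemd service/timer pair for a periodic job, plus the commands used to enable and inspect it. The unit name, schedule and command (`matrix-ssl-renew`, a daily 04:00 run, `/usr/local/bin/matrix-ssl-renew`) are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: render a systemd service + timer pair that replaces a cronjob.
# Nothing here is from the playbook; names and paths are placeholders.
set -eu

# render_timer_units DIR NAME ONCALENDAR COMMAND
# Writes DIR/NAME.service and DIR/NAME.timer. Nothing is enabled here; the
# caller decides whether DIR is /etc/systemd/system or a staging directory.
render_timer_units() {
  dir="$1"; name="$2"; oncalendar="$3"; command="$4"
  mkdir -p "$dir"
  cat > "$dir/$name.service" <<EOF
[Unit]
Description=$name (oneshot job driven by $name.timer)

[Service]
Type=oneshot
# stdout/stderr land in journald; no cron-style redirection needed
ExecStart=$command
EOF
  cat > "$dir/$name.timer" <<EOF
[Unit]
Description=Run $name on a schedule

[Timer]
OnCalendar=$oncalendar
# Run a missed job after downtime (plain cron would just skip it)
Persistent=true
# Spread the firing time so many hosts do not hit a CA at the same second
RandomizedDelaySec=300

[Install]
WantedBy=timers.target
EOF
}

# timer_field FILE KEY -> prints the value of the KEY=... line in a unit file
timer_field() {
  sed -n "s/^$2=//p" "$1"
}

# Demo: stand-in for the old daily certificate-renewal cronjob, rendered into
# a scratch directory. On a real host use /etc/systemd/system and then:
#   systemctl daemon-reload
#   systemctl enable --now matrix-ssl-renew.timer
#   systemctl list-timers 'matrix-*'        # last and next firing time
#   journalctl -u matrix-ssl-renew.service  # job output
demo_dir=$(mktemp -d)
render_timer_units "$demo_dir" matrix-ssl-renew '*-*-* 04:00:00' '/usr/local/bin/matrix-ssl-renew'
ls "$demo_dir"
timer_field "$demo_dir/matrix-ssl-renew.timer" OnCalendar
```

`Persistent=true` is the one setting worth calling out: it is what makes a timer strictly better than a cronjob for certificate renewal on a host that is sometimes switched off.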
Slavi Pantaleev 95ebff1ef1 Announce nginx SSL configuration presets 2021-01-08 21:30:13 +02:00
Agustin Ferrario 25d423e6b6 Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent
naming.

`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.

The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
2021-01-08 11:32:10 +01:00
Agustin Ferrario 3cb71e7e84 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2021-01-03 13:18:21 +01:00
Slavi Pantaleev 23f246b0ad Mention mautrix-signal migration steps to early adopters 2021-01-03 09:19:06 +02:00
Slavi Pantaleev aac400664a Announce mautrix-signal bridge 2021-01-03 07:59:49 +02:00
Slavi Pantaleev 4fe1248d95 Update changelog entry to be more informative 2020-12-23 11:21:06 +02:00
Slavi Pantaleev 3475b98b76 Announce the big move to all-on-Postgres
Related to
- https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/740
- https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/686
2020-12-23 11:02:33 +02:00
Agustin Ferrario 49b3cc024b Document the SSL changes in the CHANGELOG
The breaking changes are properly documented in the CHANGELOG.md file.
The date used is specified as XXXX-XX-XX and should be modified at the
moment of merge.
2020-12-16 10:53:11 +01:00
Slavi Pantaleev 47613e5a27 Remove synapse-janitor support
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/746
2020-12-11 23:24:42 +02:00
Slavi Pantaleev eae4f67470 Mention Docker 20.10 in the changelog 2020-12-11 00:13:10 +02:00
Slavi Pantaleev c07c927d9f Automatically enable openid listeners when ma1sd enabled
ma1sd requires the openid endpoints for certain functionality.
Example: 90b2b5301c/src/main/java/io/kamax/mxisd/auth/AccountManager.java (L67-L99)

If federation is disabled, we still need to expose these openid APIs on the
federation port.

Previously, we were doing similar magic for Dimension.
As per its documentation, when running unfederated, one is to enable
the openid listener as well. As per their recommendation, people
are advised to enable it on the Client-Server API port
and use the `federationUrl` variable to override where the federation
port is (making federation requests go to the Client-Server API).

Because ma1sd always uses the federation port (unless you do some
DNS overwriting magic using its configuration -- which we'd rather not
do), it's better if we just default to putting the `openid` listener
where it belongs - on the federation port.

With this commit, we retain the "automatically enable openid APIs" thing
we've been doing for Dimension, but move it to the federation port instead.
We also now do the same thing when ma1sd is enabled.
2020-12-08 16:59:20 +02:00
Slavi Pantaleev d64ad91c25 Add some notes about recent Jitsi changes
A bit late, but still better than nothing.
2020-11-30 13:11:57 +02:00
benkuly 8c8002f639 added changelog 2020-11-23 14:48:04 +01:00
benkuly c985e17f18 updated matrix-sms-bridge 2020-11-13 08:44:21 +01:00
Slavi Pantaleev d910df2b1c Announce Dynamic DNS support
Related to #681 (Github Pull Request)
2020-11-11 00:01:08 +02:00
Slavi Pantaleev 9a46647010 Make https://matrix.DOMAIN/ redirect to https://element.DOMAIN/
Fixes #696 (Github Issue)
2020-10-28 10:39:12 +02:00
Slavi Pantaleev 63a49bb2dc Do not expose /_synapse/admin publicly by default
Fixes #685 (Github Issue).
2020-10-26 10:36:38 +02:00
Slavi Pantaleev ae75920be9 Update changelog
Related to 23daec748c and #662 (Github Issue).
2020-10-02 12:01:16 +03:00
Slavi Pantaleev 3bfbbc10bc Announce Postgres v13 upgrade 2020-10-01 09:46:43 +03:00
Slavi Pantaleev 7901293438 Relocate docs page for consistency 2020-09-01 13:47:58 +03:00
Slavi Pantaleev da38a7869f Add matrix-registration support 2020-09-01 13:46:05 +03:00
Slavi Pantaleev daf13107a0 Add support for rust-synapse-compress-state 2020-08-21 13:53:39 +03:00
Slavi Pantaleev b2ae669566 Add synapse-admin support
Fixes #562 (Github Issue)
2020-07-22 08:10:26 +03:00
Slavi Pantaleev 34eec3bf11 Fix date typo 2020-07-22 08:06:39 +03:00
Slavi Pantaleev 78b1ef9a5f Add support for matrix-reminder-bot 2020-07-20 14:13:08 +03:00
Slavi Pantaleev c6ab1c6a90 Riot is now Element
Fixes #586 (Github Issue)
2020-07-17 11:31:20 +03:00
Slavi Pantaleev a8f7ccf3f3 Announce mx-puppet-steam bridging support
Related to #557 (Github Pull Request).
2020-07-03 12:10:57 +03:00
Slavi Pantaleev 76352bcbd8 Announce mx-puppet-discord bridging support
Related to #540 (Github Pull Request).
2020-07-01 19:01:14 +03:00
Slavi Pantaleev b5bed60e6b Announce mx-puppet-instagram and mx-puppet-twitter support
Related to #551 and #555 (Github Pull Requests).
2020-06-30 17:52:06 +03:00
teutat3s 0162fe31d1 Re-enable ma1sd user directory search 2020-06-28 21:47:39 +02:00
benkuly e44cc9e2a1 added changelog of sms bridge 2020-06-11 16:11:24 +02:00
Slavi Pantaleev 8d786713a6 Update changelog 2020-06-05 15:05:48 +03:00
Slavi Pantaleev 07ff116266 Do not send User Directory search requests to ma1sd for now
We can undo this once https://github.com/ma1uta/ma1sd/issues/44 gets
resolved.
2020-05-19 12:57:19 +03:00
John Goerzen a2df0016eb Update matrix-appservice-irc to 0.16.0
Note the potential breaking change

Resolves #474
2020-04-28 11:43:52 -05:00
Slavi Pantaleev 4afc46fffe Announce mx-puppet-slack support
Related to #454 (Github Pull Request).
2020-04-23 18:03:36 +03:00
Slavi Pantaleev 5b8f8bc942 Announce Skype bridging 2020-04-09 09:33:30 +03:00
Slavi Pantaleev 70010c26ab Update changelog with information on private Jitsi
Related to #436 (Github Pull Request).
2020-04-05 10:27:52 +03:00
Slavi Pantaleev c2d0304eb1 Fix incorrect URL 2020-04-03 11:17:05 +03:00
Slavi Pantaleev 229c8e1c38 Adjust name in changelog 2020-04-03 11:14:34 +03:00
Slavi Pantaleev 2fad4ee7d8 Adjust changelog to give credit where credit is due 2020-04-03 10:43:47 +03:00
Slavi Pantaleev 7266542356 Announce ma1sd -> mxisd migration 2020-04-03 10:41:36 +03:00
Slavi Pantaleev a8f4b2a755 Update docs
Related to #425 (Github Pull Request).
2020-03-29 10:16:25 +03:00
Slavi Pantaleev 8ff55bcd14 Update documentation and changelog 2020-03-24 15:30:14 +02:00
Slavi Pantaleev bca8afc3c5 Update changelog to credit Gergely Horváth
Related to #386 (Github Pull Request)
2020-03-15 12:58:28 +02:00
Slavi Pantaleev 8dd187ac55 Update changelog and documentation 2020-03-15 12:54:41 +02:00
Slavi Pantaleev 37f3a2d5a8 Add support for themes to riot-web 2020-02-26 08:40:35 +02:00
Julian Foad 0703c31e11 Document the new Riot server name setting. 2020-02-24 14:55:08 +00:00
Slavi Pantaleev f18037ae42 Disable TLSv1.1 by default 2020-01-30 12:56:20 +02:00
Slavi Pantaleev 9d3d538a2d Use C collation for Postgres to appease Synapse 2020-01-21 00:13:47 +02:00
Slavi Pantaleev 4840214193 Announce Appservice Webhooks support
Related to #339 (Github Pull Request).
2020-01-14 16:02:37 +02:00
Slavi Pantaleev bd38861179 Add support for automatic Double Puppeting for all Mautrix bridges 2020-01-12 20:28:36 +02:00
Slavi Pantaleev ca3b158d94 Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 11:53:15 +02:00
Slavi Pantaleev 2da40c729a Do not expose server room directory by default
Prompted by: https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers

This is a bit controversial, because.. the Synapse default remains open,
while the general advice (as per the blog post) is to make it more private.

I'm not sure exactly what kind of server people set up and whether they
want to make the room directory public. Our general goal is to favor
privacy and security when running personal (family & friends) and corporate
homeservers, both of which likely benefit from having a more secure default.
2019-11-10 08:55:46 +02:00
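The two "do not expose by default" decisions on this page (the server room directory above, and `/_synapse/admin` in commit 63a49bb2dc) are easy to verify from outside the server. The following is an added example, not the playbook's own code: an unauthenticated probe of both endpoints with `curl`. The hostname `https://matrix.example.com` is a placeholder. The Synapse setting behind the room-directory change, `allow_public_rooms_without_auth`, is named here from Synapse's own documentation, not from the commit message.

```shell
#!/bin/sh
# Added example: probe a homeserver from the outside for two exposures that
# the playbook closes by default. Hostname below is a placeholder.
set -eu

# http_status URL -> prints the HTTP status code; 000 when no connection
http_status() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || true)
  printf '%s' "${code:-000}"
}

# verdict ENDPOINT STATUS -> returns 0 if the endpoint is locked down.
# publicRooms: with Synapse's allow_public_rooms_without_auth set to false,
#   an unauthenticated GET is refused with 401 (M_MISSING_TOKEN); a 200 means
#   anyone on the internet can list the server's room directory.
# admin: /_synapse/admin/v1/server_version needs no auth in Synapse, so it is
#   a clean probe. A reverse proxy that does not forward /_synapse/admin
#   answers 404 (or refuses the connection); a 200 means the admin API is
#   reachable from the public internet and only a token stands in the way.
verdict() {
  case "$1:$2" in
    publicRooms:401|publicRooms:403) return 0 ;;
    admin:404|admin:403|admin:000)   return 0 ;;
    *)                               return 1 ;;
  esac
}

# audit_exposure BASE_URL -> prints one line per check, exit 1 on any failure
audit_exposure() {
  base="${1%/}"
  rc=0
  s=$(http_status "$base/_matrix/client/r0/publicRooms")
  if verdict publicRooms "$s"; then echo "room directory: not public ($s)"
  else echo "room directory: PUBLIC or unexpected ($s)"; rc=1; fi
  s=$(http_status "$base/_synapse/admin/v1/server_version")
  if verdict admin "$s"; then echo "admin API: not exposed ($s)"
  else echo "admin API: EXPOSED or unexpected ($s)"; rc=1; fi
  return $rc
}

# Usage (placeholder host):
#   audit_exposure https://matrix.example.com
```

Run it from a machine that is not the homeserver itself; a probe from localhost or from inside the Docker network would bypass exactly the reverse-proxy rules being checked.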
Slavi Pantaleev e32aaacaa7 Make gzipped SQL dumps by default during --upgrade-postgres 2019-10-05 11:42:08 +03:00
Slavi Pantaleev 29526e7bb1 Add support for backing up / importing all Postgres databases/users 2019-10-05 11:42:08 +03:00
Slavi Pantaleev 9c438a3870 Add support for Postgres v12 2019-10-04 08:51:36 +03:00
Slavi Pantaleev c3229209e8 Update changelog 2019-10-03 19:34:02 +03:00
Slavi Pantaleev 68ed2ebefa Add support for Synapse Simple Antispam
Fixes #255 (Github Issue).
2019-09-09 08:13:10 +03:00
Slavi Pantaleev 0edd7e8089 Make Riot-web configuration extensible
Fixes #71 (Github Issue).
2019-08-25 10:37:05 +03:00
Slavi Pantaleev 10a9deba4a Make Synapse configuration extensible 2019-08-22 09:49:22 +03:00
Slavi Pantaleev dd0f35562b Update changelog 2019-08-21 07:48:42 +03:00
Slavi Pantaleev 63d1ed1d56 Update changelog and documentation 2019-08-21 07:24:58 +03:00
Slavi Pantaleev 4be35822dd Add Email2Matrix support 2019-08-05 13:09:49 +03:00
Slavi Pantaleev 6fe4bafc2a Decrease default Synapse logging level
Also discussed previously in #213 (Github Pull Request).

shared-secret-auth and rest-auth logging is still at `INFO`
intentionally, as user login events seem more important to keep.
Those modules typically don't spam as much.
2019-08-03 07:48:04 +03:00
Slavi Pantaleev 0ca21d80d7 Add Synapse Maintenance docs and synapse-janitor integration 2019-07-08 09:38:36 +03:00
Slavi Pantaleev 631a14bf0c Rename run control variables for consistency 2019-07-08 09:38:36 +03:00
Slavi Pantaleev ef5e4ad061 Make Synapse not log to text files
Somewhat related to #213 (Github Pull Request).

We've been moving in the opposite direction for quite a long time.
All services should just leave logging to systemd's journald.
2019-07-04 17:46:31 +03:00
Slavi Pantaleev 420b46ad2e Update CHANGELOG.md 2019-06-27 09:34:08 +03:00
Slavi Pantaleev bccfd13c7f Fix changelog entry typo 2019-06-26 10:48:19 +03:00
Slavi Pantaleev 8529efcd1c Make Discord bridge configuration playbook-managed
Well, `config.yaml` has been playbook-managed for a long time.
It's now extended to match the default sample config of the Discord
bridge.

With this patch, we also make `registration.yaml` playbook-managed,
which leads us to consistency with all other bridges.

Along with that, we introduce `./config` and `./data` separation,
like we do for the other bridges.
2019-06-26 10:35:00 +03:00
Thomas Kuehne 39b6e3ed26 Added a changelog for the new WhatsApp config style
- changelog entry for commit 4797469383
2019-06-24 00:22:02 +02:00
Slavi Pantaleev e585f314b8 Merge pull request #204 from spantaleev/irc-bridge-refactoring
Make IRC bridge configuration entirely managed by the playbook
2019-06-20 17:00:16 +03:00
Slavi Pantaleev 764feb4d7b Bump changelog entry date 2019-06-20 17:00:05 +03:00
Slavi Pantaleev c98eacdd70 Add BC Break label to old changelog entry 2019-06-20 16:59:16 +03:00
Slavi Pantaleev 174a6fcd1b Make IRC bridge configuration entirely managed by the playbook 2019-06-19 12:29:44 +03:00
Slavi Pantaleev 9b97a42ffb Add a note about DNS SRV records not being obsolete 2019-06-15 16:14:14 +03:00
Slavi Pantaleev 2a2e7a7f6c Minor changelog clarification 2019-06-15 09:53:01 +03:00
Slavi Pantaleev 4e8543ce21 Make Telegram bridge configuration playbook-managed 2019-06-15 09:43:43 +03:00
Slavi Pantaleev 2e16257e50 Do not ask for _matrix._tcp SRV records anymore
With most people on Synapse v0.99+ and Synapse v1.0 now available,
we should no longer try to be backward compatible with Synapse 0.34,
because this just complicates the instructions for no good reason.
2019-06-12 14:51:10 +03:00
Slavi Pantaleev 67c13d0a77 Update changelog 2019-06-07 15:11:25 +03:00
Slavi Pantaleev 330648a3e0 Make Facebook bridge configuration playbook-managed
Related to #193, but for the Facebook bridge.
(other bridges can be changed to do the same later).

This patch makes the bridge configuration entirely managed by the
Ansible playbook. The bridge's `config.yaml` and `registration.yaml`
configuration files are regenerated every time the playbook runs.

This allows us to apply updates to those files and to avoid
people having to manage the configuration files manually on the server.

-------------------------------------------------------------

A deficiency of the current approach to dumping YAML configuration in
`config.yaml` is that we strip all comments from it.
Later on, when the bridge actually starts, it will load and redump
(this time with comments), which will make the `config.yaml` file
change.

Subsequent playbook runs will report "changed" for the
"Ensure mautrix-facebook config.yaml installed" task, which is a little
strange.

We might wish to improve this in the future, if possible.

Still, it's better to have a (usually) somewhat meaningless "changed"
task than to what we had -- never rebuilding the configuration.
2019-06-07 14:05:53 +03:00
Slavi Pantaleev ab59cc50bd Add support for more flexible container port exposing
Fixes #171 (Github Issue).
2019-05-25 07:41:08 +09:00
Slavi Pantaleev 7a08c9b7cc Update changelog 2019-05-23 08:52:12 +09:00
Slavi Pantaleev affb99003c Improve Synapse variable naming consistency 2019-05-21 12:09:38 +09:00
Slavi Pantaleev a21b410c51 Update README and changelog 2019-05-21 11:04:58 +09:00
Slavi Pantaleev 9d14e2dcb1 Fix broken link in changelog 2019-05-09 10:31:22 +03:00
Slavi Pantaleev c669ea1b79 Update changelog 2019-05-09 10:30:08 +03:00
Slavi Pantaleev 0b034ac34b Update changelog 2019-04-03 11:28:51 +03:00
Slavi Pantaleev 59e37105e8 Add TLS support to Coturn 2019-03-19 10:24:39 +02:00
Slavi Pantaleev c545d3eb85 Add support for serving base domain via matrix-nginx-proxy 2019-03-12 23:01:16 +02:00
Slavi Pantaleev e645b0e372 Rename matrix_nginx_proxy_data_path to matrix_nginx_proxy_base_path
`matrix_nginx_proxy_data_path` has always served as a base path,
so we're renaming it to reflect that.

Along with this, we're also introducing a new "data path" variable
(`matrix_nginx_proxy_data_path`), which is really a data path this time.
It's used for storing additional, non-configuration, files related to
matrix-nginx-proxy.
2019-03-12 23:01:16 +02:00
Slavi Pantaleev 6745ee4ab6 Add changelog entry for Dimension support
Related to #107 and #111 (Github Pull Requests)
2019-03-10 19:03:04 +02:00
Slavi Pantaleev ae7e17e64a Add information about mxisd email template customization
Related to #108 (Github Pull Request).
2019-03-08 12:06:50 +02:00
Slavi Pantaleev 08aa676338 Update changelog
Related to #105 (Github Pull Request).
2019-03-05 09:23:12 +02:00
Slavi Pantaleev a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev 28a5027138 Update changelog a bit 2019-02-16 11:50:06 +02:00
Slavi Pantaleev 350b25690d Add Riot v1.0 (v1.0.1) support 2019-02-16 11:48:17 +02:00
Slavi Pantaleev 1dd4f85e61 Update changelog 2019-02-14 19:05:14 +02:00
Slavi Pantaleev 70b2f07fec Add PostgreSQL backup information 2019-02-09 14:36:47 +02:00
Slavi Pantaleev fd4bd204e1 Improve changelog entry 2019-02-06 14:02:10 +02:00
Slavi Pantaleev 33726cdb08 Fix anchor 2019-02-06 13:02:17 +02:00
Slavi Pantaleev 241a4f9ef9 Add changelog entry for Synapse v0.99 2019-02-06 12:57:33 +02:00
Slavi Pantaleev cd332d9b4e Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
2019-02-01 11:49:22 +02:00
Slavi Pantaleev 345d53b693 Update changelog 2019-01-31 20:52:20 +02:00
Slavi Pantaleev 0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev 9c09978ecd Update changelog 2019-01-28 15:57:57 +02:00
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
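The two container-hardening commits above (non-root here, read-only root filesystem in 0be7b25c64) amount to a fixed set of `docker run` flags. The following is an added example, not the playbook's own code: a function that emits that flag set for a service container, and a second function that checks a running container for the same two properties via `docker inspect`. The container name `matrix-example`, image `example/image:1.0`, uid/gid `991` and the `/matrix/<name>/data` path are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: hardened `docker run` flags for a non-root, read-only
# service container, and an audit of a running container. Not from the
# playbook; names, image and paths are placeholders.
set -eu

# hardened_run_args NAME IMAGE UID GID -> prints space-separated arguments
# Drops root, makes the root filesystem read-only and gives the process only
# a small noexec tmpfs for scratch space plus one explicit data mount. With
# --cap-drop=ALL and no-new-privileges an image that tries to regain root
# (setuid binaries, capability-requiring syscalls) fails instead of succeeding.
hardened_run_args() {
  name="$1"; image="$2"; uid="$3"; gid="$4"
  printf '%s ' \
    --rm --name "$name" \
    --user "$uid:$gid" \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --cap-drop=ALL \
    --security-opt no-new-privileges \
    --mount "type=bind,src=/matrix/$name/data,dst=/data" \
    --network matrix \
    "$image"
  printf '\n'
}

# audit_container NAME -> 0 only if the container runs as non-root with a
# read-only root filesystem. Needs a Docker daemon; not exercised in tests.
audit_container() {
  user=$(docker inspect --format '{{.Config.User}}' "$1")
  ro=$(docker inspect --format '{{.HostConfig.ReadonlyRootfs}}' "$1")
  case "$user" in
    ''|root|0|0:*) echo "$1: runs as root (User='$user')" >&2; return 1 ;;
  esac
  [ "$ro" = "true" ] || { echo "$1: root filesystem is writable" >&2; return 1; }
  echo "$1: ok (user=$user, read-only rootfs)"
}

# Demo: print the argument list. On a real host (none of the values contain
# spaces, so unquoted expansion is safe):
#   docker run $(hardened_run_args matrix-example example/image:1.0 991 991)
#   audit_container matrix-example
hardened_run_args matrix-example example/image:1.0 991 991
```

The first thing a read-only rootfs breaks is an image that writes to `/run`, `/var/cache` or its own config directory at startup, which is exactly the reason the commit had to replace Postfix and patch the nginx-based images: each extra `--tmpfs` or `--mount` is a documented, deliberate writable location rather than the whole filesystem.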
Slavi Pantaleev 2fdafaa85b Update CHANGELOG 2019-01-17 14:37:29 +02:00
Slavi Pantaleev f4f06ae068 Make matrix-nginx-proxy role independent of others
The matrix-nginx-proxy role can now be used independently.
This makes it consistent with all other roles, with
the `matrix-base` role remaining as their only dependency.

Separating matrix-nginx-proxy was relatively straightforward, with
the exception of the Mautrix Telegram reverse-proxying configuration.
Mautrix Telegram, being an extension/bridge, does not feel important enough
to justify its own special handling in matrix-nginx-proxy.

Thus, we've introduced the concept of "additional configuration blocks"
(`matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks`),
where any module can register its own custom nginx server blocks.

For such dynamic registration to work, the order of role execution
becomes important. To make it possible for each module participating
in dynamic registration to verify that the order of execution is
correct, we've also introduced a `matrix_nginx_proxy_role_executed`
variable.

It should be noted that this doesn't make the matrix-synapse role
dependent on matrix-nginx-proxy. It's optional runtime detection
and registration, and it only happens in the matrix-synapse role
when `matrix_mautrix_telegram_enabled: true`.
2019-01-17 13:32:46 +02:00
Slavi Pantaleev c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev 515f04e936 Update CHANGELOG 2019-01-16 17:13:58 +02:00
Slavi Pantaleev 51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00
Slavi Pantaleev 9a9b7383e9 Completely redo how mxisd configuration gets generated
This change is provoked by a few different things:

- #54 (Github Pull Request), which rightfully says that we need a
way to support ALL mxisd configuration options easily

- the upcoming mxisd 1.3.0 release, which drops support for
property-style configuration (dot-notation), forcing us to
redo the way we generate the configuration file

With this, mxisd is much more easily configurable now
and much more easily maintainable by us in the future
(no need to introduce additional playbook variables and logic).
2019-01-11 19:33:54 +02:00