Commit Graph

237 Commits

Author SHA1 Message Date
Marcel Partap
cd8100544b Merge remote-tracking branch 'origin/master' into synapse-workers
Sync with upstream
2021-01-08 20:58:50 +01:00
Slavi Pantaleev
d08b27784f Fix systemd services autostart problem with Docker 20.10
The Docker 19.04 -> 20.10 upgrade contains the following change
in `/usr/lib/systemd/system/docker.service`:

```
-BindsTo=containerd.service
-After=network-online.target firewalld.service containerd.service
+After=network-online.target firewalld.service containerd.service multi-user.target
-Requires=docker.socket
+Requires=docker.socket containerd.service
Wants=network-online.target
```

The `multi-user.target` requirement in `After` seems to be in conflict
with our `WantedBy=multi-user.target` and `After=docker.service` /
`Requires=docker.service` definitions, causing the following error on
startup for all of our systemd services:

> Job matrix-synapse.service/start deleted to break ordering cycle starting with multi-user.target/start

A workaround which appears to work is to add `DefaultDependencies=no`
to all of our services.
2020-12-10 11:43:20 +02:00
Slavi Pantaleev
aa86e0dac6 Upgrade Synapse (v1.23.0 -> v1.24.0)
Because the ARM images are not pushed yet, we hold back to v1.23.0
for now.
2020-12-09 13:31:10 +02:00
Slavi Pantaleev
c07c927d9f Automatically enable openid listeners when ma1sd enabled
ma1sd requires the openid endpoints for certain functionality.
Example: 90b2b5301c/src/main/java/io/kamax/mxisd/auth/AccountManager.java (L67-L99)

If federation is disabled, we still need to expose these openid APIs on the
federation port.

Previously, we were doing similar magic for Dimension.
As per its documentation, when running unfederated, one is to enable
the openid listener as well. As per their recommendation, people
are advised to do enable it on the Client-Server API port
and use the `federationUrl` variable to override where the federation
port is (making federation requests go to the Client-Server API).

Because ma1sd always uses the federation port (unless you do some
DNS overwriting magic using its configuration -- which we'd rather not
do), it's better if we just default to putting the `openid` listener
where it belongs - on the federation port.

With this commit, we retain the "automatically enable openid APIs" thing
we've been doing for Dimension, but move it to the federation port instead.
We also now do the same thing when ma1sd is enabled.
2020-12-08 16:59:20 +02:00
Marcel Partap
e892ac464f synapse workers: untangle config template and specify bind address
.. to mitigate log noise - WARNING:
Failed to listen on 0.0.0.0, continuing because listening on [::]
2020-12-01 23:49:23 +01:00
Marcel Partap
f201bca519 synapse workers: define and expose METRICS port for each worker
As seen on TV:
https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md#monitoring-workers
2020-12-01 22:49:15 +01:00
Marcel Partap
b73ac965ac Merge remote-tracking branch 'origin/master' into synapse-workers 2020-12-01 21:24:26 +01:00
Slavi Pantaleev
1fca917ad1 Replace some -v instances with --mount
`-v` magically creates the source destination as a directory,
if it doesn't exist already. We'd like to avoid this magic
and the potential breakage that it might cause.

We'd rather fail while Docker tries to find things to `--mount`
than have it automatically create directories and fail anyway,
while having contaminated the filesystem.

There's a lot more `-v` instances remaining to be fixed later on.
This is just some start.

Things like `matrix_synapse_container_additional_volumes` and
`matrix_nginx_proxy_container_additional_volumes` were not changed to
use `--mount`, as options for each one are passed differently
(`ro` is `ro`, but `rw` doesn't exist and `slave` is `bind-propagation=slave`).
To avoid breaking people's custom volume mounts, we keep it as it is for now.

A deficiency with `--mount` is that it lacks the `z` option (SELinux
ownership changes), and some of our `-v` instances use that. I'm not
sure how supported SELinux is for us right now, but it might be,
and breaking that would not be a good idea.
2020-11-24 10:26:05 +02:00
Slavi Pantaleev
b627d93cdc Update homeserver.yaml to keep up with Synapse v1.23.0
Related to #724 (Github Pull Request)
2020-11-18 16:57:50 +02:00
Marcel Partap
2d1b9f2dbf synapse workers: reworkings + get endpoints from upstream docs via awk
(yes, a bit awkward and brittle… xD)
2020-10-28 07:13:19 +01:00
Marcel Partap
87bd64ce9e Merge remote-tracking branch 'origin/master' into synapse-workers 2020-10-23 23:45:07 +02:00
Marcel Partap
a4125d5446 synapse workers: polishing, cleansing and installation of jq dependency 2020-10-23 20:49:53 +02:00
Marcel Partap
501efee07e synapse workers: supply systemd with actual worker PIDs (requires jq)
also, worker.yaml.j2:
  - hone worker_name
  - remove worker_pid_file entry (would only be used if worker_daemonize
    set to true; also, synapse only knows about the container namespace
    and thus can not provide the required host-view PID)
2020-10-22 20:53:41 +02:00
Aaron Raimist
78529cbd47
Upgrade Synapse (v1.20.1 -> v1.21.0) 2020-10-12 23:59:34 -05:00
Marcel Partap
d2e61af224 Add worker_name to synapse worker config template
& restrict federation listener; frontend_proxy / user_dir don't need it
2020-10-11 21:52:08 +02:00
Marcel Partap
e9241f5fb9 Improve synapse-workers systemd service template
Is the PID magic gonna work? or will it need an ExecStartPost hack..
2020-10-11 21:09:19 +02:00
Marcel Partap
40024e9b81 Prevent workers failing if their config doesn't exist
- cherry-pick "Ensure worker config exists in systemd service (#7528)"
  from synapse d74cdc1a42e8b487d74c214b1d0ca575429d546a:
  "check that the worker config file exists instead of silently failing."
2020-10-11 21:09:19 +02:00
Marcel Partap
93a8ea7e4a Merge remote-tracking branch 'master' into feature/add-worker-support 2020-10-11 20:59:05 +02:00
Slavi Pantaleev
dd217137b6 Upgrade Synapse (v1.19.3 -> v1.20.0) 2020-09-22 19:28:07 +03:00
Max Klenk
4fdfc0a34f
add missing ratelimiting options required for load testing 2020-09-11 09:46:20 +02:00
Max Klenk
a25a429a52
add redis support 2020-09-10 13:39:00 +02:00
Max Klenk
06bc430c7c
refactor to use new workers and routes they serve 2020-08-28 13:53:39 +02:00
Max Klenk
567d0318b0
Merge branch 'synapse-workers' into feature/add-worker-support 2020-08-27 15:22:12 +02:00
Slavi Pantaleev
9952ec6c16 Upgrade Synapse (v1.18.0 -> v1.19.0) 2020-08-17 17:02:40 +03:00
Slavi Pantaleev
f78a5d4ee8 Upgrade Synapse (v1.17.0 -> v1.18.0) 2020-07-30 14:21:44 +03:00
Slavi Pantaleev
200f912c04 Upgrade Synapse (v1.16.1 -> v1.17.0)
Fixes #579 (Github Issue).
2020-07-13 14:08:50 +03:00
Slavi Pantaleev
928982cffe Upgrade Synapse (v1.15.2 -> v1.16.0) 2020-07-08 14:08:46 +03:00
Slavi Pantaleev
18ab677a96 Remove useless file 2020-07-08 00:22:47 +03:00
Slavi Pantaleev
f758ee90cb
Add |to_json to some values 2020-07-04 09:31:52 +03:00
Justin Croonenberghs
35c2655fa4 Removed troublesome #s 2020-07-03 19:01:03 -05:00
Justin Croonenberghs
1f21f0c09a Add variables for reCAPTCHA validation 2020-07-03 18:33:25 -05:00
Slavi Pantaleev
6538ae34f5 Upgrade Synapse (v1.14 -> v1.15)
Fixes #539 (Github Issue).
2020-06-11 16:02:01 +03:00
Slavi Pantaleev
f56a9a0f5f
Merge pull request #524 from cnvandijk/fix-executable-path
Remove hardcoded paths to commands on the host machine
2020-05-28 15:39:25 +03:00
Slavi Pantaleev
8bae39050e Update settings for Synapse v1.14.0 2020-05-28 15:23:05 +03:00
Chris van Dijk
6334f6c1ea Remove hardcoded command paths in systemd unit files
Depending on the distro, common commands like sleep and chown may either
be located in /bin or /usr/bin.

Systemd added path lookup to ExecStart in v239, allowing only the
command name to be put in unit files and not the full path as
historically required. At least Ubuntu 18.04 LTS is however still on
v237 so we should maintain portability for a while longer.
2020-05-27 23:14:54 +02:00
Slavi Pantaleev
8fb3ce6f6d Upgrade Synapse (v1.12.4 -> v1.13.0) 2020-05-19 21:35:32 +03:00
Chris van Dijk
3f4bc9b881 Move config supprt for unfederated dimension into group_vars 2020-04-22 19:23:56 +02:00
Marcel Partap
66a4073512 Publish synapse worker ports, need to be accessible to nginx 2020-04-19 19:05:03 +02:00
Marcel Partap
353bc7c362 Add initial support for synapse workers
· needs documentation; no checks yet for port clashes or typos in worker name
· according to https://github.com/matrix-org/synapse/wiki/Workers-setup-with-nginx#results
  about 90% of requests go to the synchrotron endpoint
· thus, the synchrotron worker is especially suited to be load-balanced
· most of the other workers are documented to support only a single instance
· https://github.com/matrix-org/synapse/blob/master/docs/workers.md
2020-04-19 19:05:03 +02:00
Chris van Dijk
3ddb8cd148 Add support for running dimension in an unfederated environment
This config change follows:

  https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md
2020-04-18 19:00:20 +02:00
Slavi Pantaleev
c13c29f48e Fix |to_nice_yaml breaking formatting
Well, actually 8cd9cde won't work, unless we put the
`|to_nice_yaml` thing on a new line.

We can, but that takes more lines and makes things look uglier.
Using `|to_json` seems good enough.

The whole file is parsed as YAML later on and merged with the
`_extension` variable before being dumped as YAML again in the end.
2020-04-18 11:06:53 +03:00
Slavi Pantaleev
8cd9cdead0 Improve consistency 2020-04-18 11:05:47 +03:00
Tom
e54428b160 Expose allowed local 3pids as a configurable option 2020-04-18 00:11:30 +01:00
Slavi Pantaleev
845f5f007b Make Synapse use ma1sd (if enabled) for threepid registration 2020-04-03 10:08:37 +03:00
Slavi Pantaleev
9032151486 Update Synapse configuration for v1.12.0
Some options are no longer required and have sensible default values.
2020-03-23 16:15:03 +02:00
Slavi Pantaleev
5de8f27122 Upgrade Synapse (v1.10.1 -> v1.11.0) 2020-02-21 12:32:35 +02:00
Slavi Pantaleev
8343ff5268
Add missing to_json filter 2020-02-19 10:13:36 +02:00
orange
45e32bdad2 add synapse config enable_group_creation 2020-02-18 18:05:54 +01:00
Slavi Pantaleev
2c04384e8e Synchronize config with the one from Synapse 1.9.0
Related to #355.
2020-01-23 15:47:53 +02:00
Slavi Pantaleev
fddd3f922f Upgrade Synapse to 1.8.0 2020-01-09 15:33:35 +02:00
Slavi Pantaleev
d69ddcfdac Upgrade Synapse (1.6.1 -> 1.7.0) 2019-12-13 14:52:29 +02:00
Aaron Raimist
79d1576648
Allow Synapse manhole to be enabled
Can you double check that the way I have this set only exposes it locally? It is important that the manhole is not available to the outside world since it is quite powerful and the password is hard coded.
2019-12-05 00:07:15 -06:00
Slavi Pantaleev
0c51440426 Update Synapse to v1.6.0 2019-11-26 16:28:17 +02:00
Slavi Pantaleev
2da40c729a Do not expose server room directory by default
Prompted by: https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers

This is a bit controversial, because.. the Synapse default remains open,
while the general advice (as per the blog post) is to make it more private.

I'm not sure exactly what kind of server people set up and whether they
want to make the room directory public. Our general goal is to favor
privacy and security when running personal (family & friends) and corporate
homeservers, both of which likely benefit from having a more secure default.
2019-11-10 08:55:46 +02:00
recklesscoder
5d3b765241
Actually use matrix_synapse_storage_path
matrix_synapse_storage_path is already defined in matrix-synapse/defaults/main.yml (with a default of "{{ matrix_synapse_base_path }}/storage"), but was not being used for its presumed purpose in matrix-synapse.service.j2. As a result, if matrix_synapse_storage_path was overridden (in a vars.yml), the synapse service failed to start.
2019-11-02 13:46:02 +01:00
Julian Foad
7ce80bc58e
Quote docker args in case inputs contain spaces 2019-10-14 08:59:56 +01:00
Slavi Pantaleev
392f8202bd Make SAML2 configuration match sample config generated using generate command 2019-10-03 19:26:38 +03:00
Aaron Raimist
413d9ec143
WIP: Upgrade Synapse (1.3.1 -> 1.4.0rc2) 2019-10-02 21:35:44 -05:00
Slavi Pantaleev
4b1e9a4827 Add support for configuring Synapse spam_checker setting 2019-09-09 08:11:32 +03:00
Slavi Pantaleev
1b2191a0f1 Add new Synapse configuration options (since 1.3.0)
Continuation of #246 (Github Pull Request)
2019-08-16 09:57:51 +03:00
Oleg Fiksel
43628ddad6 Added "|to_json" to ensure we really pass a boolean 2019-08-08 12:11:19 +02:00
Oleg Fiksel
f713bbe0f8 Added possibility to enable guest access on synapse 2019-08-08 11:57:35 +02:00
Slavi Pantaleev
255b67a0ce Update homeserver.yaml with new options from Synapse v1.2.0
Related to #223 (Github Pull Request)
2019-07-25 22:03:12 +03:00
Slavi Pantaleev
17cd52ced6 Make Synapse log messages a bit prettier
ef5e4ad061 intentionally makes us conform to
the logging format suggested by the official Docker image.

Reverting this part, because it's uglier.

This likely should be fixed upstream as well though.
2019-07-04 18:19:52 +03:00
Slavi Pantaleev
ef5e4ad061 Make Synapse not log to text files
Somewhat related to #213 (Github Pull Request).

We've been moving in the opposite direction for quite a long time.
All services should just leave logging to systemd's journald.
2019-07-04 17:46:31 +03:00
Slavi Pantaleev
da6edc9cba Add support for disabling Synapse's local database for user auth
This is a new feature of Synapse v1.1.0.

Discussed in #145 (Github Pull Request).
2019-07-04 17:11:51 +03:00
Slavi Pantaleev
2b3865ceea Upgrade Synapse (1.0.0 -> 1.1.0) 2019-07-04 16:58:45 +03:00
Slavi Pantaleev
f4574961c7
Prevent double-quotes around default room version
Using `|to_json` on a string is expected to correctly wrap it in quotes (e.g. `"4"`).
Wrapping it explicitly in double-quotes results in undesirable double-quoting (`""4""`).
2019-06-12 09:17:35 +03:00
Aaron Raimist
483bdd8c01
Allow default room version to be configured 2019-06-11 21:18:06 -05:00
Slavi Pantaleev
e4068e55ee Upgrade Synapse (0.99.5.2 -> 1.0.0) 2019-06-11 20:30:18 +03:00
Aaron Raimist
79f4bcf5be
Enable sentry.io integration 2019-06-07 16:02:41 -05:00
Slavi Pantaleev
d6d6c152a3 Delay bridge startup to ensure Synapse is up
Bridges start matrix-synapse.service as a dependency, but
Synapse is sometimes slow to start, while bridges are quick to
hit it and die (if unavailable).

They'll auto-restart later, but .. this still breaks `--tags=start`,
which doesn't wait long enough for such a restart to happen.

This attempts to slow down bridge startup enough to ensure Synapse
is up and no failures happen at all.
2019-06-07 12:15:37 +03:00
Slavi Pantaleev
2982b03809 Explicitly serialize matrix_synapse_app_service_config_files
Attempt to fix #192 (Github Issue), potential regression since
70487061f4.

Serializing as JSON/YAML explicitly is much better than relying on
magic (well, Python serialization being valid YAML..).
It seems like Python may prefix strings with `u` sometimes (Python 3?),
which causes Python serialization to not be compatible with YAML.
2019-05-30 09:42:08 +03:00
Slavi Pantaleev
ab59cc50bd Add support for more flexible container port exposing
Fixes #171 (Github Issue).
2019-05-25 07:41:08 +09:00
Slavi Pantaleev
a8b633561d Upgrade Synapse (v0.99.4 -> v0.99.5.1) 2019-05-23 09:23:04 +09:00
Slavi Pantaleev
affb99003c Improve Synapse variable naming consistency 2019-05-21 12:09:38 +09:00
Slavi Pantaleev
663d1add92 Move matrix-appservice-discord into a separate role 2019-05-18 01:14:12 +09:00
Slavi Pantaleev
13c4e7e5b6 Merge branch 'master' into separate-bridge-roles 2019-05-16 09:45:06 +09:00
Slavi Pantaleev
ae7c8d1524 Use SyslogIdentifier to improve logging
Reasoning is the same as for matrix-org/synapse#5023.

For us, the journal used to contain `docker` for all services, which
is not very helpful when looking at them all together (`journalctl -f`).
2019-05-16 09:43:46 +09:00
Slavi Pantaleev
cf3117011b Upgrade Synapse (0.99.3.2 -> 0.99.4) 2019-05-16 09:20:43 +09:00
Slavi Pantaleev
3339e37ce9 Move matrix-appservice-irc into a separate role 2019-05-16 09:07:40 +09:00
Slavi Pantaleev
43fd3cc274 Move mautrix-facebook into a separate role 2019-05-15 09:34:31 +09:00
Marcel Partap
5aa7f637d8 Fix matrix_synapse_ext_password_provider_ldap_start_tls (it's boolean) 2019-05-14 23:09:59 +02:00
Slavi Pantaleev
bb816df557 Move mautrix telegram and whatsapp into separate roles
The goal is to move each bridge into its own separate role.
This commit starts off the work on this with 2 bridges:
- mautrix-telegram
- mautrix-whatsapp

Each bridge's role (including these 2) is meant to:

- depend only on the matrix-base role

- integrate nicely with the matrix-synapse role (if available)

- integrate nicely with the matrix-nginx-proxy role (if available and if
required). mautrix-telegram bridge benefits from integrating with
it.

- not break if matrix-synapse or matrix-nginx-proxy are not used at all

This has been provoked by #174 (Github Issue).
2019-05-14 23:47:22 +09:00
Slavi Pantaleev
216cdf8c74
Merge pull request #166 from izissise/mautrix-facebook
Mautrix facebook
2019-05-09 10:05:14 +03:00
Dan Arnfield
958ad68078 Add registrations_require_3pid synapse option 2019-05-08 12:29:18 -05:00
Hugues Morisset
a82d5ed281 Add tulir mautrix-facebook (https://github.com/tulir/mautrix-facebook) 2019-05-08 17:11:07 +02:00
Hugues De Keyzer
c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Slavi Pantaleev
0e7310fd7c
Merge pull request #164 from TheLastProject/fix/string_before_to_json
string before to_json when string value is expected
2019-05-07 10:41:41 +03:00
Sylvia van Os
9ea593df37 Fix incorrect casts 2019-05-07 09:35:51 +02:00
Sylvia van Os
ed0ecf5bea string before to_json when string value is expected
This prevents Ansible from sometimes failing to decrypt vault variables
2019-05-06 10:10:27 +02:00
Slavi Pantaleev
e0b7b4dc61
Merge pull request #159 from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
Slavi Pantaleev
6bea3237c9
Merge pull request #163 from aaronraimist/synapse-0.99.3.1
Update Synapse (0.99.3 -> 0.99.3.1)
2019-05-03 22:10:20 +03:00
Aaron Raimist
d1646bb497
Update Synapse (0.99.3 -> 0.99.3.1) 2019-05-03 12:07:58 -05:00
Sylvia van Os
75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
Sylvia van Os
bf77f776a2 Add variable to disable homeserver url preview 2019-04-30 13:58:48 +02:00
Ciaran Ainsworth
8624cf4a57 Fixed default url preview settings 2019-04-26 14:11:40 +01:00
Slavi Pantaleev
892abdc700 Do not refer to Synapse as "Matrix Synapse" 2019-04-23 10:20:56 +03:00
Lyubomir Popov
eab8f31eed Add additional room config options:
- matrix_enable_room_list_search - Controls whether searching the public room list is enabled.
 - matrix_alias_creation_rules - Controls who's allowed to create aliases on this server.
 - matrix_room_list_publication_rules - Controls who can publish and which rooms can be published in the public room list.
2019-04-16 12:40:38 +03:00
Slavi Pantaleev
9a05b030cb Fix unknown tag error when generating Goofys service
`{% matrix_s3_media_store_custom_endpoint_enabled %}` should have
been `{% if matrix_s3_media_store_custom_endpoint_enabled %}` instead.

Related to #132 (Github Pull Request).
2019-04-10 08:45:52 +03:00
Alexander Acevedo
6cc6638098
revert 3953705682
that's not how it works
2019-04-05 06:01:58 -04:00
Alexander Acevedo
3953705682
add custom endpoint environment variable 2019-04-05 05:56:36 -04:00
Alexander Acevedo
3ffb03f20e
missing whitespace 2019-04-05 05:54:58 -04:00
Alexander Acevedo
c55e49d733
add custom endpoint to matrix-goofys.service.j2
This (should) check if custom endpoint is enabled.
2019-04-05 05:48:31 -04:00
Slavi Pantaleev
631b7cc6a6 Add support for adjusting Synapse rate-limiting configuration 2019-04-01 21:40:14 +03:00
Slavi Pantaleev
77359ae867 Synchronize Synapse config with the sample from 0.99.3 2019-04-01 21:22:05 +03:00
Slavi Pantaleev
e65514223e
Merge branch 'master' into update-homeserver-yaml 2019-03-17 20:53:52 +02:00
Slavi Pantaleev
2f1662626e Use |to_json for matrix_synapse_push_include_content
Doing this for consistency.

Related to #117 (Github Pull Request).
2019-03-17 20:51:12 +02:00
Aaron Raimist
ae912c4529
Update homeserver.yaml with some new options we could enable 2019-03-16 15:51:41 -05:00
Lee Verberne
71c7c74b7b Allow configuring push content for matrix-synapse
This allows overriding the default value for `include_content`. Setting
this to false allows homeserver admins to ensure that message content
isn't sent in the clear through third party servers.
2019-03-16 07:16:20 +01:00
Plailect
f6de3fd668
Start appservice-irc as non-root 2019-03-12 13:17:51 -04:00
Slavi Pantaleev
62e2acada5
Merge pull request #104 from dangersalad/master
allow exposing mautrix_telegram port
2019-03-08 08:50:05 +02:00
paulbdavis
17e86ba817 implement requested changes 2019-03-07 12:45:58 -07:00
Lionstiger
c2834d2226 running as matrix user from the start 2019-03-04 16:26:19 +01:00
Lionstiger
835c349275 Add matrix-appservice-discord bridge
Bridge is setup to work on the matrix side with this, but the discord invite link is not automatically generated.
2019-03-03 18:22:52 +01:00
paulbdavis
f2a2cad107 allow exposing mautrix_telegram port 2019-03-01 16:05:01 -07:00
Slavi Pantaleev
a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
Slavi Pantaleev
eb08e20418 Upgrade Synapse (0.99.0 -> 0.99.1) and sync config
`matrix_synapse_no_tls` is now implicit, so we've gotten rid of it.

The `homeserver.yaml.j2` template has been synchronized with the
configuration generated by Synapse v0.99.1 (some new options
are present, etc.)
2019-02-14 18:40:55 +02:00
Slavi Pantaleev
42c4de348c Revert "Bind metrics on :: too"
This reverts commit 536c85619f.

Looks like binding metrics on IPv6 (`::`) fails with an error:

socket.gaierror: [Errno -2] Name does not resolve
2019-02-09 13:21:18 +02:00
Slavi Pantaleev
536c85619f Bind metrics on :: too
For consistency with all our other listeners,
we make this one bind on the `::` address too
(both IPv4 and IPv6).

Additional details are in #91 (Github Pull Request).
2019-02-06 14:24:10 +02:00
Slavi Pantaleev
91a757c581 Add support for reloading Synapse 2019-02-06 09:25:13 +02:00
Slavi Pantaleev
5db692f877 Remove some useless homeserver.yaml configuration 2019-02-05 14:02:01 +02:00
Slavi Pantaleev
f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Aaron Raimist
58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
dhose
87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Plailect
5e1d96c727
Add matrix_appservice_irc_container_expose_client_server_api_port 2019-01-31 11:20:45 -05:00
Plailect
3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev
0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev
bf10331456 Make mautrix-whatsapp run as non-root and w/o capabilities 2019-01-28 15:55:58 +02:00
Slavi Pantaleev
8a3f942d93 Make mautrix-telegram run as non-root and w/o capabilities 2019-01-28 15:40:16 +02:00
Slavi Pantaleev
316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
Slavi Pantaleev
299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev
56d501679d Be explicit about the UID/GID we start Synapse with
We do match the defaults anyway (by default that is),
but people can customize `matrix_user_uid` and `matrix_user_uid`
and it wouldn't be correct then.

In any case, it's better to be explicit about such an important thing.
2019-01-26 20:21:18 +02:00
Slavi Pantaleev
1a80058a2a Indent (non-YAML) using tabs
Fixes #83 (Github issue)
2019-01-26 09:37:29 +02:00
Slavi Pantaleev
c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev
294a5c9083 Fix YAML serialization of empty matrix_synapse_federation_domain_whitelist
We've previously changed a bunch of lists in `homeserver.yaml.j2`
to be serialized using `|to_nice_yaml`, as that generates a more
readable list in YAML.

`matrix_synapse_federation_domain_whitelist`, however, couldn't have
been changed to that, as it can potentially be an empty list.

We may be able to differentiate between empty and non-empty now
and serialize it accordingly (favoring `|to_nice_yaml` if non-empty),
but it's not important enough to be justified. Thus, always
serializing with `|to_json`.

Fixes #78 (Github issue)
2019-01-16 17:06:58 +02:00
Slavi Pantaleev
51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00