Commit Graph

360 Commits

Author SHA1 Message Date
Slavi Pantaleev
fd4bd204e1 Improve changelog entry 2019-02-06 14:02:10 +02:00
Slavi Pantaleev
33726cdb08 Fix anchor 2019-02-06 13:02:17 +02:00
Slavi Pantaleev
241a4f9ef9 Add changelog entry for Synapse v0.99 2019-02-06 12:57:33 +02:00
Slavi Pantaleev
cd332d9b4e Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
2019-02-01 11:49:22 +02:00
Slavi Pantaleev
345d53b693 Update changelog 2019-01-31 20:52:20 +02:00
Slavi Pantaleev
0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev
9c09978ecd Update changelog 2019-01-28 15:57:57 +02:00
Slavi Pantaleev
299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev
2fdafaa85b Update CHANGELOG 2019-01-17 14:37:29 +02:00
Slavi Pantaleev
f4f06ae068 Make matrix-nginx-proxy role independent of others
The matrix-nginx-proxy role can now be used independently.
This makes it consistent with all other roles, with
the `matrix-base` role remaining as their only dependency.

Separating matrix-nginx-proxy was relatively straightforward, with
the exception of the Mautrix Telegram reverse-proxying configuration.
Mautrix Telegram, being an extension/bridge, does not feel important enough
to justify its own special handling in matrix-nginx-proxy.

Thus, we've introduced the concept of "additional configuration blocks"
(`matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks`),
where any module can register its own custom nginx server blocks.

For such dynamic registration to work, the order of role execution
becomes important. To make it possible for each module participating
in dynamic registration to verify that the order of execution is
correct, we've also introduced a `matrix_nginx_proxy_role_executed`
variable.

It should be noted that this doesn't make the matrix-synapse role
dependent on matrix-nginx-proxy. It's optional runtime detection
and registration, and it only happens in the matrix-synapse role
when `matrix_mautrix_telegram_enabled: true`.
2019-01-17 13:32:46 +02:00
Slavi Pantaleev
c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Slavi Pantaleev
515f04e936 Update CHANGELOG 2019-01-16 17:13:58 +02:00
Slavi Pantaleev
51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00
Slavi Pantaleev
9a9b7383e9 Completely redo how mxisd configuration gets generated
This change is provoked by a few different things:

- #54 (Github Pull Request), which rightfully says that we need a
way to support ALL mxisd configuration options easily

- the upcoming mxisd 1.3.0 release, which drops support for
property-style configuration (dot-notation), forcing us to
redo the way we generate the configuration file

With this, mxisd is much more easily configurable now
and much more easily maintaneable by us in the future
(no need to introduce additional playbook variables and logic).
2019-01-11 19:33:54 +02:00
Slavi Pantaleev
b222d26c86 Switch to managing cronjobs with the Ansible cron module
As suggested in #65 (Github issue), this patch switches
cronjob management from using templates to using Ansible's `cron` module.

It also moves the management of the nginx-reload cronjob to `setup_ssl_lets_encrypt.yml`,
which is a more fitting place for it (given that this cronjob is only required when
Let's Encrypt is used).

Pros:
- using a module is more Ansible-ish than templating our own files in
special directories

- more reliable: will fail early (during playbook execution) if `/usr/bin/crontab`
is not available, which is more of a guarantee that cron is working fine
(idea: we should probably install some cron package using the playbook)

Cons:
- invocation schedule is no longer configurable, unless we define individual
variables for everything or do something smart (splitting on ' ', etc.).
Likely not necessary, however.

- requires us to deprecate and clean-up after the old way of managing cronjobs,
because it's not compatible (using the same file as before means appending
additional jobs to it)
2019-01-08 12:52:03 +02:00
Slavi Pantaleev
d05b66cff3 Update README 2018-12-23 11:03:42 +02:00
Slavi Pantaleev
d28bdb3258 Add support for 2 more SSL certificate retrieval methods
Adds support for managing certificates manually and for
having the playbook generate self-signed certificates for you.

With this, Let's Encrypt usage is no longer required.

Fixes Github issue #50.
2018-12-23 11:00:12 +02:00
Slavi Pantaleev
bfcba5256e Upgrade mxisd (1.2.1 -> 1.2.2) 2018-12-23 08:49:21 +02:00
Slavi Pantaleev
8cf66bdff3 Update changelog with some past information 2018-12-21 10:25:25 +02:00
Slavi Pantaleev
40626ff8df Upgrade Synapse (0.33.9/Python 2 -> 0.33.4/Python 3) 2018-12-21 10:15:58 +02:00
Thomas vO
cf6d8c9445 update changelog 2018-11-28 11:05:35 +01:00
Slavi Pantaleev
3fec9dfa0e Add LDAP auth password provider documentation and changelog description 2018-11-28 11:21:03 +02:00
Slavi Pantaleev
2d3f5b21f7 Update changelog 2018-11-23 11:21:30 +02:00
Aaron Raimist
ddec99b899
Allow Synapse log levels to be configured (#23) 2018-11-14 13:39:52 -06:00
Slavi Pantaleev
f88b0ca33f
Merge branch 'master' into riot-web-config-json 2018-11-03 12:00:48 +02:00
Slavi Pantaleev
ec316afdc1 Fix typo 2018-11-03 10:15:54 +02:00
Aaron Raimist
ef2e330d22
Allow a few parts of Riot config.json to be configured (#24) 2018-11-02 20:14:03 -05:00
Aaron Raimist
ebab95c9ec
Add new variable matrix_nginx_proxy_ssl_protocols 2018-11-02 18:20:05 -05:00
Slavi Pantaleev
099558bee8 Fix doc file name inconsistency (configuration -> configuring) 2018-11-01 18:20:49 +02:00
Slavi Pantaleev
e417ac4922 Add support for Postgres 11 2018-11-01 09:48:56 +02:00
Slavi Pantaleev
fb5115a544 Rename playbook variables so they are consistently prefixed
Pretty much all variables live in their own `matrix_<whatever>`
prefix now and are grouped closer together in the default
variables file (`roles/matrix-server/defaults/main.yml`).
2018-11-01 08:46:47 +02:00
Slavi Pantaleev
5e3c6ebf49 Update documentation 2018-10-26 19:44:58 +03:00
Slavi Pantaleev
67a445a74a Add support for controlling Matrix federation 2018-10-25 18:02:04 +03:00
Slavi Pantaleev
3ecb16bbef Use disable_guests=true for Riot 2018-10-24 13:59:06 +03:00
Slavi Pantaleev
d0c2ef10e4 Add self-check command 2018-10-21 12:58:25 +03:00
Slavi Pantaleev
b49f4531e8 Make user presence-status tracking configurable 2018-10-05 10:35:16 +03:00
Slavi Pantaleev
242f388af3 Make Synapse cache factor configurable 2018-09-27 10:03:31 +03:00
Slavi Pantaleev
161854e6d7 Disable Docker container logging
`--log-driver=none` is used for all Docker containers now.

All these containers are started through systemd anyway and get logged in journald,
so there's no need for Docker to be logging the same thing using the default `json-file` driver.
Doing that was growing `/var/lib/docker/containers/..` infinitely until service/container restart.

As a result of this, things like `docker logs matrix-synapse` won't work anymore.
`journalctl -u matrix-synapse` is how one can see the logs.
2018-09-26 09:11:19 +03:00
Slavi Pantaleev
0d0ccde286 Add Service Discovery (/.well-known/matrix/client) support 2018-09-17 10:51:46 +03:00
Slavi Pantaleev
38e3ffa29c Rename variable (matrix_riot_web_default_identity_server_url -> matrix_identity_server_url) 2018-09-17 08:44:29 +03:00
Slavi Pantaleev
4f48508014 Rename variable (matrix_nginx_riot_web_data_path -> matrix_riot_web_data_path) 2018-09-17 08:43:31 +03:00
Slavi Pantaleev
620553e408 Update README 2018-09-07 23:35:04 +03:00
Slavi Pantaleev
7adcdf3040 Add the ability to control event_cache_size for Synapse
I've found the previous 10K default value to be way too low
on a bunch of servers I'm running, so it's now up to
100K and made configurable.
2018-09-07 16:15:40 +03:00
Slavi Pantaleev
b52d91e180 Add the ability to controll password-peppering for Synapse
Closes Github issue #5
2018-09-07 15:01:38 +03:00
Slavi Pantaleev
6d6a6412fa Add the ability to control statistics-reporting for Synapse
Closes Github issue #3
2018-09-07 14:49:51 +03:00
Slavi Pantaleev
09a41dd3ea Fix systemctl command to avoid wildcard expansion 2018-08-29 09:42:59 +03:00
Slavi Pantaleev
9e91d5059f Fix wording 2018-08-29 09:41:24 +03:00
Slavi Pantaleev
23e4a4734b Switch from acmetool to certbot for SSL certificate retrieval 2018-08-29 09:37:44 +03:00
Slavi Pantaleev
5398d80f01 Add support for matrix-corporal 2018-08-21 13:34:34 +03:00
Slavi Pantaleev
76e904eb70 Fix broken link in changelog 2018-08-20 21:27:19 +03:00
Slavi Pantaleev
02d5b54fa5 Add controls for influencing Matrix Synapse's rate-limiting 2018-08-20 21:25:06 +03:00
Slavi Pantaleev
f72882fe1a Fix user registration regression
Regression since a302a7d748,
which made the Matrix Client API only available on
the http port (8008) and not over the federation port (8448).
2018-08-17 12:23:25 +03:00
Slavi Pantaleev
ea43d46b70 Add matrix-synapse-rest-auth support 2018-08-17 09:02:17 +03:00
Slavi Pantaleev
df79901f8b Improve compression support 2018-08-17 08:00:38 +03:00
Slavi Pantaleev
a302a7d748 Only run federation on 8448 and client on 80
This disables federation on the 80 port, as it's
not necessary. We also disable the old Angular webclient.

For the federation port (8448), we disable the client APIs
as those are not necessary. Those can even cause trouble
if one doesn't know about them and thinks that guarding the client
APIs at the 80 port is enough.
2018-08-17 07:55:58 +03:00
Slavi Pantaleev
74093dfb15 Add mxisd Identity Server support 2018-08-15 10:46:13 +03:00
Slavi Pantaleev
21da2f572b Add email-sending support 2018-08-14 14:47:44 +03:00
Slavi Pantaleev
700602eed3 Rename a bunch of playbook variables for better consistency 2018-08-08 09:17:18 +03:00
Slavi Pantaleev
336785d1ed Rename Ansible playbook tag (setup-main -> setup-all) 2018-08-08 09:03:37 +03:00
Slavi Pantaleev
3fd6fd647f Put all containers in their own isolated Docker network (matrix)
Moving away from using the default bridge network to using our own.
This isolates our services from other Docker containers running
on the default network on the same host.

The benefits are that:

- isolation is a little better - we no longer share a default
bridge network with any other containers that might be running on the host

- there are no longer hard dependencies - we do service discovery
by DNS name, and not via explicit `--link` usage during container start,
so containers can start out of order and fail without bringing down others
with them
(`matrix-nginx-proxy` can continue running, even if one of the other services dies)

In the future, when other services get introduced,
the increased resilience and simplicity will help as well.
2018-08-08 08:57:48 +03:00