Commit Graph

29 Commits

Author SHA1 Message Date
Slavi Pantaleev
bf2b540807 Harden Traefik security by accessing the Docker API through docker-socket-proxy
With these changes, we:

- install https://github.com/Tecnativa/docker-socket-proxy via the
  https://github.com/devture/com.devture.ansible.role.container_socket_proxy Ansible role

- make Traefik access the Docker API via TCP by connecting to this
  socket proxy

- .. which allows us to run the Traefik container with less privileges
  (non-`root`, dropped capabilities)
2023-03-06 09:11:02 +02:00
Slavi Pantaleev
124fbeda04 Switch to using an external Etherpad role
This new role also adds native Traefik support and support for other
(non-`amd64`) architectures via self-building.
2023-03-02 22:50:13 +02:00
Slavi Pantaleev
f7149103e4 Remove matrix_playbook_traefik_certs_dumper_role_enabled in favor of just devture_traefik_certs_dumper_enabled
We don't need these 2 roughly-the-same settings related to the
traefik-certs-dumper role.

For Traefik, it makes sense, because it's a component used by the
various related playbooks and they could step onto each other's toes
if the role is enabled, but Traefik is disabled (in that case, uninstall
tasks will run).

As for Traefik certs dumper, the other related playbooks don't have it,
so there's no conflict. Even if they used it, each one would use its own
instance (different `devture_traefik_certs_dumper_identifier`), so there
wouldn't be a conflict and uninstall tasks can run without any danger.
2023-03-01 09:31:48 +02:00
Benjamin Kampmann
40f037b36d Add rageshake server 2023-02-24 16:55:49 +01:00
Slavi Pantaleev
990a6369e1 Switch to using an external Redis role 2023-02-17 16:23:59 +02:00
Slavi Pantaleev
964aa0e84d Switch to using an external Ntfy role
The newly extracted role also has native Traefik support,
so we no longer need to rely on `matrix-nginx-proxy` for
reverse-proxying to Ntfy.

The new role uses port `80` inside the container (not `8080`, like
before), because that's the default assumption of the officially
published container image. Using a custom port (like `8080`), means the
default healthcheck command (which hardcodes port `80`) doesn't work.
Instead of fiddling to override the healthcheck command, we've decided
to stick to the default port instead. This only affects the
inside-the-container port, not any external ports.

The new role also supports adding the network ranges of the container's
multiple additional networks as "exempt hosts". Previously, only one
network's address range was added to "exempt hosts".
2023-02-17 09:54:33 +02:00
Slavi Pantaleev
1006b8d899 Replace matrix-grafana with an external role 2023-02-15 10:32:24 +02:00
Slavi Pantaleev
78c35136b2 Replace matrix-backup-borg with an external role 2023-02-13 10:53:11 +02:00
Slavi Pantaleev
06ccd71edc Merge branch 'master' into traefik 2023-02-10 14:37:59 +02:00
Slavi Pantaleev
01ccec2dbe Merge branch 'master' into pr-jitsi-matrix-authentication 2023-02-10 14:12:47 +02:00
Catalan Lover
7b42ff4b75
Finalise moving draupnir to a fully testable state. 2023-02-08 18:55:08 +01:00
Slavi Pantaleev
c07630ed51 Add com.devture.ansible.role.traefik_certs_dumper role
With this, other roles (like Coturn, Postmoogle) will be able
to use SSL certificates extracted from Traefik
via https://github.com/ldez/traefik-certs-dumper
2023-02-08 16:05:38 +02:00
Slavi Pantaleev
f983604695 Initial work on Traefik support
This gets us started on adding a Traefik role and hooking Traefik:

- directly to services which support Traefik - we only have a few of
  these right now, but the list will grow

- to matrix-nginx-proxy for most services that integrate with
  matrix-nginx-proxy right now

Traefik usage should be disabled by default for now and nothing should
change for people just yet.

Enabling these experiments requires additional configuration like this:

```yaml
devture_traefik_ssl_email_address: '.....'

matrix_playbook_traefik_role_enabled: true
matrix_playbook_traefik_labels_enabled: true

matrix_ssl_retrieval_method: none

matrix_nginx_proxy_https_enabled: false

matrix_nginx_proxy_container_http_host_bind_port: ''
matrix_nginx_proxy_container_federation_host_bind_port: ''

matrix_nginx_proxy_trust_forwarded_proto: true

matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'

matrix_coturn_enabled: false
```

What currently works is:
reverse-proxying for all nginx-proxy based services **except** for the Matrix homeserver
(both Client-Server an Federation traffic for the homeserver don't work yet)
2023-02-06 10:34:51 +02:00
Slavi Pantaleev
be78b74fbd Switch from matrix-prometheus-postgres-exporter to an external prometheus_postgres_exporter role 2023-02-05 10:32:09 +02:00
Slavi Pantaleev
9ed2e04d80 Switch from matrix-prometheus-node-exporter to an external prometheus_node_exporter role 2023-01-21 11:07:04 +02:00
Slavi Pantaleev
a529bca756 Add justfile
We keep the Makefile for now, but don't mention it to new
users anymore.
2023-01-11 15:12:05 +02:00
Slavi Pantaleev
4e40ac5ad8
Merge pull request #2227 from xangelix/add-matrix-mautrix-slack-role
Add matrix-bridge-mautrix-slack role
2023-01-11 10:35:45 +02:00
bertybuttface
0ec1868b95 Add matrix-bot-chatgpt.
Co-Authored-By: Slavi Pantaleev <slavi@devture.com>
2023-01-10 13:57:38 +00:00
jakicoll
42e4e50f5b Matrix Authentication Support for Jitsi
This extends the collection with support for seamless authentication at the Jitsi server using Matrix OpenID.

1. New role for installing the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)
2. Changes to Jitsi role: Installing Jitsi Prosody Mods and configuring Jitsi Auth
3. Changes to Jitsi and nginx-proxy roles: Serving .well-known/element/jitsi from jitsi.DOMAIN
4. We updated the Jitsi documentation on authentication and added documentation for the user verification service.
2023-01-04 14:27:16 +01:00
Cody Wyatt Neiman
c925b517e7
Include mautrix-slack in setup 2023-01-02 21:09:23 -05:00
Slavi Pantaleev
2188dd34d1 Add missing install-* tags in setup.yml
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2356
2022-12-28 15:29:34 +02:00
Slavi Pantaleev
ae7325f251 Run com.devture.ansible.role.playbook_state_preserver even on --tags=install-all 2022-12-12 15:28:29 +02:00
ikkemaniac
8ebf18a885
add prometheus-nginxlog-exporter role (#2315)
* add prometheus-nginxlog-exporter role

* Rename matrix_prometheus_nginxlog_exporter_container_url to matrix_prometheus_nginxlog_exporter_container_hostname

* avoid referencing variables from other roles, handover info using group_vars/matrix_servers

* fix: stop service when uninstalling

fix: typo

move available arch's into a var

fix: text

* fix: prometheus enabled condition

Co-authored-by: ikkemaniac <ikkemaniac@localhost>
2022-12-07 16:58:36 +02:00
Slavi Pantaleev
4eed49f931 Replace custom/matrix-postgres-backup role with galaxy/com.devture.ansible.role.postgres_backup
This role is usable on its own and it's not tied to Matrix, so
extracting it out into an independent role that we install via
ansible-galaxy makes sense.

This also fixes the confusion from the other day, where
`matrix_postgres_*` had to be renamed to `devture_postgres_*`
(unless it was about `matrix_postgres_backup_*`).
We now can safely say that ALL `matrix_postgres_*` variables need to be
renamed.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2305
2022-11-30 11:01:19 +02:00
Slavi Pantaleev
04b9483f0d Switch from matrix-postgres to com.devture.ansible.role.postgres 2022-11-27 08:04:31 +02:00
Slavi Pantaleev
93d4f8d425 Replace matrix-common-after systemd service management with com.devture.ansible.role.systemd_service_manager 2022-11-23 11:45:46 +02:00
Slavi Pantaleev
d8f2141eb0 Install Docker via geerlingguy.docker Galaxy role 2022-11-22 09:01:26 +02:00
Slavi Pantaleev
e9e84341a9 Reverse-proxy to Synapse via matrix-synapse-reverse-proxy-companion
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090
2022-11-20 16:43:33 +02:00
Warren Bailey
84c74136ea
Provision extra Jitsi JVB services on additional hosts (#2166)
* Add task to configure a standalone JVB on a different server

* add missing file

* set nginx config

* update prosody file and expose port 5222

* change variable name to server id

* formatting change

* use server id of jvb-1 for the main server

* adding documentation

* adding more jvbs

* rename variable

* revert file

* fix yaml error

* minor doc fixes

* renaming tags and introducing a common tag

* remove duplicates

* add mapping for jvb to hostname/ip

* missed a jvb_server

* Update roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* PR review comments and additional documentation

* iterate on dict items

* Update docs/configuring-playbook-jitsi.md

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update docs/configuring-playbook-jitsi.md

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update docs/configuring-playbook-jitsi.md

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update docs/configuring-playbook-jitsi.md

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update docs/configuring-playbook-jitsi.md

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update docs/configuring-playbook-jitsi.md

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update docs/configuring-playbook-jitsi.md

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* adding documentation around the xmpp setting

* add common after

* reduce the number of services during init of the additional jvb

* remove rogue i

* revert change to jitsi init as it's needed

* only run the jvb service on the additional jvb host

* updating docs

* reset default and add documentation about the websocket port

* fix issue rather merge with master

* add missing role introduced in master

* this role is required too

* Adding new jitsi jvb playbook, moving setup.yml to matrix.yml and creating soft link

* updating documentation

* revert accidental change to file

* add symlink back to roles to aid running of the jitsi playbook

* Remove extra space

* Delete useless playbooks/roles symlink

* Remove blank lines

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
2022-11-18 14:00:27 +02:00